On Wed, Feb 02, 2022 at 03:33:11PM -0800, Guenter Roeck wrote:
> On 2/2/22 12:56, Kees Cook wrote:
> > On Wed, Feb 02, 2022 at 08:09:03AM -0800, Guenter Roeck wrote:
> > > xtensa:allmodconfig:
> > > --------------
> > > Error log:
> > > In file included from include/linux/uaccess.h:11,
> > >                  from include/linux/sched/task.h:11,
> > >                  from arch/xtensa/kernel/process.c:21:
> > > arch/xtensa/kernel/process.c: In function 'copy_thread':
> > > arch/xtensa/kernel/process.c:262:52: error: array subscript 53 is above array bounds of 'long unsigned int[16]'
> >
> > I assume this is a weird cast. I will also check this one out.
> >
>
> 	int callinc = (regs->areg[0] >> 30) & 3;
> 	int caller_ars = XCHAL_NUM_AREGS - callinc * 4;
> 	put_user(regs->areg[caller_ars+1],
> 	         ^^^^^^^^^^^^^^^^^^^^^^^^
> 		 (unsigned __user*)(usp - 12));
>
> I think the problem is that XCHAL_NUM_AREGS can be up to 64,
> but the size of struct pt_regs->areg[] is fixed to 16.

Yeah, that's what I found too. The comment about pt_regs::areg seems to
hint that things treat pt_regs differently. I've asked on the xtensa list:
https://lore.kernel.org/linux-hardening/202202021501.DA6594BFC@keescook/

-- 
Kees Cook
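The following is an added, self-contained C reproduction of the index arithmetic discussed above; it is not code from the thread or from arch/xtensa. It assumes XCHAL_NUM_AREGS is 64 (the upper value Guenter mentions) and uses a stand-in struct with only a 16-entry areg[] field, so the struct and the checked accessor are constructed for illustration. It shows that for every possible callinc value the computed subscript lies past the 16-entry array (53 being the smallest, which matches the subscript in the error log), and pairs the read with a bounds check that refuses the access instead of reading past the array.

```c
/* Added example, not from the thread: reproduce the subscript arithmetic
 * behind the -Warray-bounds error and guard the access.
 */
#include <stddef.h>
#include <stdbool.h>

#define XCHAL_NUM_AREGS  64   /* assumption: the "up to 64" value from the thread */
#define PT_REGS_AREG_LEN 16   /* the fixed areg[] size named in the error log */

/* Stand-in for the kernel's struct pt_regs; only the field this example needs. */
struct fake_pt_regs {
	unsigned long areg[PT_REGS_AREG_LEN];
};

/* Same arithmetic as the quoted copy_thread() snippet: the top two bits of
 * areg[0] select callinc, which selects the caller's register window. */
static inline int caller_ars_for(unsigned long areg0)
{
	int callinc = (areg0 >> 30) & 3;
	return XCHAL_NUM_AREGS - callinc * 4;
}

/* The subscript the snippet actually reads: areg[caller_ars + 1]. */
static inline int caller_index(unsigned long areg0)
{
	return caller_ars_for(areg0) + 1;
}

/* How many of the four possible callinc values yield a subscript that fits
 * in a 16-entry areg[]? With XCHAL_NUM_AREGS == 64 the answer is none. */
static inline int count_in_bounds_callinc(void)
{
	int in_bounds = 0;
	for (int callinc = 0; callinc < 4; callinc++) {
		int idx = caller_index((unsigned long)callinc << 30);
		if (idx >= 0 && idx < PT_REGS_AREG_LEN)
			in_bounds++;
	}
	return in_bounds;
}

/* Defensive accessor: return false rather than read past areg[]. */
static inline bool areg_read_checked(const struct fake_pt_regs *regs,
				     int idx, unsigned long *out)
{
	if (idx < 0 || (size_t)idx >= PT_REGS_AREG_LEN)
		return false;
	*out = regs->areg[idx];
	return true;
}
```

Running the checked accessor with the computed index fails for all four callinc values, which is the same conclusion the compiler reached statically: with these constants the read can never land inside the declared array, so the diagnostic is not about one odd path but about the declared size itself.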