Patch "nouveau/gsp: Avoid addressing beyond end of rpc->entries" has been added to the 6.8-stable tree


 



This is a note to let you know that I've just added the patch titled

    nouveau/gsp: Avoid addressing beyond end of rpc->entries

to the 6.8-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nouveau-gsp-avoid-addressing-beyond-end-of-rpc-entri.patch
and it can be found in the queue-6.8 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 632f7374eccb38f25ab8a578e2d7f5c2ec7e23f0
Author: Kees Cook <keescook@xxxxxxxxxxxx>
Date:   Sat Mar 30 07:12:03 2024 -0700

    nouveau/gsp: Avoid addressing beyond end of rpc->entries
    
    [ Upstream commit 838ae9f45c4e43b4633d8b0ad1fbedff9ecf177d ]
    
    Using the end of rpc->entries[] for addressing runs into both compile-time
    and run-time detection of accessing beyond the end of the array. Use the
    base pointer instead, since it was allocated with the additional bytes for
    storing the strings. Avoids the following warning in future GCC releases
    with support for __counted_by:
    
    In function 'fortify_memcpy_chk',
        inlined from 'r535_gsp_rpc_set_registry' at ../drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c:1123:3:
    ../include/linux/fortify-string.h:553:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
      553 |                         __write_overflow_field(p_size_field, size);
          |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    for this code:
    
            strings = (char *)&rpc->entries[NV_GSP_REG_NUM_ENTRIES];
            ...
                    memcpy(strings, r535_registry_entries[i].name, name_len);
    
    Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
    Signed-off-by: Danilo Krummrich <dakr@xxxxxxxxxx>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240330141159.work.063-kees@xxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
index a73a5b5897904..dcafbb2004ca2 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
@@ -1112,7 +1112,7 @@ r535_gsp_rpc_set_registry(struct nvkm_gsp *gsp)
 	rpc->numEntries = NV_GSP_REG_NUM_ENTRIES;
 
 	str_offset = offsetof(typeof(*rpc), entries[NV_GSP_REG_NUM_ENTRIES]);
-	strings = (char *)&rpc->entries[NV_GSP_REG_NUM_ENTRIES];
+	strings = (char *)rpc + str_offset;
 	for (i = 0; i < NV_GSP_REG_NUM_ENTRIES; i++) {
 		int name_len = strlen(r535_registry_entries[i].name) + 1;
 
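Review bot: the new `strings = (char *)rpc + str_offset;` line carries no comment explaining why the base pointer is used instead of `&rpc->entries[NV_GSP_REG_NUM_ENTRIES]`, and the two forms look equivalent enough that a later cleanup could switch it back. A short comment saying that the strings live in the extra bytes allocated after entries[], and that addressing them through entries[] trips the fortify/__counted_by checks, would prevent that. Separately, once the pointer is derived from rpc, the memcpy() destination is no longer bounded by a struct field, so the only remaining bound is the allocation size, which is not visible in this hunk; it is worth confirming that it covers str_offset plus the sum of the name_len values computed in the loop. Minor: name_len is an int holding strlen() + 1; size_t would match the value's type.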




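The layout the commit message describes, as an added example that is not part of the original patch or the nouveau driver: a header with a flexible array, followed by packed strings in the same allocation, with the string area addressed from the allocation base and each copy bounded against the allocation size. The struct fields, the sample names and `build_table` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the RPC layout: header, entry table, then strings. */
struct reg_entry { uint32_t name_offset; uint32_t type; uint32_t data; uint32_t length; };
struct reg_table {
	uint32_t size;
	uint32_t num_entries;
	struct reg_entry entries[];   /* strings are packed after the last entry */
};

/* Hypothetical sample names, not the driver's registry keys. */
static const char *const sample_names[] = { "KeyAlpha", "KeyB", "KeyGammaLong" };
#define NUM_ENTRIES (sizeof(sample_names) / sizeof(sample_names[0]))

/* Build the table; returns NULL on allocation failure or if a copy would overrun. */
struct reg_table *build_table(size_t *total_out)
{
	size_t str_offset = offsetof(struct reg_table, entries) + NUM_ENTRIES * sizeof(struct reg_entry);
	size_t total = str_offset;
	for (size_t i = 0; i < NUM_ENTRIES; i++)
		total += strlen(sample_names[i]) + 1;

	struct reg_table *t = calloc(1, total);
	if (!t)
		return NULL;
	t->num_entries = (uint32_t)NUM_ENTRIES;

	/* Address the string area from the allocation base, not &t->entries[NUM_ENTRIES]:
	 * these bytes belong to the allocation, not to the entries[] array. */
	char *strings = (char *)t + str_offset;
	size_t off = str_offset;
	for (size_t i = 0; i < NUM_ENTRIES; i++) {
		size_t name_len = strlen(sample_names[i]) + 1;
		if (name_len > total - off) {   /* explicit bound against the allocation */
			free(t);
			return NULL;
		}
		t->entries[i].name_offset = (uint32_t)off;
		memcpy(strings, sample_names[i], name_len);
		strings += name_len;
		off += name_len;
	}
	t->size = (uint32_t)off;
	*total_out = total;
	return t;
}
```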