UBSAN: array-index-out-of-bounds


Randy Dunlap

Dec 19, 2025, 11:20:16 PM
to Kees Cook, kasa...@googlegroups.com, linux-h...@vger.kernel.org

from kernel bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=220823


Dec 15 22:01:52 orpheus kernel: UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.18.1/work/linux-6.18/drivers/mtd/devices/mtd_intel_dg.c:750:15


(from drivers/mtd/devices/mtd_intel_dg.c:)

    nvm = kzalloc(struct_size(nvm, regions, nregions), GFP_KERNEL);
    ...

    for (n = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) {
        if (!invm->regions[i].name)
            continue;

        char *name = kasprintf(GFP_KERNEL, "%s.%s",
                               dev_name(&aux_dev->dev), invm->regions[i].name);
        if (!name)
            continue;
750:    nvm->regions[n].name = name;
        nvm->regions[n].id = i;
        n++;
    }
    nvm->nregions = n;


regions is a flexible array in struct intel_dg_nvm *nvm; [see below]
regions is counted_by nvm->nregions.

Question: does UBSAN use the value of the counted_by variable for array bounds
checking?
If so, that means nvm->nregions must be updated before the array entry
is used. Is that correct?

If not, how does UBSAN do array-bounds checking in cases like this?


struct intel_dg_nvm {
    struct kref refcnt;
    struct mtd_info mtd;
    struct mutex lock; /* region access lock */
    void __iomem *base;
    void __iomem *base2;
    bool non_posted_erase;

    size_t size;
    unsigned int nregions;
    struct {
        const char *name;
        u8 id;
        u64 offset;
        u64 size;
        unsigned int is_readable:1;
        unsigned int is_writable:1;
    } regions[] __counted_by(nregions);
};

thanks.
--
~Randy
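An added worked example, not part of the report above and not taken from the kernel source, that illustrates the ordering question it raises. It assumes what the kernel's own documentation for __counted_by states: a bounds-sanitized build compares the index against the current value of the count member at each access, so the count has to describe the allocated capacity before any element is touched, and can be tightened to the populated count afterwards. The struct, the names table, NREGIONS and the index_in_bounds helper are constructed for the demonstration; the helper emulates the compiler-inserted check so the program gives the same answer with or without -fsanitize=bounds, and the attribute is only applied where the compiler supports it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define NREGIONS 4   /* stands in for INTEL_DG_NVM_REGIONS (constructed) */

/* Apply counted_by only where the compiler knows it (GCC 15+, Clang 18+);
 * the program's logic does not depend on the attribute being present. */
#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(m) __attribute__((counted_by(m)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(m)
#endif

/* Trimmed, constructed mirror of struct intel_dg_nvm: count, then flexible array. */
struct nvm {
    unsigned int nregions;
    struct {
        const char *name;
        unsigned int id;
    } regions[] COUNTED_BY(nregions);
};

/* Emulates the check the compiler inserts for a counted_by array under
 * -fsanitize=array-bounds: the index is compared with the CURRENT value of
 * the count member, not with the capacity passed to the allocator. */
static bool index_in_bounds(const struct nvm *nvm, size_t idx)
{
    return idx < nvm->nregions;
}

/* Constructed source table; the NULL entry plays a region without a name. */
static const char *const src_names[NREGIONS] = { "descriptor", NULL, "gsc", "oprom" };

/*
 * Rebuilds the population loop from the report. Returns how many element
 * accesses the emulated check would flag, i.e. how many UBSAN reports a
 * sanitized build would print. With set_count_first the count is set to the
 * allocated capacity right after allocation and tightened to the populated
 * count after the loop; otherwise it stays zero until the loop has finished.
 */
static int fill_regions(bool set_count_first, unsigned int *final_count)
{
    struct nvm *nvm = calloc(1, sizeof(*nvm) + NREGIONS * sizeof(nvm->regions[0]));
    int flagged = 0;
    unsigned int n, i;

    if (!nvm)
        return -1;
    if (set_count_first)
        nvm->nregions = NREGIONS;    /* bound = what was actually allocated */

    for (n = 0, i = 0; i < NREGIONS; i++) {
        if (!src_names[i])
            continue;
        if (!index_in_bounds(nvm, n))
            flagged++;               /* a sanitized build reports here */
        nvm->regions[n].name = src_names[i];
        nvm->regions[n].id = i;
        n++;
    }
    nvm->nregions = n;               /* only populated entries stay addressable */

    if (final_count)
        *final_count = nvm->nregions;
    free(nvm);
    return flagged;
}

/* The populated count after the loop, independent of the ordering choice. */
static unsigned int populated_count(bool set_count_first)
{
    unsigned int n = 0;
    (void)fill_regions(set_count_first, &n);
    return n;
}

int main(void)
{
    printf("count set after loop : %d accesses flagged\n", fill_regions(false, NULL));
    printf("count set before loop: %d accesses flagged\n", fill_regions(true, NULL));
    printf("populated regions    : %u\n", populated_count(true));
    return 0;
}
```

With the count left at zero until after the loop, every one of the three stores is flagged, which matches the report's line 750 being the first element access; setting the count to the allocated capacity first makes all three pass, and tightening it to the populated count afterwards keeps later reads of regions[] bounded by what was actually filled in.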
