
error: call to ‘__read_overflow2’ declared with attribute error: detected read beyond size of object passed as 2nd parameter #1

Closed
Bloodlog opened this issue Jun 8, 2022 · 2 comments

Comments

@Bloodlog

Bloodlog commented Jun 8, 2022

Hi! I am trying to install a wifi driver on a Xiaomi Redmi 15 Ryzen edition laptop.

$ make
#rm -f .symvers.8852be
make ARCH=x86_64 CROSS_COMPILE= -C /lib/modules/5.15.0-25-generic/build M=/home/bloodlog/rtw8852be  modules
make[1]: вход в каталог «/usr/src/linux-headers-5.15.0-25-generic»
  CC [M]  /home/bloodlog/rtw8852be/phl/hal_g6/btc/hal_btc.o
In file included from ./include/linux/string.h:262,
                 from ./include/linux/bitmap.h:10,
                 from ./include/linux/cpumask.h:12,
                 from ./arch/x86/include/asm/cpumask.h:5,
                 from ./arch/x86/include/asm/msr.h:11,
                 from ./arch/x86/include/asm/processor.h:22,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:65,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/stat.h:19,
                 from ./include/linux/module.h:13,
                 from /home/bloodlog/rtw8852be/include/basic_types.h:38,
                 from /home/bloodlog/rtw8852be/include/drv_types.h:24,
                 from /home/bloodlog/rtw8852be/phl/hal_g6/btc/../../pltfm_ops_linux.h:17,
                 from /home/bloodlog/rtw8852be/phl/hal_g6/btc/../../pltfm_ops.h:21,
                 from /home/bloodlog/rtw8852be/phl/hal_g6/btc/../hal_headers_le.h:22,
                 from /home/bloodlog/rtw8852be/phl/hal_g6/btc/hal_btc.c:16:
In function ‘memcpy’,
    inlined from ‘hal_btc_init’ at /home/bloodlog/rtw8852be/phl/hal_g6/btc/hal_btc.c:1861:2:
./include/linux/fortify-string.h:187:25: error: call to ‘__read_overflow2’ declared with attribute error: detected read beyond size of object passed as 2nd parameter
  187 |                         __read_overflow2();
      |                         ^~~~~~~~~~~~~~~~~~
make[2]: *** [scripts/Makefile.build:285: /home/bloodlog/rtw8852be/phl/hal_g6/btc/hal_btc.o] Ошибка 1
make[1]: *** [Makefile:1875: /home/bloodlog/rtw8852be] Ошибка 2
make[1]: выход из каталога «/usr/src/linux-headers-5.15.0-25-generic»
make: *** [Makefile:767: modules] Ошибка 2

@lwfinger
Owner

lwfinger commented Jun 8, 2022

Thanks for this report. The driver was doing
memcpy(btc->dm.run_reason, "None", BTC_RSN_MAXLEN);

instead of
memcpy(btc->dm.run_reason, "None", 5);

Counting the closing NULL, the string is a lot shorter than BTC_RSN_MAXLEN, which is defined as 32.

With this fix, the driver compiles cleanly, AND runs. I am using it now to send this message.

lwfinger added a commit that referenced this issue Jun 9, 2022
The macro hal_mem_cpy() has several places that can overrun either
the source or destination size. These overruns can lead to kernel
bugs such as:

 detected buffer overflow in memcpy
 ------------[ cut here ]------------
 kernel BUG at lib/string_helpers.c:983!
 invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
 CPU: 0 PID: 5364 Comm: insmod Tainted: G           OE     5.19.0-rc1-00009-g74de34150d21 #848 35456bf5857cb1>
 Hardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50   09/29/2014
 RIP: 0010:fortify_panic+0xf/0x11
 Code: c7 c7 60 94 70 b8 48 89 d6 e8 b6 21 fe ff 48 89 df e8 ad f6 2e ff e9 9f 3d 70 ff 48 89 fe 48 c7 c7 a0 >
 RSP: 0018:ffff8881ac4df310 EFLAGS: 00010282
 RAX: 0000000000000022 RBX: ffffc9000112d000 RCX: 0000000000000000
 RDX: 0000000000000022 RSI: 0000000000000008 RDI: ffffed103589be55
 RBP: ffffc9000112e010 R08: 0000000000000001 R09: ffff8882b1642e6f
 R10: ffffed10562c85cd R11: 0000000000000000 R12: 0000000000000004
 R13: ffffc9000083f000 R14: ffffc90000944000 R15: ffff888108c40000
 FS:  00007ff77b7a2740(0000) GS:ffff8882b1600000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f463f9417ae CR3: 0000000143652006 CR4: 00000000001706f0
 Call Trace:
  <TASK>
  hal_btc_init+0x15d/0x15d [8852be a3b49b18f720e4d07e8f1c83740002efbd8d05f6]

This problem arises in hal_btc_init() from the code "_rsn_cpy(btc->dm.run_reason, "None");"
The macro _rsn_cpy() calls hal_mem_cpy() with a size argument of BTC_RSN_MAXLEN (32)
which is much larger than the 5 bytes of the string "none".

There are other instances where the size of the item to be copied is greater
than the size of the destination. Accordingly macro hal_mem_cpy() is changed
to test the copy size against the sizes of the source and the destination.

With this change, the driver works.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
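As an added example (not the rtw8852be driver's code and not Larry Finger's patch), this userspace C program models the check the commit message describes: a copy helper that refuses a length exceeding either the source or the destination, so the old BTC_RSN_MAXLEN-sized copy of "None" is rejected at runtime the same way the fortified memcpy rejects it at compile time. checked_mem_cpy, rsn_cpy, old_call and fixed_call are assumed names; BTC_RSN_MAXLEN = 32 is taken from the thread.

```c
/* Added example, not the driver's code: a bounds-checked copy in the
 * spirit of the hal_mem_cpy() fix discussed above. BTC_RSN_MAXLEN comes
 * from the thread; the helper and function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define BTC_RSN_MAXLEN 32

/* Copy n bytes only if n fits both the destination and the source.
 * Returns 0 on success, -1 if the request would overrun either side
 * (the runtime analogue of the compiler's __read_overflow2 check). */
static int checked_mem_cpy(void *dst, size_t dst_size,
                           const void *src, size_t src_size, size_t n)
{
    if (n > dst_size || n > src_size)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Copy a string literal into a fixed reason buffer, bounded by both the
 * literal's own size (its NUL included) and the buffer size. Only valid
 * when both arguments are arrays, so sizeof yields their true sizes. */
#define rsn_cpy(dst, lit) \
    checked_mem_cpy((dst), sizeof(dst), (lit), sizeof(lit), sizeof(lit))

struct btc_dm { char run_reason[BTC_RSN_MAXLEN]; };

/* The old call from the thread: "None" occupies 5 bytes, but the size
 * argument is BTC_RSN_MAXLEN (32), which reads past the literal. */
static int old_call(struct btc_dm *dm)
{
    return checked_mem_cpy(dm->run_reason, sizeof(dm->run_reason),
                           "None", sizeof("None"), BTC_RSN_MAXLEN);
}

/* The fixed call: the length is derived from the literal (5 bytes). */
static int fixed_call(struct btc_dm *dm)
{
    return rsn_cpy(dm->run_reason, "None");
}

int main(void)
{
    struct btc_dm dm = { .run_reason = "stale" };
    printf("old call: %d\n", old_call(&dm));          /* -1: rejected */
    printf("fixed call: %d reason=%s\n", fixed_call(&dm), dm.run_reason);
    return 0;
}
```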
@Bloodlog
Author

Bloodlog commented Jun 9, 2022

Thanks;)
