Re: [PATCH v2 1/4] iio: proximity: hx9023s: fix out-of-bounds access when copying firmware

From: Krzysztof Kozlowski

Date: Thu Feb 12 2026 - 11:31:17 EST


On 12/02/2026 14:48, Andy Shevchenko wrote:
> On Thu, Feb 12, 2026 at 12:25:54PM +0100, Krzysztof Kozlowski wrote:
>> On Thu, Feb 12, 2026 at 02:26:52PM +0800, Yasin Lee wrote:
>>> Initialize fw_size before copying firmware data into the flexible
>>> array member to match the __counted_by() annotation. This fixes a
>>> potential out-of-bounds access that could lead to a kernel crash.
>>
>> I don't think so. Code is equivalent and this was just false positive
>> because compiler could not deduce that in this case counted_by can be by
>> fw->size.
>
> In accordance with [1]:
>
> When finding the element count assignment, it must be reordered
> to before any accesses of the PTR->ARRAY itself, otherwise runtime
> checking will trigger (i.e. the index of ARRAY will be checked against
> COUNTER before COUNTER has been assigned the correct COUNT value).
>
> [1]: https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci#L3
>

Thanks for correcting me. I agree this is a fix but, still, I think this
will not be an out-of-bounds access, because then the runtime checker
will use initial bin->fw_size value of 0.

Best regards,
Krzysztof
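
The ordering rule quoted from counted_by.cocci, as an added example that is not part of the thread or of the hx9023s driver: a userspace model in which the bound on the flexible array is the counter's value at the time of the access. `struct fw_blob`, `checked_copy()` and `load_fw()` are hypothetical names, and the zeroed allocation is an assumption.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-in for the kernel's __counted_by(); empty if unsupported. */
#ifdef __has_attribute
# if __has_attribute(counted_by)
#  define COUNTED_BY(m) __attribute__((counted_by(m)))
# endif
#endif
#ifndef COUNTED_BY
# define COUNTED_BY(m)
#endif
/* Hypothetical layout: only the name fw_size appears in the thread. */
struct fw_blob {
	size_t fw_size;
	uint8_t data[] COUNTED_BY(fw_size);
};

/* Simplified model of the runtime check: bound = counter value at access time. */
static int checked_copy(struct fw_blob *b, const uint8_t *src, size_t n)
{
	if (n > b->fw_size)
		return -1;	/* rejected, nothing is written */
	memcpy(b->data, src, n);
	return 0;
}

/* count_first == 0: copy, then set fw_size; 1: set fw_size, then copy. */
static struct fw_blob *load_fw(const uint8_t *fw, size_t size, int count_first, int *rc)
{
	struct fw_blob *b = calloc(1, sizeof(*b) + size);	/* zeroed: fw_size == 0 */
	if (!b)
		return NULL;
	if (count_first)
		b->fw_size = size;
	*rc = checked_copy(b, fw, size);
	b->fw_size = size;
	return b;
}

int main(void)
{
	const uint8_t img[4] = { 0xde, 0xad, 0xbe, 0xef };	/* constructed sample */
	int rc_old = 0, rc_new = 0;
	free(load_fw(img, sizeof(img), 0, &rc_old));	/* copy first: rejected */
	free(load_fw(img, sizeof(img), 1, &rc_new));	/* count first: accepted */
	return !(rc_old == -1 && rc_new == 0);
}
```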