mirror of
https://github.com/openwrt/openwrt.git
synced 2025-03-13 15:56:55 +00:00
Since the update to kernel 6.1, a warning like this appears in the kernel log:

[ 49.773953] ------------[ cut here ]------------
[ 49.773998] WARNING: CPU: 3 PID: 2349 at target-arm_cortex-a7+neon-vfpv4_musl_eabi/linux-ipq40xx_generic/dsl_cpe_mei-ugw_8.5.2.10/src/drv_mei_cpe_msg_process.c:3570 MEI_IoctlCmdMsgWrite+0x290/0x2c8 [drv_mei_cpe]
[ 49.777670] memcpy: detected field-spanning write (size 4) of single field "pDestPtr" at target-arm_cortex-a7+neon-vfpv4_musl_eabi/linux-ipq40xx_generic/dsl_cpe_mei-ugw_8.5.2.10/src/drv_mei_cpe_msg_process.c:3570 (size 2)
...
[ 50.087078] ---[ end trace 0000000000000000 ]---

The variable "pDestPtr" points to the field "header.index" in a CMV_STD_MESSAGE_T struct (header is a CMV_STD_MESSAGE_HEADER_T struct). The offending code intentionally copies data beyond this field, which is followed by "header.length" and "payload".

To fix this, change the assignment of "pDestPtr" to use the pointer to the message plus the offset of the "header.index" field. This way, the compiler knows about the size and thus the false positive warning disappears.

While at it, also adjust all places where similar code is used to copy from a CMV_STD_MESSAGE_T struct.

Also mark all related structs as packed, because the code (and the driver in general) seems to rely on that anyway.

Fixes: https://github.com/openwrt/openwrt/issues/17142
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Link: https://patchwork.ozlabs.org/project/openwrt/patch/20250206225444.2521817-1-jan@3e8.eu/
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
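
An added example, not part of the commit or the driver source: it shows why a destination derived from the message base plus offsetof() carries the bound of the remaining struct, while a pointer to "header.index" carries only that field's 2 bytes. The struct layout, the names msg_header, std_message, classify and msg_write_from_index, and the simplified check in classify are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout (constructed): only the field order index, length,
 * payload and the packed attribute come from the commit message. */
struct msg_header { uint16_t opcode, index, length; } __attribute__((packed));
struct std_message {
    struct msg_header header;
    uint16_t payload[4];
} __attribute__((packed));
#define INDEX_OFF offsetof(struct std_message, header.index)
enum verdict { COPY_OK, COPY_FIELD_SPANNING, COPY_OVERFLOW };

/* Bound seen through a pointer to the member alone. */
size_t field_bound(void) { return sizeof(((struct std_message *)0)->header.index); }
/* Bound seen through message base + offset: the rest of the struct. */
size_t span_bound(void) { return sizeof(struct std_message) - INDEX_OFF; }

/* Simplified model of the check (assumption): compare the copy length with
 * the bound of the pointed-to field, then with the enclosing object. */
enum verdict classify(size_t len, size_t field_size, size_t object_size)
{
    if (len > object_size)
        return COPY_OVERFLOW;
    return len > field_size ? COPY_FIELD_SPANNING : COPY_OK;
}

/* Write len bytes starting at header.index; the destination is derived from
 * the message base, so the copy is bounded by the remaining struct size. */
int msg_write_from_index(struct std_message *msg, const void *src, size_t len)
{
    if (len > span_bound())
        return -1;
    memcpy((unsigned char *)msg + INDEX_OFF, src, len);
    return 0;
}

/* Constructed input: 4 bytes covering index and length, as in the log. */
int demo_write(void)
{
    static const unsigned char src[4] = { 0x11, 0x22, 0x33, 0x44 };
    struct std_message m;
    memset(&m, 0, sizeof(m));
    if (msg_write_from_index(&m, src, sizeof(src)) != 0)
        return 0;
    return m.header.opcode == 0 && memcmp((unsigned char *)&m + INDEX_OFF, src, 4) == 0;
}
int main(void) { return demo_write() ? 0 : 1; }
```

With the field pointer the 4-byte copy from the log classifies as field-spanning (4 > 2); with the offset-based pointer the same copy is within the 12 remaining bytes.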