In the latest v4 version I submitted on December 18th,<br />when I opened the -Wanalyzer-out-of-bounds and compiled it on the gcc14.2 environment,<br />'''''' <br />C compiler for the host machine: cc (gcc 14.2.1 "cc (GCC) 14.2.1 20241104 (Red Hat 14.2.1-6)")<br />Compiler for C supports arguments -Wanalyzer-out-of-bounds: YES<br />'''''' <br />this issue did not occur;<br /> <br /> <br />And [PATCH v4] net/zxdh: Provided zxdh basic init, this patch was submitted three months ago on September 9th;<br />So, I am confused;<br />Is this issue also present in the latest v4 submission version and do we need to solved it<br /> <br /> <br /> <br />>Overall this looks good, one test checklist item for me was to build<br />>with Gcc 14 and analyzer option. This finds bugs but can generate false<br />>positives.  The output is quite verbose.<br /> <br />>It complains about this which may or may not be a real problem.<br />>If memcpy() is used instead of rte_memcpy() then the problem goes away.<br />>The issue is that inlined version rte_memcpy() will reference past the arguments<br />>as an internal optimization for small values.<br /> <br />>[1564/3222] Compiling C object drivers/libtmp_rte_net_zxdh.a.p/net_zxdh_zxdh_common.c.o<br />>In file included from ../lib/mempool/rte_mempool.h:50,<br />>                 from ../lib/mbuf/rte_mbuf.h:38,<br />>                 from ../lib/net/rte_ether.h:20,<br />>                 from ../lib/ethdev/rte_eth_ctrl.h:10,<br />>                 from ../lib/ethdev/rte_ethdev.h:1472,<br />>                 from ../lib/ethdev/ethdev_driver.h:21,<br />>                 from ../drivers/net/zxdh/zxdh_common.c:8:<br />>In function ‘rte_mov15_or_less’,<br />>    inlined from ‘rte_memcpy_generic’ at ../lib/eal/x86/include/rte_memcpy.h:395:10,<br />>    inlined from ‘rte_memcpy’ at ../lib/eal/x86/include/rte_memcpy.h:757:10,<br />>    inlined from ‘zxdh_get_res_info’ at ../drivers/net/zxdh/zxdh_common.c:231:2:<br />>.../lib/eal/x86/include/rte_memcpy.h:82:55: warning: stack-based buffer overflow [CWE-121] [-Wanalyzer-out-of-bounds]<br />>   82 |                 ((struct rte_uint64_alias *)dst)->val =<br />>      |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^<br />>   83 |                         ((const struct rte_uint64_alias *)src)->val;<br />>      |                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />>  ‘zxdh_panelid_get’: events 1-3<br />>    |<br />>    |../drivers/net/zxdh/zxdh_common.c:250:1:<br />>    |  239 |         uint8_t reps = 0;<br />>    |      |                 ~~~~<br />>    |      |                 |<br />>    |      |                 (2) capacity: 1 byte<br />>    |......<br />>    |  250 | zxdh_panelid_get(struct rte_eth_dev *dev, uint8_t *panelid)<br />>    |      | ^~~~~~~~~~~~~~~~<br />>    |      | |<br />>    |      | (1) entry to ‘zxdh_panelid_get’<br />>    |......<br />>    |  255 |         int32_t ret = zxdh_get_res_panel_id(&param, panelid);<br />>    |      |                       ~<br />>    |      |                       |<br />>    |      |                       (3) inlined call to ‘zxdh_get_res_panel_id’ from ‘zxdh_panelid_get’<br />>    |<br />>           |<br />>           |  242 |         if (zxdh_get_res_info(in, ZXDH_TBL_FIELD_PNLID, &reps, &reps_len) != ZXDH_BAR_MSG_OK)<br />>           |      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />>           |      |             |<br />>           |      |             (4) calling ‘zxdh_get_res_info’ from ‘zxdh_panelid_get’<br />>           |<br />>         ‘zxdh_get_res_info’: events 5-12<br />>           |<br />>           |  186 | zxdh_get_res_info(struct zxdh_res_para *dev, uint8_t field, uint8_t *res, uint16_t *len)<br />>           |      | ^~~~~~~~~~~~~~~~~<br />>           |      | |<br />>           |      | (5) entry to ‘zxdh_get_res_info’<br />>           |......<br />>           |  192 |         if (!res || !dev)<br />>           |      |            ~<br />>           |      |            |<br />>           |      |            (6) following ‘false’ branch....<br />>           |......<br />>           |  195 |         struct zxdh_tbl_msg_header tbl_msg = {<br />>           |      |                                    ~~~~~~~<br />>           |      |                                    |<br />>           |      |                                    (7) ...to here<br />>           |......<br />>           |  217 |         if (ret != ZXDH_BAR_MSG_OK) {<br />>           |      |            ~<br />>           |      |            |<br />>           |      |            (8) following ‘false’ branch (when ‘ret == 0’)...<br />>           |......<br />>           |  225 |         if (tbl_reps->check != ZXDH_TBL_MSG_PRO_SUCCESS) {<br />>           |      |            ~~~~~~~~~~~~~~~~<br />>           |      |            |        |<br />>           |      |            |        (9) ...to here<br />>           |      |            (10) following ‘false’ branch...<br />>           |......<br />>           |  230 |         *len = tbl_reps->len;<br />>           |      |                ~~~~~~~~~~~~~<br />>           |      |                        |<br />>           |      |                        (11) ...to here<br />>           |  231 |         rte_memcpy(res, (recv_buf + ZXDH_REPS_HEADER_OFFSET +<br />>           |      |         ~<br />>           |      |         |<br />>           |      |         (12) inlined call to ‘rte_memcpy’ from ‘zxdh_get_res_info’<br />>           |<br />>           +--> ‘rte_memcpy’: events 13-14<br />>                  |<br />>                  |../lib/eal/x86/include/rte_memcpy.h:754:12:<br />>                  |  754 |         if (!(((uintptr_t)dst | (uintptr_t)src) & ALIGNMENT_MASK))<br />>                  |      |            ^<br />>                  |      |            |<br />>                  |      |            (13) following ‘false’ branch...<br />>                  |......<br />>                  |  757 |                 return rte_memcpy_generic(dst, src, n);<br />>                  |      |                        ~<br />>                  |      |                        |<br />>                  |      |                        (14) inlined call to ‘rte_memcpy_generic’ from ‘rte_memcpy’<br />>                  |<br />>                  +--> ‘rte_memcpy_generic’: events 15-17<br />>                         |<br />>                         |  394 |         if (n < 16) {<br />>                         |      |            ^<br />>                         |      |            |<br />>                         |      |            (15) ...to here<br />>                         |      |            (16) following ‘true’ branch...<br />>                         |  395 |                 return rte_mov15_or_less(dst, src, n);<br />>                         |      |                        ~<br />>                         |      |                        |<br />>                         |      |                        (17) inlined call to ‘rte_mov15_or_less’ from ‘rte_memcpy_generic’<br />>                         |<br />>                         +--> ‘rte_mov15_or_less’: events 18-21<br />>                                |<br />>                                |   81 |         if (n & 8) {<br />>                                |      |            ^<br />>                                |      |            |<br />>                                |      |            (18) ...to here<br />>                                |      |            (19) following ‘true’ branch...<br />>                                |   82 |                 ((struct rte_uint64_alias *)dst)->val =<br />>                                |      |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />>                                |      |                                                       |<br />>                                |      |                                                       (21) out-of-bounds write from byte 1 till byte 7 but ‘reps’ ends at byte 1<br />>                                |   83 |                         ((const struct rte_uint64_alias *)src)->val;<br />>                                |      |                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />>                                |      |                                                               |<br />>                                |      |                                                               (20) ...to here<br />>                                |<br />>.../lib/eal/x86/include/rte_memcpy.h:82:55: note: write of 7 bytes to beyond the end of ‘reps’<br />>   82 |                 ((struct rte_uint64_alias *)dst)->val =<br />>      |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^<br />>   83 |                         ((const struct rte_uint64_alias *)src)->val;<br />>      |                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />> <br />>  ┌──────────────────────────────────────────────────────────────────────┐<br />>  │                    write of ‘uint64_t’ (8 bytes)                     │<br />>  └──────────────────────────────────────────────────────────────────────┘<br />>              │                                   │<br />>              │                                   │<br />>              v                                   v<br />>  ┌────────────────────────┐┌────────────────────────────────────────────┐<br />>  │‘reps’ (type: ‘uint8_t’)││             after valid range              │<br />>  └────────────────────────┘└────────────────────────────────────────────┘<br />>  ├───────────┬────────────┤├─────────────────────┬──────────────────────┤<br />>              │                                   │<br />>     ╭────────┴───────╮               ╭───────────┴──────────╮<br />>     │capacity: 1 byte│               │⚠️  overflow of 7 bytes│<br />>     ╰────────────────╯               ╰──────────────────────╯