From: kernel test robot <lkp@intel.com>
To: kbuild-all@lists.01.org
Subject: [linux-next:master 1562/1734] include/linux/fortify-string.h:275:25: warning: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()?
Date: Tue, 25 Jan 2022 18:33:09 +0800 [thread overview]
Message-ID: <202201251833.Hon4gcuF-lkp@intel.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 6522 bytes --]
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head: d25ee88530253138d0b20d43511ca5acbda4e9f7
commit: 602670289b69b2fded3a0b2240c4877e3a015ac6 [1562/1734] fortify: Detect struct member overflows in memcpy() at compile-time
config: arm-aspeed_g5_defconfig (https://download.01.org/0day-ci/archive/20220125/202201251833.Hon4gcuF-lkp(a)intel.com/config)
compiler: arm-linux-gnueabi-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=602670289b69b2fded3a0b2240c4877e3a015ac6
git remote add linux-next https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
git fetch --no-tags linux-next master
git checkout 602670289b69b2fded3a0b2240c4877e3a015ac6
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=arm SHELL=/bin/bash net/core/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
In file included from include/linux/string.h:253,
from include/linux/bitmap.h:11,
from include/linux/cpumask.h:12,
from include/linux/smp.h:13,
from include/linux/lockdep.h:14,
from include/linux/spinlock.h:62,
from include/linux/wait.h:9,
from include/linux/wait_bit.h:8,
from include/linux/fs.h:6,
from include/linux/highmem.h:5,
from include/linux/bvec.h:10,
from include/linux/skbuff.h:17,
from net/core/flow_dissector.c:3:
In function 'fortify_memcpy_chk',
inlined from '__skb_flow_dissect' at net/core/flow_dissector.c:1034:3:
>> include/linux/fortify-string.h:275:25: warning: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Wattribute-warning]
275 | __read_overflow2_field(q_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vim +/__read_overflow2_field +275 include/linux/fortify-string.h
213
214 /*
215 * To make sure the compiler can enforce protection against buffer overflows,
216 * memcpy(), memmove(), and memset() must not be used beyond individual
217 * struct members. If you need to copy across multiple members, please use
218 * struct_group() to create a named mirror of an anonymous struct union.
219 * (e.g. see struct sk_buff.)
220 *
221 * Mitigation coverage
222 * Bounds checking at:
223 * +-------+-------+-------+-------+
224 * | Compile time | Run time |
225 * memcpy() argument sizes: | write | read | write | read |
226 * +-------+-------+-------+-------+
227 * memcpy(known, known, constant) | y | y | n/a | n/a |
228 * memcpy(unknown, known, constant) | n | y | V | n/a |
229 * memcpy(known, unknown, constant) | y | n | n/a | V |
230 * memcpy(unknown, unknown, constant) | n | n | V | V |
231 * memcpy(known, known, dynamic) | n | n | b | B |
232 * memcpy(unknown, known, dynamic) | n | n | V | B |
233 * memcpy(known, unknown, dynamic) | n | n | b | V |
234 * memcpy(unknown, unknown, dynamic) | n | n | V | V |
235 * +-------+-------+-------+-------+
236 *
237 * y = deterministic compile-time bounds checking
238 * n = cannot do deterministic compile-time bounds checking
239 * n/a = no run-time bounds checking needed since compile-time deterministic
240 * b = perform run-time bounds checking
241 * B = can perform run-time bounds checking, but current unenforced
242 * V = vulnerable to run-time overflow
243 *
244 */
245 __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size,
246 const size_t p_size,
247 const size_t q_size,
248 const size_t p_size_field,
249 const size_t q_size_field,
250 const char *func)
251 {
252 if (__builtin_constant_p(size)) {
253 /*
254 * Length argument is a constant expression, so we
255 * can perform compile-time bounds checking where
256 * buffer sizes are known.
257 */
258
259 /* Error when size is larger than enclosing struct. */
260 if (p_size > p_size_field && p_size < size)
261 __write_overflow();
262 if (q_size > q_size_field && q_size < size)
263 __read_overflow2();
264
265 /* Warn when write size argument larger than dest field. */
266 if (p_size_field < size)
267 __write_overflow_field(p_size_field, size);
268 /*
269 * Warn for source field over-read when building with W=1
270 * or when an over-write happened, so both can be fixed at
271 * the same time.
272 */
273 if ((IS_ENABLED(KBUILD_EXTRA_WARN1) || p_size_field < size) &&
274 q_size_field < size)
> 275 __read_overflow2_field(q_size_field, size);
276 }
277 /*
278 * At this point, length argument may not be a constant expression,
279 * so run-time bounds checking can be done where buffer sizes are
280 * known. (This is not an "else" because the above checks may only
281 * be compile-time warnings, and we want to still warn for run-time
282 * overflows.)
283 */
284
285 /*
286 * Always stop accesses beyond the struct that contains the
287 * field, when the buffer's remaining size is known.
288 * (The -1 test is to optimize away checks where the buffer
289 * lengths are unknown.)
290 */
291 if ((p_size != (size_t)(-1) && p_size < size) ||
292 (q_size != (size_t)(-1) && q_size < size))
293 fortify_panic(func);
294 }
295
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
WARNING: multiple messages have this Message-ID (diff)
From: kernel test robot <lkp@intel.com>
To: Kees Cook <keescook@chromium.org>
Cc: kbuild-all@lists.01.org,
Linux Memory Management List <linux-mm@kvack.org>
Subject: [linux-next:master 1562/1734] include/linux/fortify-string.h:275:25: warning: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()?
Date: Tue, 25 Jan 2022 18:33:09 +0800 [thread overview]
Message-ID: <202201251833.Hon4gcuF-lkp@intel.com> (raw)
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head: d25ee88530253138d0b20d43511ca5acbda4e9f7
commit: 602670289b69b2fded3a0b2240c4877e3a015ac6 [1562/1734] fortify: Detect struct member overflows in memcpy() at compile-time
config: arm-aspeed_g5_defconfig (https://download.01.org/0day-ci/archive/20220125/202201251833.Hon4gcuF-lkp@intel.com/config)
compiler: arm-linux-gnueabi-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=602670289b69b2fded3a0b2240c4877e3a015ac6
git remote add linux-next https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
git fetch --no-tags linux-next master
git checkout 602670289b69b2fded3a0b2240c4877e3a015ac6
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=arm SHELL=/bin/bash net/core/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
In file included from include/linux/string.h:253,
from include/linux/bitmap.h:11,
from include/linux/cpumask.h:12,
from include/linux/smp.h:13,
from include/linux/lockdep.h:14,
from include/linux/spinlock.h:62,
from include/linux/wait.h:9,
from include/linux/wait_bit.h:8,
from include/linux/fs.h:6,
from include/linux/highmem.h:5,
from include/linux/bvec.h:10,
from include/linux/skbuff.h:17,
from net/core/flow_dissector.c:3:
In function 'fortify_memcpy_chk',
inlined from '__skb_flow_dissect' at net/core/flow_dissector.c:1034:3:
>> include/linux/fortify-string.h:275:25: warning: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Wattribute-warning]
275 | __read_overflow2_field(q_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vim +/__read_overflow2_field +275 include/linux/fortify-string.h
213
214 /*
215 * To make sure the compiler can enforce protection against buffer overflows,
216 * memcpy(), memmove(), and memset() must not be used beyond individual
217 * struct members. If you need to copy across multiple members, please use
218 * struct_group() to create a named mirror of an anonymous struct union.
219 * (e.g. see struct sk_buff.)
220 *
221 * Mitigation coverage
222 * Bounds checking at:
223 * +-------+-------+-------+-------+
224 * | Compile time | Run time |
225 * memcpy() argument sizes: | write | read | write | read |
226 * +-------+-------+-------+-------+
227 * memcpy(known, known, constant) | y | y | n/a | n/a |
228 * memcpy(unknown, known, constant) | n | y | V | n/a |
229 * memcpy(known, unknown, constant) | y | n | n/a | V |
230 * memcpy(unknown, unknown, constant) | n | n | V | V |
231 * memcpy(known, known, dynamic) | n | n | b | B |
232 * memcpy(unknown, known, dynamic) | n | n | V | B |
233 * memcpy(known, unknown, dynamic) | n | n | b | V |
234 * memcpy(unknown, unknown, dynamic) | n | n | V | V |
235 * +-------+-------+-------+-------+
236 *
237 * y = deterministic compile-time bounds checking
238 * n = cannot do deterministic compile-time bounds checking
239 * n/a = no run-time bounds checking needed since compile-time deterministic
240 * b = perform run-time bounds checking
241 * B = can perform run-time bounds checking, but current unenforced
242 * V = vulnerable to run-time overflow
243 *
244 */
245 __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size,
246 const size_t p_size,
247 const size_t q_size,
248 const size_t p_size_field,
249 const size_t q_size_field,
250 const char *func)
251 {
252 if (__builtin_constant_p(size)) {
253 /*
254 * Length argument is a constant expression, so we
255 * can perform compile-time bounds checking where
256 * buffer sizes are known.
257 */
258
259 /* Error when size is larger than enclosing struct. */
260 if (p_size > p_size_field && p_size < size)
261 __write_overflow();
262 if (q_size > q_size_field && q_size < size)
263 __read_overflow2();
264
265 /* Warn when write size argument larger than dest field. */
266 if (p_size_field < size)
267 __write_overflow_field(p_size_field, size);
268 /*
269 * Warn for source field over-read when building with W=1
270 * or when an over-write happened, so both can be fixed at
271 * the same time.
272 */
273 if ((IS_ENABLED(KBUILD_EXTRA_WARN1) || p_size_field < size) &&
274 q_size_field < size)
> 275 __read_overflow2_field(q_size_field, size);
276 }
277 /*
278 * At this point, length argument may not be a constant expression,
279 * so run-time bounds checking can be done where buffer sizes are
280 * known. (This is not an "else" because the above checks may only
281 * be compile-time warnings, and we want to still warn for run-time
282 * overflows.)
283 */
284
285 /*
286 * Always stop accesses beyond the struct that contains the
287 * field, when the buffer's remaining size is known.
288 * (The -1 test is to optimize away checks where the buffer
289 * lengths are unknown.)
290 */
291 if ((p_size != (size_t)(-1) && p_size < size) ||
292 (q_size != (size_t)(-1) && q_size < size))
293 fortify_panic(func);
294 }
295
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
next reply other threads:[~2022-01-25 10:33 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-25 10:33 kernel test robot [this message]
2022-01-25 10:33 ` [linux-next:master 1562/1734] include/linux/fortify-string.h:275:25: warning: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202201251833.Hon4gcuF-lkp@intel.com \
--to=lkp@intel.com \
--cc=kbuild-all@lists.01.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.