From: Kees Cook <keescook@chromium.org>
To: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Kevin Tian <kevin.tian@intel.com>, Joerg Roedel <joro@8bytes.org>,
Will Deacon <will@kernel.org>,
Robin Murphy <robin.murphy@arm.com>,
iommu@lists.linux.dev, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH] iommufd: Add top-level bounds check on kernel buffer size
Date: Fri, 27 Jan 2023 16:57:26 -0800 [thread overview]
Message-ID: <202301271655.A51DC1CF@keescook> (raw)
In-Reply-To: <Y9RwpuVyEi2SBmdQ@ziepe.ca>
On Fri, Jan 27, 2023 at 08:47:34PM -0400, Jason Gunthorpe wrote:
> On Fri, Jan 27, 2023 at 02:38:17PM -0800, Kees Cook wrote:
> > While the op->size assignments are already bounds-checked at static
> > initializer time, these limits aren't aggregated and tracked when doing
> > later variable range checking under -Warray-bounds. Help the compiler
> > see that we know what we're talking about, and we'll never ask to
> > write more that sizeof(ucmd.cmd) bytes during the memset() inside
> > copy_struct_from_user(). Seen under GCC 13:
> >
> > In function 'copy_struct_from_user',
> > inlined from 'iommufd_fops_ioctl' at ../drivers/iommu/iommufd/main.c:333:8:
> > ../include/linux/fortify-string.h:59:33: warning: '__builtin_memset' offset [57, 4294967294] is out of the bounds [0, 56] of object 'buf' with type 'union ucmd_buffer' [-Warray-bounds=]
> > 59 | #define __underlying_memset __builtin_memset
>
> This seems strange to me
>
> I thought the way gcc handled this was if it knew the value must be in
> a certain range then it would check it
>
> If it couldn't figure out any ranges it would not make a warning.
>
> So why did it decide "rest" was in that really weird range?
It's because it got bounds-checked at the lower end (for the minimum
size test).
>
> Is this just a compiler bug?
I don't think so. This just keeps the bounds within the buffer size now.
--
Kees Cook
next prev parent reply other threads:[~2023-01-28 0:57 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-27 22:38 [PATCH] iommufd: Add top-level bounds check on kernel buffer size Kees Cook
2023-01-28 0:47 ` Jason Gunthorpe
2023-01-28 0:57 ` Kees Cook [this message]
2023-01-28 1:13 ` Jason Gunthorpe
2023-02-01 1:01 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202301271655.A51DC1CF@keescook \
--to=keescook@chromium.org \
--cc=iommu@lists.linux.dev \
--cc=jgg@ziepe.ca \
--cc=joro@8bytes.org \
--cc=kevin.tian@intel.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=robin.murphy@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.