From: Kees Cook <keescook@chromium.org>
To: Dan Carpenter <dan.carpenter@linaro.org>
Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>,
Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>,
linux-hardening@vger.kernel.org, error27@gmail.com,
gustavoars@kernel.org, Bryan Tan <bryantan@vmware.com>,
Vishnu Dasa <vdasa@vmware.com>,
VMware PV-Drivers Reviewers <pv-drivers@vmware.com>,
Arnd Bergmann <arnd@arndb.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-kernel@vger.kernel.org, vegard.nossum@oracle.com,
darren.kenny@oracle.com, syzkaller <syzkaller@googlegroups.com>
Subject: Re: [PATCH v2 2/2] VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
Date: Thu, 11 Jan 2024 10:13:44 -0800 [thread overview]
Message-ID: <202401111001.78284D8F@keescook> (raw)
In-Reply-To: <8e527ade-fe49-4697-8e36-589775c63354@moroto.mountain>
On Thu, Jan 11, 2024 at 10:15:40AM +0300, Dan Carpenter wrote:
> On Wed, Jan 10, 2024 at 04:03:28PM -0800, Kees Cook wrote:
> >
> > Oops, yes, thanks for fixing my confusion. Right, this is a direct write
> > across members into the flex array, not a composite destination. Yay
> > all the corner cases. :P
>
> Is there a document somewhere which explains what will trigger a runtime
> warning? For example, if you write across members but it's not into a
> flex array does that cause an issue? Or if you read across members?
There isn't a good place to find this. There are some code comments near
the memcpy macros, but that's not really sufficient.
At present FORTIFY is only being pedantic about _writes_, as that's
generally a higher priority problem. The implemented restriction is that
the destination buffer must be a single addressable struct member. That
destination can be a composite member (i.e. an entire substruct), but
going beyond a single member in a single memcpy() is no longer allowed
because the compiler cannot reason about whether such a copy is
"intentional".
> For example, this line reads from bulletin->vlan and
> bulletin->vlan_padding. This causes a compiler warning in Clang and
> GCC depending on the options but does it also trigger a runtime warning?
> https://elixir.bootlin.com/linux/latest/source/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c#L2655
Right, the -Wstringop-overread and related compiler flags are doing the
source buffer size checking.
Note that for the compile-time warnings, GCC has the capacity to be much
more strict than the FORTIFY checks because it can perform value _range_
tracking, where as FORTIFY compile-time checks are limited to having the
copy size being a constant expression. (i.e. GCC may produce compile
time warnings for cases that FORTIFY will only warn about at runtime if
the range is violated.)
> (I wrote a patch for this a few months back but didn't send it because
> of the merge window. I forgot about it until now that we're in a merge
> window again... :P)
memcpy(&ivi->vlan, &bulletin->vlan, VLAN_HLEN);
#define VLAN_HLEN 4
ivi->vlan is u32
bulletin has:
u16 vlan;
u8 vlan_padding[6];
yeah, ew. Should it even be reading padding? i.e. should this be:
ivi->vlan = bulletin->vlan << 16;
?
Or should bulletin be:
union {
struct {
u16 vlan;
u8 vlan_padding[6];
};
struct {
u32 vlan_header;
u8 vlan_header_padding[4];
};
};
with:
ivi->vlan = bulletin->vlan_header;
?
I've been finding that almost all memcpy()s and memset()s into non-array
types are better just rewritten as a direct assignment. :P
--
Kees Cook
next prev parent reply other threads:[~2024-01-11 18:13 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-05 16:39 [PATCH v2 1/2] VMCI: Use struct_size() in kmalloc() Harshit Mogalapalli
2024-01-05 16:40 ` [PATCH v2 2/2] VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() Harshit Mogalapalli
2024-01-05 17:11 ` Gustavo A. R. Silva
2024-01-08 7:33 ` Dan Carpenter
2024-01-08 17:03 ` Gustavo A. R. Silva
2024-01-08 17:31 ` Harshit Mogalapalli
2024-01-08 17:38 ` Gustavo A. R. Silva
2024-01-08 18:36 ` Dan Carpenter
2024-01-08 19:21 ` Gustavo A. R. Silva
2024-01-08 22:37 ` Kees Cook
2024-01-09 2:05 ` Gustavo A. R. Silva
2024-01-09 9:07 ` Dan Carpenter
2024-01-09 12:31 ` Gustavo A. R. Silva
2024-01-09 13:22 ` Dan Carpenter
2024-01-09 14:35 ` Gustavo A. R. Silva
2024-01-11 0:03 ` Kees Cook
2024-01-11 7:15 ` Dan Carpenter
2024-01-11 18:13 ` Kees Cook [this message]
2024-01-12 5:35 ` Dan Carpenter
2024-01-11 12:53 ` kovalev
2024-02-16 7:35 ` Harshit Mogalapalli
2024-01-05 16:57 ` [PATCH v2 1/2] VMCI: Use struct_size() in kmalloc() Gustavo A. R. Silva
2024-01-08 22:28 ` Kees Cook
2024-02-01 18:06 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202401111001.78284D8F@keescook \
--to=keescook@chromium.org \
--cc=arnd@arndb.de \
--cc=bryantan@vmware.com \
--cc=dan.carpenter@linaro.org \
--cc=darren.kenny@oracle.com \
--cc=error27@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=gustavo@embeddedor.com \
--cc=gustavoars@kernel.org \
--cc=harshit.m.mogalapalli@oracle.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pv-drivers@vmware.com \
--cc=syzkaller@googlegroups.com \
--cc=vdasa@vmware.com \
--cc=vegard.nossum@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.