* [PATCH] w1: Split memcpy() of struct cn_msg flexible array
@ 2022-09-27  0:39 Kees Cook
  2022-09-27  1:19 ` Gustavo A. R. Silva
  0 siblings, 1 reply; 2+ messages in thread
From: Kees Cook @ 2022-09-27  0:39 UTC (permalink / raw)
  To: Evgeniy Polyakov; +Cc: Kees Cook, linux-kernel, linux-hardening

To work around a misbehavior of the compiler's ability to see into
composite flexible array structs (as detailed in the coming memcpy()
hardening series[1]), split the memcpy() of the header and the payload
so no false positive run-time overflow warning will be generated.

[1] https://lore.kernel.org/linux-hardening/20220901065914.1417829-2-keescook@chromium.org/

Cc: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/w1/w1_netlink.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/w1/w1_netlink.c b/drivers/w1/w1_netlink.c
index fa490aa4407c..db110cc442b1 100644
--- a/drivers/w1/w1_netlink.c
+++ b/drivers/w1/w1_netlink.c
@@ -611,7 +611,8 @@ static void w1_cn_callback(struct cn_msg *cn, struct netlink_skb_parms *nsp)
 		}
 		atomic_set(&block->refcnt, 1);
 		block->portid = nsp->portid;
-		memcpy(&block->request_cn, cn, sizeof(*cn) + cn->len);
+		block->request_cn = *cn;
+		memcpy(block->request_cn.data, cn->data, cn->len);
 		node = (struct w1_cb_node *)(block->request_cn.data + cn->len);
 
 		/* Sneeky, when not bundling, reply_size is the allocated space
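Review bot: The rationale for the two `+` lines (`block->request_cn = *cn;` followed by `memcpy(block->request_cn.data, cn->data, cn->len);`) lives only in the commit message; a one-line comment above the struct assignment, along the lines of `/* Copy header and payload separately so the run-time bounds check sees the flexible array, not the enclosing struct */`, would keep a later cleanup from folding the two copies back into the single memcpy() being removed. Functionally the hunk is a no-op: the struct assignment copies exactly sizeof(*cn) bytes, the memcpy() copies the cn->len payload bytes, and together they cover the same `sizeof(*cn) + cn->len` span as the `-` line, so the `node` pointer computed on the following context line still lands directly after the payload.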
-- 
2.34.1


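The pattern the patch applies, shown stand-alone as an added example (this is not kernel code and not part of the patch above): a header struct ending in a flexible array member is embedded as the last member of a larger "composite" struct, and the incoming message is copied into it either in one memcpy() spanning header plus payload, or split into a struct assignment for the header and a memcpy() into the flexible array. The struct and field names (`struct msg`, `struct block`, `request`) are hypothetical stand-ins modelled on the shape of struct cn_msg and its container; the payload bytes are constructed. Both copies produce identical bytes, which is the point: the split changes what a bounds checker can see about the destination, not what ends up in memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header-plus-flexible-array message, shaped like struct cn_msg. */
struct msg {
    uint32_t id;
    uint16_t len;      /* number of valid bytes in data[] */
    uint16_t flags;
    uint8_t  data[];   /* flexible array member: payload follows the header */
};

/* Hypothetical composite struct: the flexible-array struct is its LAST member,
 * so the payload spills past sizeof(struct block) into the same allocation. */
struct block {
    int refcnt;
    struct msg request;
};

/* One-shot copy of header and payload into the embedded member.
 * A bounds checker that sizes the destination by its declared type sees only
 * sizeof(struct msg) bytes here, so a copy of sizeof(*src) + src->len bytes
 * looks like an overflow even though the allocation is large enough. */
static void copy_single(struct block *blk, const struct msg *src)
{
    memcpy(&blk->request, src, sizeof(*src) + src->len);
}

/* Split copy: struct assignment moves exactly sizeof(struct msg) header bytes;
 * the memcpy() targets the flexible array itself, whose extent the checker
 * cannot bound, so no false positive is raised. */
static void copy_split(struct block *blk, const struct msg *src)
{
    blk->request = *src;
    memcpy(blk->request.data, src->data, src->len);
}

/* Build a message around a constructed payload; the caller frees it. */
static struct msg *make_msg(const uint8_t *payload, uint16_t len)
{
    struct msg *m = malloc(sizeof(*m) + len);
    if (!m)
        return NULL;
    m->id = 0x1234;
    m->len = len;
    m->flags = 0;
    memcpy(m->data, payload, len);
    return m;
}

/* Copy the same message with both methods and return 1 if the resulting
 * header-plus-payload bytes are identical and the payload survived intact. */
int split_matches_single(const uint8_t *payload, uint16_t len)
{
    struct msg *src = make_msg(payload, len);
    struct block *a = malloc(sizeof(*a) + len);
    struct block *b = malloc(sizeof(*b) + len);
    int ok = 0;

    if (src && a && b) {
        memset(a, 0, sizeof(*a) + len);
        memset(b, 0, sizeof(*b) + len);
        copy_single(a, src);
        copy_split(b, src);
        ok = memcmp(&a->request, &b->request, sizeof(struct msg) + len) == 0
          && b->request.len == len
          && memcmp(b->request.data, payload, len) == 0;
    }
    free(src);
    free(a);
    free(b);
    return ok;
}

int main(void)
{
    const uint8_t payload[] = { 0xde, 0xad, 0xbe, 0xef, 0x42 }; /* constructed */
    printf("split copy matches single copy: %s\n",
           split_matches_single(payload, sizeof(payload)) ? "yes" : "no");
    return 0;
}
```

The memcmp() over `sizeof(struct msg) + len` bytes starting at `&a->request` is exactly the span the original single memcpy() wrote, so a match demonstrates that the split copy is a behaviour-preserving rewrite; the zero-length case checks that the struct assignment alone carries the header when there is no payload.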

* Re: [PATCH] w1: Split memcpy() of struct cn_msg flexible array
  2022-09-27  0:39 [PATCH] w1: Split memcpy() of struct cn_msg flexible array Kees Cook
@ 2022-09-27  1:19 ` Gustavo A. R. Silva
  0 siblings, 0 replies; 2+ messages in thread
From: Gustavo A. R. Silva @ 2022-09-27  1:19 UTC (permalink / raw)
  To: Kees Cook; +Cc: Evgeniy Polyakov, linux-kernel, linux-hardening

On Mon, Sep 26, 2022 at 05:39:27PM -0700, Kees Cook wrote:
> To work around a misbehavior of the compiler's ability to see into
> composite flexible array structs (as detailed in the coming memcpy()
> hardening series[1]), split the memcpy() of the header and the payload
> so no false positive run-time overflow warning will be generated.
> 
> [1] https://lore.kernel.org/linux-hardening/20220901065914.1417829-2-keescook@chromium.org/
> 
> Cc: Evgeniy Polyakov <zbr@ioremap.net>
> Signed-off-by: Kees Cook <keescook@chromium.org>

Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Thanks!
--
Gustavo

> ---
>  drivers/w1/w1_netlink.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/w1/w1_netlink.c b/drivers/w1/w1_netlink.c
> index fa490aa4407c..db110cc442b1 100644
> --- a/drivers/w1/w1_netlink.c
> +++ b/drivers/w1/w1_netlink.c
> @@ -611,7 +611,8 @@ static void w1_cn_callback(struct cn_msg *cn, struct netlink_skb_parms *nsp)
>  		}
>  		atomic_set(&block->refcnt, 1);
>  		block->portid = nsp->portid;
> -		memcpy(&block->request_cn, cn, sizeof(*cn) + cn->len);
> +		block->request_cn = *cn;
> +		memcpy(block->request_cn.data, cn->data, cn->len);
>  		node = (struct w1_cb_node *)(block->request_cn.data + cn->len);
>  
>  		/* Sneeky, when not bundling, reply_size is the allocated space
> -- 
> 2.34.1
> 

