From: Jan Hendrik Farr <kernel@jfarr.cc>
To: Alan Huang <mmpgouride@gmail.com>
Cc: kent.overstreet@linux.dev, kees@kernel.org,
gustavoars@kernel.org, thorsten.blum@toblux.com,
linux-bcachefs@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH 1/2] bcachefs: Remove incorrect __counted_by annotation
Date: Fri, 2 May 2025 03:55:48 +0200 [thread overview]
Message-ID: <aBQmJIXygwIwj5Yy@archlinux> (raw)
In-Reply-To: <20250501200132.216859-1-mmpgouride@gmail.com>
On 02 04:01:31, Alan Huang wrote:
> This actually reverts 86e92eeeb237 ("bcachefs: Annotate struct bch_xattr
> with __counted_by()").
>
> After the x_name, there is a value. According to the disscussion[1],
> __counted_by assumes that the flexible array member contains exactly
> the amount of elements that are specified. Now there are users came across
> a false positive detection of an out of bounds write caused by
> the __counted_by here[2], so revert that.
>
> [1] https://lore.kernel.org/lkml/Zv8VDKWN1GzLRT-_@archlinux/T/#m0ce9541c5070146320efd4f928cc1ff8de69e9b2
> [2] https://privatebin.net/?a0d4e97d590d71e1#9bLmp2Kb5NU6X6cZEucchDcu88HzUQwHUah8okKPReEt
>
> Signed-off-by: Alan Huang <mmpgouride@gmail.com>
Reviewed-by: Jan Hendrik Farr <kernel@jfarr.cc>
> ---
> fs/bcachefs/xattr_format.h | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/fs/bcachefs/xattr_format.h b/fs/bcachefs/xattr_format.h
> index c7916011ef34..67426e33d04e 100644
> --- a/fs/bcachefs/xattr_format.h
> +++ b/fs/bcachefs/xattr_format.h
> @@ -13,7 +13,13 @@ struct bch_xattr {
> __u8 x_type;
> __u8 x_name_len;
> __le16 x_val_len;
> - __u8 x_name[] __counted_by(x_name_len);
> + /*
> + * x_name contains the name and value counted by
> + * x_name_len + x_val_len. The introduction of
> + * __counted_by(x_name_len) caused a false positive
> + * detection of an out of bounds write.
> + */
In my estimation the comment isn't strictly needed with the name
change in Patch 2/2, but it can also stay.
> + __u8 x_name[];
> } __packed __aligned(8);
>
> #endif /* _BCACHEFS_XATTR_FORMAT_H */
> --
> 2.48.1
>
I was able to reproduce this issue with gcc 15.1.1 and bcachefs as
rootfs (and verify that this fixes it), but wasn't able to reproduce
using clang 19.1.7. Turns out there is one more difference in how
gcc and clang do __bdos. clang apparantly doesn't handle pointer
arithmetic done using + symbol instead of [] for the __counted_by
case. Here's a reproducer:
https://godbolt.org/z/136T98Wdz
Best Regards
Jan
prev parent reply other threads:[~2025-05-02 1:55 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-01 20:01 [PATCH 1/2] bcachefs: Remove incorrect __counted_by annotation Alan Huang
2025-05-01 20:01 ` [PATCH 2/2] bcachefs: Rename x_name to x_name_and_value Alan Huang
2025-05-02 1:56 ` Jan Hendrik Farr
2025-05-01 20:08 ` [PATCH 1/2] bcachefs: Remove incorrect __counted_by annotation Thorsten Blum
2025-05-01 20:11 ` Thorsten Blum
2025-05-01 20:13 ` Kees Cook
2025-05-02 1:55 ` Jan Hendrik Farr [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aBQmJIXygwIwj5Yy@archlinux \
--to=kernel@jfarr.cc \
--cc=gustavoars@kernel.org \
--cc=kees@kernel.org \
--cc=kent.overstreet@linux.dev \
--cc=linux-bcachefs@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=mmpgouride@gmail.com \
--cc=thorsten.blum@toblux.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox