* "kyber: add tracepoints" causes write beyond size of object
@ 2018-11-10 14:15 Jordan Glover
2018-11-14 23:23 ` Kees Cook
0 siblings, 1 reply; 4+ messages in thread
From: Jordan Glover @ 2018-11-10 14:15 UTC (permalink / raw)
To: linux-block@vger.kernel.org
Cc: Jens Axboe, Omar Sandoval, Kees Cook, Daniel Micay
Hello,

Commit 6c3b7af1c975b87b86dcb2af233d1ae21eb05107 ("kyber: add tracepoints")[1] causes write beyond size of object. This was detected by "FORTIFY_SOURCE intra-object overflow checking"[2] feature which is part of linux-hardened out-of-tree patchset designed to catch such errors.

The specific error is:

In file included from ./include/linux/bitmap.h:9,
                 from ./include/linux/cpumask.h:12,
                 from ./arch/x86/include/asm/cpumask.h:5,
                 from ./arch/x86/include/asm/msr.h:11,
                 from ./arch/x86/include/asm/processor.h:21,
                 from ./arch/x86/include/asm/cpufeature.h:8,
                 from ./arch/x86/include/asm/thread_info.h:53,
                 from ./include/linux/thread_info.h:38,
                 from ./arch/x86/include/asm/preempt.h:7,
                 from ./include/linux/preempt.h:81,
                 from ./include/linux/rcupdate.h:40,
                 from ./include/linux/rculist.h:11,
                 from ./include/linux/pid.h:5,
                 from ./include/linux/sched.h:14,
                 from ./include/linux/blkdev.h:5,
                 from block/kyber-iosched.c:21:
In function ‘strlcpy’,
    inlined from ‘perf_trace_kyber_latency’ at ./include/trace/events/kyber.h:14:1:
./include/linux/string.h:310:4: error: call to ‘__write_overflow’ declared with attribute error: detected write beyond size of object passed as 1st parameter
    __write_overflow();
    ^~~~~~~~~~~~~~~~~~
In function ‘strlcpy’,
    inlined from ‘trace_event_raw_event_kyber_latency’ at ./include/trace/events/kyber.h:14:1:
./include/linux/string.h:310:4: error: call to ‘__write_overflow’ declared with attribute error: detected write beyond size of object passed as 1st parameter
    __write_overflow();
    ^~~~~~~~~~~~~~~~~~
make[1]: *** [scripts/Makefile.build:293: block/kyber-iosched.o] Error 1
make: *** [Makefile:1063: block] Error 2
make: *** Waiting for unfinished jobs....

Using 'strlcpy' function is generally not recommended[3][4].

Jordan

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.20-rc1&id=6c3b7af1c975b87b86dcb2af233d1ae21eb05107
[2] https://github.com/anthraxx/linux-hardened/commit/9460692de8eb53fd62d59f564eba215e7c03a34b
[3] https://lwn.net/Articles/763641/
[4] https://outflux.net/slides/2018/lss/danger.pdf
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: "kyber: add tracepoints" causes write beyond size of object
2018-11-10 14:15 "kyber: add tracepoints" causes write beyond size of object Jordan Glover
@ 2018-11-14 23:23 ` Kees Cook
2018-11-15 0:06 ` Omar Sandoval
0 siblings, 1 reply; 4+ messages in thread
From: Kees Cook @ 2018-11-14 23:23 UTC (permalink / raw)
To: Jordan Glover
Cc: linux-block@vger.kernel.org, Jens Axboe, Omar Sandoval, Daniel Micay

On Sat, Nov 10, 2018 at 8:15 AM, Jordan Glover
<Golden_Miller83@protonmail.ch> wrote:
> Hello,
>
> Commit 6c3b7af1c975b87b86dcb2af233d1ae21eb05107 ("kyber: add tracepoints")[1] causes write beyond size of object. This was detected by "FORTIFY_SOURCE intra-object overflow checking"[2] feature which is part of linux-hardened out-of-tree patchset designed to catch such errors.
>
> The specific error is:
>
> In file included from ./include/linux/bitmap.h:9,
>                  from ./include/linux/cpumask.h:12,
>                  from ./arch/x86/include/asm/cpumask.h:5,
>                  from ./arch/x86/include/asm/msr.h:11,
>                  from ./arch/x86/include/asm/processor.h:21,
>                  from ./arch/x86/include/asm/cpufeature.h:8,
>                  from ./arch/x86/include/asm/thread_info.h:53,
>                  from ./include/linux/thread_info.h:38,
>                  from ./arch/x86/include/asm/preempt.h:7,
>                  from ./include/linux/preempt.h:81,
>                  from ./include/linux/rcupdate.h:40,
>                  from ./include/linux/rculist.h:11,
>                  from ./include/linux/pid.h:5,
>                  from ./include/linux/sched.h:14,
>                  from ./include/linux/blkdev.h:5,
>                  from block/kyber-iosched.c:21:
> In function ‘strlcpy’,
>     inlined from ‘perf_trace_kyber_latency’ at ./include/trace/events/kyber.h:14:1:
> ./include/linux/string.h:310:4: error: call to ‘__write_overflow’ declared with attribute error: detected write beyond size of object passed as 1st parameter
>     __write_overflow();
>     ^~~~~~~~~~~~~~~~~~
> In function ‘strlcpy’,
>     inlined from ‘trace_event_raw_event_kyber_latency’ at ./include/trace/events/kyber.h:14:1:
> ./include/linux/string.h:310:4: error: call to ‘__write_overflow’ declared with attribute error: detected write beyond size of object passed as 1st parameter
>     __write_overflow();
>     ^~~~~~~~~~~~~~~~~~
> make[1]: *** [scripts/Makefile.build:293: block/kyber-iosched.o] Error 1
> make: *** [Makefile:1063: block] Error 2
> make: *** Waiting for unfinished jobs....
>
> Using 'strlcpy' function is generally not recommended[3][4].

Due to the macros, this was a little tricky to find, but it looks like
a cut/paste typo:

#define DOMAIN_LEN 16
#define LATENCY_TYPE_LEN 8

    strlcpy(__entry->domain, domain, DOMAIN_LEN);
    strlcpy(__entry->type, type, DOMAIN_LEN);

This should use strscpy() regardless, and should use sizeof(dst)
instead of separate literals. The primary bug is using DOMAIN_LEN for
__entry->type when it is actually LATENCY_TYPE_LEN bytes.

Can you build a patch for this? I'm happy to review.

Thanks for finding this!

-Kees

>
> Jordan
>
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.20-rc1&id=6c3b7af1c975b87b86dcb2af233d1ae21eb05107
>
> [2] https://github.com/anthraxx/linux-hardened/commit/9460692de8eb53fd62d59f564eba215e7c03a34b
>
> [3] https://lwn.net/Articles/763641/
>
> [4] https://outflux.net/slides/2018/lss/danger.pdf

--
Kees Cook

^ permalink raw reply [flat|nested] 4+ messages in thread
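An added userspace illustration of the size mismatch diagnosed in the message above; it is not code from the thread or from the kernel. Only DOMAIN_LEN and LATENCY_TYPE_LEN come from the thread: `struct entry`, its `tail` field, `bounded_copy()` (a stand-in with strscpy()-like behaviour) and `copy_type()` are hypothetical, and the input string is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DOMAIN_LEN 16
#define LATENCY_TYPE_LEN 8

/* Hypothetical stand-in for the trace entry; only the two sizes are from the thread. */
struct entry {
	char domain[DOMAIN_LEN];
	char type[LATENCY_TYPE_LEN];
	unsigned char tail[8];	/* assumed neighbouring field */
};

/* Userspace stand-in with strscpy()-like behaviour: always NUL-terminates,
 * returns the copied length, or -1 if src had to be truncated. */
static long bounded_copy(char *dst, const char *src, size_t size)
{
	size_t i;

	if (size == 0)
		return -1;
	for (i = 0; i + 1 < size && src[i] != '\0'; i++)
		dst[i] = src[i];
	dst[i] = '\0';
	return src[i] == '\0' ? (long)i : -1;
}

/* Copies into `type` with DOMAIN_LEN (buggy != 0) or sizeof(dst), via a char view
 * of the whole struct so the write stays in-object; returns tail bytes overwritten. */
int copy_type(const char *type, int buggy, long *rc)
{
	struct entry e;
	size_t i, bound = buggy ? DOMAIN_LEN : sizeof(e.type);
	int n = 0;

	memset(&e, 0xAA, sizeof(e));
	*rc = bounded_copy((char *)&e + offsetof(struct entry, type), type, bound);
	for (i = 0; i < sizeof(e.tail); i++)
		n += e.tail[i] != 0xAA;
	return n;
}

int main(void)
{
	long rc;	/* "0123456789" below is a constructed input */
	printf("DOMAIN_LEN:  %d tail bytes overwritten\n", copy_type("0123456789", 1, &rc));
	printf("sizeof(dst): %d tail bytes overwritten\n", copy_type("0123456789", 0, &rc));
	return 0;
}
```

With a string shorter than 8 bytes the mismatched bound overwrites nothing, so the defect stays invisible at run time until a longer string arrives.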
* Re: "kyber: add tracepoints" causes write beyond size of object
2018-11-14 23:23 ` Kees Cook
@ 2018-11-15 0:06 ` Omar Sandoval
2018-11-15 0:23 ` Kees Cook
0 siblings, 1 reply; 4+ messages in thread
From: Omar Sandoval @ 2018-11-15 0:06 UTC (permalink / raw)
To: Kees Cook
Cc: Jordan Glover, linux-block@vger.kernel.org, Jens Axboe, Omar Sandoval, Daniel Micay

On Wed, Nov 14, 2018 at 05:23:06PM -0600, Kees Cook wrote:
> On Sat, Nov 10, 2018 at 8:15 AM, Jordan Glover
> <Golden_Miller83@protonmail.ch> wrote:
> > Hello,
> >
> > Commit 6c3b7af1c975b87b86dcb2af233d1ae21eb05107 ("kyber: add tracepoints")[1] causes write beyond size of object. This was detected by "FORTIFY_SOURCE intra-object overflow checking"[2] feature which is part of linux-hardened out-of-tree patchset designed to catch such errors.
> >
> > The specific error is:
> >
> > In file included from ./include/linux/bitmap.h:9,
> >                  from ./include/linux/cpumask.h:12,
> >                  from ./arch/x86/include/asm/cpumask.h:5,
> >                  from ./arch/x86/include/asm/msr.h:11,
> >                  from ./arch/x86/include/asm/processor.h:21,
> >                  from ./arch/x86/include/asm/cpufeature.h:8,
> >                  from ./arch/x86/include/asm/thread_info.h:53,
> >                  from ./include/linux/thread_info.h:38,
> >                  from ./arch/x86/include/asm/preempt.h:7,
> >                  from ./include/linux/preempt.h:81,
> >                  from ./include/linux/rcupdate.h:40,
> >                  from ./include/linux/rculist.h:11,
> >                  from ./include/linux/pid.h:5,
> >                  from ./include/linux/sched.h:14,
> >                  from ./include/linux/blkdev.h:5,
> >                  from block/kyber-iosched.c:21:
> > In function ‘strlcpy’,
> >     inlined from ‘perf_trace_kyber_latency’ at ./include/trace/events/kyber.h:14:1:
> > ./include/linux/string.h:310:4: error: call to ‘__write_overflow’ declared with attribute error: detected write beyond size of object passed as 1st parameter
> >     __write_overflow();
> >     ^~~~~~~~~~~~~~~~~~
> > In function ‘strlcpy’,
> >     inlined from ‘trace_event_raw_event_kyber_latency’ at ./include/trace/events/kyber.h:14:1:
> > ./include/linux/string.h:310:4: error: call to ‘__write_overflow’ declared with attribute error: detected write beyond size of object passed as 1st parameter
> >     __write_overflow();
> >     ^~~~~~~~~~~~~~~~~~
> > make[1]: *** [scripts/Makefile.build:293: block/kyber-iosched.o] Error 1
> > make: *** [Makefile:1063: block] Error 2
> > make: *** Waiting for unfinished jobs....
> >
> > Using 'strlcpy' function is generally not recommended[3][4].
>
> Due to the macros, this was a little tricky to find, but it looks like
> a cut/paste typo:
>
> #define DOMAIN_LEN 16
> #define LATENCY_TYPE_LEN 8
>
>     strlcpy(__entry->domain, domain, DOMAIN_LEN);
>     strlcpy(__entry->type, type, DOMAIN_LEN);
>
> This should use strscpy() regardless, and should use sizeof(dst)
> instead of separate literals. The primary bug is using DOMAIN_LEN for
> __entry->type when it is actually LATENCY_TYPE_LEN bytes.
>
> Can you build a patch for this? I'm happy to review.
>
> Thanks for finding this!

Sorry, I forgot to reply to this thread, but Jens queued up a fix for
this already:

http://git.kernel.dk/cgit/linux-block/commit/?h=for-linus&id=18e962ac0781bcb70d433de3b2a325ff792b4288

^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: "kyber: add tracepoints" causes write beyond size of object
2018-11-15 0:06 ` Omar Sandoval
@ 2018-11-15 0:23 ` Kees Cook
0 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2018-11-15 0:23 UTC (permalink / raw)
To: Omar Sandoval
Cc: Jordan Glover, linux-block@vger.kernel.org, Jens Axboe, Omar Sandoval, Daniel Micay

On Wed, Nov 14, 2018 at 6:06 PM, Omar Sandoval <osandov@osandov.com> wrote:
> On Wed, Nov 14, 2018 at 05:23:06PM -0600, Kees Cook wrote:
>> On Sat, Nov 10, 2018 at 8:15 AM, Jordan Glover
>> <Golden_Miller83@protonmail.ch> wrote:
>> > Hello,
>> >
>> > Commit 6c3b7af1c975b87b86dcb2af233d1ae21eb05107 ("kyber: add tracepoints")[1] causes write beyond size of object. This was detected by "FORTIFY_SOURCE intra-object overflow checking"[2] feature which is part of linux-hardened out-of-tree patchset designed to catch such errors.
>> >
>> > The specific error is:
>> >
>> > In file included from ./include/linux/bitmap.h:9,
>> >                  from ./include/linux/cpumask.h:12,
>> >                  from ./arch/x86/include/asm/cpumask.h:5,
>> >                  from ./arch/x86/include/asm/msr.h:11,
>> >                  from ./arch/x86/include/asm/processor.h:21,
>> >                  from ./arch/x86/include/asm/cpufeature.h:8,
>> >                  from ./arch/x86/include/asm/thread_info.h:53,
>> >                  from ./include/linux/thread_info.h:38,
>> >                  from ./arch/x86/include/asm/preempt.h:7,
>> >                  from ./include/linux/preempt.h:81,
>> >                  from ./include/linux/rcupdate.h:40,
>> >                  from ./include/linux/rculist.h:11,
>> >                  from ./include/linux/pid.h:5,
>> >                  from ./include/linux/sched.h:14,
>> >                  from ./include/linux/blkdev.h:5,
>> >                  from block/kyber-iosched.c:21:
>> > In function ‘strlcpy’,
>> >     inlined from ‘perf_trace_kyber_latency’ at ./include/trace/events/kyber.h:14:1:
>> > ./include/linux/string.h:310:4: error: call to ‘__write_overflow’ declared with attribute error: detected write beyond size of object passed as 1st parameter
>> >     __write_overflow();
>> >     ^~~~~~~~~~~~~~~~~~
>> > In function ‘strlcpy’,
>> >     inlined from ‘trace_event_raw_event_kyber_latency’ at ./include/trace/events/kyber.h:14:1:
>> > ./include/linux/string.h:310:4: error: call to ‘__write_overflow’ declared with attribute error: detected write beyond size of object passed as 1st parameter
>> >     __write_overflow();
>> >     ^~~~~~~~~~~~~~~~~~
>> > make[1]: *** [scripts/Makefile.build:293: block/kyber-iosched.o] Error 1
>> > make: *** [Makefile:1063: block] Error 2
>> > make: *** Waiting for unfinished jobs....
>> >
>> > Using 'strlcpy' function is generally not recommended[3][4].
>>
>> Due to the macros, this was a little tricky to find, but it looks like
>> a cut/paste typo:
>>
>> #define DOMAIN_LEN 16
>> #define LATENCY_TYPE_LEN 8
>>
>>     strlcpy(__entry->domain, domain, DOMAIN_LEN);
>>     strlcpy(__entry->type, type, DOMAIN_LEN);
>>
>> This should use strscpy() regardless, and should use sizeof(dst)
>> instead of separate literals. The primary bug is using DOMAIN_LEN for
>> __entry->type when it is actually LATENCY_TYPE_LEN bytes.
>>
>> Can you build a patch for this? I'm happy to review.
>>
>> Thanks for finding this!
>
> Sorry, I forgot to reply to this thread, but Jens queued up a fix for
> this already:
>
> http://git.kernel.dk/cgit/linux-block/commit/?h=for-linus&id=18e962ac0781bcb70d433de3b2a325ff792b4288

Ah! Perfect. Thanks! :)

I should be late to threads more often. ;)

-kees

--
Kees Cook

^ permalink raw reply [flat|nested] 4+ messages in thread