* [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.
@ 2023-11-22 22:19 Arnd Bergmann
2023-11-22 23:07 ` Gustavo A. R. Silva
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Arnd Bergmann @ 2023-11-22 22:19 UTC (permalink / raw)
To: Robert Richter, Borislav Petkov, Tony Luck, Sergey Temerkhanov
Cc: Arnd Bergmann, Gustavo A. R. Silva, Kees Cook, James Morse,
Mauro Carvalho Chehab, Yeqi Fu, linux-edac, linux-kernel
From: Arnd Bergmann <arnd@arndb.de>
Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a
warning for a common bug in the usage of strncat():
drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
1136 | strncat(msg, other, OCX_MESSAGE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/edac/thunderx_edac.c:1145:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
1145 | strncat(msg, other, OCX_MESSAGE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/edac/thunderx_edac.c:1150:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
1150 | strncat(msg, other, OCX_MESSAGE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/edac/thunderx_edac.c: In function 'thunderx_l2c_threaded_isr':
drivers/edac/thunderx_edac.c:1899:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
1899 | strncat(msg, other, L2C_MESSAGE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_lnk_threaded_isr':
drivers/edac/thunderx_edac.c:1220:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
1220 | strncat(msg, other, OCX_MESSAGE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apparently the author of this driver expected strncat() to behave the
way that strlcat() does, which uses the size of the destination buffer
as its third argument rather than the length of the source buffer.
The result is that there is no check on the size of the allocated
buffer.
Change it to use strncat().
Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver")
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
drivers/edac/thunderx_edac.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/edac/thunderx_edac.c b/drivers/edac/thunderx_edac.c
index b9c5772da959..90d46e5c4ff0 100644
--- a/drivers/edac/thunderx_edac.c
+++ b/drivers/edac/thunderx_edac.c
@@ -1133,7 +1133,7 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
decode_register(other, OCX_OTHER_SIZE,
ocx_com_errors, ctx->reg_com_int);
- strncat(msg, other, OCX_MESSAGE_SIZE);
+ strlcat(msg, other, OCX_MESSAGE_SIZE);
for (lane = 0; lane < OCX_RX_LANES; lane++)
if (ctx->reg_com_int & BIT(lane)) {
@@ -1142,12 +1142,12 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
lane, ctx->reg_lane_int[lane],
lane, ctx->reg_lane_stat11[lane]);
- strncat(msg, other, OCX_MESSAGE_SIZE);
+ strlcat(msg, other, OCX_MESSAGE_SIZE);
decode_register(other, OCX_OTHER_SIZE,
ocx_lane_errors,
ctx->reg_lane_int[lane]);
- strncat(msg, other, OCX_MESSAGE_SIZE);
+ strlcat(msg, other, OCX_MESSAGE_SIZE);
}
if (ctx->reg_com_int & OCX_COM_INT_CE)
@@ -1217,7 +1217,7 @@ static irqreturn_t thunderx_ocx_lnk_threaded_isr(int irq, void *irq_id)
decode_register(other, OCX_OTHER_SIZE,
ocx_com_link_errors, ctx->reg_com_link_int);
- strncat(msg, other, OCX_MESSAGE_SIZE);
+ strlcat(msg, other, OCX_MESSAGE_SIZE);
if (ctx->reg_com_link_int & OCX_COM_LINK_INT_UE)
edac_device_handle_ue(ocx->edac_dev, 0, 0, msg);
@@ -1896,7 +1896,7 @@ static irqreturn_t thunderx_l2c_threaded_isr(int irq, void *irq_id)
decode_register(other, L2C_OTHER_SIZE, l2_errors, ctx->reg_int);
- strncat(msg, other, L2C_MESSAGE_SIZE);
+ strlcat(msg, other, L2C_MESSAGE_SIZE);
if (ctx->reg_int & mask_ue)
edac_device_handle_ue(l2c->edac_dev, 0, 0, msg);
--
2.39.2
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.
2023-11-22 22:19 [PATCH] EDAC, thunderx: fix possible out-of-bounds string access Arnd Bergmann
@ 2023-11-22 23:07 ` Gustavo A. R. Silva
2023-11-23 11:58 ` Borislav Petkov
2023-11-23 17:05 ` Borislav Petkov
2 siblings, 0 replies; 8+ messages in thread
From: Gustavo A. R. Silva @ 2023-11-22 23:07 UTC (permalink / raw)
To: Arnd Bergmann, Robert Richter, Borislav Petkov, Tony Luck,
Sergey Temerkhanov
Cc: Arnd Bergmann, Gustavo A. R. Silva, Kees Cook, James Morse,
Mauro Carvalho Chehab, Yeqi Fu, linux-edac, linux-kernel
On 11/22/23 16:19, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
>
> Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a
> warning for a common bug in the usage of strncat():
Great to see this catching bugs already. :)
>
> drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
> drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1136 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c:1145:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1145 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c:1150:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1150 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c: In function 'thunderx_l2c_threaded_isr':
> drivers/edac/thunderx_edac.c:1899:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1899 | strncat(msg, other, L2C_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_lnk_threaded_isr':
> drivers/edac/thunderx_edac.c:1220:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1220 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Apparently the author of this driver expected strncat() to behave the
> way that strlcat() does, which uses the size of the destination buffer
> as its third argument rather than the length of the source buffer.
> The result is that there is no check on the size of the allocated
> buffer.
>
> Change it to use strncat().
s/strncat/strlcat
with that:
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Thanks!
--
Gustavo
>
> Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver")
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: Kees Cook <keescook@chromium.org>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
> drivers/edac/thunderx_edac.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/edac/thunderx_edac.c b/drivers/edac/thunderx_edac.c
> index b9c5772da959..90d46e5c4ff0 100644
> --- a/drivers/edac/thunderx_edac.c
> +++ b/drivers/edac/thunderx_edac.c
> @@ -1133,7 +1133,7 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
> decode_register(other, OCX_OTHER_SIZE,
> ocx_com_errors, ctx->reg_com_int);
>
> - strncat(msg, other, OCX_MESSAGE_SIZE);
> + strlcat(msg, other, OCX_MESSAGE_SIZE);
>
> for (lane = 0; lane < OCX_RX_LANES; lane++)
> if (ctx->reg_com_int & BIT(lane)) {
> @@ -1142,12 +1142,12 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
> lane, ctx->reg_lane_int[lane],
> lane, ctx->reg_lane_stat11[lane]);
>
> - strncat(msg, other, OCX_MESSAGE_SIZE);
> + strlcat(msg, other, OCX_MESSAGE_SIZE);
>
> decode_register(other, OCX_OTHER_SIZE,
> ocx_lane_errors,
> ctx->reg_lane_int[lane]);
> - strncat(msg, other, OCX_MESSAGE_SIZE);
> + strlcat(msg, other, OCX_MESSAGE_SIZE);
> }
>
> if (ctx->reg_com_int & OCX_COM_INT_CE)
> @@ -1217,7 +1217,7 @@ static irqreturn_t thunderx_ocx_lnk_threaded_isr(int irq, void *irq_id)
> decode_register(other, OCX_OTHER_SIZE,
> ocx_com_link_errors, ctx->reg_com_link_int);
>
> - strncat(msg, other, OCX_MESSAGE_SIZE);
> + strlcat(msg, other, OCX_MESSAGE_SIZE);
>
> if (ctx->reg_com_link_int & OCX_COM_LINK_INT_UE)
> edac_device_handle_ue(ocx->edac_dev, 0, 0, msg);
> @@ -1896,7 +1896,7 @@ static irqreturn_t thunderx_l2c_threaded_isr(int irq, void *irq_id)
>
> decode_register(other, L2C_OTHER_SIZE, l2_errors, ctx->reg_int);
>
> - strncat(msg, other, L2C_MESSAGE_SIZE);
> + strlcat(msg, other, L2C_MESSAGE_SIZE);
>
> if (ctx->reg_int & mask_ue)
> edac_device_handle_ue(l2c->edac_dev, 0, 0, msg);
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.
2023-11-22 22:19 [PATCH] EDAC, thunderx: fix possible out-of-bounds string access Arnd Bergmann
2023-11-22 23:07 ` Gustavo A. R. Silva
@ 2023-11-23 11:58 ` Borislav Petkov
2023-11-23 14:03 ` Gustavo A. R. Silva
2023-11-23 17:05 ` Borislav Petkov
2 siblings, 1 reply; 8+ messages in thread
From: Borislav Petkov @ 2023-11-23 11:58 UTC (permalink / raw)
To: Arnd Bergmann
Cc: Robert Richter, Tony Luck, Sergey Temerkhanov, Arnd Bergmann,
Gustavo A. R. Silva, Kees Cook, James Morse,
Mauro Carvalho Chehab, Yeqi Fu, linux-edac, linux-kernel
On Wed, Nov 22, 2023 at 11:19:53PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
>
> Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a
$ git describe 1b56c90018f0
fatal: Not a valid object name 1b56c90018f0
I'm assuming that's in linux-next?
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.
2023-11-23 11:58 ` Borislav Petkov
@ 2023-11-23 14:03 ` Gustavo A. R. Silva
2023-11-23 14:30 ` Borislav Petkov
0 siblings, 1 reply; 8+ messages in thread
From: Gustavo A. R. Silva @ 2023-11-23 14:03 UTC (permalink / raw)
To: Borislav Petkov, Arnd Bergmann
Cc: Robert Richter, Tony Luck, Sergey Temerkhanov, Arnd Bergmann,
Gustavo A. R. Silva, Kees Cook, James Morse,
Mauro Carvalho Chehab, Yeqi Fu, linux-edac, linux-kernel
On 11/23/23 05:58, Borislav Petkov wrote:
> On Wed, Nov 22, 2023 at 11:19:53PM +0100, Arnd Bergmann wrote:
>> From: Arnd Bergmann <arnd@arndb.de>
>>
>> Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a
>
> $ git describe 1b56c90018f0
> fatal: Not a valid object name 1b56c90018f0
>
> I'm assuming that's in linux-next?
That's correct, yes.
--
Gustavo
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.
2023-11-23 14:03 ` Gustavo A. R. Silva
@ 2023-11-23 14:30 ` Borislav Petkov
2023-11-23 14:41 ` Gustavo A. R. Silva
0 siblings, 1 reply; 8+ messages in thread
From: Borislav Petkov @ 2023-11-23 14:30 UTC (permalink / raw)
To: Gustavo A. R. Silva
Cc: Arnd Bergmann, Robert Richter, Tony Luck, Sergey Temerkhanov,
Arnd Bergmann, Gustavo A. R. Silva, Kees Cook, James Morse,
Mauro Carvalho Chehab, Yeqi Fu, linux-edac, linux-kernel
On Thu, Nov 23, 2023 at 08:03:58AM -0600, Gustavo A. R. Silva wrote:
> That's correct, yes.
Commit ID is stable enough so that it doesn't change?
I don't want to commit it now and it would happen to change later and
I'll have a stale reference in the commit message...
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.
2023-11-23 14:30 ` Borislav Petkov
@ 2023-11-23 14:41 ` Gustavo A. R. Silva
2023-11-23 16:39 ` Borislav Petkov
0 siblings, 1 reply; 8+ messages in thread
From: Gustavo A. R. Silva @ 2023-11-23 14:41 UTC (permalink / raw)
To: Borislav Petkov
Cc: Arnd Bergmann, Robert Richter, Tony Luck, Sergey Temerkhanov,
Arnd Bergmann, Gustavo A. R. Silva, Kees Cook, James Morse,
Mauro Carvalho Chehab, Yeqi Fu, linux-edac, linux-kernel
On 11/23/23 08:30, Borislav Petkov wrote:
> On Thu, Nov 23, 2023 at 08:03:58AM -0600, Gustavo A. R. Silva wrote:
>> That's correct, yes.
>
> Commit ID is stable enough so that it doesn't change?
Well, it has changed a couple of times in a week.
>
> I don't want to commit it now and it would happen to change later and
> I'll have a stale reference in the commit message...
>
To avoid that, I would just say (in the changelog text) that this patch
is fixing some -Wstringop-overflow warnings, without specifying any
commit ID.
--
Gustavo
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.
2023-11-23 14:41 ` Gustavo A. R. Silva
@ 2023-11-23 16:39 ` Borislav Petkov
0 siblings, 0 replies; 8+ messages in thread
From: Borislav Petkov @ 2023-11-23 16:39 UTC (permalink / raw)
To: Gustavo A. R. Silva
Cc: Arnd Bergmann, Robert Richter, Tony Luck, Sergey Temerkhanov,
Arnd Bergmann, Gustavo A. R. Silva, Kees Cook, James Morse,
Mauro Carvalho Chehab, Yeqi Fu, linux-edac, linux-kernel
On Thu, Nov 23, 2023 at 08:41:33AM -0600, Gustavo A. R. Silva wrote:
> To avoid that, I would just say (in the changelog text) that this patch
> is fixing some -Wstringop-overflow warnings, without specifying any
> commit ID.
Doh, obviously.
I hope Arnd is reading this. :-)
Thx, lemme do that.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.
2023-11-22 22:19 [PATCH] EDAC, thunderx: fix possible out-of-bounds string access Arnd Bergmann
2023-11-22 23:07 ` Gustavo A. R. Silva
2023-11-23 11:58 ` Borislav Petkov
@ 2023-11-23 17:05 ` Borislav Petkov
2 siblings, 0 replies; 8+ messages in thread
From: Borislav Petkov @ 2023-11-23 17:05 UTC (permalink / raw)
To: Arnd Bergmann
Cc: Robert Richter, Tony Luck, Sergey Temerkhanov, Arnd Bergmann,
Gustavo A. R. Silva, Kees Cook, James Morse,
Mauro Carvalho Chehab, Yeqi Fu, linux-edac, linux-kernel
On Wed, Nov 22, 2023 at 11:19:53PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
>
> Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a
> warning for a common bug in the usage of strncat():
>
> drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
> drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1136 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c:1145:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1145 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c:1150:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1150 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c: In function 'thunderx_l2c_threaded_isr':
> drivers/edac/thunderx_edac.c:1899:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1899 | strncat(msg, other, L2C_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_lnk_threaded_isr':
> drivers/edac/thunderx_edac.c:1220:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1220 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Apparently the author of this driver expected strncat() to behave the
> way that strlcat() does, which uses the size of the destination buffer
> as its third argument rather than the length of the source buffer.
> The result is that there is no check on the size of the allocated
> buffer.
>
> Change it to use strncat().
>
> Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver")
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: Kees Cook <keescook@chromium.org>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
> drivers/edac/thunderx_edac.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
Applied, thanks.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2023-11-23 17:05 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-11-22 22:19 [PATCH] EDAC, thunderx: fix possible out-of-bounds string access Arnd Bergmann
2023-11-22 23:07 ` Gustavo A. R. Silva
2023-11-23 11:58 ` Borislav Petkov
2023-11-23 14:03 ` Gustavo A. R. Silva
2023-11-23 14:30 ` Borislav Petkov
2023-11-23 14:41 ` Gustavo A. R. Silva
2023-11-23 16:39 ` Borislav Petkov
2023-11-23 17:05 ` Borislav Petkov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox