* Re: [PATCH] riscv: Avoid fortify warning in syscall_get_arguments()
2025-04-09 21:24 [PATCH] riscv: Avoid fortify warning in syscall_get_arguments() Nathan Chancellor
@ 2025-04-09 23:26 ` Dmitry V. Levin
2025-04-10 17:25 ` Palmer Dabbelt
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Dmitry V. Levin @ 2025-04-09 23:26 UTC (permalink / raw)
To: Nathan Chancellor
Cc: Paul Walmsley, Palmer Dabbelt, Albert Ou, Alexandre Ghiti,
Charlie Jenkins, Kees Cook, linux-riscv, linux-kernel
On Wed, Apr 09, 2025 at 02:24:46PM -0700, Nathan Chancellor wrote:
> When building with CONFIG_FORTIFY_SOURCE=y and W=1, there is a warning
> because of the memcpy() in syscall_get_arguments():
>
> In file included from include/linux/string.h:392,
> from include/linux/bitmap.h:13,
> from include/linux/cpumask.h:12,
> from arch/riscv/include/asm/processor.h:55,
> from include/linux/sched.h:13,
> from kernel/ptrace.c:13:
> In function 'fortify_memcpy_chk',
> inlined from 'syscall_get_arguments.isra' at arch/riscv/include/asm/syscall.h:66:2:
> include/linux/fortify-string.h:580:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
> 580 | __read_overflow2_field(q_size_field, size);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> cc1: all warnings being treated as errors
>
> The fortified memcpy() routine enforces that the source is not overread
> and the destination is not overwritten if the size of either field and
> the size of the copy are known at compile time. The memcpy() in
> syscall_get_arguments() intentionally overreads from a1 to a5 in
> 'struct pt_regs' but this is bigger than the size of a1.
>
> Normally, this could be solved by wrapping a1 through a5 with
> struct_group() but there was already a struct_group() applied to these
> members in commit bba547810c66 ("riscv: tracing: Fix
> __write_overflow_field in ftrace_partial_regs()").
>
> Just avoid memcpy() altogether and write the copying of args from regs
> manually, which clears up the warning at the expense of three extra
> lines of code.
>
> Signed-off-by: Nathan Chancellor <nathan@kernel.org>
> ---
> I omitted a Fixes tag because I think this has always been an overread
> if I understand correctly but it is only the addition of the checks from
> commit f68f2ff91512 ("fortify: Detect struct member overflows in
> memcpy() at compile-time") that it becomes a noticeable issue.
>
> This came out of a discussion from the addition of
> syscall_set_arguments(), where the same logic causes a more noticeable
> fortify warning because it happens without W=1, as it is an overwrite:
> https://lore.kernel.org/20250408213131.GA2872426@ax162/
> ---
> arch/riscv/include/asm/syscall.h | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
> index 121fff429dce66b31fe79b691b8edd816c8019e9..eceabf59ae482aa1832b09371ddb3ba8cd65f91d 100644
> --- a/arch/riscv/include/asm/syscall.h
> +++ b/arch/riscv/include/asm/syscall.h
> @@ -62,8 +62,11 @@ static inline void syscall_get_arguments(struct task_struct *task,
> unsigned long *args)
> {
> args[0] = regs->orig_a0;
> - args++;
> - memcpy(args, ®s->a1, 5 * sizeof(args[0]));
> + args[1] = regs->a1;
> + args[2] = regs->a2;
> + args[3] = regs->a3;
> + args[4] = regs->a4;
> + args[5] = regs->a5;
> }
>
> static inline int syscall_get_arch(struct task_struct *task)
Reviewed-by: Dmitry V. Levin <ldv@strace.io>
--
ldv
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] riscv: Avoid fortify warning in syscall_get_arguments()
2025-04-09 21:24 [PATCH] riscv: Avoid fortify warning in syscall_get_arguments() Nathan Chancellor
2025-04-09 23:26 ` Dmitry V. Levin
@ 2025-04-10 17:25 ` Palmer Dabbelt
2025-04-15 5:54 ` Alexandre Ghiti
2025-04-16 14:31 ` patchwork-bot+linux-riscv
3 siblings, 0 replies; 6+ messages in thread
From: Palmer Dabbelt @ 2025-04-10 17:25 UTC (permalink / raw)
To: nathan
Cc: Paul Walmsley, aou, alex, Charlie Jenkins, ldv, kees, linux-riscv,
linux-kernel, nathan
On Wed, 09 Apr 2025 14:24:46 PDT (-0700), nathan@kernel.org wrote:
> When building with CONFIG_FORTIFY_SOURCE=y and W=1, there is a warning
> because of the memcpy() in syscall_get_arguments():
>
> In file included from include/linux/string.h:392,
> from include/linux/bitmap.h:13,
> from include/linux/cpumask.h:12,
> from arch/riscv/include/asm/processor.h:55,
> from include/linux/sched.h:13,
> from kernel/ptrace.c:13:
> In function 'fortify_memcpy_chk',
> inlined from 'syscall_get_arguments.isra' at arch/riscv/include/asm/syscall.h:66:2:
> include/linux/fortify-string.h:580:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
> 580 | __read_overflow2_field(q_size_field, size);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> cc1: all warnings being treated as errors
>
> The fortified memcpy() routine enforces that the source is not overread
> and the destination is not overwritten if the size of either field and
> the size of the copy are known at compile time. The memcpy() in
> syscall_get_arguments() intentionally overreads from a1 to a5 in
> 'struct pt_regs' but this is bigger than the size of a1.
>
> Normally, this could be solved by wrapping a1 through a5 with
> struct_group() but there was already a struct_group() applied to these
> members in commit bba547810c66 ("riscv: tracing: Fix
> __write_overflow_field in ftrace_partial_regs()").
>
> Just avoid memcpy() altogether and write the copying of args from regs
> manually, which clears up the warning at the expense of three extra
> lines of code.
You could still memcpy, but you'd need some sort of
memcpy(args, ®s->aregs + sizeof(args[0]), 5 * sizeof(args[0]));
(or however you index a struct group). I think it's saner to just do it
with the manual copies, though, as I'd have to look up what this code
does every time I run into it.
> Signed-off-by: Nathan Chancellor <nathan@kernel.org>
> ---
> I omitted a Fixes tag because I think this has always been an overread
> if I understand correctly but it is only the addition of the checks from
> commit f68f2ff91512 ("fortify: Detect struct member overflows in
> memcpy() at compile-time") that it becomes a noticeable issue.
I'm going to add the Fixes. It's a suprious warning (there's no actual
crash from the overread), but even spurious warnings are a headache for
peolpe trying to build stuff.
> This came out of a discussion from the addition of
> syscall_set_arguments(), where the same logic causes a more noticeable
> fortify warning because it happens without W=1, as it is an overwrite:
> https://lore.kernel.org/20250408213131.GA2872426@ax162/
> ---
> arch/riscv/include/asm/syscall.h | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
> index 121fff429dce66b31fe79b691b8edd816c8019e9..eceabf59ae482aa1832b09371ddb3ba8cd65f91d 100644
> --- a/arch/riscv/include/asm/syscall.h
> +++ b/arch/riscv/include/asm/syscall.h
> @@ -62,8 +62,11 @@ static inline void syscall_get_arguments(struct task_struct *task,
> unsigned long *args)
> {
> args[0] = regs->orig_a0;
> - args++;
> - memcpy(args, ®s->a1, 5 * sizeof(args[0]));
> + args[1] = regs->a1;
> + args[2] = regs->a2;
> + args[3] = regs->a3;
> + args[4] = regs->a4;
> + args[5] = regs->a5;
> }
>
> static inline int syscall_get_arch(struct task_struct *task)
>
> ---
> base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8
> change-id: 20250409-riscv-avoid-fortify-warning-syscall_get_arguments-19c0495d4ed7
>
> Best regards,
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] riscv: Avoid fortify warning in syscall_get_arguments()
2025-04-09 21:24 [PATCH] riscv: Avoid fortify warning in syscall_get_arguments() Nathan Chancellor
2025-04-09 23:26 ` Dmitry V. Levin
2025-04-10 17:25 ` Palmer Dabbelt
@ 2025-04-15 5:54 ` Alexandre Ghiti
2025-04-15 14:23 ` Nathan Chancellor
2025-04-16 14:31 ` patchwork-bot+linux-riscv
3 siblings, 1 reply; 6+ messages in thread
From: Alexandre Ghiti @ 2025-04-15 5:54 UTC (permalink / raw)
To: Nathan Chancellor, Paul Walmsley, Palmer Dabbelt, Albert Ou,
Charlie Jenkins
Cc: Dmitry V. Levin, Kees Cook, linux-riscv, linux-kernel
Hi Nathan,
On 09/04/2025 23:24, Nathan Chancellor wrote:
> When building with CONFIG_FORTIFY_SOURCE=y and W=1, there is a warning
> because of the memcpy() in syscall_get_arguments():
>
> In file included from include/linux/string.h:392,
> from include/linux/bitmap.h:13,
> from include/linux/cpumask.h:12,
> from arch/riscv/include/asm/processor.h:55,
> from include/linux/sched.h:13,
> from kernel/ptrace.c:13:
> In function 'fortify_memcpy_chk',
> inlined from 'syscall_get_arguments.isra' at arch/riscv/include/asm/syscall.h:66:2:
> include/linux/fortify-string.h:580:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
> 580 | __read_overflow2_field(q_size_field, size);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> cc1: all warnings being treated as errors
>
> The fortified memcpy() routine enforces that the source is not overread
> and the destination is not overwritten if the size of either field and
> the size of the copy are known at compile time. The memcpy() in
> syscall_get_arguments() intentionally overreads from a1 to a5 in
> 'struct pt_regs' but this is bigger than the size of a1.
>
> Normally, this could be solved by wrapping a1 through a5 with
> struct_group() but there was already a struct_group() applied to these
> members in commit bba547810c66 ("riscv: tracing: Fix
> __write_overflow_field in ftrace_partial_regs()").
>
> Just avoid memcpy() altogether and write the copying of args from regs
> manually, which clears up the warning at the expense of three extra
> lines of code.
>
> Signed-off-by: Nathan Chancellor <nathan@kernel.org>
> ---
> I omitted a Fixes tag because I think this has always been an overread
> if I understand correctly but it is only the addition of the checks from
> commit f68f2ff91512 ("fortify: Detect struct member overflows in
> memcpy() at compile-time") that it becomes a noticeable issue.
>
> This came out of a discussion from the addition of
> syscall_set_arguments(), where the same logic causes a more noticeable
> fortify warning because it happens without W=1, as it is an overwrite:
> https://lore.kernel.org/20250408213131.GA2872426@ax162/
> ---
> arch/riscv/include/asm/syscall.h | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
> index 121fff429dce66b31fe79b691b8edd816c8019e9..eceabf59ae482aa1832b09371ddb3ba8cd65f91d 100644
> --- a/arch/riscv/include/asm/syscall.h
> +++ b/arch/riscv/include/asm/syscall.h
> @@ -62,8 +62,11 @@ static inline void syscall_get_arguments(struct task_struct *task,
> unsigned long *args)
> {
> args[0] = regs->orig_a0;
> - args++;
> - memcpy(args, ®s->a1, 5 * sizeof(args[0]));
> + args[1] = regs->a1;
> + args[2] = regs->a2;
> + args[3] = regs->a3;
> + args[4] = regs->a4;
> + args[5] = regs->a5;
> }
>
> static inline int syscall_get_arch(struct task_struct *task)
>
> ---
> base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8
> change-id: 20250409-riscv-avoid-fortify-warning-syscall_get_arguments-19c0495d4ed7
>
> Best regards,
Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
IIUC, Andrew took this patch, if that changes, please let me know and
I'll merge it through the riscv tree.
Thanks,
Alex
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] riscv: Avoid fortify warning in syscall_get_arguments()
2025-04-15 5:54 ` Alexandre Ghiti
@ 2025-04-15 14:23 ` Nathan Chancellor
0 siblings, 0 replies; 6+ messages in thread
From: Nathan Chancellor @ 2025-04-15 14:23 UTC (permalink / raw)
To: Alexandre Ghiti
Cc: Paul Walmsley, Palmer Dabbelt, Albert Ou, Charlie Jenkins,
Dmitry V. Levin, Kees Cook, linux-riscv, linux-kernel
On Tue, Apr 15, 2025 at 07:54:04AM +0200, Alexandre Ghiti wrote:
> Hi Nathan,
>
> On 09/04/2025 23:24, Nathan Chancellor wrote:
> > When building with CONFIG_FORTIFY_SOURCE=y and W=1, there is a warning
> > because of the memcpy() in syscall_get_arguments():
> >
> > In file included from include/linux/string.h:392,
> > from include/linux/bitmap.h:13,
> > from include/linux/cpumask.h:12,
> > from arch/riscv/include/asm/processor.h:55,
> > from include/linux/sched.h:13,
> > from kernel/ptrace.c:13:
> > In function 'fortify_memcpy_chk',
> > inlined from 'syscall_get_arguments.isra' at arch/riscv/include/asm/syscall.h:66:2:
> > include/linux/fortify-string.h:580:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
> > 580 | __read_overflow2_field(q_size_field, size);
> > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > cc1: all warnings being treated as errors
> >
> > The fortified memcpy() routine enforces that the source is not overread
> > and the destination is not overwritten if the size of either field and
> > the size of the copy are known at compile time. The memcpy() in
> > syscall_get_arguments() intentionally overreads from a1 to a5 in
> > 'struct pt_regs' but this is bigger than the size of a1.
> >
> > Normally, this could be solved by wrapping a1 through a5 with
> > struct_group() but there was already a struct_group() applied to these
> > members in commit bba547810c66 ("riscv: tracing: Fix
> > __write_overflow_field in ftrace_partial_regs()").
> >
> > Just avoid memcpy() altogether and write the copying of args from regs
> > manually, which clears up the warning at the expense of three extra
> > lines of code.
> >
> > Signed-off-by: Nathan Chancellor <nathan@kernel.org>
> > ---
> > I omitted a Fixes tag because I think this has always been an overread
> > if I understand correctly but it is only the addition of the checks from
> > commit f68f2ff91512 ("fortify: Detect struct member overflows in
> > memcpy() at compile-time") that it becomes a noticeable issue.
> >
> > This came out of a discussion from the addition of
> > syscall_set_arguments(), where the same logic causes a more noticeable
> > fortify warning because it happens without W=1, as it is an overwrite:
> > https://lore.kernel.org/20250408213131.GA2872426@ax162/
> > ---
> > arch/riscv/include/asm/syscall.h | 7 +++++--
> > 1 file changed, 5 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
> > index 121fff429dce66b31fe79b691b8edd816c8019e9..eceabf59ae482aa1832b09371ddb3ba8cd65f91d 100644
> > --- a/arch/riscv/include/asm/syscall.h
> > +++ b/arch/riscv/include/asm/syscall.h
> > @@ -62,8 +62,11 @@ static inline void syscall_get_arguments(struct task_struct *task,
> > unsigned long *args)
> > {
> > args[0] = regs->orig_a0;
> > - args++;
> > - memcpy(args, ®s->a1, 5 * sizeof(args[0]));
> > + args[1] = regs->a1;
> > + args[2] = regs->a2;
> > + args[3] = regs->a3;
> > + args[4] = regs->a4;
> > + args[5] = regs->a5;
> > }
> > static inline int syscall_get_arch(struct task_struct *task)
> >
> > ---
> > base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8
> > change-id: 20250409-riscv-avoid-fortify-warning-syscall_get_arguments-19c0495d4ed7
> >
> > Best regards,
>
> Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
>
> IIUC, Andrew took this patch, if that changes, please let me know and I'll
> merge it through the riscv tree.
Thanks, I had Andrew drop it so that it could go via the riscv tree so
please pick it up when you can.
https://lore.kernel.org/20250411211833.E3DD1C4CEE2@smtp.kernel.org/
Cheers,
Nathan
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] riscv: Avoid fortify warning in syscall_get_arguments()
2025-04-09 21:24 [PATCH] riscv: Avoid fortify warning in syscall_get_arguments() Nathan Chancellor
` (2 preceding siblings ...)
2025-04-15 5:54 ` Alexandre Ghiti
@ 2025-04-16 14:31 ` patchwork-bot+linux-riscv
3 siblings, 0 replies; 6+ messages in thread
From: patchwork-bot+linux-riscv @ 2025-04-16 14:31 UTC (permalink / raw)
To: Nathan Chancellor
Cc: linux-riscv, paul.walmsley, palmer, aou, alex, charlie, ldv, kees,
linux-kernel
Hello:
This patch was applied to riscv/linux.git (fixes)
by Palmer Dabbelt <palmer@rivosinc.com>:
On Wed, 09 Apr 2025 14:24:46 -0700 you wrote:
> When building with CONFIG_FORTIFY_SOURCE=y and W=1, there is a warning
> because of the memcpy() in syscall_get_arguments():
>
> In file included from include/linux/string.h:392,
> from include/linux/bitmap.h:13,
> from include/linux/cpumask.h:12,
> from arch/riscv/include/asm/processor.h:55,
> from include/linux/sched.h:13,
> from kernel/ptrace.c:13:
> In function 'fortify_memcpy_chk',
> inlined from 'syscall_get_arguments.isra' at arch/riscv/include/asm/syscall.h:66:2:
> include/linux/fortify-string.h:580:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
> 580 | __read_overflow2_field(q_size_field, size);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> cc1: all warnings being treated as errors
>
> [...]
Here is the summary with links:
- riscv: Avoid fortify warning in syscall_get_arguments()
https://git.kernel.org/riscv/c/adf53771a312
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 6+ messages in thread