From: James Bottomley <jejb@linux.ibm.com>
To: Kees Cook <keescook@chromium.org>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>,
James Smart <james.smart@broadcom.com>,
Dick Kennedy <dick.kennedy@broadcom.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH][next] scsi: lpfc: Avoid -Wstringop-overflow warning
Date: Wed, 31 May 2023 10:56:50 -0400 [thread overview]
Message-ID: <25ef15e7601e1b4510cbbd40c6d1ab7c64213863.camel@linux.ibm.com> (raw)
In-Reply-To: <202305301529.1EEA11B@keescook>
On Tue, 2023-05-30 at 15:44 -0700, Kees Cook wrote:
> On Tue, May 30, 2023 at 05:36:06PM -0400, James Bottomley wrote:
> > On Tue, 2023-05-30 at 15:30 -0600, Gustavo A. R. Silva wrote:
> > > Avoid confusing the compiler about possible negative sizes.
> > > Use size_t instead of int for variables size and copied.
> > >
> > > Address the following warning found with GCC-13:
> > > In function ‘lpfc_debugfs_ras_log_data’,
> > > inlined from ‘lpfc_debugfs_ras_log_open’ at
> > > drivers/scsi/lpfc/lpfc_debugfs.c:2271:15:
> > > drivers/scsi/lpfc/lpfc_debugfs.c:2210:25: warning: ‘memcpy’
> > > specified
> > > bound between 18446744071562067968 and 18446744073709551615
> > > exceeds
> > > maximum object size 9223372036854775807 [-Wstringop-overflow=]
> > > 2210 | memcpy(buffer + copied, dmabuf-
> > > >virt,
> > > |
> > > ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > 2211 | size - copied - 1);
> > > | ~~~~~~~~~~~~~~~~~~
> > >
> >
> > This looks like a compiler bug to me and your workaround would have
> > us using unsigned types everywhere for sizes, which seems wrong.
> > There are calls which return size or error for which we have
> > ssize_t and that type has to be usable in things like memcpy, so
> > the compiler must be fixed or the warning disabled.
>
> The compiler is (correctly) noticing that the calculation involving
> "size" (from which "copied" is set) could go negative.
It can? But if it can, then changing size and copied to unsigned
doesn't fix it, does it?
> The "unsigned types everywhere" is a slippery slope argument that
> doesn't apply: this is fixing a specific case of a helper taking a
> size that is never expected to go negative in multiple places
> (open-coded multiplication, vmalloc, lpfc_debugfs_ras_log_data, etc).
> It should be bounds checked at the least...
So your claim is the compiler only gets it wrong in this one case and
if we just change this one case it will never get it wrong again? I
think I prefer the idea that there's a problem in the bounds checking
code which should be susceptible to fixing if we file a compiler bug
(either it should get it right or ignore the case if it can't decide).
> struct lpfc_hba {
> ...
> uint32_t cfg_ras_fwlog_buffsize;
> ...
> };
>
> lpfc_debugfs_ras_log_open():
> ...
> struct lpfc_hba *phba = inode->i_private;
> int size;
> ...
> size = LPFC_RAS_MIN_BUFF_POST_SIZE * phba-
> >cfg_ras_fwlog_buffsize;
> debug->buffer = vmalloc(size);
> ...
> debug->len = lpfc_debugfs_ras_log_data(phba, debug->buffer,
> size);
> ...
>
> lpfc_debugfs_ras_log_data():
> ...
> if ((copied + LPFC_RAS_MAX_ENTRY_SIZE) >= (size - 1))
> {
> memcpy(buffer + copied, dmabuf->virt,
> size - copied - 1);
>
> Honestly, the "if" above is the weirdest part, and perhaps that
> should
> just be adjusted instead:
>
> if (size <= LPFC_RAS_MAX_ENTRY_SIZE)
> return -ENOMEM;
> ...
> if (size - copied <= LPFC_RAS_MAX_ENTRY_SIZE) {
> memcpy(..., size - copied - 1);
> copied += size - copied - 1;
> break;
> }
> ...
> }
> return copied;
No one said you couldn't improve the code. It was claiming a fix by
changing a signed variable to unsigned that got my attention because
it's a classic indicator of compiler problems. I didn't say anything
about all the strlcpy replacements where the source is guaranteed to be
zero terminated so the problem alluded to in the changelog doesn't
exist. But since it all becomes about the inefficiency of the ignored
strlen it did strike me that the most common pattern in sysfs code is
strlcpy followed by strim or strstrip, which could be done slightly
more efficiently as a single operation, if someone wanted actually to
improve our sysfs use cases ...
James
next prev parent reply other threads:[~2023-05-31 14:57 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-30 21:30 [PATCH][next] scsi: lpfc: Avoid -Wstringop-overflow warning Gustavo A. R. Silva
2023-05-30 21:36 ` James Bottomley
2023-05-30 22:44 ` Kees Cook
2023-05-31 14:56 ` James Bottomley [this message]
2023-06-01 16:48 ` Kees Cook
2023-06-01 22:13 ` Justin Tee
2023-06-01 22:29 ` Gustavo A. R. Silva
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=25ef15e7601e1b4510cbbd40c6d1ab7c64213863.camel@linux.ibm.com \
--to=jejb@linux.ibm.com \
--cc=dick.kennedy@broadcom.com \
--cc=gustavoars@kernel.org \
--cc=james.smart@broadcom.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox