[PATCH] landlock: avoid memcpy static check warning

Linux Security Modules development
 help / color / mirror / Atom feed

From: Arnd Bergmann <arnd@kernel.org>
To: "Mickaël Salaün" <mic@digikod.net>,
	"Paul Moore" <paul@paul-moore.com>,
	"James Morris" <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>
Cc: "Arnd Bergmann" <arnd@arndb.de>,
	"Günther Noack" <gnoack@google.com>,
	"Tingmao Wang" <m@maowtm.org>, "Kees Cook" <kees@kernel.org>,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH] landlock: avoid memcpy static check warning
Date: Tue, 19 May 2026 22:30:05 +0200	[thread overview]
Message-ID: <20260519203012.1340274-1-arnd@kernel.org> (raw)

From: Arnd Bergmann <arnd@arndb.de>

The fortified string helpers trigger a -Wrestrict warning when
gcc deducts that the size of the landlock_layer array can
overflow as a result of the flex_array_size() calculation:

In file included from arch/x86/include/asm/string.h:6,
                 from security/landlock/ruleset.c:16:
security/landlock/ruleset.c: In function 'create_rule':
arch/x86/include/asm/string_32.h:150:25: error: '__builtin_memcpy' accessing 4294967295 bytes at offsets 0 and 0 overlaps 6442450943 bytes at offset -2147483648 [-Werror=restrict]
  150 | #define memcpy(t, f, n) __builtin_memcpy(t, f, n)
      |                         ^~~~~~~~~~~~~~~~~~~~~~~~~
security/landlock/ruleset.c:139:9: note: in expansion of macro 'memcpy'
  139 |         memcpy(new_rule->layers, layers,
      |         ^~~~~~
  'create_rule': event 1
include/linux/compiler.h:69:46:
   68 |         (cond) ?                                        \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   69 |                 (__if_trace.miss_hit[1]++,1) :          \
      |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~
      |                                              |
      |                                              (1) when the condition is evaluated to true
   70 |                 (__if_trace.miss_hit[0]++,0);           \
      |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/compiler.h:57:69: note: in expansion of macro '__trace_if_value'
   57 | #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
      |                                                                     ^~~~~~~~~~~~~~~~
include/linux/compiler.h:55:28: note: in expansion of macro '__trace_if_var'
   55 | #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
      |                            ^~~~~~~~~~~~~~
include/linux/overflow.h:334:9: note: in expansion of macro 'if'
  334 |         if (check_mul_overflow(factor1, factor2, &bytes))
      |         ^~
  'create_rule': event 2

Out of these individually helpful checks (-Wrestrict, fortified
string helpers, flex_array_size), one of them has to go to avoid
the warning.

Seeing that the length of the array is already checked earlier
in this function, through both an explicit LANDLOCK_MAX_NUM_LAYERS
comparison and the implicit kzalloc_flex() having succeeded,
replace the flex_array_size() call with a direct multiplication.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 security/landlock/ruleset.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index 181df7736bb9..26e0b7193a7b 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -137,7 +137,7 @@ create_rule(const struct landlock_id id,
 	new_rule->num_layers = new_num_layers;
 	/* Copies the original layer stack. */
 	memcpy(new_rule->layers, layers,
-	       flex_array_size(new_rule, layers, num_layers));
+	       sizeof(struct landlock_layer) * num_layers);
 	if (new_layer)
 		/* Adds a copy of @new_layer on the layer stack. */
 		new_rule->layers[new_rule->num_layers - 1] = *new_layer;
-- 
2.39.5

next             reply	other threads:[~2026-05-19 20:30 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-19 20:30 Arnd Bergmann [this message]
2026-05-20  9:10 ` [PATCH] landlock: avoid memcpy static check warning Mickaël Salaün
2026-05-20 11:45   ` Arnd Bergmann

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:181df7736bb dfblob:26e0b7193a7 )
 OR (
bs:"[PATCH] landlock: avoid memcpy static check warning" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260519203012.1340274-1-arnd@kernel.org \
    --to=arnd@kernel.org \
    --cc=arnd@arndb.de \
    --cc=gnoack@google.com \
    --cc=jmorris@namei.org \
    --cc=kees@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=m@maowtm.org \
    --cc=mic@digikod.net \
    --cc=paul@paul-moore.com \
    --cc=serge@hallyn.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox