* [PATCH] landlock: avoid memcpy static check warning
@ 2026-05-19 20:30 Arnd Bergmann
2026-05-20 9:10 ` Mickaël Salaün
0 siblings, 1 reply; 2+ messages in thread
From: Arnd Bergmann @ 2026-05-19 20:30 UTC (permalink / raw)
To: Mickaël Salaün, Paul Moore, James Morris,
Serge E. Hallyn
Cc: Arnd Bergmann, Günther Noack, Tingmao Wang, Kees Cook,
linux-security-module, linux-kernel
From: Arnd Bergmann <arnd@arndb.de>
The fortified string helpers trigger a -Wrestrict warning when
gcc deducts that the size of the landlock_layer array can
overflow as a result of the flex_array_size() calculation:
In file included from arch/x86/include/asm/string.h:6,
from security/landlock/ruleset.c:16:
security/landlock/ruleset.c: In function 'create_rule':
arch/x86/include/asm/string_32.h:150:25: error: '__builtin_memcpy' accessing 4294967295 bytes at offsets 0 and 0 overlaps 6442450943 bytes at offset -2147483648 [-Werror=restrict]
150 | #define memcpy(t, f, n) __builtin_memcpy(t, f, n)
| ^~~~~~~~~~~~~~~~~~~~~~~~~
security/landlock/ruleset.c:139:9: note: in expansion of macro 'memcpy'
139 | memcpy(new_rule->layers, layers,
| ^~~~~~
'create_rule': event 1
include/linux/compiler.h:69:46:
68 | (cond) ? \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
69 | (__if_trace.miss_hit[1]++,1) : \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~
| |
| (1) when the condition is evaluated to true
70 | (__if_trace.miss_hit[0]++,0); \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/compiler.h:57:69: note: in expansion of macro '__trace_if_value'
57 | #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
| ^~~~~~~~~~~~~~~~
include/linux/compiler.h:55:28: note: in expansion of macro '__trace_if_var'
55 | #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
| ^~~~~~~~~~~~~~
include/linux/overflow.h:334:9: note: in expansion of macro 'if'
334 | if (check_mul_overflow(factor1, factor2, &bytes))
| ^~
'create_rule': event 2
Out of these individually helpful checks (-Wrestrict, fortified
string helpers, flex_array_size), one of them has to go to avoid
the warning.
Seeing that the length of the array is already checked earlier
in this function, through both an explicit LANDLOCK_MAX_NUM_LAYERS
comparison and the implicit kzalloc_flex() having succeeded,
replace the flex_array_size() call with a direct multiplication.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
security/landlock/ruleset.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index 181df7736bb9..26e0b7193a7b 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -137,7 +137,7 @@ create_rule(const struct landlock_id id,
new_rule->num_layers = new_num_layers;
/* Copies the original layer stack. */
memcpy(new_rule->layers, layers,
- flex_array_size(new_rule, layers, num_layers));
+ sizeof(struct landlock_layer) * num_layers);
if (new_layer)
/* Adds a copy of @new_layer on the layer stack. */
new_rule->layers[new_rule->num_layers - 1] = *new_layer;
--
2.39.5
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] landlock: avoid memcpy static check warning
2026-05-19 20:30 [PATCH] landlock: avoid memcpy static check warning Arnd Bergmann
@ 2026-05-20 9:10 ` Mickaël Salaün
0 siblings, 0 replies; 2+ messages in thread
From: Mickaël Salaün @ 2026-05-20 9:10 UTC (permalink / raw)
To: Arnd Bergmann, Kees Cook, Gustavo A. R. Silva
Cc: Paul Moore, James Morris, Serge E. Hallyn, Arnd Bergmann,
Günther Noack, Tingmao Wang, linux-security-module,
linux-kernel
Thanks for the report.
On Tue, May 19, 2026 at 10:30:05PM +0200, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
>
> The fortified string helpers trigger a -Wrestrict warning when
> gcc deducts that the size of the landlock_layer array can
> overflow as a result of the flex_array_size() calculation:
>
> In file included from arch/x86/include/asm/string.h:6,
> from security/landlock/ruleset.c:16:
> security/landlock/ruleset.c: In function 'create_rule':
> arch/x86/include/asm/string_32.h:150:25: error: '__builtin_memcpy' accessing 4294967295 bytes at offsets 0 and 0 overlaps 6442450943 bytes at offset -2147483648 [-Werror=restrict]
> 150 | #define memcpy(t, f, n) __builtin_memcpy(t, f, n)
> | ^~~~~~~~~~~~~~~~~~~~~~~~~
> security/landlock/ruleset.c:139:9: note: in expansion of macro 'memcpy'
> 139 | memcpy(new_rule->layers, layers,
> | ^~~~~~
> 'create_rule': event 1
> include/linux/compiler.h:69:46:
> 68 | (cond) ? \
> | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 69 | (__if_trace.miss_hit[1]++,1) : \
> | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~
> | |
> | (1) when the condition is evaluated to true
> 70 | (__if_trace.miss_hit[0]++,0); \
> | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> include/linux/compiler.h:57:69: note: in expansion of macro '__trace_if_value'
> 57 | #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
> | ^~~~~~~~~~~~~~~~
> include/linux/compiler.h:55:28: note: in expansion of macro '__trace_if_var'
> 55 | #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
> | ^~~~~~~~~~~~~~
> include/linux/overflow.h:334:9: note: in expansion of macro 'if'
> 334 | if (check_mul_overflow(factor1, factor2, &bytes))
> | ^~
> 'create_rule': event 2
>
> Out of these individually helpful checks (-Wrestrict, fortified
> string helpers, flex_array_size), one of them has to go to avoid
> the warning.
>
> Seeing that the length of the array is already checked earlier
> in this function, through both an explicit LANDLOCK_MAX_NUM_LAYERS
> comparison and the implicit kzalloc_flex() having succeeded,
> replace the flex_array_size() call with a direct multiplication.
Can flex_array_size() be fixed instead?
>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
> security/landlock/ruleset.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
> index 181df7736bb9..26e0b7193a7b 100644
> --- a/security/landlock/ruleset.c
> +++ b/security/landlock/ruleset.c
> @@ -137,7 +137,7 @@ create_rule(const struct landlock_id id,
> new_rule->num_layers = new_num_layers;
> /* Copies the original layer stack. */
> memcpy(new_rule->layers, layers,
> - flex_array_size(new_rule, layers, num_layers));
> + sizeof(struct landlock_layer) * num_layers);
> if (new_layer)
> /* Adds a copy of @new_layer on the layer stack. */
> new_rule->layers[new_rule->num_layers - 1] = *new_layer;
> --
> 2.39.5
>
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-05-20 9:19 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-19 20:30 [PATCH] landlock: avoid memcpy static check warning Arnd Bergmann
2026-05-20 9:10 ` Mickaël Salaün
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox