[PATCH] landlock: avoid memcpy static check warning

Linux Security Modules development
 help / color / mirror / Atom feed

* [PATCH] landlock: avoid memcpy static check warning
@ 2026-05-19 20:30 Arnd Bergmann
  2026-05-20  9:10 ` Mickaël Salaün
  0 siblings, 1 reply; 3+ messages in thread
From: Arnd Bergmann @ 2026-05-19 20:30 UTC (permalink / raw)
  To: Mickaël Salaün, Paul Moore, James Morris,
	Serge E. Hallyn
  Cc: Arnd Bergmann, Günther Noack, Tingmao Wang, Kees Cook,
	linux-security-module, linux-kernel

From: Arnd Bergmann <arnd@arndb.de>

The fortified string helpers trigger a -Wrestrict warning when
gcc deducts that the size of the landlock_layer array can
overflow as a result of the flex_array_size() calculation:

In file included from arch/x86/include/asm/string.h:6,
                 from security/landlock/ruleset.c:16:
security/landlock/ruleset.c: In function 'create_rule':
arch/x86/include/asm/string_32.h:150:25: error: '__builtin_memcpy' accessing 4294967295 bytes at offsets 0 and 0 overlaps 6442450943 bytes at offset -2147483648 [-Werror=restrict]
  150 | #define memcpy(t, f, n) __builtin_memcpy(t, f, n)
      |                         ^~~~~~~~~~~~~~~~~~~~~~~~~
security/landlock/ruleset.c:139:9: note: in expansion of macro 'memcpy'
  139 |         memcpy(new_rule->layers, layers,
      |         ^~~~~~
  'create_rule': event 1
include/linux/compiler.h:69:46:
   68 |         (cond) ?                                        \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   69 |                 (__if_trace.miss_hit[1]++,1) :          \
      |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~
      |                                              |
      |                                              (1) when the condition is evaluated to true
   70 |                 (__if_trace.miss_hit[0]++,0);           \
      |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/compiler.h:57:69: note: in expansion of macro '__trace_if_value'
   57 | #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
      |                                                                     ^~~~~~~~~~~~~~~~
include/linux/compiler.h:55:28: note: in expansion of macro '__trace_if_var'
   55 | #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
      |                            ^~~~~~~~~~~~~~
include/linux/overflow.h:334:9: note: in expansion of macro 'if'
  334 |         if (check_mul_overflow(factor1, factor2, &bytes))
      |         ^~
  'create_rule': event 2

Out of these individually helpful checks (-Wrestrict, fortified
string helpers, flex_array_size), one of them has to go to avoid
the warning.

Seeing that the length of the array is already checked earlier
in this function, through both an explicit LANDLOCK_MAX_NUM_LAYERS
comparison and the implicit kzalloc_flex() having succeeded,
replace the flex_array_size() call with a direct multiplication.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 security/landlock/ruleset.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index 181df7736bb9..26e0b7193a7b 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -137,7 +137,7 @@ create_rule(const struct landlock_id id,
 	new_rule->num_layers = new_num_layers;
 	/* Copies the original layer stack. */
 	memcpy(new_rule->layers, layers,
-	       flex_array_size(new_rule, layers, num_layers));
+	       sizeof(struct landlock_layer) * num_layers);
 	if (new_layer)
 		/* Adds a copy of @new_layer on the layer stack. */
 		new_rule->layers[new_rule->num_layers - 1] = *new_layer;
-- 
2.39.5


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] landlock: avoid memcpy static check warning
  2026-05-19 20:30 [PATCH] landlock: avoid memcpy static check warning Arnd Bergmann
@ 2026-05-20  9:10 ` Mickaël Salaün
  2026-05-20 11:45   ` Arnd Bergmann
  0 siblings, 1 reply; 3+ messages in thread
From: Mickaël Salaün @ 2026-05-20  9:10 UTC (permalink / raw)
  To: Arnd Bergmann, Kees Cook, Gustavo A. R. Silva
  Cc: Paul Moore, James Morris, Serge E. Hallyn, Arnd Bergmann,
	Günther Noack, Tingmao Wang, linux-security-module,
	linux-kernel

Thanks for the report.

On Tue, May 19, 2026 at 10:30:05PM +0200, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
> 
> The fortified string helpers trigger a -Wrestrict warning when
> gcc deducts that the size of the landlock_layer array can
> overflow as a result of the flex_array_size() calculation:
> 
> In file included from arch/x86/include/asm/string.h:6,
>                  from security/landlock/ruleset.c:16:
> security/landlock/ruleset.c: In function 'create_rule':
> arch/x86/include/asm/string_32.h:150:25: error: '__builtin_memcpy' accessing 4294967295 bytes at offsets 0 and 0 overlaps 6442450943 bytes at offset -2147483648 [-Werror=restrict]
>   150 | #define memcpy(t, f, n) __builtin_memcpy(t, f, n)
>       |                         ^~~~~~~~~~~~~~~~~~~~~~~~~
> security/landlock/ruleset.c:139:9: note: in expansion of macro 'memcpy'
>   139 |         memcpy(new_rule->layers, layers,
>       |         ^~~~~~
>   'create_rule': event 1
> include/linux/compiler.h:69:46:
>    68 |         (cond) ?                                        \
>       |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    69 |                 (__if_trace.miss_hit[1]++,1) :          \
>       |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~
>       |                                              |
>       |                                              (1) when the condition is evaluated to true
>    70 |                 (__if_trace.miss_hit[0]++,0);           \
>       |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> include/linux/compiler.h:57:69: note: in expansion of macro '__trace_if_value'
>    57 | #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
>       |                                                                     ^~~~~~~~~~~~~~~~
> include/linux/compiler.h:55:28: note: in expansion of macro '__trace_if_var'
>    55 | #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
>       |                            ^~~~~~~~~~~~~~
> include/linux/overflow.h:334:9: note: in expansion of macro 'if'
>   334 |         if (check_mul_overflow(factor1, factor2, &bytes))
>       |         ^~
>   'create_rule': event 2
> 
> Out of these individually helpful checks (-Wrestrict, fortified
> string helpers, flex_array_size), one of them has to go to avoid
> the warning.
> 
> Seeing that the length of the array is already checked earlier
> in this function, through both an explicit LANDLOCK_MAX_NUM_LAYERS
> comparison and the implicit kzalloc_flex() having succeeded,
> replace the flex_array_size() call with a direct multiplication.

Can flex_array_size() be fixed instead?

> 
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
>  security/landlock/ruleset.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
> index 181df7736bb9..26e0b7193a7b 100644
> --- a/security/landlock/ruleset.c
> +++ b/security/landlock/ruleset.c
> @@ -137,7 +137,7 @@ create_rule(const struct landlock_id id,
>  	new_rule->num_layers = new_num_layers;
>  	/* Copies the original layer stack. */
>  	memcpy(new_rule->layers, layers,
> -	       flex_array_size(new_rule, layers, num_layers));
> +	       sizeof(struct landlock_layer) * num_layers);
>  	if (new_layer)
>  		/* Adds a copy of @new_layer on the layer stack. */
>  		new_rule->layers[new_rule->num_layers - 1] = *new_layer;
> -- 
> 2.39.5
> 
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] landlock: avoid memcpy static check warning
  2026-05-20  9:10 ` Mickaël Salaün
@ 2026-05-20 11:45   ` Arnd Bergmann
  0 siblings, 0 replies; 3+ messages in thread
From: Arnd Bergmann @ 2026-05-20 11:45 UTC (permalink / raw)
  To: Mickaël Salaün, Arnd Bergmann, Kees Cook,
	Gustavo A. R. Silva
  Cc: Paul Moore, James Morris, Serge E. Hallyn, Günther Noack,
	Tingmao Wang, linux-security-module, linux-kernel

[-- Attachment #1: Type: text/plain, Size: 1075 bytes --]

On Wed, May 20, 2026, at 11:10, Mickaël Salaün wrote:
> On Tue, May 19, 2026 at 10:30:05PM +0200, Arnd Bergmann wrote:
>>
>> Out of these individually helpful checks (-Wrestrict, fortified
>> string helpers, flex_array_size), one of them has to go to avoid
>> the warning.
>> 
>> Seeing that the length of the array is already checked earlier
>> in this function, through both an explicit LANDLOCK_MAX_NUM_LAYERS
>> comparison and the implicit kzalloc_flex() having succeeded,
>> replace the flex_array_size() call with a direct multiplication.
>
> Can flex_array_size() be fixed instead?

I couldn't figure it out myself, but feel free to give it a try.
I've attached the two randconfig files that showed the problem
for me, as this only shows up very rarely.

Actually thinking about it again, I suspect that this is not
really a false positive but that gcc got things right by detecting
that flex_array_size() returns SIZE_MAX in case of an overflow,
and this would in fact cause data corruption when used as
the length in mempcy().

        Arnd

[-- Attachment #2: 0xCD5395EB-config.gz --]
[-- Type: application/gzip, Size: 29766 bytes --]

[-- Attachment #3: 0xF0418B18-config.gz --]
[-- Type: application/gzip, Size: 32113 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-05-20 11:46 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-19 20:30 [PATCH] landlock: avoid memcpy static check warning Arnd Bergmann
2026-05-20  9:10 ` Mickaël Salaün
2026-05-20 11:45   ` Arnd Bergmann

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox