Re: [PATCH] infiniband: avoid overflow warning

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Daniel Micay <danielmicay@gmail.com>
To: Kees Cook <keescook@chromium.org>, Arnd Bergmann <arnd@arndb.de>
Cc: Moni Shoua <monis@mellanox.com>,
	Doug Ledford <dledford@redhat.com>,
	Sean Hefty <sean.hefty@intel.com>,
	Hal Rosenstock <hal.rosenstock@gmail.com>,
	"Kalderon, Michal" <Michal.Kalderon@cavium.com>,
	Ariel Elior <Ariel.Elior@cavium.com>,
	"David S. Miller" <davem@davemloft.net>,
	Bart Van Assche <bart.vanassche@sandisk.com>,
	Parav Pandit <parav@mellanox.com>,
	Noa Osherovich <noaos@mellanox.com>,
	linux-rdma <linux-rdma@vger.kernel.org>,
	Linux Kernel Mailinglist <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] infiniband: avoid overflow warning
Date: Mon, 31 Jul 2017 17:37:59 -0400	[thread overview]
Message-ID: <1501537079.1180.3.camel@gmail.com> (raw)
In-Reply-To: <CAGXu5j+EPe7csgFt5SnDoobQWkOGH5qaoSZ=QMHHoGFFsMV45Q@mail.gmail.com>

On Mon, 2017-07-31 at 14:18 -0700, Kees Cook wrote:
> On Mon, Jul 31, 2017 at 2:10 PM, Arnd Bergmann <arnd@arndb.de> wrote:
> > On Mon, Jul 31, 2017 at 10:58 PM, Kees Cook <keescook@chromium.org>
> > wrote:
> > > On Mon, Jul 31, 2017 at 12:30 AM, Arnd Bergmann <arnd@arndb.de>
> > > wrote:
> > > > On Mon, Jul 31, 2017 at 9:08 AM, Moni Shoua <monis@mellanox.com>
> > > > wrote:
> > > > > >                 break;
> > > > > >         default:
> > > > > >                 return -EINVAL;
> > > > > 
> > > > > what happens if you replace 16 with sizeof(struct in6_addr)?
> > > > 
> > > > Same thing: the problem is that gcc already knows the size of
> > > > the structure we
> > > > pass in here, and it is in fact shorter.
> > > 
> > > So gcc is ignoring both the cast (to 16 byte struct in6_addr) and
> > > the
> > > caller's actual 128 byte struct sockaddr_storage, and looking only
> > > at
> > > struct sockaddr? That seems really weird.
> > 
> > Using a sockaddr_storage on the stack would address the warning, but
> > the question was about just changing the hardcoded 16 to a sizeof()
> > operation, and that has no effect.
> 
> Right, I didn't mean that; I was curious why the fortify macro
> resulted in an error at all. The callers are casting from struct
> sockaddr_storage (large enough) to struct sockaddr (not large enough),
> and then the inline is casting back to sockaddr_in6 (large enough). I
> would have expected fortify to check either sockaddr_storage or
> sockaddr_in6, but not sockaddr.
> 
> -Kees
> 

I don't think that's quite what's happening. It will report unknown if
it can't find allocation sites or other guarantees of size. There are no
alloc_size markers yet so it *mostly* does stack / global checks. It
won't infer sizes based on pointer types. It's not a heuristic.

Hoowever, fortify / -fsanitize=object-size can indirectly uncover other
forms of undefined behavior though. Code may rely on doing something
undefined that GCC actively assumes can't happen for optimization. It
can have false positives due to dead code with the compile-time errors
but if the code is actually called with the size that it rejects as
invalid, then it's unlikely there isn't a bug.

next prev parent reply	other threads:[~2017-07-31 21:38 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-07-31  6:50 [PATCH] infiniband: avoid overflow warning Arnd Bergmann
2017-07-31  7:08 ` Moni Shoua
2017-07-31  7:30   ` Arnd Bergmann
2017-07-31 15:32     ` Bart Van Assche
2017-07-31 16:04       ` Arnd Bergmann
2017-07-31 16:17         ` Bart Van Assche
2017-07-31 19:19           ` Arnd Bergmann
2017-07-31 19:35             ` Daniel Micay
2017-07-31 20:58     ` Kees Cook
2017-07-31 21:10       ` Arnd Bergmann
2017-07-31 21:18         ` Kees Cook
2017-07-31 21:37           ` Daniel Micay [this message]
2017-07-31 21:52           ` Arnd Bergmann
2017-07-31 22:06             ` Kees Cook
2017-08-18 16:40 ` Doug Ledford

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1501537079.1180.3.camel@gmail.com \
    --to=danielmicay@gmail.com \
    --cc=Ariel.Elior@cavium.com \
    --cc=Michal.Kalderon@cavium.com \
    --cc=arnd@arndb.de \
    --cc=bart.vanassche@sandisk.com \
    --cc=davem@davemloft.net \
    --cc=dledford@redhat.com \
    --cc=hal.rosenstock@gmail.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-rdma@vger.kernel.org \
    --cc=monis@mellanox.com \
    --cc=noaos@mellanox.com \
    --cc=parav@mellanox.com \
    --cc=sean.hefty@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox