From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 729A3C4332F for ; Tue, 11 Oct 2022 16:38:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229721AbiJKQiU (ORCPT ); Tue, 11 Oct 2022 12:38:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37522 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229508AbiJKQiS (ORCPT ); Tue, 11 Oct 2022 12:38:18 -0400 Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CF0F4A0337 for ; Tue, 11 Oct 2022 09:38:16 -0700 (PDT) Received: by mail-pl1-x62d.google.com with SMTP id c24so13739347plo.3 for ; Tue, 11 Oct 2022 09:38:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=+pJIEIqUm9cUj1SmYNhJXGpR39cH9SzoM6WilMBeHUU=; b=RI4IIQSaXvRAb3D7QnzzQgHHdlPdXjhRr76L6bS2fFS2B2K0X0E2GmmJxgwx/qLV3l yAYEdEGcpr+zjx1++mP03jsZr9PabHIvXRlMg7Bq5mh0PEqRzXt+hxsXKh6bH7ySHKEU GW5JFVv57eZRspJ2mU2BPpnuIaaEEy3NZsLp4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=+pJIEIqUm9cUj1SmYNhJXGpR39cH9SzoM6WilMBeHUU=; b=RI40yiCUTPtQWJQwbjNKMOVXL/xhoqGSr4XxbSb9qDFFya5aNZ+T4zNyA8JOF+LHiv OAtlLZuK8KL3mOh9qGbrINucNDQiyA4357E8uXUzWytOAMWIePtOxkfe4KblDfcEVT5R mFuGe6exT1NiJ18geRMFCDwwpIXsBl8Yt6oiVcnB4WF23O8Ob3KwDF/Ea6PBZWl7uQey 8JWitCfKK4s8sOSnDXucTEZX8MIIDmp0GQHhfFSn6E0mCb6EmA9iTHfyOc+3VbS/4++n Yjt9tHRV8JGp0Ge3cutPz9VKsS+MLtpUd2ZGqpeQ8v4BdEGXIvnA6KuARrTZ1kFCK5p3 NzmA== X-Gm-Message-State: ACrzQf1bObjNQDUXudqTv9Vf157MOT0b4ikuMkoQO3le0svp977L9wvB lxqKGmp6OQ/QmcPjaRbpri8HTQ== X-Google-Smtp-Source: AMsMyM6B0D0fQ6NLX5y+52iwlwAK3HZGC+HhYAnBPVJ76NqrBUDrJeJIbYTwa3ClTfrHZ7hH8lrL/Q== X-Received: by 2002:a17:902:b94c:b0:178:336f:13d6 with SMTP id h12-20020a170902b94c00b00178336f13d6mr26369645pls.64.1665506296312; Tue, 11 Oct 2022 09:38:16 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id s15-20020a170902ea0f00b0016d72804664sm8881631plg.205.2022.10.11.09.38.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Oct 2022 09:38:15 -0700 (PDT) Date: Tue, 11 Oct 2022 09:38:14 -0700 From: Kees Cook To: "Gustavo A. R. Silva" , Trond Myklebust Cc: kernel test robot , Anna Schumaker , linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH] NFS: Avoid memcpy() run-time warning for struct sockaddr overflows Message-ID: <202210110934.AA4F52C77@keescook> References: <20221011065243.583650-1-keescook@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 11, 2022 at 10:25:16AM -0500, Gustavo A. R. Silva wrote: > On Mon, Oct 10, 2022 at 11:52:43PM -0700, Kees Cook wrote: > > The 'nfs_server' and 'mount_server' structures include a union of > > 'struct sockaddr' (with the older 16 bytes max address size) and > > 'struct sockaddr_storage' which is large enough to hold all the supported > > sa_family types (128 bytes max size). The runtime memcpy() buffer overflow > > checker is seeing attempts to write beyond the 16 bytes as an overflow, > > but the actual expected size is that of 'struct sockaddr_storage'. Adjust > > the pointers to the correct union member. Avoids this false positive > > run-time warning under CONFIG_FORTIFY_SOURCE: > > > > memcpy: detected field-spanning write (size 28) of single field "&ctx->nfs_server.address" at fs/nfs/namespace.c:178 (size 16) > > > > Reported-by: kernel test robot > > Link: https://lore.kernel.org/all/202210110948.26b43120-yujie.liu@intel.com > > Cc: Trond Myklebust > > Cc: Anna Schumaker > > Cc: linux-nfs@vger.kernel.org > > Signed-off-by: Kees Cook > > Reviewed-by: Gustavo A. R. Silva Thanks! > > --- > > fs/nfs/fs_context.c | 2 +- > > fs/nfs/namespace.c | 2 +- > > fs/nfs/super.c | 4 ++-- > > 3 files changed, 4 insertions(+), 4 deletions(-) > > > > diff --git a/fs/nfs/fs_context.c b/fs/nfs/fs_context.c > > index 4da701fd1424..bffa31bb35b9 100644 > > --- a/fs/nfs/fs_context.c > > +++ b/fs/nfs/fs_context.c > > @@ -1540,7 +1540,7 @@ static int nfs_init_fs_context(struct fs_context *fc) > > ctx->version = nfss->nfs_client->rpc_ops->version; > > ctx->minorversion = nfss->nfs_client->cl_minorversion; > > > > - memcpy(&ctx->nfs_server.address, &nfss->nfs_client->cl_addr, > > + memcpy(&ctx->nfs_server._address, &nfss->nfs_client->cl_addr, > > ctx->nfs_server.addrlen); So, I spent a bunch more time looking at the plumbing of struct sockaddr vs struct sockaddr_storage. In NFS, everything I could find is actually already backed by a full sockaddr_storage, so I think a more complete fix here would actually be to update all the internals to pass sockaddr_storage instead of sockaddr. The interfaces to other things (e.g. rpc) can cast back to sockaddr for now. It is a pretty reasonable cleanup, IMO. I'll send a follow-up that makes this change on top of this patch, though they could be squashed if that was desired. -- Kees Cook