From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 943C5C433FE for ; Tue, 11 Oct 2022 15:37:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230346AbiJKPg7 (ORCPT ); Tue, 11 Oct 2022 11:36:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40620 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231153AbiJKPgl (ORCPT ); Tue, 11 Oct 2022 11:36:41 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DDEAB2613F; Tue, 11 Oct 2022 08:25:58 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 54C02611CB; Tue, 11 Oct 2022 15:25:27 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A4C7DC433C1; Tue, 11 Oct 2022 15:25:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1665501926; bh=zigySSphTJZp9lr24dvtduewqmrbx3E1Xf1G7eWmO9Q=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=e9zMjpEwpvHxazOA8ZaJCtOyU4VtdurNaMqfkh7bZsv98bs4w332p9srfLLsfEEQK BIKeyPPOwaolUQKnga5Np/wSEecoMqQXU/FAyKZroOhfNMXKuCbCFWOS4M56XdSy80 f4Bzv6aPnCTiLnDpH7ckeq6V9scPDm47uwmNQXPKoA8Y4M/97cF5GxLiEAV08ecysZ 89oKV7qsGvU797Ls8C5AHIGtGSXLlD0ZVCxRzmKbY15oMlnZ4Dq0M1Q655UXm4TnsO KhdcI6JLEO4FFWlB+gYn6fTVJ97ACBBUtlqa5Q99BoH2s5XAzi0ke5LUtCe0knr7KH HmYV4GmdTmB/g== Date: Tue, 11 Oct 2022 10:25:16 -0500 From: "Gustavo A. R. Silva" To: Kees Cook Cc: Trond Myklebust , kernel test robot , Anna Schumaker , linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH] NFS: Avoid memcpy() run-time warning for struct sockaddr overflows Message-ID: References: <20221011065243.583650-1-keescook@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20221011065243.583650-1-keescook@chromium.org> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 10, 2022 at 11:52:43PM -0700, Kees Cook wrote: > The 'nfs_server' and 'mount_server' structures include a union of > 'struct sockaddr' (with the older 16 bytes max address size) and > 'struct sockaddr_storage' which is large enough to hold all the supported > sa_family types (128 bytes max size). The runtime memcpy() buffer overflow > checker is seeing attempts to write beyond the 16 bytes as an overflow, > but the actual expected size is that of 'struct sockaddr_storage'. Adjust > the pointers to the correct union member. Avoids this false positive > run-time warning under CONFIG_FORTIFY_SOURCE: > > memcpy: detected field-spanning write (size 28) of single field "&ctx->nfs_server.address" at fs/nfs/namespace.c:178 (size 16) > > Reported-by: kernel test robot > Link: https://lore.kernel.org/all/202210110948.26b43120-yujie.liu@intel.com > Cc: Trond Myklebust > Cc: Anna Schumaker > Cc: linux-nfs@vger.kernel.org > Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks! -- Gustavo > --- > fs/nfs/fs_context.c | 2 +- > fs/nfs/namespace.c | 2 +- > fs/nfs/super.c | 4 ++-- > 3 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/fs/nfs/fs_context.c b/fs/nfs/fs_context.c > index 4da701fd1424..bffa31bb35b9 100644 > --- a/fs/nfs/fs_context.c > +++ b/fs/nfs/fs_context.c > @@ -1540,7 +1540,7 @@ static int nfs_init_fs_context(struct fs_context *fc) > ctx->version = nfss->nfs_client->rpc_ops->version; > ctx->minorversion = nfss->nfs_client->cl_minorversion; > > - memcpy(&ctx->nfs_server.address, &nfss->nfs_client->cl_addr, > + memcpy(&ctx->nfs_server._address, &nfss->nfs_client->cl_addr, > ctx->nfs_server.addrlen); > > if (fc->net_ns != net) { > diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c > index 3295af4110f1..2f336ace7555 100644 > --- a/fs/nfs/namespace.c > +++ b/fs/nfs/namespace.c > @@ -175,7 +175,7 @@ struct vfsmount *nfs_d_automount(struct path *path) > } > > /* for submounts we want the same server; referrals will reassign */ > - memcpy(&ctx->nfs_server.address, &client->cl_addr, client->cl_addrlen); > + memcpy(&ctx->nfs_server._address, &client->cl_addr, client->cl_addrlen); > ctx->nfs_server.addrlen = client->cl_addrlen; > ctx->nfs_server.port = server->port; > > diff --git a/fs/nfs/super.c b/fs/nfs/super.c > index 82944e14fcea..8ea7dfdea427 100644 > --- a/fs/nfs/super.c > +++ b/fs/nfs/super.c > @@ -823,7 +823,7 @@ static int nfs_request_mount(struct fs_context *fc, > struct nfs_fs_context *ctx = nfs_fc2context(fc); > struct nfs_mount_request request = { > .sap = (struct sockaddr *) > - &ctx->mount_server.address, > + &ctx->mount_server._address, > .dirpath = ctx->nfs_server.export_path, > .protocol = ctx->mount_server.protocol, > .fh = root_fh, > @@ -854,7 +854,7 @@ static int nfs_request_mount(struct fs_context *fc, > * Construct the mount server's address. > */ > if (ctx->mount_server.address.sa_family == AF_UNSPEC) { > - memcpy(request.sap, &ctx->nfs_server.address, > + memcpy(request.sap, &ctx->nfs_server._address, > ctx->nfs_server.addrlen); > ctx->mount_server.addrlen = ctx->nfs_server.addrlen; > } > -- > 2.34.1 >