Re: [PATCH] jfs: Fix fortify moan in symlink

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Dr. David Alan Gilbert" <linux@treblig.org>
To: Kees Cook <keescook@chromium.org>
Cc: shaggy@kernel.org, jfs-discussion@lists.sourceforge.net,
	linux-kernel@vger.kernel.org,
	syzbot+5fc38b2ddbbca7f5c680@syzkaller.appspotmail.com
Subject: Re: [PATCH] jfs: Fix fortify moan in symlink
Date: Sat, 29 Oct 2022 13:48:05 +0100	[thread overview]
Message-ID: <Y10hBcMrAYPZzghw@gallifrey> (raw)
In-Reply-To: <202210281526.B32C79C4@keescook>

* Kees Cook (keescook@chromium.org) wrote:
> On Mon, Oct 24, 2022 at 07:49:17PM +0100, Dr. David Alan Gilbert wrote:
> > * Kees Cook (keescook@chromium.org) wrote:
> > > On Sat, Oct 22, 2022 at 09:39:14PM +0100, linux@treblig.org wrote:
> > > > From: "Dr. David Alan Gilbert" <linux@treblig.org>
> > > > 
> > > > JFS has in jfs_incore.h:
> > > > 
> > > >       /* _inline may overflow into _inline_ea when needed */
> > > >       /* _inline_ea may overlay the last part of
> > > >        * file._xtroot if maxentry = XTROOTINITSLOT
> > > >        */
> > > >       union {
> > > >         struct {
> > > >           /* 128: inline symlink */
> > > >           unchar _inline[128];
> > > >           /* 128: inline extended attr */
> > > >           unchar _inline_ea[128];
> > > >         };
> > > >         unchar _inline_all[256];
> > > > 
> > > > and currently the symlink code copies into _inline;
> > > > if this is larger than 128 bytes it triggers a fortify warning of the
> > > > form:
> > > > 
> > > >   memcpy: detected field-spanning write (size 132) of single field
> > > >      "ip->i_link" at fs/jfs/namei.c:950 (size 18446744073709551615)
> > > 
> > > Which compiler are you using for this build?
> > 
> > I think that report was the same on gcc on Fedora 37 and whatever
> > syzkaller was running.
> > 
> > > This size report (SIZE_MAX)
> > > should be impossible to reach. But also, the size is just wrong --
> > > i_inline is 128 bytes, not SIZE_MAX. So, the detection is working
> > > (132 > 128), but the report is broken, and I can't see how...
> > 
> > Yeh, and led me down a blind alley for a while thinking something had
> > really managed to screwup the strlen somehow.
> 
> This looks like a GCC bug (going at least back to GCC 10.2)[1], but some
> extra care around the macro appears to make it go away, so the reporting
> variable doesn't get confused/re-evaluated:

Thanks for chasing that; are you also going to file a gcc bug?

Dave

> diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
> index 09a032f6ce6b..9e2d96993c30 100644
> --- a/include/linux/fortify-string.h
> +++ b/include/linux/fortify-string.h
> @@ -550,13 +550,18 @@ __FORTIFY_INLINE bool fortify_memcpy_chk(__kernel_size_t size,
>  
>  #define __fortify_memcpy_chk(p, q, size, p_size, q_size,		\
>  			     p_size_field, q_size_field, op) ({		\
> -	size_t __fortify_size = (size_t)(size);				\
> -	WARN_ONCE(fortify_memcpy_chk(__fortify_size, p_size, q_size,	\
> -				     p_size_field, q_size_field, #op),	\
> +	const size_t __fortify_size = (size_t)(size);			\
> +	const size_t __p_size = (p_size);				\
> +	const size_t __q_size = (q_size);				\
> +	const size_t __p_size_field = (p_size_field);			\
> +	const size_t __q_size_field = (q_size_field);			\
> +	WARN_ONCE(fortify_memcpy_chk(__fortify_size, __p_size,		\
> +				     __q_size, __p_size_field,		\
> +				     __q_size_field, #op),		\
>  		  #op ": detected field-spanning write (size %zu) of single %s (size %zu)\n", \
>  		  __fortify_size,					\
>  		  "field \"" #p "\" at " __FILE__ ":" __stringify(__LINE__), \
> -		  p_size_field);					\
> +		  __p_size_field);					\
>  	__underlying_##op(p, q, __fortify_size);			\
>  })
>  
> 
> 
> [1] https://syzkaller.appspot.com/bug?id=23d613df5259b977dac1696bec77f61a85890e3d
> 
> -- 
> Kees Cook
-- 
 -----Open up your eyes, open up your mind, open up your code -------   
/ Dr. David Alan Gilbert    |       Running GNU/Linux       | Happy  \ 
\        dave @ treblig.org |                               | In Hex /
 \ _________________________|_____ http://www.treblig.org   |_______/

next prev parent reply	other threads:[~2022-10-29 12:48 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-22 20:39 [PATCH] jfs: Fix fortify moan in symlink linux
2022-10-24 17:28 ` Kees Cook
2022-10-24 18:49   ` Dr. David Alan Gilbert
2022-10-27 22:18     ` Dave Kleikamp
2022-10-28 22:56     ` Kees Cook
2022-10-29 12:48       ` Dr. David Alan Gilbert [this message]
2022-11-01 21:57         ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y10hBcMrAYPZzghw@gallifrey \
    --to=linux@treblig.org \
    --cc=jfs-discussion@lists.sourceforge.net \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=shaggy@kernel.org \
    --cc=syzbot+5fc38b2ddbbca7f5c680@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox