* [PATCH] ch: Do not read past the end of vendor_labels[]
@ 2020-06-29 16:10 Bart Van Assche
2020-06-29 18:33 ` Arnd Bergmann
0 siblings, 1 reply; 4+ messages in thread
From: Bart Van Assche @ 2020-06-29 16:10 UTC (permalink / raw)
To: Martin K . Petersen, James E . J . Bottomley
Cc: linux-scsi, Bart Van Assche, Hannes Reinecke, Arnd Bergmann
This patch fixes the following gcc 10 compiler error:
In function 'memcpy',
inlined from 'ch_ioctl' at drivers/scsi/ch.c:666:4:
./include/linux/string.h:377:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
377 | __read_overflow2();
| ^~~~~~~~~~~~~~~~~~
Cc: Hannes Reinecke <hare@suse.de>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
---
drivers/scsi/ch.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/ch.c b/drivers/scsi/ch.c
index b81b397366db..b675a01380eb 100644
--- a/drivers/scsi/ch.c
+++ b/drivers/scsi/ch.c
@@ -651,19 +651,23 @@ static long ch_ioctl(struct file *file,
memset(&vparams,0,sizeof(vparams));
if (ch->counts[CHET_V1]) {
vparams.cvp_n1 = ch->counts[CHET_V1];
- memcpy(vparams.cvp_label1,vendor_labels[0],16);
+ strncpy(vparams.cvp_label1, vendor_labels[0],
+ ARRAY_SIZE(vparams.cvp_label1));
}
if (ch->counts[CHET_V2]) {
vparams.cvp_n2 = ch->counts[CHET_V2];
- memcpy(vparams.cvp_label2,vendor_labels[1],16);
+ strncpy(vparams.cvp_label2, vendor_labels[1],
+ ARRAY_SIZE(vparams.cvp_label2));
}
if (ch->counts[CHET_V3]) {
vparams.cvp_n3 = ch->counts[CHET_V3];
- memcpy(vparams.cvp_label3,vendor_labels[2],16);
+ strncpy(vparams.cvp_label3, vendor_labels[2],
+ ARRAY_SIZE(vparams.cvp_label3));
}
if (ch->counts[CHET_V4]) {
vparams.cvp_n4 = ch->counts[CHET_V4];
- memcpy(vparams.cvp_label4,vendor_labels[3],16);
+ strncpy(vparams.cvp_label4, vendor_labels[3],
+ ARRAY_SIZE(vparams.cvp_label4));
}
if (copy_to_user(argp, &vparams, sizeof(vparams)))
return -EFAULT;
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] ch: Do not read past the end of vendor_labels[]
2020-06-29 16:10 [PATCH] ch: Do not read past the end of vendor_labels[] Bart Van Assche
@ 2020-06-29 18:33 ` Arnd Bergmann
2020-06-29 19:26 ` Bart Van Assche
0 siblings, 1 reply; 4+ messages in thread
From: Arnd Bergmann @ 2020-06-29 18:33 UTC (permalink / raw)
To: Bart Van Assche
Cc: Martin K . Petersen, James E . J . Bottomley, linux-scsi,
Hannes Reinecke
On Mon, Jun 29, 2020 at 6:11 PM Bart Van Assche <bvanassche@acm.org> wrote:
>
> This patch fixes the following gcc 10 compiler error:
>
> In function 'memcpy',
> inlined from 'ch_ioctl' at drivers/scsi/ch.c:666:4:
> ./include/linux/string.h:377:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
> 377 | __read_overflow2();
> | ^~~~~~~~~~~~~~~~~~
>
> Cc: Hannes Reinecke <hare@suse.de>
> Cc: Arnd Bergmann <arnd@arndb.de>
> Signed-off-by: Bart Van Assche <bvanassche@acm.org>
> ---
> drivers/scsi/ch.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/scsi/ch.c b/drivers/scsi/ch.c
> index b81b397366db..b675a01380eb 100644
> --- a/drivers/scsi/ch.c
> +++ b/drivers/scsi/ch.c
> @@ -651,19 +651,23 @@ static long ch_ioctl(struct file *file,
> memset(&vparams,0,sizeof(vparams));
> if (ch->counts[CHET_V1]) {
> vparams.cvp_n1 = ch->counts[CHET_V1];
> - memcpy(vparams.cvp_label1,vendor_labels[0],16);
> + strncpy(vparams.cvp_label1, vendor_labels[0],
> + ARRAY_SIZE(vparams.cvp_label1));
> }
Against which tree is this? I see in mainline the correct
strncpy(vparams.cvp_label1,vendor_labels[0],16);
rather than the broken memcpy. If this was changed recently to the
broken version, maybe send a revert, or add a "Fixes" tag?
Arnd
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] ch: Do not read past the end of vendor_labels[]
2020-06-29 18:33 ` Arnd Bergmann
@ 2020-06-29 19:26 ` Bart Van Assche
2020-06-29 19:45 ` Arnd Bergmann
0 siblings, 1 reply; 4+ messages in thread
From: Bart Van Assche @ 2020-06-29 19:26 UTC (permalink / raw)
To: Arnd Bergmann
Cc: Martin K . Petersen, James E . J . Bottomley, linux-scsi,
Hannes Reinecke
On 2020-06-29 11:33, Arnd Bergmann wrote:
> On Mon, Jun 29, 2020 at 6:11 PM Bart Van Assche <bvanassche@acm.org> wrote:
>> diff --git a/drivers/scsi/ch.c b/drivers/scsi/ch.c
>> index b81b397366db..b675a01380eb 100644
>> --- a/drivers/scsi/ch.c
>> +++ b/drivers/scsi/ch.c
>> @@ -651,19 +651,23 @@ static long ch_ioctl(struct file *file,
>> memset(&vparams,0,sizeof(vparams));
>> if (ch->counts[CHET_V1]) {
>> vparams.cvp_n1 = ch->counts[CHET_V1];
>> - memcpy(vparams.cvp_label1,vendor_labels[0],16);
>> + strncpy(vparams.cvp_label1, vendor_labels[0],
>> + ARRAY_SIZE(vparams.cvp_label1));
>> }
>
> Against which tree is this? I see in mainline the correct
>
> strncpy(vparams.cvp_label1,vendor_labels[0],16);
>
> rather than the broken memcpy. If this was changed recently to the
> broken version, maybe send a revert, or add a "Fixes" tag?
Hi Arnd,
Thanks for having taken a look. This patch applies to Martin's for-next
branch. The most recent ch patch I found in Linus' master branch is "ch:
remove ch_mutex()" from February 2020. I haven't found any more recent
ch patches in the linux-next/master branch either. Have I perhaps been
looking at the wrong repository or the wrong branch?
Thanks,
Bart.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] ch: Do not read past the end of vendor_labels[]
2020-06-29 19:26 ` Bart Van Assche
@ 2020-06-29 19:45 ` Arnd Bergmann
0 siblings, 0 replies; 4+ messages in thread
From: Arnd Bergmann @ 2020-06-29 19:45 UTC (permalink / raw)
To: Bart Van Assche
Cc: Martin K . Petersen, James E . J . Bottomley, linux-scsi,
Hannes Reinecke
On Mon, Jun 29, 2020 at 9:26 PM Bart Van Assche <bvanassche@acm.org> wrote:
> On 2020-06-29 11:33, Arnd Bergmann wrote:
> > On Mon, Jun 29, 2020 at 6:11 PM Bart Van Assche <bvanassche@acm.org> wrote:
> >> diff --git a/drivers/scsi/ch.c b/drivers/scsi/ch.c
> >> index b81b397366db..b675a01380eb 100644
> >> --- a/drivers/scsi/ch.c
> >> +++ b/drivers/scsi/ch.c
> >> @@ -651,19 +651,23 @@ static long ch_ioctl(struct file *file,
> >> memset(&vparams,0,sizeof(vparams));
> >> if (ch->counts[CHET_V1]) {
> >> vparams.cvp_n1 = ch->counts[CHET_V1];
> >> - memcpy(vparams.cvp_label1,vendor_labels[0],16);
> >> + strncpy(vparams.cvp_label1, vendor_labels[0],
> >> + ARRAY_SIZE(vparams.cvp_label1));
> >> }
> >
> > Against which tree is this? I see in mainline the correct
> >
> > strncpy(vparams.cvp_label1,vendor_labels[0],16);
> >
> > rather than the broken memcpy. If this was changed recently to the
> > broken version, maybe send a revert, or add a "Fixes" tag?
>
> Hi Arnd,
>
> Thanks for having taken a look. This patch applies to Martin's for-next
> branch. The most recent ch patch I found in Linus' master branch is "ch:
> remove ch_mutex()" from February 2020. I haven't found any more recent
> ch patches in the linux-next/master branch either. Have I perhaps been
> looking at the wrong repository or the wrong branch?
That is the right branch, and I don't see any later changes to the file
after Feb 2020 in there or in mainline either, but I also clearly see it
using strncpy(). See also:
https://elixir.bootlin.com/linux/v5.8-rc3/source/drivers/scsi/ch.c#L647
I think there were some patches under discussion about replacing
a lot of strncpy() calls with the more intuitive memcpy(), strnlcpy()
or strscpy() alternatives, but in this case strncpy() in in fact the
correct one (as you also concluded) and I don't see any patches to
this file getting applied to that effect.
Arnd
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-06-29 21:43 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-29 16:10 [PATCH] ch: Do not read past the end of vendor_labels[] Bart Van Assche
2020-06-29 18:33 ` Arnd Bergmann
2020-06-29 19:26 ` Bart Van Assche
2020-06-29 19:45 ` Arnd Bergmann
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).