From: kernel test robot <lkp@intel.com>
To: Kees Cook <keescook@chromium.org>
Cc: kbuild-all@lists.01.org, linux-kernel@vger.kernel.org
Subject: [kees:kspp/memcpy/next-20210816/v2 34/63] include/linux/fortify-string.h:265:4: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()?
Date: Sat, 28 Aug 2021 16:55:29 +0800 [thread overview]
Message-ID: <202108281623.Fc90gBsN-lkp@intel.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 6290 bytes --]
tree: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git kspp/memcpy/next-20210816/v2
head: 0f0894ea4d0761cc43917960b4878fa3d1ed7a5f
commit: 1db8308d772a6ac9744a973ea07cbc811c608c04 [34/63] fortify: Detect struct member overflows in memcpy() at compile-time
config: x86_64-allyesconfig (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce (this is a W=1 build):
# https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?id=1db8308d772a6ac9744a973ea07cbc811c608c04
git remote add kees https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git
git fetch --no-tags kees kspp/memcpy/next-20210816/v2
git checkout 1db8308d772a6ac9744a973ea07cbc811c608c04
# save the attached .config to linux build tree
make W=1 ARCH=x86_64
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
In file included from include/linux/string.h:253,
from include/linux/bitmap.h:10,
from include/linux/cpumask.h:12,
from arch/x86/include/asm/cpumask.h:5,
from arch/x86/include/asm/msr.h:11,
from arch/x86/include/asm/processor.h:22,
from arch/x86/include/asm/cpufeature.h:5,
from arch/x86/include/asm/thread_info.h:53,
from include/linux/thread_info.h:60,
from arch/x86/include/asm/preempt.h:7,
from include/linux/preempt.h:78,
from include/linux/spinlock.h:51,
from include/linux/wait.h:9,
from include/linux/wait_bit.h:8,
from include/linux/fs.h:6,
from fs/ksmbd/ndr.c:7:
In function 'fortify_memcpy_chk',
inlined from 'ndr_read_string' at fs/ksmbd/ndr.c:86:2,
inlined from 'ndr_decode_dos_attr' at fs/ksmbd/ndr.c:167:2:
>> include/linux/fortify-string.h:265:4: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning]
265 | __write_overflow_field(p_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vim +/__write_overflow_field +265 include/linux/fortify-string.h
211
212 /*
213 * To make sure the compiler can enforce protection against buffer overflows,
214 * memcpy(), memmove(), and memset() must not be used beyond individual
215 * struct members. If you need to copy across multiple members, please use
216 * struct_group() to create a named mirror of an anonymous struct union.
217 * (e.g. see struct sk_buff.)
218 *
219 * Mitigation coverage
220 * Bounds checking at:
221 * +-------+-------+-------+-------+
222 * | Compile time | Run time |
223 * memcpy() argument sizes: | write | read | write | read |
224 * +-------+-------+-------+-------+
225 * memcpy(known, known, constant) | y | y | n/a | n/a |
226 * memcpy(unknown, known, constant) | n | y | V | n/a |
227 * memcpy(known, unknown, constant) | y | n | n/a | V |
228 * memcpy(unknown, unknown, constant) | n | n | V | V |
229 * memcpy(known, known, dynamic) | n | n | b | B |
230 * memcpy(unknown, known, dynamic) | n | n | V | B |
231 * memcpy(known, unknown, dynamic) | n | n | b | V |
232 * memcpy(unknown, unknown, dynamic) | n | n | V | V |
233 * +-------+-------+-------+-------+
234 *
235 * y = deterministic compile-time bounds checking
236 * n = cannot do deterministic compile-time bounds checking
237 * n/a = no run-time bounds checking needed since compile-time deterministic
238 * b = perform run-time bounds checking
239 * B = can perform run-time bounds checking, but current unenforced
240 * V = vulnerable to run-time overflow
241 *
242 */
243 __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size,
244 const size_t p_size,
245 const size_t q_size,
246 const size_t p_size_field,
247 const size_t q_size_field,
248 const char *func)
249 {
250 if (__builtin_constant_p(size)) {
251 /*
252 * Length argument is a constant expression, so we
253 * can perform compile-time bounds checking where
254 * buffer sizes are known.
255 */
256
257 /* Error when size is larger than enclosing struct. */
258 if (p_size > p_size_field && p_size < size)
259 __write_overflow();
260 if (q_size > q_size_field && q_size < size)
261 __read_overflow2();
262
263 /* Warn when write size argument larger than dest field. */
264 if (p_size_field < size)
> 265 __write_overflow_field(p_size_field, size);
266 /*
267 * Warn for source field over-read when building with W=1
268 * or when an over-write happened, so both can be fixed at
269 * the same time.
270 */
271 if ((IS_ENABLED(KBUILD_EXTRA_WARN1) || p_size_field < size) &&
272 q_size_field < size)
273 __read_overflow2_field(q_size_field, size);
274 }
275 /*
276 * At this point, length argument may not be a constant expression,
277 * so run-time bounds checking can be done where buffer sizes are
278 * known. (This is not an "else" because the above checks may only
279 * be compile-time warnings, and we want to still warn for run-time
280 * overflows.)
281 */
282
283 /*
284 * Always stop accesses beyond the struct that contains the
285 * field, when the buffer's remaining size is known.
286 * (The -1 test is to optimize away checks where the buffer
287 * lengths are unknown.)
288 */
289 if ((p_size != (size_t)(-1) && p_size < size) ||
290 (q_size != (size_t)(-1) && q_size < size))
291 fortify_panic(func);
292 }
293
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 66049 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: kernel test robot <lkp@intel.com>
To: kbuild-all@lists.01.org
Subject: [kees:kspp/memcpy/next-20210816/v2 34/63] include/linux/fortify-string.h:265:4: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()?
Date: Sat, 28 Aug 2021 16:55:29 +0800 [thread overview]
Message-ID: <202108281623.Fc90gBsN-lkp@intel.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 6421 bytes --]
tree: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git kspp/memcpy/next-20210816/v2
head: 0f0894ea4d0761cc43917960b4878fa3d1ed7a5f
commit: 1db8308d772a6ac9744a973ea07cbc811c608c04 [34/63] fortify: Detect struct member overflows in memcpy() at compile-time
config: x86_64-allyesconfig (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce (this is a W=1 build):
# https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?id=1db8308d772a6ac9744a973ea07cbc811c608c04
git remote add kees https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git
git fetch --no-tags kees kspp/memcpy/next-20210816/v2
git checkout 1db8308d772a6ac9744a973ea07cbc811c608c04
# save the attached .config to linux build tree
make W=1 ARCH=x86_64
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
In file included from include/linux/string.h:253,
from include/linux/bitmap.h:10,
from include/linux/cpumask.h:12,
from arch/x86/include/asm/cpumask.h:5,
from arch/x86/include/asm/msr.h:11,
from arch/x86/include/asm/processor.h:22,
from arch/x86/include/asm/cpufeature.h:5,
from arch/x86/include/asm/thread_info.h:53,
from include/linux/thread_info.h:60,
from arch/x86/include/asm/preempt.h:7,
from include/linux/preempt.h:78,
from include/linux/spinlock.h:51,
from include/linux/wait.h:9,
from include/linux/wait_bit.h:8,
from include/linux/fs.h:6,
from fs/ksmbd/ndr.c:7:
In function 'fortify_memcpy_chk',
inlined from 'ndr_read_string' at fs/ksmbd/ndr.c:86:2,
inlined from 'ndr_decode_dos_attr' at fs/ksmbd/ndr.c:167:2:
>> include/linux/fortify-string.h:265:4: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning]
265 | __write_overflow_field(p_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vim +/__write_overflow_field +265 include/linux/fortify-string.h
211
212 /*
213 * To make sure the compiler can enforce protection against buffer overflows,
214 * memcpy(), memmove(), and memset() must not be used beyond individual
215 * struct members. If you need to copy across multiple members, please use
216 * struct_group() to create a named mirror of an anonymous struct union.
217 * (e.g. see struct sk_buff.)
218 *
219 * Mitigation coverage
220 * Bounds checking at:
221 * +-------+-------+-------+-------+
222 * | Compile time | Run time |
223 * memcpy() argument sizes: | write | read | write | read |
224 * +-------+-------+-------+-------+
225 * memcpy(known, known, constant) | y | y | n/a | n/a |
226 * memcpy(unknown, known, constant) | n | y | V | n/a |
227 * memcpy(known, unknown, constant) | y | n | n/a | V |
228 * memcpy(unknown, unknown, constant) | n | n | V | V |
229 * memcpy(known, known, dynamic) | n | n | b | B |
230 * memcpy(unknown, known, dynamic) | n | n | V | B |
231 * memcpy(known, unknown, dynamic) | n | n | b | V |
232 * memcpy(unknown, unknown, dynamic) | n | n | V | V |
233 * +-------+-------+-------+-------+
234 *
235 * y = deterministic compile-time bounds checking
236 * n = cannot do deterministic compile-time bounds checking
237 * n/a = no run-time bounds checking needed since compile-time deterministic
238 * b = perform run-time bounds checking
239 * B = can perform run-time bounds checking, but current unenforced
240 * V = vulnerable to run-time overflow
241 *
242 */
243 __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size,
244 const size_t p_size,
245 const size_t q_size,
246 const size_t p_size_field,
247 const size_t q_size_field,
248 const char *func)
249 {
250 if (__builtin_constant_p(size)) {
251 /*
252 * Length argument is a constant expression, so we
253 * can perform compile-time bounds checking where
254 * buffer sizes are known.
255 */
256
257 /* Error when size is larger than enclosing struct. */
258 if (p_size > p_size_field && p_size < size)
259 __write_overflow();
260 if (q_size > q_size_field && q_size < size)
261 __read_overflow2();
262
263 /* Warn when write size argument larger than dest field. */
264 if (p_size_field < size)
> 265 __write_overflow_field(p_size_field, size);
266 /*
267 * Warn for source field over-read when building with W=1
268 * or when an over-write happened, so both can be fixed at
269 * the same time.
270 */
271 if ((IS_ENABLED(KBUILD_EXTRA_WARN1) || p_size_field < size) &&
272 q_size_field < size)
273 __read_overflow2_field(q_size_field, size);
274 }
275 /*
276 * At this point, length argument may not be a constant expression,
277 * so run-time bounds checking can be done where buffer sizes are
278 * known. (This is not an "else" because the above checks may only
279 * be compile-time warnings, and we want to still warn for run-time
280 * overflows.)
281 */
282
283 /*
284 * Always stop accesses beyond the struct that contains the
285 * field, when the buffer's remaining size is known.
286 * (The -1 test is to optimize away checks where the buffer
287 * lengths are unknown.)
288 */
289 if ((p_size != (size_t)(-1) && p_size < size) ||
290 (q_size != (size_t)(-1) && q_size < size))
291 fortify_panic(func);
292 }
293
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 66049 bytes --]
next reply other threads:[~2021-08-28 8:56 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-28 8:55 kernel test robot [this message]
2021-08-28 8:55 ` [kees:kspp/memcpy/next-20210816/v2 34/63] include/linux/fortify-string.h:265:4: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? kernel test robot
2021-08-28 10:42 ` Namjae Jeon
2021-08-28 10:42 ` Namjae Jeon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202108281623.Fc90gBsN-lkp@intel.com \
--to=lkp@intel.com \
--cc=kbuild-all@lists.01.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.