* [kees:flexcpy/next-20220502 6/34] net/ipv4/ip_options.c:154 __ip_options_echo() warn: potential spectre issue 'start' [r]
@ 2022-05-04 10:25 kernel test robot
From: kernel test robot @ 2022-05-04 10:25 UTC (permalink / raw)
  To: kbuild

[-- Attachment #1: Type: text/plain, Size: 11576 bytes --]

CC: kbuild-all(a)lists.01.org
BCC: lkp(a)intel.com
CC: linux-kernel(a)vger.kernel.org
TO: Kees Cook <keescook@chromium.org>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git flexcpy/next-20220502
head:   1dbd8181297512b190aca23477043ac635daba4e
commit: f72034cf9d13b64d3d457b6da825bde7fe758a27 [6/34] fortify: Add run-time WARN for cross-field memcpy()
:::::: branch date: 9 hours ago
:::::: commit date: 9 hours ago
config: x86_64-randconfig-m001 (https://download.01.org/0day-ci/archive/20220504/202205041839.lCNMvkmN-lkp(a)intel.com/config)
compiler: gcc-11 (Debian 11.2.0-20) 11.2.0

If you fix the issue, kindly add the following tags as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

New smatch warnings:
net/ipv4/ip_options.c:154 __ip_options_echo() warn: potential spectre issue 'start' [r]
net/ipv4/ip_options.c:616 ip_options_rcv_srr() warn: potential spectre issue 'optptr' [r]

Old smatch warnings:
net/ipv4/ip_options.c:547 ip_forward_options() warn: potential spectre issue 'optptr' [w]
net/ipv4/ip_options.c:556 ip_forward_options() warn: possible spectre second half.  'srrptr'
net/ipv4/ip_options.c:556 ip_forward_options() warn: possible spectre second half.  'srrspace'

vim +/start +154 net/ipv4/ip_options.c

^1da177e4c3f41 Linus Torvalds           2005-04-16   67  
^1da177e4c3f41 Linus Torvalds           2005-04-16   68  /*
^1da177e4c3f41 Linus Torvalds           2005-04-16   69   * Provided (sopt, skb) points to received options,
^1da177e4c3f41 Linus Torvalds           2005-04-16   70   * build in dopt compiled option set appropriate for answering.
^1da177e4c3f41 Linus Torvalds           2005-04-16   71   * i.e. invert SRR option, copy anothers,
^1da177e4c3f41 Linus Torvalds           2005-04-16   72   * and grab room in RR/TS options.
^1da177e4c3f41 Linus Torvalds           2005-04-16   73   *
^1da177e4c3f41 Linus Torvalds           2005-04-16   74   * NOTE: dopt cannot point to skb.
^1da177e4c3f41 Linus Torvalds           2005-04-16   75   */
^1da177e4c3f41 Linus Torvalds           2005-04-16   76  
                                                         /*
                                                          * Review notes (added to the listing, not part of the blamed source):
                                                          * - optlen and soffset are loaded from bytes of the received header
                                                          *   (sptr[...+1], sptr[...+2], start[1], start[2]); sopt->rr, ->ts,
                                                          *   ->srr and ->cipso are used as offsets from skb_network_header(skb).
                                                          * - Nothing in this function bounds those offsets or lengths against
                                                          *   the size of the received header or of dopt->__data; presumably
                                                          *   sopt was validated when the options were parsed -- confirm against
                                                          *   the callers.
                                                          * - Returns 0 on success, or -EINVAL when a slot that must be reserved
                                                          *   in the RR/TS option does not fit (soffset + 3 > optlen).
                                                          */
91ed1e666a4ea2 Paolo Abeni              2017-08-03   77  int __ip_options_echo(struct net *net, struct ip_options *dopt,
91ed1e666a4ea2 Paolo Abeni              2017-08-03   78  		      struct sk_buff *skb, const struct ip_options *sopt)
^1da177e4c3f41 Linus Torvalds           2005-04-16   79  {
^1da177e4c3f41 Linus Torvalds           2005-04-16   80  	unsigned char *sptr, *dptr;
^1da177e4c3f41 Linus Torvalds           2005-04-16   81  	int soffset, doffset;
^1da177e4c3f41 Linus Torvalds           2005-04-16   82  	int	optlen;
^1da177e4c3f41 Linus Torvalds           2005-04-16   83  
                                                         	/* Start from an empty option set; every field is rebuilt below. */
^1da177e4c3f41 Linus Torvalds           2005-04-16   84  	memset(dopt, 0, sizeof(struct ip_options));
^1da177e4c3f41 Linus Torvalds           2005-04-16   85  
f6d8bd051c391c Eric Dumazet             2011-04-21   86  	if (sopt->optlen == 0)
^1da177e4c3f41 Linus Torvalds           2005-04-16   87  		return 0;
^1da177e4c3f41 Linus Torvalds           2005-04-16   88  
                                                         	/* sptr: received network header; dptr: write cursor in the reply. */
d56f90a7c96da5 Arnaldo Carvalho de Melo 2007-04-10   89  	sptr = skb_network_header(skb);
^1da177e4c3f41 Linus Torvalds           2005-04-16   90  	dptr = dopt->__data;
^1da177e4c3f41 Linus Torvalds           2005-04-16   91  
^1da177e4c3f41 Linus Torvalds           2005-04-16   92  	if (sopt->rr) {
                                                         		/* Length and pointer bytes are taken from the received option. */
^1da177e4c3f41 Linus Torvalds           2005-04-16   93  		optlen  = sptr[sopt->rr+1];
^1da177e4c3f41 Linus Torvalds           2005-04-16   94  		soffset = sptr[sopt->rr+2];
^1da177e4c3f41 Linus Torvalds           2005-04-16   95  		dopt->rr = dopt->optlen + sizeof(struct iphdr);
                                                         		/* Copy the whole option, then patch its pointer byte in the copy. */
^1da177e4c3f41 Linus Torvalds           2005-04-16   96  		memcpy(dptr, sptr+sopt->rr, optlen);
^1da177e4c3f41 Linus Torvalds           2005-04-16   97  		if (sopt->rr_needaddr && soffset <= optlen) {
^1da177e4c3f41 Linus Torvalds           2005-04-16   98  			if (soffset + 3 > optlen)
^1da177e4c3f41 Linus Torvalds           2005-04-16   99  				return -EINVAL;
                                                         			/* Advance the pointer by one 4-byte slot ("grab room"). */
^1da177e4c3f41 Linus Torvalds           2005-04-16  100  			dptr[2] = soffset + 4;
^1da177e4c3f41 Linus Torvalds           2005-04-16  101  			dopt->rr_needaddr = 1;
^1da177e4c3f41 Linus Torvalds           2005-04-16  102  		}
^1da177e4c3f41 Linus Torvalds           2005-04-16  103  		dptr += optlen;
^1da177e4c3f41 Linus Torvalds           2005-04-16  104  		dopt->optlen += optlen;
^1da177e4c3f41 Linus Torvalds           2005-04-16  105  	}
^1da177e4c3f41 Linus Torvalds           2005-04-16  106  	if (sopt->ts) {
                                                         		/* Same pattern as RR: copy first, then adjust the copied pointer. */
^1da177e4c3f41 Linus Torvalds           2005-04-16  107  		optlen = sptr[sopt->ts+1];
^1da177e4c3f41 Linus Torvalds           2005-04-16  108  		soffset = sptr[sopt->ts+2];
^1da177e4c3f41 Linus Torvalds           2005-04-16  109  		dopt->ts = dopt->optlen + sizeof(struct iphdr);
^1da177e4c3f41 Linus Torvalds           2005-04-16  110  		memcpy(dptr, sptr+sopt->ts, optlen);
^1da177e4c3f41 Linus Torvalds           2005-04-16  111  		if (soffset <= optlen) {
^1da177e4c3f41 Linus Torvalds           2005-04-16  112  			if (sopt->ts_needaddr) {
^1da177e4c3f41 Linus Torvalds           2005-04-16  113  				if (soffset + 3 > optlen)
^1da177e4c3f41 Linus Torvalds           2005-04-16  114  					return -EINVAL;
^1da177e4c3f41 Linus Torvalds           2005-04-16  115  				dopt->ts_needaddr = 1;
^1da177e4c3f41 Linus Torvalds           2005-04-16  116  				soffset += 4;
^1da177e4c3f41 Linus Torvalds           2005-04-16  117  			}
^1da177e4c3f41 Linus Torvalds           2005-04-16  118  			if (sopt->ts_needtime) {
^1da177e4c3f41 Linus Torvalds           2005-04-16  119  				if (soffset + 3 > optlen)
^1da177e4c3f41 Linus Torvalds           2005-04-16  120  					return -EINVAL;
                                                         				/* Low nibble of byte 3 of the copied option selects the mode. */
^1da177e4c3f41 Linus Torvalds           2005-04-16  121  				if ((dptr[3]&0xF) != IPOPT_TS_PRESPEC) {
^1da177e4c3f41 Linus Torvalds           2005-04-16  122  					dopt->ts_needtime = 1;
^1da177e4c3f41 Linus Torvalds           2005-04-16  123  					soffset += 4;
^1da177e4c3f41 Linus Torvalds           2005-04-16  124  				} else {
^1da177e4c3f41 Linus Torvalds           2005-04-16  125  					dopt->ts_needtime = 0;
^1da177e4c3f41 Linus Torvalds           2005-04-16  126  
8628bd8af7c4c1 Jan Luebbe               2011-03-24  127  					if (soffset + 7 <= optlen) {
fd683222097480 Al Viro                  2006-09-26  128  						__be32 addr;
^1da177e4c3f41 Linus Torvalds           2005-04-16  129  
                                                         						/* Read 4 bytes at index soffset-1 of the copy in dopt. */
8628bd8af7c4c1 Jan Luebbe               2011-03-24  130  						memcpy(&addr, dptr+soffset-1, 4);
91ed1e666a4ea2 Paolo Abeni              2017-08-03  131  						if (inet_addr_type(net, addr) != RTN_UNICAST) {
^1da177e4c3f41 Linus Torvalds           2005-04-16  132  							dopt->ts_needtime = 1;
^1da177e4c3f41 Linus Torvalds           2005-04-16  133  							soffset += 8;
^1da177e4c3f41 Linus Torvalds           2005-04-16  134  						}
^1da177e4c3f41 Linus Torvalds           2005-04-16  135  					}
^1da177e4c3f41 Linus Torvalds           2005-04-16  136  				}
^1da177e4c3f41 Linus Torvalds           2005-04-16  137  			}
^1da177e4c3f41 Linus Torvalds           2005-04-16  138  			dptr[2] = soffset;
^1da177e4c3f41 Linus Torvalds           2005-04-16  139  		}
^1da177e4c3f41 Linus Torvalds           2005-04-16  140  		dptr += optlen;
^1da177e4c3f41 Linus Torvalds           2005-04-16  141  		dopt->optlen += optlen;
^1da177e4c3f41 Linus Torvalds           2005-04-16  142  	}
^1da177e4c3f41 Linus Torvalds           2005-04-16  143  	if (sopt->srr) {
^1da177e4c3f41 Linus Torvalds           2005-04-16  144  		unsigned char *start = sptr+sopt->srr;
3ca3c68e76686b Al Viro                  2006-09-27  145  		__be32 faddr;
^1da177e4c3f41 Linus Torvalds           2005-04-16  146  
                                                         		/*
                                                         		 * Both values are packet bytes. The pointer is clamped to
                                                         		 * optlen + 1 and then moved back by one 4-byte address.
                                                         		 */
^1da177e4c3f41 Linus Torvalds           2005-04-16  147  		optlen  = start[1];
^1da177e4c3f41 Linus Torvalds           2005-04-16  148  		soffset = start[2];
^1da177e4c3f41 Linus Torvalds           2005-04-16  149  		doffset = 0;
^1da177e4c3f41 Linus Torvalds           2005-04-16  150  		if (soffset > optlen)
^1da177e4c3f41 Linus Torvalds           2005-04-16  151  			soffset = optlen + 1;
^1da177e4c3f41 Linus Torvalds           2005-04-16  152  		soffset -= 4;
^1da177e4c3f41 Linus Torvalds           2005-04-16  153  		if (soffset > 3) {
                                                         			/*
                                                         			 * Line flagged by smatch ("potential spectre issue 'start' [r]"):
                                                         			 * the index soffset-1 derives from the packet byte start[2] and
                                                         			 * is limited only by the comparisons above; no index masking is
                                                         			 * visible in this function.
                                                         			 * NOTE(review): if the read is judged reachable with
                                                         			 * attacker-chosen values, array_index_nospec() is the usual
                                                         			 * kernel clamp for such an index -- confirm with the
                                                         			 * maintainers. The line itself dates from Linux-2.6.12-rc2, so
                                                         			 * the warning is presumably newly surfaced by the tested
                                                         			 * commit rather than newly introduced here.
                                                         			 */
^1da177e4c3f41 Linus Torvalds           2005-04-16 @154  			memcpy(&faddr, &start[soffset-1], 4);
                                                         			/* Copy the remaining addresses into dptr in reverse order. */
^1da177e4c3f41 Linus Torvalds           2005-04-16  155  			for (soffset -= 4, doffset = 4; soffset > 3; soffset -= 4, doffset += 4)
^1da177e4c3f41 Linus Torvalds           2005-04-16  156  				memcpy(&dptr[doffset-1], &start[soffset-1], 4);
^1da177e4c3f41 Linus Torvalds           2005-04-16  157  			/*
^1da177e4c3f41 Linus Torvalds           2005-04-16  158  			 * RFC1812 requires to fix illegal source routes.
^1da177e4c3f41 Linus Torvalds           2005-04-16  159  			 */
                                                         			/* The loop leaves soffset in 0..3, so this reads start[3..9]. */
eddc9ec53be2ec Arnaldo Carvalho de Melo 2007-04-20  160  			if (memcmp(&ip_hdr(skb)->saddr,
eddc9ec53be2ec Arnaldo Carvalho de Melo 2007-04-20  161  				   &start[soffset + 3], 4) == 0)
^1da177e4c3f41 Linus Torvalds           2005-04-16  162  				doffset -= 4;
^1da177e4c3f41 Linus Torvalds           2005-04-16  163  		}
                                                         		/*
                                                         		 * doffset is non-zero only if the branch above ran, so faddr
                                                         		 * has been assigned whenever it is read here.
                                                         		 */
^1da177e4c3f41 Linus Torvalds           2005-04-16  164  		if (doffset > 3) {
^1da177e4c3f41 Linus Torvalds           2005-04-16  165  			dopt->faddr = faddr;
                                                         			/* Rebuilt option: same type byte, length doffset+3, pointer 4. */
^1da177e4c3f41 Linus Torvalds           2005-04-16  166  			dptr[0] = start[0];
^1da177e4c3f41 Linus Torvalds           2005-04-16  167  			dptr[1] = doffset+3;
^1da177e4c3f41 Linus Torvalds           2005-04-16  168  			dptr[2] = 4;
^1da177e4c3f41 Linus Torvalds           2005-04-16  169  			dptr += doffset+3;
^1da177e4c3f41 Linus Torvalds           2005-04-16  170  			dopt->srr = dopt->optlen + sizeof(struct iphdr);
^1da177e4c3f41 Linus Torvalds           2005-04-16  171  			dopt->optlen += doffset+3;
^1da177e4c3f41 Linus Torvalds           2005-04-16  172  			dopt->is_strictroute = sopt->is_strictroute;
^1da177e4c3f41 Linus Torvalds           2005-04-16  173  		}
^1da177e4c3f41 Linus Torvalds           2005-04-16  174  	}
11a03f78fbf15a Paul Moore               2006-08-03  175  	if (sopt->cipso) {
                                                         		/* Copied unchanged; the length is the option's own length byte. */
11a03f78fbf15a Paul Moore               2006-08-03  176  		optlen  = sptr[sopt->cipso+1];
11a03f78fbf15a Paul Moore               2006-08-03  177  		dopt->cipso = dopt->optlen+sizeof(struct iphdr);
11a03f78fbf15a Paul Moore               2006-08-03  178  		memcpy(dptr, sptr+sopt->cipso, optlen);
11a03f78fbf15a Paul Moore               2006-08-03  179  		dptr += optlen;
11a03f78fbf15a Paul Moore               2006-08-03  180  		dopt->optlen += optlen;
11a03f78fbf15a Paul Moore               2006-08-03  181  	}
                                                         	/* Pad with IPOPT_END until the total length is a multiple of 4. */
^1da177e4c3f41 Linus Torvalds           2005-04-16  182  	while (dopt->optlen & 3) {
^1da177e4c3f41 Linus Torvalds           2005-04-16  183  		*dptr++ = IPOPT_END;
^1da177e4c3f41 Linus Torvalds           2005-04-16  184  		dopt->optlen++;
^1da177e4c3f41 Linus Torvalds           2005-04-16  185  	}
^1da177e4c3f41 Linus Torvalds           2005-04-16  186  	return 0;
^1da177e4c3f41 Linus Torvalds           2005-04-16  187  }
^1da177e4c3f41 Linus Torvalds           2005-04-16  188  

:::::: The code at line 154 was first introduced by commit
:::::: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Linux-2.6.12-rc2

:::::: TO: Linus Torvalds <torvalds@ppc970.osdl.org>
:::::: CC: Linus Torvalds <torvalds@ppc970.osdl.org>

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp
