Re: memcpy: detected field-spanning write (size 168) of single field "&device->entry" at drivers/firmware/google/coreboot_table.c:103 (size 8)

From: Kees Cook <keescook@chromium.org>
To: Brian Norris <briannorris@chromium.org>
Cc: Guenter Roeck <groeck@google.com>,
	Julius Werner <jwerner@chromium.org>,
	Paul Menzel <pmenzel@molgen.mpg.de>,
	LKML <linux-kernel@vger.kernel.org>,
	Greg KH <gregkh@linuxfoundation.org>,
	Guenter Roeck <groeck@chromium.org>,
	Stephen Boyd <swboyd@chromium.org>,
	Jack Rosenthal <jrosenth@chromium.org>,
	coreboot@coreboot.org
Subject: Re: memcpy: detected field-spanning write (size 168) of single field "&device->entry" at drivers/firmware/google/coreboot_table.c:103 (size 8)
Date: Tue, 3 Jan 2023 14:56:26 -0800	[thread overview]
Message-ID: <202301031447.991A623A61@keescook> (raw)
In-Reply-To: <Y7SCdrL+xZm5CSjy@google.com>

On Tue, Jan 03, 2023 at 11:31:02AM -0800, Brian Norris wrote:
> On Thu, Dec 29, 2022 at 12:28:14PM -0800, Guenter Roeck wrote:
> > On Thu, Dec 29, 2022 at 6:43 AM Julius Werner <jwerner@chromium.org> wrote:
> > >
> > > I can confirm that this warning is a false positive, at least. We're
> > > intentionally copying bytes from beyond the end of the header
> > > structure in this case.
> > >
> > > I don't know what kind of kernel system detects this stuff at runtime
> > > and how to silence it. Probably need to add a void pointer cast or
> > > something?
> > >
> > 
> > This is part of kernel hardening code. Kees Cook might know what to do about it.
> 
> One could probably throw in casts, like this example did:
> 
>   0d043351e5ba ext4: fix fortify warning in fs/ext4/fast_commit.c:1551
> 
> Or one could probably imitate this example, and insert an appropriate
> flexible array (possibly with yet another union?):
> 
>   b43088f30db1 s390/zcrypt: fix warning about field-spanning write

Hi!

Just catching up on this now that I'm back from break. This looks like
it might be easiest to split the copy up as done in some other places.
This'll need some small changes to the struct. For example, adding a
"data" flexible array member:

struct coreboot_table_entry {
	u32 tag;
	u32 size;
	u8  data[];
};

> 
> Side mostly-unrelated note: coreboot_table_populate() doesn't do any
> bounds checking that the individual entry copies don't overflow the
> table buffer size. We're _probably_ not that interested in recovering
> from a malicious (or even buggy) Coreboot, but it does seem like an area
> of improvement.

Right -- there's no bounds checking in this code that I could find.
Though, yes, the "attack surface" is pretty small in the sense that it's
parsing system resources. But adding sanity checking seems like it'd be
a nice addition, as you say. How about something like this:

diff --git a/drivers/firmware/google/coreboot_table.h b/drivers/firmware/google/coreboot_table.h
index 37f4d335a606..2a2cea79204b 100644
--- a/drivers/firmware/google/coreboot_table.h
+++ b/drivers/firmware/google/coreboot_table.h
@@ -29,6 +29,7 @@ struct coreboot_table_header {
 struct coreboot_table_entry {
 	u32 tag;
 	u32 size;
+	u8 data[];	/* Size here is: "size - (sizeof(u32) * 2)" */
 };
 
 /* Points to a CBMEM entry */
diff --git a/drivers/firmware/google/coreboot_table.c b/drivers/firmware/google/coreboot_table.c
index 2652c396c423..f49f5a602b6b 100644
--- a/drivers/firmware/google/coreboot_table.c
+++ b/drivers/firmware/google/coreboot_table.c
@@ -93,6 +93,11 @@ static int coreboot_table_populate(struct device *dev, void *ptr)
 	for (i = 0; i < header->table_entries; i++) {
 		entry = ptr_entry;
 
+		if (entry->size < sizeof(*entry)) {
+			dev_warn(dev, "coreboot table entry too small!\n");
+			return -EINVAL;
+		}
+
 		device = kzalloc(sizeof(struct device) + entry->size, GFP_KERNEL);
 		if (!device)
 			return -ENOMEM;
@@ -100,7 +105,9 @@ static int coreboot_table_populate(struct device *dev, void *ptr)
 		device->dev.parent = dev;
 		device->dev.bus = &coreboot_bus_type;
 		device->dev.release = coreboot_device_release;
-		memcpy(&device->entry, ptr_entry, entry->size);
+		device->entry = *ptr_entry;
+		memcpy(device->entry.data, ptr_entry->data,
+		       entry->size - sizeof(*entry));
 
 		switch (device->entry.tag) {
 		case LB_TAG_CBMEM_ENTRY:


-Kees

> Brian
> 
> > 
> > Guenter
> > 
> > > On Thu, Dec 29, 2022 at 11:46 AM Paul Menzel <pmenzel@molgen.mpg.de> wrote:
> > > >
> > > > Dear Linux folks,
> > > >
> > > >
> > > > Running Linux v6.2-rc1+ on a motherboard using coreboot as firmware, the
> > > > warning below is shown.
> > > >
> > > > ```
> > > > [    1.630244] ------------[ cut here ]------------
> > > > [    1.630249] memcpy: detected field-spanning write (size 168) of
> > > > single field "&device->entry" at
> > > > drivers/firmware/google/coreboot_table.c:103 (size 8)
> > > > [    1.630299] WARNING: CPU: 1 PID: 150 at
> > > > drivers/firmware/google/coreboot_table.c:103
> > > > coreboot_table_probe+0x1ea/0x210 [coreboot_table]
> [...]

-- 
Kees Cook
