* [PATCH] udf: Use unsigned variables for size calculations
@ 2023-02-04 18:34 Kees Cook
2023-02-07 12:07 ` Jan Kara
0 siblings, 1 reply; 2+ messages in thread
From: Kees Cook @ 2023-02-04 18:34 UTC (permalink / raw)
To: Jan Kara; +Cc: Kees Cook, linux-kernel, linux-hardening
To avoid confusing the compiler about possible negative sizes, switch
various size variables that can never be negative from int to u32. Seen
with GCC 13:
../fs/udf/directory.c: In function 'udf_copy_fi':
../include/linux/fortify-string.h:57:33: warning: '__builtin_memcpy' pointer overflow between offset 80 and size [-2147483648, -1] [-Warray-bounds=]
57 | #define __underlying_memcpy __builtin_memcpy
| ^
...
../fs/udf/directory.c:102:9: note: in expansion of macro 'memcpy'
102 | memcpy(&iter->fi, iter->bh[0]->b_data + off, len);
| ^~~~~~
Cc: Jan Kara <jack@suse.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
fs/udf/directory.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/udf/directory.c b/fs/udf/directory.c
index 2e13c4b5fb81..e0bb73d414dd 100644
--- a/fs/udf/directory.c
+++ b/fs/udf/directory.c
@@ -71,8 +71,9 @@ static int udf_verify_fi(struct udf_fileident_iter *iter)
static int udf_copy_fi(struct udf_fileident_iter *iter)
{
struct udf_inode_info *iinfo = UDF_I(iter->dir);
- int blksize = 1 << iter->dir->i_blkbits;
- int err, off, len, nameoff;
+ u32 blksize = 1 << iter->dir->i_blkbits;
+ u32 off, len, nameoff;
+ int err;
/* Skip copying when we are at EOF */
if (iter->pos >= iter->dir->i_size) {
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] udf: Use unsigned variables for size calculations
2023-02-04 18:34 [PATCH] udf: Use unsigned variables for size calculations Kees Cook
@ 2023-02-07 12:07 ` Jan Kara
0 siblings, 0 replies; 2+ messages in thread
From: Jan Kara @ 2023-02-07 12:07 UTC (permalink / raw)
To: Kees Cook; +Cc: Jan Kara, linux-kernel, linux-hardening
On Sat 04-02-23 10:34:27, Kees Cook wrote:
> To avoid confusing the compiler about possible negative sizes, switch
> various size variables that can never be negative from int to u32. Seen
> with GCC 13:
>
> ../fs/udf/directory.c: In function 'udf_copy_fi':
> ../include/linux/fortify-string.h:57:33: warning: '__builtin_memcpy' pointer overflow between offset 80 and size [-2147483648, -1] [-Warray-bounds=]
> 57 | #define __underlying_memcpy __builtin_memcpy
> | ^
> ...
> ../fs/udf/directory.c:102:9: note: in expansion of macro 'memcpy'
> 102 | memcpy(&iter->fi, iter->bh[0]->b_data + off, len);
> | ^~~~~~
>
> Cc: Jan Kara <jack@suse.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
Sigh. OK, applied but I really wish gcc was more clever because the
arithmetics making sure we cannot see negative values there is literaly in
two lines above the memcpy...
Honza
> ---
> fs/udf/directory.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/fs/udf/directory.c b/fs/udf/directory.c
> index 2e13c4b5fb81..e0bb73d414dd 100644
> --- a/fs/udf/directory.c
> +++ b/fs/udf/directory.c
> @@ -71,8 +71,9 @@ static int udf_verify_fi(struct udf_fileident_iter *iter)
> static int udf_copy_fi(struct udf_fileident_iter *iter)
> {
> struct udf_inode_info *iinfo = UDF_I(iter->dir);
> - int blksize = 1 << iter->dir->i_blkbits;
> - int err, off, len, nameoff;
> + u32 blksize = 1 << iter->dir->i_blkbits;
> + u32 off, len, nameoff;
> + int err;
>
> /* Skip copying when we are at EOF */
> if (iter->pos >= iter->dir->i_size) {
> --
> 2.34.1
>
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-02-07 12:07 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-02-04 18:34 [PATCH] udf: Use unsigned variables for size calculations Kees Cook
2023-02-07 12:07 ` Jan Kara
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.