Re: [PATCH 10/12] vhost/crypto: fix build with GCC 12

From: David Marchand <david.marchand@redhat.com>
To: Bruce Richardson <bruce.richardson@intel.com>,
	Fan Zhang <roy.fan.zhang@intel.com>,
	 Maxime Coquelin <maxime.coquelin@redhat.com>,
	Chenbo Xia <chenbo.xia@intel.com>
Cc: dev <dev@dpdk.org>, Thomas Monjalon <thomas@monjalon.net>,
	 Ferruh Yigit <ferruh.yigit@xilinx.com>,
	dpdk stable <stable@dpdk.org>
Subject: Re: [PATCH 10/12] vhost/crypto: fix build with GCC 12
Date: Tue, 14 Jun 2022 11:22:24 +0200	[thread overview]
Message-ID: <CAJFAV8wi6JucKwzxsCQWQ2bQ0_V5+JRY7BW2fsvbQGGAW=8nmw@mail.gmail.com> (raw)
In-Reply-To: <YpiMLYFry0vzlEtq@bricha3-MOBL.ger.corp.intel.com>

On Thu, Jun 2, 2022 at 12:09 PM Bruce Richardson
<bruce.richardson@intel.com> wrote:
>
> On Wed, May 18, 2022 at 12:16:55PM +0200, David Marchand wrote:
> > GCC 12 raises the following warning:
> >
> > In file included from ../lib/mempool/rte_mempool.h:46,
> >                  from ../lib/mbuf/rte_mbuf.h:38,
> >                  from ../lib/vhost/vhost_crypto.c:7:
> > ../lib/vhost/vhost_crypto.c: In function ‘rte_vhost_crypto_fetch_requests’:
> > ../lib/eal/x86/include/rte_memcpy.h:371:9: warning: array subscript 1 is
> >      outside array bounds of ‘struct virtio_crypto_op_data_req[1]’
> >      [-Warray-bounds]
> >   371 | rte_mov32((uint8_t *)dst + 3 * 32, (const uint8_t *)src + 3 * 32);
> >       | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > ../lib/vhost/vhost_crypto.c:1178:42: note: while referencing ‘req’
> >  1178 |         struct virtio_crypto_op_data_req req;
> >       |                                          ^~~
> >
> > Check that copied length is within req boundaries.
> >
> > Fixes: 3c79609fda7c ("vhost/crypto: handle virtually non-contiguous buffers")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: David Marchand <david.marchand@redhat.com>
> > ---
> >  lib/vhost/vhost_crypto.c | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/lib/vhost/vhost_crypto.c b/lib/vhost/vhost_crypto.c
> > index b1c0eb6a0f..83325b7042 100644
> > --- a/lib/vhost/vhost_crypto.c
> > +++ b/lib/vhost/vhost_crypto.c
> > @@ -576,16 +576,16 @@ copy_data(void *dst_data, struct vhost_crypto_data_req *vc_req,
> >       uint32_t to_copy;
> >       uint8_t *data = dst_data;
> >       uint8_t *src;
> > -     int left = size;
> > +     uint32_t left = size;
> >
> > -     to_copy = RTE_MIN(desc->len, (uint32_t)left);
> > +     to_copy = RTE_MIN(desc->len, left);
> >       dlen = to_copy;
> >       src = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr, &dlen,
> >                       VHOST_ACCESS_RO);
>
> Tracking the functions which end up being called by this macro, the dlen
> parameter ends up being of type "uint64_t *", passing a value of int * or
> uint32_t * seems wrong to me. If we are changing the type from int to
> uint32_t, I think it should be promoted all the way to uint64_t.

Indeed.
I'll update in v2.

We already had some CVE on this part of the code, a careful review is needed.

>
> > -     if (unlikely(!src || !dlen))
> > +     if (unlikely(!src || !dlen || dlen > left))
> >               return -1;
> >
>
> If this change is omitted, does the compiler still give warnings. Looking
> through the called code, the dlen parameter can only ever be reduced, not
> incremented (function rte_vhost_va_from_guest_pa() in rte_vhost.h).

If I promote to_copy and left variables as uint64_t, gcc is still
unhappy, for the same reason.
The check on dlen > left seems necessary.

>
> > -     rte_memcpy((uint8_t *)data, src, dlen);
> > +     rte_memcpy(data, src, dlen);
> >       data += dlen;
> >
> >       if (unlikely(dlen < to_copy)) {
> > --
> > 2.36.1
> >
>

-- 
David Marchand