* [PATCH] hinic: Replace memcpy() with direct assignment
@ 2022-06-16 5:23 Kees Cook
2022-06-16 10:43 ` Gustavo A. R. Silva
` (3 more replies)
0 siblings, 4 replies; 6+ messages in thread
From: Kees Cook @ 2022-06-16 5:23 UTC (permalink / raw)
To: David S. Miller
Cc: Kees Cook, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Nathan Chancellor, Nick Desaulniers, Tom Rix, Leon Romanovsky,
Jiri Pirko, Vladimir Oltean, Simon Horman, netdev, llvm,
linux-kernel, linux-hardening
Under CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y, Clang is bugged
here for calculating the size of the destination buffer (0x10 instead of
0x14). This copy is a fixed size (sizeof(struct fw_section_info_st)), with
the source and dest being struct fw_section_info_st, so the memcpy should
be safe, assuming the index is within bounds, which is UBSAN_BOUNDS's
responsibility to figure out.
Avoid the whole thing and just do a direct assignment. This results in
no change to the executable code.
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Tom Rix <trix@redhat.com>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: Jiri Pirko <jiri@nvidia.com>
Cc: Vladimir Oltean <olteanv@gmail.com>
Cc: Simon Horman <simon.horman@corigine.com>
Cc: netdev@vger.kernel.org
Cc: llvm@lists.linux.dev
Link: https://github.com/ClangBuiltLinux/linux/issues/1592
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/net/ethernet/huawei/hinic/hinic_devlink.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/huawei/hinic/hinic_devlink.c b/drivers/net/ethernet/huawei/hinic/hinic_devlink.c
index 60ae8bfc5f69..1749d26f4bef 100644
--- a/drivers/net/ethernet/huawei/hinic/hinic_devlink.c
+++ b/drivers/net/ethernet/huawei/hinic/hinic_devlink.c
@@ -43,9 +43,7 @@ static bool check_image_valid(struct hinic_devlink_priv *priv, const u8 *buf,
for (i = 0; i < fw_image->fw_info.fw_section_cnt; i++) {
len += fw_image->fw_section_info[i].fw_section_len;
- memcpy(&host_image->image_section_info[i],
- &fw_image->fw_section_info[i],
- sizeof(struct fw_section_info_st));
+ host_image->image_section_info[i] = fw_image->fw_section_info[i];
}
if (len != fw_image->fw_len ||
--
2.32.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] hinic: Replace memcpy() with direct assignment
2022-06-16 5:23 [PATCH] hinic: Replace memcpy() with direct assignment Kees Cook
@ 2022-06-16 10:43 ` Gustavo A. R. Silva
2022-06-16 17:19 ` Nathan Chancellor
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Gustavo A. R. Silva @ 2022-06-16 10:43 UTC (permalink / raw)
To: Kees Cook, David S. Miller
Cc: Eric Dumazet, Jakub Kicinski, Paolo Abeni, Nathan Chancellor,
Nick Desaulniers, Tom Rix, Leon Romanovsky, Jiri Pirko,
Vladimir Oltean, Simon Horman, netdev, llvm, linux-kernel,
linux-hardening
On 6/16/22 07:23, Kees Cook wrote:
> Under CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y, Clang is bugged
> here for calculating the size of the destination buffer (0x10 instead of
> 0x14). This copy is a fixed size (sizeof(struct fw_section_info_st)), with
> the source and dest being struct fw_section_info_st, so the memcpy should
> be safe, assuming the index is within bounds, which is UBSAN_BOUNDS's
> responsibility to figure out.
Also, there is a sanity check just before the for() loop:
38 if (fw_image->fw_info.fw_section_cnt > MAX_FW_TYPE_NUM) {
39 dev_err(&priv->hwdev->hwif->pdev->dev, "Wrong fw_type_num read from file, fw_type_num: 0x%x\n ",
40 fw_image->fw_info.fw_section_cnt);
41 return false;
42 }
so, this should be fine.
>
> Avoid the whole thing and just do a direct assignment. This results in
> no change to the executable code.
>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: Nathan Chancellor <nathan@kernel.org>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Tom Rix <trix@redhat.com>
> Cc: Leon Romanovsky <leon@kernel.org>
> Cc: Jiri Pirko <jiri@nvidia.com>
> Cc: Vladimir Oltean <olteanv@gmail.com>
> Cc: Simon Horman <simon.horman@corigine.com>
> Cc: netdev@vger.kernel.org
> Cc: llvm@lists.linux.dev
> Link: https://github.com/ClangBuiltLinux/linux/issues/1592
> Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Thanks
--
Gustavo
> ---
> drivers/net/ethernet/huawei/hinic/hinic_devlink.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/drivers/net/ethernet/huawei/hinic/hinic_devlink.c b/drivers/net/ethernet/huawei/hinic/hinic_devlink.c
> index 60ae8bfc5f69..1749d26f4bef 100644
> --- a/drivers/net/ethernet/huawei/hinic/hinic_devlink.c
> +++ b/drivers/net/ethernet/huawei/hinic/hinic_devlink.c
> @@ -43,9 +43,7 @@ static bool check_image_valid(struct hinic_devlink_priv *priv, const u8 *buf,
>
> for (i = 0; i < fw_image->fw_info.fw_section_cnt; i++) {
> len += fw_image->fw_section_info[i].fw_section_len;
> - memcpy(&host_image->image_section_info[i],
> - &fw_image->fw_section_info[i],
> - sizeof(struct fw_section_info_st));
> + host_image->image_section_info[i] = fw_image->fw_section_info[i];
> }
>
> if (len != fw_image->fw_len ||
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] hinic: Replace memcpy() with direct assignment
2022-06-16 5:23 [PATCH] hinic: Replace memcpy() with direct assignment Kees Cook
2022-06-16 10:43 ` Gustavo A. R. Silva
@ 2022-06-16 17:19 ` Nathan Chancellor
2022-06-16 22:26 ` Gustavo A. R. Silva
2022-06-17 10:40 ` patchwork-bot+netdevbpf
2022-06-22 18:10 ` patchwork-bot+netdevbpf
3 siblings, 1 reply; 6+ messages in thread
From: Nathan Chancellor @ 2022-06-16 17:19 UTC (permalink / raw)
To: Kees Cook
Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Nick Desaulniers, Tom Rix, Leon Romanovsky, Jiri Pirko,
Vladimir Oltean, Simon Horman, netdev, llvm, linux-kernel,
linux-hardening
On Wed, Jun 15, 2022 at 10:23:12PM -0700, Kees Cook wrote:
> Under CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y, Clang is bugged
> here for calculating the size of the destination buffer (0x10 instead of
> 0x14). This copy is a fixed size (sizeof(struct fw_section_info_st)), with
> the source and dest being struct fw_section_info_st, so the memcpy should
> be safe, assuming the index is within bounds, which is UBSAN_BOUNDS's
> responsibility to figure out.
>
> Avoid the whole thing and just do a direct assignment. This results in
> no change to the executable code.
>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: Nathan Chancellor <nathan@kernel.org>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Tom Rix <trix@redhat.com>
> Cc: Leon Romanovsky <leon@kernel.org>
> Cc: Jiri Pirko <jiri@nvidia.com>
> Cc: Vladimir Oltean <olteanv@gmail.com>
> Cc: Simon Horman <simon.horman@corigine.com>
> Cc: netdev@vger.kernel.org
> Cc: llvm@lists.linux.dev
> Link: https://github.com/ClangBuiltLinux/linux/issues/1592
> Signed-off-by: Kees Cook <keescook@chromium.org>
Tested-by: Nathan Chancellor <nathan@kernel.org> # build
> ---
> drivers/net/ethernet/huawei/hinic/hinic_devlink.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/drivers/net/ethernet/huawei/hinic/hinic_devlink.c b/drivers/net/ethernet/huawei/hinic/hinic_devlink.c
> index 60ae8bfc5f69..1749d26f4bef 100644
> --- a/drivers/net/ethernet/huawei/hinic/hinic_devlink.c
> +++ b/drivers/net/ethernet/huawei/hinic/hinic_devlink.c
> @@ -43,9 +43,7 @@ static bool check_image_valid(struct hinic_devlink_priv *priv, const u8 *buf,
>
> for (i = 0; i < fw_image->fw_info.fw_section_cnt; i++) {
> len += fw_image->fw_section_info[i].fw_section_len;
> - memcpy(&host_image->image_section_info[i],
> - &fw_image->fw_section_info[i],
> - sizeof(struct fw_section_info_st));
> + host_image->image_section_info[i] = fw_image->fw_section_info[i];
> }
>
> if (len != fw_image->fw_len ||
> --
> 2.32.0
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] hinic: Replace memcpy() with direct assignment
2022-06-16 17:19 ` Nathan Chancellor
@ 2022-06-16 22:26 ` Gustavo A. R. Silva
0 siblings, 0 replies; 6+ messages in thread
From: Gustavo A. R. Silva @ 2022-06-16 22:26 UTC (permalink / raw)
To: Nathan Chancellor, Kees Cook
Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Nick Desaulniers, Tom Rix, Leon Romanovsky, Jiri Pirko,
Vladimir Oltean, Simon Horman, netdev, llvm, linux-kernel,
linux-hardening
On 6/16/22 19:19, Nathan Chancellor wrote:
> Tested-by: Nathan Chancellor <nathan@kernel.org> # build
I think in this case the tag should be "Build-tested-by" instead.
Thanks
--
Gustavo
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] hinic: Replace memcpy() with direct assignment
2022-06-16 5:23 [PATCH] hinic: Replace memcpy() with direct assignment Kees Cook
2022-06-16 10:43 ` Gustavo A. R. Silva
2022-06-16 17:19 ` Nathan Chancellor
@ 2022-06-17 10:40 ` patchwork-bot+netdevbpf
2022-06-22 18:10 ` patchwork-bot+netdevbpf
3 siblings, 0 replies; 6+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-06-17 10:40 UTC (permalink / raw)
To: Kees Cook
Cc: davem, edumazet, kuba, pabeni, nathan, ndesaulniers, trix, leon,
jiri, olteanv, simon.horman, netdev, llvm, linux-kernel,
linux-hardening
Hello:
This patch was applied to netdev/net-next.git (master)
by David S. Miller <davem@davemloft.net>:
On Wed, 15 Jun 2022 22:23:12 -0700 you wrote:
> Under CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y, Clang is bugged
> here for calculating the size of the destination buffer (0x10 instead of
> 0x14). This copy is a fixed size (sizeof(struct fw_section_info_st)), with
> the source and dest being struct fw_section_info_st, so the memcpy should
> be safe, assuming the index is within bounds, which is UBSAN_BOUNDS's
> responsibility to figure out.
>
> [...]
Here is the summary with links:
- hinic: Replace memcpy() with direct assignment
https://git.kernel.org/netdev/net-next/c/2c0ab32b73cf
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] hinic: Replace memcpy() with direct assignment
2022-06-16 5:23 [PATCH] hinic: Replace memcpy() with direct assignment Kees Cook
` (2 preceding siblings ...)
2022-06-17 10:40 ` patchwork-bot+netdevbpf
@ 2022-06-22 18:10 ` patchwork-bot+netdevbpf
3 siblings, 0 replies; 6+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-06-22 18:10 UTC (permalink / raw)
To: Kees Cook
Cc: davem, edumazet, kuba, pabeni, nathan, ndesaulniers, trix, leon,
jiri, olteanv, simon.horman, netdev, llvm, linux-kernel,
linux-hardening
Hello:
This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:
On Wed, 15 Jun 2022 22:23:12 -0700 you wrote:
> Under CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y, Clang is bugged
> here for calculating the size of the destination buffer (0x10 instead of
> 0x14). This copy is a fixed size (sizeof(struct fw_section_info_st)), with
> the source and dest being struct fw_section_info_st, so the memcpy should
> be safe, assuming the index is within bounds, which is UBSAN_BOUNDS's
> responsibility to figure out.
>
> [...]
Here is the summary with links:
- hinic: Replace memcpy() with direct assignment
https://git.kernel.org/netdev/net/c/1e70212e0315
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-06-22 18:10 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-16 5:23 [PATCH] hinic: Replace memcpy() with direct assignment Kees Cook
2022-06-16 10:43 ` Gustavo A. R. Silva
2022-06-16 17:19 ` Nathan Chancellor
2022-06-16 22:26 ` Gustavo A. R. Silva
2022-06-17 10:40 ` patchwork-bot+netdevbpf
2022-06-22 18:10 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).