* [PATCH] net: chelsio: cxgb4: Avoid potential negative array offset
@ 2022-05-03 14:44 Kees Cook
2022-05-05 3:13 ` Jakub Kicinski
0 siblings, 1 reply; 4+ messages in thread
From: Kees Cook @ 2022-05-03 14:44 UTC (permalink / raw)
To: Raju Rangoju
Cc: Kees Cook, kernel test robot, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, netdev, stable, Heiner Kallweit,
Bjorn Helgaas, linux-kernel, linux-hardening
Using min_t(int, ...) as a potential array index implies to the compiler
that negative offsets should be allowed. This is not the case, though.
Replace min_t() with clamp_t(). Fixes the following warning exposed
under future CONFIG_FORTIFY_SOURCE improvements:
In file included from include/linux/string.h:253,
from include/linux/bitmap.h:11,
from include/linux/cpumask.h:12,
from include/linux/smp.h:13,
from include/linux/lockdep.h:14,
from include/linux/rcupdate.h:29,
from include/linux/rculist.h:11,
from include/linux/pid.h:5,
from include/linux/sched.h:14,
from include/linux/delay.h:23,
from drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:35:
drivers/net/ethernet/chelsio/cxgb4/t4_hw.c: In function 't4_get_raw_vpd_params':
include/linux/fortify-string.h:46:33: warning: '__builtin_memcpy' pointer overflow between offset 29 and size [2147483648, 4294967295] [-Warray-bounds]
46 | #define __underlying_memcpy __builtin_memcpy
| ^
include/linux/fortify-string.h:388:9: note: in expansion of macro '__underlying_memcpy'
388 | __underlying_##op(p, q, __fortify_size); \
| ^~~~~~~~~~~~~
include/linux/fortify-string.h:433:26: note: in expansion of macro '__fortify_memcpy_chk'
433 | #define memcpy(p, q, s) __fortify_memcpy_chk(p, q, s, \
| ^~~~~~~~~~~~~~~~~~~~
drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:2796:9: note: in expansion of macro 'memcpy'
2796 | memcpy(p->id, vpd + id, min_t(int, id_len, ID_LEN));
| ^~~~~~
include/linux/fortify-string.h:46:33: warning: '__builtin_memcpy' pointer overflow between offset 0 and size [2147483648, 4294967295] [-Warray-bounds]
46 | #define __underlying_memcpy __builtin_memcpy
| ^
include/linux/fortify-string.h:388:9: note: in expansion of macro '__underlying_memcpy'
388 | __underlying_##op(p, q, __fortify_size); \
| ^~~~~~~~~~~~~
include/linux/fortify-string.h:433:26: note: in expansion of macro '__fortify_memcpy_chk'
433 | #define memcpy(p, q, s) __fortify_memcpy_chk(p, q, s, \
| ^~~~~~~~~~~~~~~~~~~~
drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:2798:9: note: in expansion of macro 'memcpy'
2798 | memcpy(p->sn, vpd + sn, min_t(int, sn_len, SERNUM_LEN));
| ^~~~~~
Additionally remove needless cast from u8[] to char * in last strim()
call.
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/lkml/202205031926.FVP7epJM-lkp@intel.com
Fixes: fc9279298e3a ("cxgb4: Search VPD with pci_vpd_find_ro_info_keyword()")
Fixes: 24c521f81c30 ("cxgb4: Use pci_vpd_find_id_string() to find VPD ID string")
Cc: Raju Rangoju <rajur@chelsio.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
index e7b4e3ed056c..f119ec7323e5 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
@@ -2793,14 +2793,14 @@ int t4_get_raw_vpd_params(struct adapter *adapter, struct vpd_params *p)
goto out;
na = ret;
- memcpy(p->id, vpd + id, min_t(int, id_len, ID_LEN));
+ memcpy(p->id, vpd + id, clamp_t(int, id_len, 0, ID_LEN));
strim(p->id);
- memcpy(p->sn, vpd + sn, min_t(int, sn_len, SERNUM_LEN));
+ memcpy(p->sn, vpd + sn, clamp_t(int, sn_len, 0, SERNUM_LEN));
strim(p->sn);
- memcpy(p->pn, vpd + pn, min_t(int, pn_len, PN_LEN));
+ memcpy(p->pn, vpd + pn, clamp_t(int, pn_len, 0, PN_LEN));
strim(p->pn);
- memcpy(p->na, vpd + na, min_t(int, na_len, MACADDR_LEN));
- strim((char *)p->na);
+ memcpy(p->na, vpd + na, clamp_t(int, na_len, 0, MACADDR_LEN));
+ strim(p->na);
out:
vfree(vpd);
--
2.32.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] net: chelsio: cxgb4: Avoid potential negative array offset
2022-05-03 14:44 [PATCH] net: chelsio: cxgb4: Avoid potential negative array offset Kees Cook
@ 2022-05-05 3:13 ` Jakub Kicinski
2022-05-05 16:23 ` Kees Cook
2022-05-05 23:21 ` Kees Cook
0 siblings, 2 replies; 4+ messages in thread
From: Jakub Kicinski @ 2022-05-05 3:13 UTC (permalink / raw)
To: Kees Cook
Cc: Raju Rangoju, kernel test robot, David S. Miller, Eric Dumazet,
Paolo Abeni, netdev, stable, Heiner Kallweit, Bjorn Helgaas,
linux-kernel, linux-hardening
On Tue, 3 May 2022 07:44:25 -0700 Kees Cook wrote:
> Using min_t(int, ...) as a potential array index implies to the compiler
> that negative offsets should be allowed. This is not the case, though.
> Replace min_t() with clamp_t(). Fixes the following warning exposed
> under future CONFIG_FORTIFY_SOURCE improvements:
> Additionally remove needless cast from u8[] to char * in last strim()
> call.
>
> Reported-by: kernel test robot <lkp@intel.com>
> Link: https://lore.kernel.org/lkml/202205031926.FVP7epJM-lkp@intel.com
> Fixes: fc9279298e3a ("cxgb4: Search VPD with pci_vpd_find_ro_info_keyword()")
> Fixes: 24c521f81c30 ("cxgb4: Use pci_vpd_find_id_string() to find VPD ID string")
Is it needed in the current release?
> Cc: Raju Rangoju <rajur@chelsio.com>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: netdev@vger.kernel.org
> Cc: stable@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
> index e7b4e3ed056c..f119ec7323e5 100644
> --- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
> +++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
> @@ -2793,14 +2793,14 @@ int t4_get_raw_vpd_params(struct adapter *adapter, struct vpd_params *p)
> goto out;
> na = ret;
>
> - memcpy(p->id, vpd + id, min_t(int, id_len, ID_LEN));
> + memcpy(p->id, vpd + id, clamp_t(int, id_len, 0, ID_LEN));
The typing is needed because of the enum, right? The variable is
unsigned, seems a little strange to use clamp(int, ..., 0, constant)
min(unsigned int, ..., constant) will be equivalent with fewer branches.
Is it just me?
> strim(p->id);
> - memcpy(p->sn, vpd + sn, min_t(int, sn_len, SERNUM_LEN));
> + memcpy(p->sn, vpd + sn, clamp_t(int, sn_len, 0, SERNUM_LEN));
> strim(p->sn);
> - memcpy(p->pn, vpd + pn, min_t(int, pn_len, PN_LEN));
> + memcpy(p->pn, vpd + pn, clamp_t(int, pn_len, 0, PN_LEN));
> strim(p->pn);
> - memcpy(p->na, vpd + na, min_t(int, na_len, MACADDR_LEN));
> - strim((char *)p->na);
> + memcpy(p->na, vpd + na, clamp_t(int, na_len, 0, MACADDR_LEN));
> + strim(p->na);
>
> out:
> vfree(vpd);
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] net: chelsio: cxgb4: Avoid potential negative array offset
2022-05-05 3:13 ` Jakub Kicinski
@ 2022-05-05 16:23 ` Kees Cook
2022-05-05 23:21 ` Kees Cook
1 sibling, 0 replies; 4+ messages in thread
From: Kees Cook @ 2022-05-05 16:23 UTC (permalink / raw)
To: Jakub Kicinski
Cc: Raju Rangoju, kernel test robot, David S. Miller, Eric Dumazet,
Paolo Abeni, netdev, stable, Heiner Kallweit, Bjorn Helgaas,
linux-kernel, linux-hardening
On Wed, May 04, 2022 at 08:13:58PM -0700, Jakub Kicinski wrote:
> On Tue, 3 May 2022 07:44:25 -0700 Kees Cook wrote:
> > Using min_t(int, ...) as a potential array index implies to the compiler
> > that negative offsets should be allowed. This is not the case, though.
> > Replace min_t() with clamp_t(). Fixes the following warning exposed
> > under future CONFIG_FORTIFY_SOURCE improvements:
>
> > Additionally remove needless cast from u8[] to char * in last strim()
> > call.
> >
> > Reported-by: kernel test robot <lkp@intel.com>
> > Link: https://lore.kernel.org/lkml/202205031926.FVP7epJM-lkp@intel.com
> > Fixes: fc9279298e3a ("cxgb4: Search VPD with pci_vpd_find_ro_info_keyword()")
> > Fixes: 24c521f81c30 ("cxgb4: Use pci_vpd_find_id_string() to find VPD ID string")
>
> Is it needed in the current release?
No, the build warning isn't in the current release, but I'm expecting to
enable the next step of the FORTIFY work in the coming merge window.
> > - memcpy(p->id, vpd + id, min_t(int, id_len, ID_LEN));
> > + memcpy(p->id, vpd + id, clamp_t(int, id_len, 0, ID_LEN));
>
> The typing is needed because of the enum, right? The variable is
> unsigned, seems a little strange to use clamp(int, ..., 0, constant)
> min(unsigned int, ..., constant) will be equivalent with fewer branches.
> Is it just me?
Yes, due to the enum, but you're right; this could just use min_t(uint...
I'll respin!
--
Kees Cook
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] net: chelsio: cxgb4: Avoid potential negative array offset
2022-05-05 3:13 ` Jakub Kicinski
2022-05-05 16:23 ` Kees Cook
@ 2022-05-05 23:21 ` Kees Cook
1 sibling, 0 replies; 4+ messages in thread
From: Kees Cook @ 2022-05-05 23:21 UTC (permalink / raw)
To: Jakub Kicinski
Cc: Raju Rangoju, kernel test robot, David S. Miller, Eric Dumazet,
Paolo Abeni, netdev, stable, Heiner Kallweit, Bjorn Helgaas,
linux-kernel, linux-hardening
On Wed, May 04, 2022 at 08:13:58PM -0700, Jakub Kicinski wrote:
> On Tue, 3 May 2022 07:44:25 -0700 Kees Cook wrote:
> > diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
> > index e7b4e3ed056c..f119ec7323e5 100644
> > --- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
> > +++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
> > @@ -2793,14 +2793,14 @@ int t4_get_raw_vpd_params(struct adapter *adapter, struct vpd_params *p)
> > goto out;
> > na = ret;
> >
> > - memcpy(p->id, vpd + id, min_t(int, id_len, ID_LEN));
> > + memcpy(p->id, vpd + id, clamp_t(int, id_len, 0, ID_LEN));
>
> The typing is needed because of the enum, right? The variable is
> unsigned, seems a little strange to use clamp(int, ..., 0, constant)
> min(unsigned int, ..., constant) will be equivalent with fewer branches.
> Is it just me?
I just chased down the origin of "unsigned int", but it's actually a
u16 out of the VPD:
static u16 pci_vpd_lrdt_size(const u8 *lrdt)
{
return get_unaligned_le16(lrdt + 1);
}
static int pci_vpd_find_tag(const u8 *buf, unsigned int len, u8 rdt, unsigned int *size)
{
...
unsigned int lrdt_len = pci_vpd_lrdt_size(buf + i);
...
*size = lrdt_len;
I'm not sure why it was expanded to unsigned int size, maybe in other
call sites it was easier to deal with for possible math, etc?
Anyway, doesn't need changing. I'll send the int/unsigned int shortly...
--
Kees Cook
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-05-05 23:21 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-03 14:44 [PATCH] net: chelsio: cxgb4: Avoid potential negative array offset Kees Cook
2022-05-05 3:13 ` Jakub Kicinski
2022-05-05 16:23 ` Kees Cook
2022-05-05 23:21 ` Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).