* Re: [PATCH 42/64] net: qede: Use memset_after() for counters
@ 2021-08-02 14:29 Shai Malin
2021-08-02 16:23 ` Kees Cook
0 siblings, 1 reply; 5+ messages in thread
From: Shai Malin @ 2021-08-02 14:29 UTC (permalink / raw)
To: Kees Cook
Cc: Gustavo A. R. Silva, Keith Packard, Greg Kroah-Hartman,
Andrew Morton, linux-kernel, linux-wireless, netdev, dri-devel,
linux-staging, linux-block, linux-kbuild, clang-built-linux,
linux-hardening, GR-everest-linux-l2, Ariel Elior
On Tue, Jul 31, 2021 at 07:07:00PM -0300, Kees Cook wrote:
> On Tue, Jul 27, 2021 at 01:58:33PM -0700, Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memset(), avoid intentionally writing across
> > neighboring fields.
> >
> > Use memset_after() so memset() doesn't get confused about writing
> > beyond the destination member that is intended to be the starting point
> > of zeroing through the end of the struct.
> >
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > The old code seems to be doing the wrong thing: starting from not the
> > first member, but sized for the whole struct. Which is correct?
>
> Quick ping on this question.
>
> The old code seems to be doing the wrong thing: it starts from the second
> member and writes beyond int_info, clobbering qede_lock:
Thanks for highlighting the problem, but actually, the memset is redundant.
We will remove it so the change will not be needed.
>
> struct qede_dev {
> ...
> struct qed_int_info int_info;
>
> /* Smaller private variant of the RTNL lock */
> struct mutex qede_lock;
> ...
>
>
> struct qed_int_info {
> struct msix_entry *msix;
> u8 msix_cnt;
>
> /* This should be updated by the protocol driver */
> u8 used_cnt;
> };
>
> Should this also clear the "msix" member, or should this not write
> beyond int_info? This patch does the latter.
It should clear only the msix_cnt, no need to clear the entire
qed_int_info structure.
>
> -Kees
>
> > ---
> > drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c
> b/drivers/net/ethernet/qlogic/qede/qede_main.c
> > index 01ac1e93d27a..309dfe8c94fb 100644
> > --- a/drivers/net/ethernet/qlogic/qede/qede_main.c
> > +++ b/drivers/net/ethernet/qlogic/qede/qede_main.c
> > @@ -2419,7 +2419,7 @@ static int qede_load(struct qede_dev *edev, enum
> qede_load_mode mode,
> > goto out;
> > err4:
> > qede_sync_free_irqs(edev);
> > - memset(&edev->int_info.msix_cnt, 0, sizeof(struct qed_int_info));
> > + memset_after(&edev->int_info, 0, msix);
We will replace the redundant memset with:
edev->int_info.msix_cnt = 0;
> > err3:
> > qede_napi_disable_remove(edev);
> > err2:
> > --
> > 2.30.2
> >
>
> --
> Kees Cook
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH 42/64] net: qede: Use memset_after() for counters
2021-08-02 14:29 [PATCH 42/64] net: qede: Use memset_after() for counters Shai Malin
@ 2021-08-02 16:23 ` Kees Cook
0 siblings, 0 replies; 5+ messages in thread
From: Kees Cook @ 2021-08-02 16:23 UTC (permalink / raw)
To: Shai Malin
Cc: Gustavo A. R. Silva, Keith Packard, Greg Kroah-Hartman,
Andrew Morton, linux-kernel, linux-wireless, netdev, dri-devel,
linux-staging, linux-block, linux-kbuild, clang-built-linux,
linux-hardening, GR-everest-linux-l2, Ariel Elior
On Mon, Aug 02, 2021 at 02:29:28PM +0000, Shai Malin wrote:
>
> On Tue, Jul 31, 2021 at 07:07:00PM -0300, Kees Cook wrote:
> > On Tue, Jul 27, 2021 at 01:58:33PM -0700, Kees Cook wrote:
> > > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > > field bounds checking for memset(), avoid intentionally writing across
> > > neighboring fields.
> > >
> > > Use memset_after() so memset() doesn't get confused about writing
> > > beyond the destination member that is intended to be the starting point
> > > of zeroing through the end of the struct.
> > >
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > ---
> > > The old code seems to be doing the wrong thing: starting from not the
> > > first member, but sized for the whole struct. Which is correct?
> >
> > Quick ping on this question.
> >
> > The old code seems to be doing the wrong thing: it starts from the second
> > member and writes beyond int_info, clobbering qede_lock:
>
> Thanks for highlighting the problem, but actually, the memset is redundant.
> We will remove it so the change will not be needed.
>
> >
> > struct qede_dev {
> > ...
> > struct qed_int_info int_info;
> >
> > /* Smaller private variant of the RTNL lock */
> > struct mutex qede_lock;
> > ...
> >
> >
> > struct qed_int_info {
> > struct msix_entry *msix;
> > u8 msix_cnt;
> >
> > /* This should be updated by the protocol driver */
> > u8 used_cnt;
> > };
> >
> > Should this also clear the "msix" member, or should this not write
> > beyond int_info? This patch does the latter.
>
> It should clear only the msix_cnt, no need to clear the entire
> qed_int_info structure.
Should used_cnt be cleared too? It is currently. Better yet, what patch
do you suggest I replace this proposed one with? :)
Thanks for looking at this!
-Kees
--
Kees Cook
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 42/64] net: qede: Use memset_after() for counters
@ 2021-08-02 16:35 Shai Malin
0 siblings, 0 replies; 5+ messages in thread
From: Shai Malin @ 2021-08-02 16:35 UTC (permalink / raw)
To: Kees Cook
Cc: Gustavo A. R. Silva, Keith Packard, Greg Kroah-Hartman,
Andrew Morton, linux-kernel, linux-wireless, netdev, dri-devel,
linux-staging, linux-block, linux-kbuild, clang-built-linux,
linux-hardening, GR-everest-linux-l2, Ariel Elior
On Mon, Aug 02, 2021 at 07:23:00PM +0300, Kees Cook wrote:
> On Mon, Aug 02, 2021 at 02:29:28PM +0000, Shai Malin wrote:
> > On Tue, Jul 31, 2021 at 07:07:00PM -0300, Kees Cook wrote:
> > > On Tue, Jul 27, 2021 at 01:58:33PM -0700, Kees Cook wrote:
> > > > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > > > field bounds checking for memset(), avoid intentionally writing across
> > > > neighboring fields.
> > > >
> > > > Use memset_after() so memset() doesn't get confused about writing
> > > > beyond the destination member that is intended to be the starting point
> > > > of zeroing through the end of the struct.
> > > >
> > > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > > ---
> > > > The old code seems to be doing the wrong thing: starting from not the
> > > > first member, but sized for the whole struct. Which is correct?
> > >
> > > Quick ping on this question.
> > >
> > > The old code seems to be doing the wrong thing: it starts from the second
> > > member and writes beyond int_info, clobbering qede_lock:
> >
> > Thanks for highlighting the problem, but actually, the memset is redundant.
> > We will remove it so the change will not be needed.
> >
> > >
> > > struct qede_dev {
> > > ...
> > > struct qed_int_info int_info;
> > >
> > > /* Smaller private variant of the RTNL lock */
> > > struct mutex qede_lock;
> > > ...
> > >
> > >
> > > struct qed_int_info {
> > > struct msix_entry *msix;
> > > u8 msix_cnt;
> > >
> > > /* This should be updated by the protocol driver */
> > > u8 used_cnt;
> > > };
> > >
> > > Should this also clear the "msix" member, or should this not write
> > > beyond int_info? This patch does the latter.
> >
> > It should clear only the msix_cnt, no need to clear the entire
> > qed_int_info structure.
>
> Should used_cnt be cleared too? It is currently. Better yet, what patch
> do you suggest I replace this proposed one with? :)
In qede_sync_free_irqs(), just after:
edev->int_info.used_cnt = 0;
Please add:
edev->int_info.msix_cnt = 0;
Thanks!
>
> Thanks for looking at this!
>
> -Kees
>
> --
> Kees Cook
^ permalink raw reply [flat|nested] 5+ messages in thread* [PATCH 00/64] Introduce strict memcpy() bounds checking
@ 2021-07-27 20:57 Kees Cook
2021-07-27 20:58 ` [PATCH 42/64] net: qede: Use memset_after() for counters Kees Cook
0 siblings, 1 reply; 5+ messages in thread
From: Kees Cook @ 2021-07-27 20:57 UTC (permalink / raw)
To: linux-hardening
Cc: Kees Cook, Gustavo A. R. Silva, Keith Packard,
Greg Kroah-Hartman, Andrew Morton, linux-kernel, linux-wireless,
netdev, dri-devel, linux-staging, linux-block, linux-kbuild,
clang-built-linux
Hi,
This patch series (based on next-20210726) implements stricter (no struct
member overflows) bounds checking for memcpy(), memmove(), and memset()
under CONFIG_FORTIFY_SOURCE. To quote a later patch in the series:
tl;dr: In order to eliminate a large class of common buffer overflow
flaws that continue to persist in the kernel, have memcpy() (under
CONFIG_FORTIFY_SOURCE) perform bounds checking of the destination struct
member when they have a known size. This would have caught all of the
memcpy()-related buffer write overflow flaws identified in at least the
last three years.
As this series introduces various helpers and performs several phases of
treewide cleanups, I'm expecting to carry this series in my tree, so I'd
love to get some Reviews and Acks. Given the size, I've mostly aimed this
series at various mailing lists, otherwise the CC size got really big. :)
Specifically, this series is logically split into several steps:
Clean up remaining simple compile-time memcpy() warnings:
media: omap3isp: Extract struct group for memcpy() region
mac80211: Use flex-array for radiotap header bitmap
rpmsg: glink: Replace strncpy() with strscpy_pad()
Introduce struct_group() and apply it treewide to avoid compile-time
memcpy() warnings:
stddef: Introduce struct_group() helper macro
skbuff: Switch structure bounds to struct_group()
bnxt_en: Use struct_group_attr() for memcpy() region
staging: rtl8192e: Use struct_group() for memcpy() region
staging: rtl8192u: Use struct_group() for memcpy() region
staging: rtl8723bs: Avoid field-overflowing memcpy()
lib80211: Use struct_group() for memcpy() region
net/mlx5e: Avoid field-overflowing memcpy()
mwl8k: Use struct_group() for memcpy() region
libertas: Use struct_group() for memcpy() region
libertas_tf: Use struct_group() for memcpy() region
ipw2x00: Use struct_group() for memcpy() region
thermal: intel: int340x_thermal: Use struct_group() for memcpy() region
iommu/amd: Use struct_group() for memcpy() region
cxgb3: Use struct_group() for memcpy() region
ip: Use struct_group() for memcpy() regions
intersil: Use struct_group() for memcpy() region
cxgb4: Use struct_group() for memcpy() region
bnx2x: Use struct_group() for memcpy() region
drm/amd/pm: Use struct_group() for memcpy() region
staging: wlan-ng: Use struct_group() for memcpy() region
drm/mga/mga_ioc32: Use struct_group() for memcpy() region
net/mlx5e: Use struct_group() for memcpy() region
HID: cp2112: Use struct_group() for memcpy() region
Prepare fortify for additional hardening:
compiler_types.h: Remove __compiletime_object_size()
lib/string: Move helper functions out of string.c
fortify: Move remaining fortify helpers into fortify-string.h
fortify: Explicitly disable Clang support
Add compile-time and run-time tests:
fortify: Add compile-time FORTIFY_SOURCE tests
lib: Introduce CONFIG_TEST_MEMCPY
Enable new compile-time memcpy() and memmove() bounds checking:
fortify: Detect struct member overflows in memcpy() at compile-time
fortify: Detect struct member overflows in memmove() at compile-time
Clean up remaining simple compile-time memset() warnings:
scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp
Introduce memset_after() helper and apply it (and struct_group())
treewide to avoid compile-time memset() warnings:
string.h: Introduce memset_after() for wiping trailing members/padding
xfrm: Use memset_after() to clear padding
mac80211: Use memset_after() to clear tx status
net: 802: Use memset_after() to clear struct fields
net: dccp: Use memset_after() for TP zeroing
net: qede: Use memset_after() for counters
ath11k: Use memset_after() for clearing queue descriptors
iw_cxgb4: Use memset_after() for cpl_t5_pass_accept_rpl
intel_th: msu: Use memset_after() for clearing hw header
IB/mthca: Use memset_after() for clearing mpt_entry
btrfs: Use memset_after() to clear end of struct
drbd: Use struct_group() to zero algs
cm4000_cs: Use struct_group() to zero struct cm4000_dev region
KVM: x86: Use struct_group() to zero decode cache
tracing: Use struct_group() to zero struct trace_iterator
dm integrity: Use struct_group() to zero struct journal_sector
HID: roccat: Use struct_group() to zero kone_mouse_event
ipv6: Use struct_group() to zero rt6_info
RDMA/mlx5: Use struct_group() to zero struct mlx5_ib_mr
ethtool: stats: Use struct_group() to clear all stats at once
netfilter: conntrack: Use struct_group() to zero struct nf_conn
powerpc: Split memset() to avoid multi-field overflow
Enable new compile-time memset() bounds checking:
fortify: Detect struct member overflows in memset() at compile-time
Enable Clang support and global array-bounds checking:
fortify: Work around Clang inlining bugs
Makefile: Enable -Warray-bounds
Avoid run-time memcpy() bounds check warnings:
netlink: Avoid false-positive memcpy() warning
iwlwifi: dbg_ini: Split memcpy() to avoid multi-field write
Enable run-time memcpy() bounds checking:
fortify: Add run-time WARN for cross-field memcpy()
A future series will clean up for and add run-time memset() bounds
checking.
Thanks!
-Kees
Makefile | 1 -
arch/s390/lib/string.c | 3 +
arch/x86/boot/compressed/misc.c | 3 +-
arch/x86/kvm/emulate.c | 3 +-
arch/x86/kvm/kvm_emulate.h | 19 +-
arch/x86/lib/memcpy_32.c | 1 +
arch/x86/lib/string_32.c | 1 +
drivers/block/drbd/drbd_main.c | 3 +-
drivers/block/drbd/drbd_protocol.h | 6 +-
drivers/block/drbd/drbd_receiver.c | 3 +-
drivers/char/pcmcia/cm4000_cs.c | 9 +-
drivers/gpu/drm/amd/include/atomfirmware.h | 9 +-
.../drm/amd/pm/inc/smu11_driver_if_arcturus.h | 3 +-
.../drm/amd/pm/inc/smu11_driver_if_navi10.h | 3 +-
.../amd/pm/inc/smu13_driver_if_aldebaran.h | 3 +-
.../gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 6 +-
.../gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 12 +-
.../drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 6 +-
drivers/gpu/drm/mga/mga_ioc32.c | 30 +-
drivers/hid/hid-cp2112.c | 14 +-
drivers/hid/hid-roccat-kone.c | 2 +-
drivers/hid/hid-roccat-kone.h | 12 +-
drivers/hwtracing/intel_th/msu.c | 4 +-
drivers/infiniband/hw/cxgb4/cm.c | 5 +-
drivers/infiniband/hw/mlx5/mlx5_ib.h | 4 +-
drivers/infiniband/hw/mthca/mthca_mr.c | 3 +-
drivers/iommu/amd/init.c | 9 +-
drivers/macintosh/smu.c | 3 +-
drivers/md/dm-integrity.c | 9 +-
drivers/media/platform/omap3isp/ispstat.c | 5 +-
.../net/ethernet/broadcom/bnx2x/bnx2x_stats.c | 7 +-
.../net/ethernet/broadcom/bnx2x/bnx2x_stats.h | 14 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 4 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.h | 14 +-
drivers/net/ethernet/chelsio/cxgb3/sge.c | 9 +-
drivers/net/ethernet/chelsio/cxgb4/sge.c | 8 +-
drivers/net/ethernet/chelsio/cxgb4/t4_msg.h | 2 +-
drivers/net/ethernet/chelsio/cxgb4/t4fw_api.h | 10 +-
drivers/net/ethernet/chelsio/cxgb4vf/sge.c | 7 +-
drivers/net/ethernet/mellanox/mlx5/core/en.h | 4 +-
.../net/ethernet/mellanox/mlx5/core/en/xdp.c | 4 +-
.../net/ethernet/mellanox/mlx5/core/en_tx.c | 2 +-
drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +-
drivers/net/wireguard/queueing.h | 4 +-
drivers/net/wireless/ath/ath11k/hal_rx.c | 13 +-
drivers/net/wireless/ath/carl9170/tx.c | 4 +-
drivers/net/wireless/intel/ipw2x00/libipw.h | 12 +-
.../net/wireless/intel/ipw2x00/libipw_rx.c | 8 +-
drivers/net/wireless/intel/iwlwifi/fw/file.h | 2 +-
.../net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 3 +-
.../net/wireless/intersil/hostap/hostap_hw.c | 5 +-
.../wireless/intersil/hostap/hostap_wlan.h | 14 +-
drivers/net/wireless/intersil/p54/txrx.c | 4 +-
drivers/net/wireless/marvell/libertas/host.h | 10 +-
drivers/net/wireless/marvell/libertas/tx.c | 5 +-
.../marvell/libertas_tf/libertas_tf.h | 10 +-
.../net/wireless/marvell/libertas_tf/main.c | 3 +-
drivers/net/wireless/marvell/mwl8k.c | 10 +-
drivers/rpmsg/qcom_glink_native.c | 2 +-
drivers/scsi/ibmvscsi/ibmvscsi.c | 2 +-
drivers/staging/rtl8192e/rtllib.h | 20 +-
drivers/staging/rtl8192e/rtllib_crypt_ccmp.c | 3 +-
drivers/staging/rtl8192e/rtllib_rx.c | 8 +-
.../staging/rtl8192u/ieee80211/ieee80211.h | 24 +-
.../rtl8192u/ieee80211/ieee80211_crypt_ccmp.c | 3 +-
.../staging/rtl8192u/ieee80211/ieee80211_rx.c | 8 +-
drivers/staging/rtl8723bs/core/rtw_mlme.c | 2 +-
drivers/staging/rtl8723bs/core/rtw_security.c | 5 +-
drivers/staging/rtl8723bs/core/rtw_xmit.c | 5 +-
drivers/staging/wlan-ng/hfa384x.h | 16 +-
drivers/staging/wlan-ng/hfa384x_usb.c | 4 +-
.../intel/int340x_thermal/acpi_thermal_rel.c | 5 +-
.../intel/int340x_thermal/acpi_thermal_rel.h | 48 +--
fs/btrfs/root-tree.c | 5 +-
include/linux/compiler-gcc.h | 2 -
include/linux/compiler_types.h | 4 -
include/linux/fortify-string.h | 234 +++++++++++---
include/linux/ieee80211.h | 8 +-
include/linux/if_vlan.h | 6 +-
include/linux/skbuff.h | 9 +-
include/linux/stddef.h | 34 ++
include/linux/string.h | 26 +-
include/linux/thread_info.h | 2 +-
include/linux/trace_events.h | 26 +-
include/net/flow.h | 6 +-
include/net/ieee80211_radiotap.h | 24 +-
include/net/ip6_fib.h | 30 +-
include/net/mac80211.h | 4 +-
include/net/netfilter/nf_conntrack.h | 20 +-
include/uapi/drm/mga_drm.h | 37 ++-
include/uapi/linux/if_ether.h | 12 +-
include/uapi/linux/ip.h | 12 +-
include/uapi/linux/ipv6.h | 12 +-
include/uapi/linux/netlink.h | 1 +
include/uapi/linux/omap3isp.h | 44 ++-
kernel/trace/trace.c | 4 +-
lib/.gitignore | 2 +
lib/Kconfig.debug | 3 +
lib/Makefile | 32 ++
lib/string.c | 210 +------------
lib/string_helpers.c | 201 ++++++++++++
lib/test_fortify/read_overflow-memchr.c | 5 +
lib/test_fortify/read_overflow-memchr_inv.c | 5 +
lib/test_fortify/read_overflow-memcmp.c | 5 +
lib/test_fortify/read_overflow-memscan.c | 5 +
lib/test_fortify/read_overflow2-memcmp.c | 5 +
lib/test_fortify/read_overflow2-memcpy.c | 5 +
lib/test_fortify/read_overflow2-memmove.c | 5 +
.../read_overflow2_field-memcpy.c | 5 +
.../read_overflow2_field-memmove.c | 5 +
lib/test_fortify/test_fortify.h | 31 ++
lib/test_fortify/write_overflow-memcpy.c | 5 +
lib/test_fortify/write_overflow-memmove.c | 5 +
lib/test_fortify/write_overflow-memset.c | 5 +
lib/test_fortify/write_overflow-strlcpy.c | 5 +
lib/test_fortify/write_overflow-strncpy.c | 5 +
lib/test_fortify/write_overflow-strscpy.c | 5 +
.../write_overflow_field-memcpy.c | 5 +
.../write_overflow_field-memmove.c | 5 +
.../write_overflow_field-memset.c | 5 +
lib/test_memcpy.c | 297 ++++++++++++++++++
net/802/hippi.c | 2 +-
net/core/flow_dissector.c | 10 +-
net/core/skbuff.c | 14 +-
net/dccp/trace.h | 4 +-
net/ethtool/stats.c | 15 +-
net/ipv4/ip_output.c | 6 +-
net/ipv6/route.c | 4 +-
net/mac80211/rx.c | 2 +-
net/netfilter/nf_conntrack_core.c | 4 +-
net/netlink/af_netlink.c | 4 +-
net/wireless/lib80211_crypt_ccmp.c | 3 +-
net/wireless/radiotap.c | 5 +-
net/xfrm/xfrm_policy.c | 4 +-
net/xfrm/xfrm_user.c | 2 +-
scripts/test_fortify.sh | 64 ++++
security/Kconfig | 3 +
137 files changed, 1484 insertions(+), 633 deletions(-)
create mode 100644 lib/test_fortify/read_overflow-memchr.c
create mode 100644 lib/test_fortify/read_overflow-memchr_inv.c
create mode 100644 lib/test_fortify/read_overflow-memcmp.c
create mode 100644 lib/test_fortify/read_overflow-memscan.c
create mode 100644 lib/test_fortify/read_overflow2-memcmp.c
create mode 100644 lib/test_fortify/read_overflow2-memcpy.c
create mode 100644 lib/test_fortify/read_overflow2-memmove.c
create mode 100644 lib/test_fortify/read_overflow2_field-memcpy.c
create mode 100644 lib/test_fortify/read_overflow2_field-memmove.c
create mode 100644 lib/test_fortify/test_fortify.h
create mode 100644 lib/test_fortify/write_overflow-memcpy.c
create mode 100644 lib/test_fortify/write_overflow-memmove.c
create mode 100644 lib/test_fortify/write_overflow-memset.c
create mode 100644 lib/test_fortify/write_overflow-strlcpy.c
create mode 100644 lib/test_fortify/write_overflow-strncpy.c
create mode 100644 lib/test_fortify/write_overflow-strscpy.c
create mode 100644 lib/test_fortify/write_overflow_field-memcpy.c
create mode 100644 lib/test_fortify/write_overflow_field-memmove.c
create mode 100644 lib/test_fortify/write_overflow_field-memset.c
create mode 100644 lib/test_memcpy.c
create mode 100644 scripts/test_fortify.sh
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread* [PATCH 42/64] net: qede: Use memset_after() for counters
2021-07-27 20:57 [PATCH 00/64] Introduce strict memcpy() bounds checking Kees Cook
@ 2021-07-27 20:58 ` Kees Cook
2021-07-31 16:07 ` Kees Cook
0 siblings, 1 reply; 5+ messages in thread
From: Kees Cook @ 2021-07-27 20:58 UTC (permalink / raw)
To: linux-hardening
Cc: Kees Cook, Gustavo A. R. Silva, Keith Packard,
Greg Kroah-Hartman, Andrew Morton, linux-kernel, linux-wireless,
netdev, dri-devel, linux-staging, linux-block, linux-kbuild,
clang-built-linux
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring fields.
Use memset_after() so memset() doesn't get confused about writing
beyond the destination member that is intended to be the starting point
of zeroing through the end of the struct.
Signed-off-by: Kees Cook <keescook@chromium.org>
---
The old code seems to be doing the wrong thing: starting from not the
first member, but sized for the whole struct. Which is correct?
---
drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c
index 01ac1e93d27a..309dfe8c94fb 100644
--- a/drivers/net/ethernet/qlogic/qede/qede_main.c
+++ b/drivers/net/ethernet/qlogic/qede/qede_main.c
@@ -2419,7 +2419,7 @@ static int qede_load(struct qede_dev *edev, enum qede_load_mode mode,
goto out;
err4:
qede_sync_free_irqs(edev);
- memset(&edev->int_info.msix_cnt, 0, sizeof(struct qed_int_info));
+ memset_after(&edev->int_info, 0, msix);
err3:
qede_napi_disable_remove(edev);
err2:
--
2.30.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 42/64] net: qede: Use memset_after() for counters
2021-07-27 20:58 ` [PATCH 42/64] net: qede: Use memset_after() for counters Kees Cook
@ 2021-07-31 16:07 ` Kees Cook
0 siblings, 0 replies; 5+ messages in thread
From: Kees Cook @ 2021-07-31 16:07 UTC (permalink / raw)
To: Ariel Elior, GR-everest-linux-l2
Cc: Gustavo A. R. Silva, Keith Packard, Greg Kroah-Hartman,
Andrew Morton, linux-kernel, linux-wireless, netdev, dri-devel,
linux-staging, linux-block, linux-kbuild, clang-built-linux,
linux-hardening
On Tue, Jul 27, 2021 at 01:58:33PM -0700, Kees Cook wrote:
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field bounds checking for memset(), avoid intentionally writing across
> neighboring fields.
>
> Use memset_after() so memset() doesn't get confused about writing
> beyond the destination member that is intended to be the starting point
> of zeroing through the end of the struct.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> The old code seems to be doing the wrong thing: starting from not the
> first member, but sized for the whole struct. Which is correct?
Quick ping on this question.
The old code seems to be doing the wrong thing: it starts from the second
member and writes beyond int_info, clobbering qede_lock:
struct qede_dev {
...
struct qed_int_info int_info;
/* Smaller private variant of the RTNL lock */
struct mutex qede_lock;
...
struct qed_int_info {
struct msix_entry *msix;
u8 msix_cnt;
/* This should be updated by the protocol driver */
u8 used_cnt;
};
Should this also clear the "msix" member, or should this not write
beyond int_info? This patch does the latter.
-Kees
> ---
> drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c
> index 01ac1e93d27a..309dfe8c94fb 100644
> --- a/drivers/net/ethernet/qlogic/qede/qede_main.c
> +++ b/drivers/net/ethernet/qlogic/qede/qede_main.c
> @@ -2419,7 +2419,7 @@ static int qede_load(struct qede_dev *edev, enum qede_load_mode mode,
> goto out;
> err4:
> qede_sync_free_irqs(edev);
> - memset(&edev->int_info.msix_cnt, 0, sizeof(struct qed_int_info));
> + memset_after(&edev->int_info, 0, msix);
> err3:
> qede_napi_disable_remove(edev);
> err2:
> --
> 2.30.2
>
--
Kees Cook
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-08-02 16:35 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-02 14:29 [PATCH 42/64] net: qede: Use memset_after() for counters Shai Malin
2021-08-02 16:23 ` Kees Cook
-- strict thread matches above, loose matches on Subject: below --
2021-08-02 16:35 Shai Malin
2021-07-27 20:57 [PATCH 00/64] Introduce strict memcpy() bounds checking Kees Cook
2021-07-27 20:58 ` [PATCH 42/64] net: qede: Use memset_after() for counters Kees Cook
2021-07-31 16:07 ` Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).