tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 4da34b7d175dc99b8befebd69e96546c960d526c
commit: 28e77cc1c0686621a4d416f599cee5ab369daa0a fortify: Detect struct member overflows in memset() at compile-time
date: 8 months ago
config: arm-randconfig-r012-20221023
compiler: arm-linux-gnueabi-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=28e77cc1c0686621a4d416f599cee5ab369daa0a
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout 28e77cc1c0686621a4d416f599cee5ab369daa0a
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=arm SHELL=/bin/bash fs/ocfs2/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <[email protected]>
All warnings (new ones prefixed by >>):
In file included from include/linux/string.h:253,
from include/linux/bitmap.h:11,
from include/linux/cpumask.h:12,
from include/linux/smp.h:13,
from include/linux/lockdep.h:14,
from include/linux/spinlock.h:62,
from include/linux/mmzone.h:8,
from include/linux/gfp.h:6,
from include/linux/slab.h:15,
from fs/ocfs2/dlmglue.c:11:
In function 'fortify_memset_chk',
inlined from 'ocfs2_lock_res_free' at fs/ocfs2/dlmglue.c:790:2:
>> include/linux/fortify-string.h:220:25: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning]
220 | __write_overflow_field(p_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vim +/__write_overflow_field +220 include/linux/fortify-string.h
202
203 __FORTIFY_INLINE void fortify_memset_chk(__kernel_size_t size,
204 const size_t p_size,
205 const size_t p_size_field)
206 {
207 if (__builtin_constant_p(size)) {
208 /*
209 * Length argument is a constant expression, so we
210 * can perform compile-time bounds checking where
211 * buffer sizes are known.
212 */
213
214 /* Error when size is larger than enclosing struct. */
215 if (p_size > p_size_field && p_size < size)
216 __write_overflow();
217
218 /* Warn when write size is larger than dest field. */
219 if (p_size_field < size)
> 220 __write_overflow_field(p_size_field, size);
221 }
222 /*
223 * At this point, length argument may not be a constant expression,
224 * so run-time bounds checking can be done where buffer sizes are
225 * known. (This is not an "else" because the above checks may only
226 * be compile-time warnings, and we want to still warn for run-time
227 * overflows.)
228 */
229
230 /*
231 * Always stop accesses beyond the struct that contains the
232 * field, when the buffer's remaining size is known.
233 * (The -1 test is to optimize away checks where the buffer
234 * lengths are unknown.)
235 */
236 if (p_size != (size_t)(-1) && p_size < size)
237 fortify_panic("memset");
238 }
239
--
0-DAY CI Kernel Test Service
https://01.org/lkp
On Sun, Oct 23, 2022 at 04:45:58AM +0800, kernel test robot wrote:
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> head: 4da34b7d175dc99b8befebd69e96546c960d526c
> commit: 28e77cc1c0686621a4d416f599cee5ab369daa0a fortify: Detect struct member overflows in memset() at compile-time
> date: 8 months ago
> config: arm-randconfig-r012-20221023
> compiler: arm-linux-gnueabi-gcc (GCC) 12.1.0
> reproduce (this is a W=1 build):
> wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
> chmod +x ~/bin/make.cross
> # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=28e77cc1c0686621a4d416f599cee5ab369daa0a
> git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
> git fetch --no-tags linus master
> git checkout 28e77cc1c0686621a4d416f599cee5ab369daa0a
> # save the config file
> mkdir build_dir && cp config build_dir/.config
> COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=arm SHELL=/bin/bash fs/ocfs2/
>
> If you fix the issue, kindly add following tag where applicable
> | Reported-by: kernel test robot <[email protected]>
>
> All warnings (new ones prefixed by >>):
>
> In file included from include/linux/string.h:253,
> from include/linux/bitmap.h:11,
> from include/linux/cpumask.h:12,
> from include/linux/smp.h:13,
> from include/linux/lockdep.h:14,
> from include/linux/spinlock.h:62,
> from include/linux/mmzone.h:8,
> from include/linux/gfp.h:6,
> from include/linux/slab.h:15,
> from fs/ocfs2/dlmglue.c:11:
> In function 'fortify_memset_chk',
> inlined from 'ocfs2_lock_res_free' at fs/ocfs2/dlmglue.c:790:2:
> >> include/linux/fortify-string.h:220:25: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning]
> 220 | __write_overflow_field(p_size_field, size);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This appears to be a compiler bug. The line in question is:
memset(&res->l_lksb, 0, sizeof(res->l_lksb));
Looking at binary output, something is failing in dead code elimination,
as the copy of the code holding this is never called, and has a
non-literal value for the __builtin_object_size() output, which isn't
possible.
-Kees
--
Kees Cook
On 10/29/2022 6:03 AM, Kees Cook wrote:
> On Sun, Oct 23, 2022 at 04:45:58AM +0800, kernel test robot wrote:
>> tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>> head: 4da34b7d175dc99b8befebd69e96546c960d526c
>> commit: 28e77cc1c0686621a4d416f599cee5ab369daa0a fortify: Detect struct member overflows in memset() at compile-time
>> date: 8 months ago
>> config: arm-randconfig-r012-20221023
>> compiler: arm-linux-gnueabi-gcc (GCC) 12.1.0
>> reproduce (this is a W=1 build):
>> wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
>> chmod +x ~/bin/make.cross
>> # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=28e77cc1c0686621a4d416f599cee5ab369daa0a
>> git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
>> git fetch --no-tags linus master
>> git checkout 28e77cc1c0686621a4d416f599cee5ab369daa0a
>> # save the config file
>> mkdir build_dir && cp config build_dir/.config
>> COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=arm SHELL=/bin/bash fs/ocfs2/
>>
>> If you fix the issue, kindly add following tag where applicable
>> | Reported-by: kernel test robot <[email protected]>
>>
>> All warnings (new ones prefixed by >>):
>>
>> In file included from include/linux/string.h:253,
>> from include/linux/bitmap.h:11,
>> from include/linux/cpumask.h:12,
>> from include/linux/smp.h:13,
>> from include/linux/lockdep.h:14,
>> from include/linux/spinlock.h:62,
>> from include/linux/mmzone.h:8,
>> from include/linux/gfp.h:6,
>> from include/linux/slab.h:15,
>> from fs/ocfs2/dlmglue.c:11:
>> In function 'fortify_memset_chk',
>> inlined from 'ocfs2_lock_res_free' at fs/ocfs2/dlmglue.c:790:2:
>>>> include/linux/fortify-string.h:220:25: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning]
>> 220 | __write_overflow_field(p_size_field, size);
>> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> This appears to be a compiler bug. The line in question is:
>
> memset(&res->l_lksb, 0, sizeof(res->l_lksb));
>
> Looking at binary output, something is failing in dead code elimination,
> as the copy of the code holding this is never called, and has a
> non-literal value for the __builtin_object_size() output, which isn't
> possible.
>
> -Kees
>
Hi Kees,
Thanks for your feedback, we'll add it to ignore list.
Best Regards,
Rong Chen