2021-06-17 02:18:54

by Kees Cook

[permalink] [raw]
Subject: [PATCH] s390/dasd: Avoid field over-reading memcpy()

In preparation for FORTIFY_SOURCE performing compile-time and run-time
field array bounds checking for memcpy(), memmove(), and memset(),
avoid intentionally reading across neighboring array fields.

Add a wrapping structure to serve as the memcpy() source, so the compiler
can do appropriate bounds checking, avoiding this future warning:

In function '__fortify_memcpy',
inlined from 'create_uid' at drivers/s390/block/dasd_eckd.c:749:2:
./include/linux/fortify-string.h:246:4: error: call to '__read_overflow2_field' declared with attribute error: detected read beyond size of field (2nd parameter)

Signed-off-by: Kees Cook <[email protected]>
---
drivers/s390/block/dasd_eckd.c | 2 +-
drivers/s390/block/dasd_eckd.h | 6 ++++--
2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
index a6ac505cbdd7..0de1a463c509 100644
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -746,7 +746,7 @@ static void create_uid(struct dasd_eckd_private *private)
memcpy(uid->vendor, private->ned->HDA_manufacturer,
sizeof(uid->vendor) - 1);
EBCASC(uid->vendor, sizeof(uid->vendor) - 1);
- memcpy(uid->serial, private->ned->HDA_location,
+ memcpy(uid->serial, &private->ned->serial,
sizeof(uid->serial) - 1);
EBCASC(uid->serial, sizeof(uid->serial) - 1);
uid->ssid = private->gneq->subsystemID;
diff --git a/drivers/s390/block/dasd_eckd.h b/drivers/s390/block/dasd_eckd.h
index 73651211789f..65e4630ad2ae 100644
--- a/drivers/s390/block/dasd_eckd.h
+++ b/drivers/s390/block/dasd_eckd.h
@@ -332,8 +332,10 @@ struct dasd_ned {
__u8 dev_type[6];
__u8 dev_model[3];
__u8 HDA_manufacturer[3];
- __u8 HDA_location[2];
- __u8 HDA_seqno[12];
+ struct {
+ __u8 HDA_location[2];
+ __u8 HDA_seqno[12];
+ } serial;
__u8 ID;
__u8 unit_addr;
} __attribute__ ((packed));
--
2.25.1


2021-06-29 14:26:16

by Heiko Carstens

[permalink] [raw]
Subject: Re: [PATCH] s390/dasd: Avoid field over-reading memcpy()

On Wed, Jun 16, 2021 at 01:19:17PM -0700, Kees Cook wrote:
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field array bounds checking for memcpy(), memmove(), and memset(),
> avoid intentionally reading across neighboring array fields.
>
> Add a wrapping structure to serve as the memcpy() source, so the compiler
> can do appropriate bounds checking, avoiding this future warning:
>
> In function '__fortify_memcpy',
> inlined from 'create_uid' at drivers/s390/block/dasd_eckd.c:749:2:
> ./include/linux/fortify-string.h:246:4: error: call to '__read_overflow2_field' declared with attribute error: detected read beyond size of field (2nd parameter)
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
> drivers/s390/block/dasd_eckd.c | 2 +-
> drivers/s390/block/dasd_eckd.h | 6 ++++--
> 2 files changed, 5 insertions(+), 3 deletions(-)

I'll leave it up to Stefan Haberland and Jan Hoeppner to handle this one.

2021-06-29 16:49:17

by Stefan Haberland

[permalink] [raw]
Subject: Re: [PATCH] s390/dasd: Avoid field over-reading memcpy()

Am 16.06.21 um 22:19 schrieb Kees Cook:
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field array bounds checking for memcpy(), memmove(), and memset(),
> avoid intentionally reading across neighboring array fields.
>
> Add a wrapping structure to serve as the memcpy() source, so the compiler
> can do appropriate bounds checking, avoiding this future warning:
>
> In function '__fortify_memcpy',
> inlined from 'create_uid' at drivers/s390/block/dasd_eckd.c:749:2:
> ./include/linux/fortify-string.h:246:4: error: call to '__read_overflow2_field' declared with attribute error: detected read beyond size of field (2nd parameter)
>
> Signed-off-by: Kees Cook <[email protected]

Thanks,

applied.