Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751936AbdHAMFN (ORCPT ); Tue, 1 Aug 2017 08:05:13 -0400 Received: from mout.kundenserver.de ([212.227.17.24]:50330 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751768AbdHAMFL (ORCPT ); Tue, 1 Aug 2017 08:05:11 -0400 From: Arnd Bergmann Cc: Kees Cook , Andrew Morton , Arnd Bergmann , linux-kernel@vger.kernel.org Subject: [PATCH 2/2] adfs: use 'unsigned' types for memcpy length Date: Tue, 1 Aug 2017 14:04:04 +0200 Message-Id: <20170801120438.1582336-2-arnd@arndb.de> X-Mailer: git-send-email 2.9.0 In-Reply-To: <20170801120438.1582336-1-arnd@arndb.de> References: <20170726185219.GA57833@beast> <20170801120438.1582336-1-arnd@arndb.de> X-Provags-ID: V03:K0:OTkLSYNPHfZFNtNM/8W8tHWHDLemw88CN2mkvromL7NKAxwYPRF rC9wwImmac4X0ie3TvMYMgaoyZEzssyvZ2EdqF7MRLb6CB0sODllcsh85huoiZ/GNhZdOJs fo2DuHtlEbuKzKORNbewYVlQ7RmTgiNwvnaO1JGkMtI5R/xR0Ww7RAyi3PGIw/p5lY4TnPa FrIO1Lfahw4NabxBpMbfA== X-UI-Out-Filterresults: notjunk:1;V01:K0:ZBOpraHh6g4=:fBeHYnUw3MhsUAVLBhWZqs Unx+XoflV/ibvlLaQC0q68Cn8v4Iw7M6a62xPvgg7a4KW8iXeuaNvgWcvPuarMxS+5WrxFBcP V6Z8WUgHJ3LmbViTSQa5ctzIb4+rOgOcnlwBkicAKeH90PY9BySzsa54TXuyba+9HgOGK67Vu f+ZKLUIiUKv/nbk7N+IY5dkTQ4Elp7FJH35FQad54jqFHxbPkXpIcmME4l7mdcQ806TjhRuKd G3mzuSSJwSG0ITvEty0+684JMhm9PM8w4f9fMa3StuSX/rtLBdHo5D9R0RGC94rhmE1oNSLTq uZdSf2rp1PQK/fFRTXBUuPtbl9CvwiW5eFPgkWIXsdqQYMYTDJlfpeP+Fe8uFR31VqaxCXxFH HdY7qOyhuv7CjHmEv+pJTksU4cJIr4wdtNDSmmslkYKGnuIRoqhTu2ieXk+/+jkSdE8slbhKj BpTWBfphxULM2pwcKEIZ5dMnMJqDcTnALdVUgNYCGlQUvRW0sIFQyPk5eWmMq09ZgOvRNQpXV ec75Ifuif9ljGqli5qTJjC1oQoizdt/wQFqJUnPbqyP21etPIaSBuRtZimnuGcjlD1GfNCrRB XmOnWB5aKoUeUrQmyG5QzH1mLeT9d873plnZj5NQna2JKDisODfKJTQyHXIZbQSK09Dnhz59x FbPZ0KIIgrYguQRe6QQAz0HoEHHssMTVzdf6zGJ5JviKDZKz9LTCXo+P3iNJ1+fkYbucPx0/1 lF4PE/SF5WZkp3S6Z0GWGAHKBjV1bZu10pU5ag== To: unlisted-recipients:; (no To-header on input) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1730 Lines: 47 After commit 62d1034f53e3 ("fortify: use WARN instead of BUG for now"), we get a warning in adfs about a possible buffer overflow: In function 'memcpy', inlined from '__adfs_dir_put' at fs/adfs/dir_f.c:318:2, inlined from 'adfs_f_update' at fs/adfs/dir_f.c:403:2: include/linux/string.h:305:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter __read_overflow2(); ^~~~~~~~~~~~~~~~~~ The warning is correct in the sense that a negative 'pos' argument to the function would have that result. However, this is not a bug, as we know the position is always positive (in fact, between 5 and 2007, inclusive) when the function gets called. Changing the variable to a unsigned type avoids the problem. I decided to use 'unsigned int' for the position in the directory and the block number, as they are both counting things, but use size_t for the offset and length that get passed into memcpy. This shuts up the warning. Signed-off-by: Arnd Bergmann --- fs/adfs/dir_f.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/adfs/dir_f.c b/fs/adfs/dir_f.c index 0fbfd0b04ae0..dab3595a1ecc 100644 --- a/fs/adfs/dir_f.c +++ b/fs/adfs/dir_f.c @@ -283,11 +283,12 @@ __adfs_dir_get(struct adfs_dir *dir, int pos, struct object_info *obj) } static int -__adfs_dir_put(struct adfs_dir *dir, int pos, struct object_info *obj) +__adfs_dir_put(struct adfs_dir *dir, unsigned int pos, struct object_info *obj) { struct super_block *sb = dir->sb; struct adfs_direntry de; - int thissize, buffer, offset; + unsigned int buffer; + size_t thissize, offset; buffer = pos >> sb->s_blocksize_bits; -- 2.9.0