References: <000000000000a96c0b05e97f0444@google.com> <202209251935.0469930C@keescook>
In-Reply-To: <202209251935.0469930C@keescook>
From: Jamal Hadi Salim
Date: Tue, 27 Sep 2022 07:23:29 -0400
Subject: Re: [syzbot] WARNING in u32_change
To: Kees Cook
Cc: Eric Dumazet, syzbot, David Miller, Jiri Pirko, Jakub Kicinski, LKML, netdev, Paolo Abeni, syzkaller-bugs, Cong Wang
X-Mailing-List: linux-kernel@vger.kernel.org

Do you want to submit that patch then?
FWIW, I could not recreate what syzbot saw even after setting
CONFIG_FORTIFY_SOURCE=y

cheers,
jamal

On Sun, Sep 25, 2022 at 10:39 PM Kees Cook wrote:
>
> On Sun, Sep 25, 2022 at 10:34:37AM -0700, Eric Dumazet wrote:
> > Sure, please look at:
> >
> > commit 54d9469bc515dc5fcbc20eecbe19cea868b70d68
> > Author: Kees Cook
> > Date: Thu Jun 24 15:39:26 2021 -0700
> >
> > fortify: Add run-time WARN for cross-field memcpy()
> > [...]
> > Here, we might switch to unsafe_memcpy() instead of memcpy()
>
> I would tend to agree. Something like:
>
> diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
> index 4d27300c287c..21e0e6206ecc 100644
> --- a/net/sched/cls_u32.c
> +++ b/net/sched/cls_u32.c
> @@ -1040,7 +1040,9 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, > } > #endif > > - memcpy(&n->sel, s, sel_size); > + unsafe_memcpy(&n->sel, s, sel_size, > + /* A composite flex-array structure destination, > + * which was correctly sized and allocated above. */); > RCU_INIT_POINTER(n->ht_up, ht); > n->handle = handle; > n->fshift = s->hmask ? ffs(ntohl(s->hmask)) - 1 : 0; > > This alloc/partial-copy pattern is relatively common in the kernel, so > I've been considering adding a helper for it. It'd be like kmemdup(), > but more like kmemdup_offset(), which only the object from a certainly > point is copied. > > -- > Kees Cook
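Review bot: the justification passed to unsafe_memcpy() in place of memcpy(&n->sel, s, sel_size) says n was "correctly sized and allocated above" but does not name what bounds sel_size, and since unsafe_memcpy() opts this copy out of the FORTIFY cross-field check that syzbot tripped, that bound is the entire safety argument. Suggest stating it explicitly, along the lines of "/* n was allocated with room for sel_size bytes at ->sel (the selector plus its trailing keys), so this cross-field copy cannot exceed the object; FORTIFY cannot derive that bound from the type of n->sel. */", so a later change to either the allocation or the sel_size computation is caught in review instead of silently widening the copy. The commit message should also say that this only silences the run-time WARN from 54d9469bc515 without changing what is copied, and, given that Jamal could not reproduce the WARN with CONFIG_FORTIFY_SOURCE=y, cite the syzbot report rather than a local reproduction.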
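An added userspace example of the alloc/partial-copy pattern Kees describes and of the kmemdup_offset()-style helper he sketches. This is not code from the thread or from the kernel tree: the struct layouts, sel_size_for(), dup_at_offset(), node_from_sel() and demo_copy() are hypothetical stand-ins for illustration (the real tc_u32_sel and tc_u_knode layouts are not reproduced). What it shows is the argument an unsafe_memcpy() justification has to make: the copy length is derived from the caller's key count, checked against the bytes actually supplied, and the destination is allocated from that same length before anything is copied, so a cross-field copy into the embedded selector cannot run past the object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a selector that ends in a flexible array of keys
 * (hypothetical layout, not the kernel's struct tc_u32_sel). */
struct key {
    uint32_t mask;
    uint32_t val;
    int32_t  off;
};

struct sel {
    uint8_t    flags;
    uint8_t    nkeys;   /* caller-supplied count; must be checked before use */
    uint32_t   hmask;
    struct key keys[];  /* nkeys entries follow in the same allocation */
};

/* Node embedding the selector as its last member, so the keys spill past
 * sizeof(struct sel) into storage that was sized for them at allocation. */
struct node {
    uint32_t   handle;
    int        fshift;
    struct sel sel;     /* must remain the last member */
};

/* Bytes the selector needs for the key count it claims, or 0 when the
 * caller's buffer (avail bytes) cannot hold that many keys. */
size_t sel_size_for(const struct sel *s, size_t avail)
{
    size_t need;

    if (avail < sizeof(*s))
        return 0;
    need = sizeof(*s) + (size_t)s->nkeys * sizeof(struct key);
    return need <= avail ? need : 0;
}

/* Hypothetical userspace sketch of a kmemdup_offset()-style helper:
 * allocate `total` zeroed bytes and copy `len` bytes of src to offset
 * `off`, refusing any combination that would write past the object. */
void *dup_at_offset(const void *src, size_t len, size_t off, size_t total)
{
    unsigned char *obj;

    if (off > total || len > total - off)
        return NULL;
    obj = calloc(1, total);
    if (!obj)
        return NULL;
    memcpy(obj + off, src, len);
    return obj;
}

/* The alloc/partial-copy pattern: the node is sized from sel_size and the
 * selector is copied into it at offsetof(struct node, sel). */
struct node *node_from_sel(const struct sel *s, size_t avail)
{
    size_t sel_size = sel_size_for(s, avail);
    size_t off = offsetof(struct node, sel);

    if (sel_size == 0)
        return NULL;
    return dup_at_offset(s, sel_size, off, off + sel_size);
}

/* Build a constructed selector carrying two real keys, let the caller claim
 * any key count, and duplicate it into a node. Returns the number of keys
 * that reached the node, -1 if the bound check refused the copy, or -2 if
 * the copied payload did not match what was sent. */
int demo_copy(uint8_t claimed_nkeys)
{
    union {
        struct sel    s;   /* keeps the buffer correctly aligned */
        unsigned char raw[sizeof(struct sel) + 2 * sizeof(struct key)];
    } u;
    struct sel *s = &u.s;
    struct node *n;
    int i, copied;

    memset(u.raw, 0, sizeof(u.raw));
    s->flags = 1;
    s->nkeys = claimed_nkeys;
    s->hmask = 0xff00u;
    for (i = 0; i < 2; i++) {
        s->keys[i].mask = 0xffffffffu;
        s->keys[i].val  = 0x0a000000u + (uint32_t)i;
        s->keys[i].off  = 12 + 4 * i;
    }

    n = node_from_sel(s, sizeof(u.raw));
    if (!n)
        return -1;
    copied = n->sel.nkeys;
    if (copied >= 1 && n->sel.keys[copied - 1].off != 12 + 4 * (copied - 1))
        copied = -2;
    free(n);
    return copied;
}

int main(void)
{
    printf("claimed 2 keys -> %d\n", demo_copy(2));  /* 2: copied intact */
    printf("claimed 3 keys -> %d\n", demo_copy(3));  /* -1: refused, too few bytes */
    return 0;
}
```

A claimed count larger than the supplied buffer is rejected before any allocation, which is the check that makes the later cross-field copy safe; a smaller claim just copies fewer keys, because the length is recomputed from the count rather than trusted as a separate field.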