Received: by 2002:a05:6359:6284:b0:131:369:b2a3 with SMTP id se4csp4541192rwb; Tue, 8 Aug 2023 09:55:25 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHHg+gBvCPzU3+NUNnhY14ikIaluxKCZHiIf20JP6QPIUN6U9yUJAYaw8v6TPZUjLBu5Nyk X-Received: by 2002:a17:902:9006:b0:1bc:a3d:3b80 with SMTP id a6-20020a170902900600b001bc0a3d3b80mr200119plp.68.1691513724673; Tue, 08 Aug 2023 09:55:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1691513724; cv=none; d=google.com; s=arc-20160816; b=fZriwSKE4MdNazkzkARD7yeWBHy9AzysEVP0rq5ge1RbQoiQF09GZZI2LlTMA9AePO 212tqkqMVRJwglic5x2XfigLEueE0yZRigO6hPQRTE04dyrMRpOLh/eMBiYybaDbD7bc MwRAZ9WcR80TR/9i31xNzAk3Mse7EHOwtlvgmkM8SScoHRzTAPvlR4AeXg2j5mMiDotw X9X2aRJ9d2YNsC0DpBqWjPaYvZ3XD/MpkkqPgepm4kiS1gNxo8DJ2b4wwhGbP7gA1/eC GDTqJNJ5oAIbtRiZir29up6O/lDMeGd26CKucc+7/+oCz42LfqDMHKOCYRciORVfMpbH 8R4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=B9KWfKiBL0yGcyiPzOOtr2YSrwRH6r1phwfAIl+A6oU=; fh=tZLvh7RWGODMiS2kjw1ykPJCeGRaWm+h5gKgtEspoeA=; b=yl3dmuktoSG9Wx3k9tOl8S+xHHqF1o9mdssNE/H3BIU9Oe9/egnsLBIxazXqMQ37RX zaND5g4uVWNxZeIVPXRND9Ka+L+ghaCPg552zl68eQm/+vfNVLy9vTaEgLxXdwxxcV8W TEws82j/PzU6a9H6n9NO4TnEmS/pmTh1mwMAOCmcKPfMOcx2L+RWE3KLzHQwJvrv3ksd ngZEqI1uHXq1lAcy5jFY1lY+990lpK13EwP4w/aMErSaROErNo9+sNGr4ZBnYZy2Z08D 6fhS6g+1DgyPkppGJVV43Djwomwvrew5bEW1O0aRSFVAOTNbjFxSCXdK7XCLa4XHNZi8 pAvg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f8-20020a170902684800b001b8e443b6ffsi6816210pln.7.2023.08.08.09.55.12; Tue, 08 Aug 2023 09:55:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232312AbjHHQlv (ORCPT + 99 others); Tue, 8 Aug 2023 12:41:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59298 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232268AbjHHQlI (ORCPT ); Tue, 8 Aug 2023 12:41:08 -0400 Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [IPv6:2a0a:51c0:0:237:300::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A2EE415B8C; Tue, 8 Aug 2023 08:54:50 -0700 (PDT) Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92) (envelope-from ) id 1qTP2U-0001Au-Qj; Tue, 08 Aug 2023 17:54:30 +0200 Date: Tue, 8 Aug 2023 17:54:30 +0200 From: Florian Westphal To: "GONG, Ruiqi" Cc: Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal , Roopa Prabhu , Nikolay Aleksandrov , Kees Cook , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, Wang Weiyang , Xiu Jianfeng Subject: Re: [PATCH] netfilter: ebtables: fix fortify warnings Message-ID: <20230808155430.GB9741@breakpoint.cc> References: <20230808014821.241688-1-gongruiqi@huaweicloud.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20230808014821.241688-1-gongruiqi@huaweicloud.com> User-Agent: Mutt/1.10.1 (2018-07-13) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org GONG, Ruiqi wrote: > From: "GONG, Ruiqi" > > When compiling with gcc 13 and CONFIG_FORTIFY_SOURCE=y, the following > warning appears: > > In function ‘fortify_memcpy_chk’, > inlined from ‘size_entry_mwt’ at net/bridge/netfilter/ebtables.c:2118:2: > ./include/linux/fortify-string.h:592:25: error: call to ‘__read_overflow2_field’ > declared with attribute warning: detected read beyond size of field (2nd parameter); > maybe use struct_group()? [-Werror=attribute-warning] > 592 | __read_overflow2_field(q_size_field, size); > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > The compiler is complaining: > > memcpy(&offsets[1], &entry->watchers_offset, > sizeof(offsets) - sizeof(offsets[0])); > > where memcpy reads beyong &entry->watchers_offset to copy > {watchers,target,next}_offset altogether into offsets[]. Silence the > warning by wrapping these three up via struct_group(). > > Signed-off-by: GONG, Ruiqi > --- > include/uapi/linux/netfilter_bridge/ebtables.h | 14 ++++++++------ > net/bridge/netfilter/ebtables.c | 3 +-- > 2 files changed, 9 insertions(+), 8 deletions(-) > > diff --git a/include/uapi/linux/netfilter_bridge/ebtables.h b/include/uapi/linux/netfilter_bridge/ebtables.h > index a494cf43a755..e634da196d08 100644 > --- a/include/uapi/linux/netfilter_bridge/ebtables.h > +++ b/include/uapi/linux/netfilter_bridge/ebtables.h > @@ -182,12 +182,14 @@ struct ebt_entry { > unsigned char sourcemsk[ETH_ALEN]; > unsigned char destmac[ETH_ALEN]; > unsigned char destmsk[ETH_ALEN]; > - /* sizeof ebt_entry + matches */ > - unsigned int watchers_offset; > - /* sizeof ebt_entry + matches + watchers */ > - unsigned int target_offset; > - /* sizeof ebt_entry + matches + watchers + target */ > - unsigned int next_offset; > + struct_group(offsets, > + /* sizeof ebt_entry + matches */ This is an UAPI header, I think you need to use __struct_group here.