Received: by 2002:a05:6359:6284:b0:131:369:b2a3 with SMTP id se4csp5278518rwb; Wed, 9 Aug 2023 01:13:44 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHiRUrT9c2IlUkR7oT3gojgfbx1ld1uRlkoFG3wUdf5DzLyLt6ThE7ph/wUo/jcPul3GI+G X-Received: by 2002:aa7:cb5a:0:b0:521:ad49:8493 with SMTP id w26-20020aa7cb5a000000b00521ad498493mr2137096edt.6.1691568823827; Wed, 09 Aug 2023 01:13:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1691568823; cv=none; d=google.com; s=arc-20160816; b=Uoa4FfbGRUXWdLsYvT3w5adr5zGZCoxlBix5F0EuGvZtv4z/gV+JV+jyc2VQIdYslz SV2bd5TT7QaP8IvfOkuCX15luPqI0Rd8HAOC5LAK+4n7S/HO3ZfqXrgecypCURNlXJUy EveHtMhnXMT0cMMVpJr0PKabTYSjbT7ywvh15gtykCHhyhW9cGyN7KJ1WbAZ3NLwI/oW lVLJBC8kbxqzL6A1ga2kyVxU8EKamPVcNIWMIbpOltejF941AKFq/Z6VyrxoVbrYX+Vh xTcoHW02oIyAObOpu96b2tR6dZpgu3m9wpxNc79lBFI59yiH9inXXO0TKTblcidrbO+U lRpw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=O6QTyGYJq5CZ0z6wz0gNTaqfEUGAUBZI0nRd69rAYc4=; fh=xt4wnjAZ2VzI8YWUMFNvBqrEImBHn3T0nnSLmtUtbOc=; b=drHvZMFmFjrcjC7gcP+f85Wz1OOr9rUnpQUxMr8Z2tvasAQLe+DKC72SJZ/U1fQBcQ Vvf2tNpLYVtJt3S11DsPVrmPWiQ/xf9wLAqAG2sflrpo0V+yGxHwGMDb4gDyI6hLMaG9 EhbGskBjMmGb+NqK1Baq3olt3WXiBBhNTEG/EUgrbKEayNuAbK4hoRIfwUMosa3UEbc+ frl/spZbUOopCgzgqSPoBX89+d9tbVxPV5CQ9GjeyDkQ4Lu5U+QnLfshP+0cSs4NMUgE 1DNTFQC2tSQqZwifKjlW96P9VLK0RHv8QP7T8qgxh97lZlr2zrF2BTt/HTOpkU33R/8i cBWA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s26-20020a056402165a00b005233e8b00b0si3508270edx.217.2023.08.09.01.13.18; Wed, 09 Aug 2023 01:13:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229454AbjHIHcR (ORCPT + 99 others); Wed, 9 Aug 2023 03:32:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56538 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229560AbjHIHcB (ORCPT ); Wed, 9 Aug 2023 03:32:01 -0400 Received: from dggsgout11.his.huawei.com (dggsgout11.his.huawei.com [45.249.212.51]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3525C1BE1; Wed, 9 Aug 2023 00:32:00 -0700 (PDT) Received: from mail02.huawei.com (unknown [172.30.67.143]) by dggsgout11.his.huawei.com (SkyGuard) with ESMTP id 4RLMFR2skRz4f3lfG; Wed, 9 Aug 2023 15:31:55 +0800 (CST) Received: from [10.67.110.48] (unknown [10.67.110.48]) by APP4 (Coremail) with SMTP id gCh0CgBXNKfqQNNkPrAmAQ--.25321S2; Wed, 09 Aug 2023 15:31:56 +0800 (CST) Message-ID: <3497b8d9-4fb2-24af-aea2-09cd2c5fc6db@huaweicloud.com> Date: Wed, 9 Aug 2023 15:31:54 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0 Subject: Re: [PATCH v2] netfilter: ebtables: fix fortify warnings Content-Language: en-US To: Kees Cook , "Gustavo A. R. Silva" , "GONG, Ruiqi" Cc: Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal , Roopa Prabhu , Nikolay Aleksandrov , Kees Cook , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, Wang Weiyang , Xiu Jianfeng References: <20230808133038.771316-1-gongruiqi@huaweicloud.com> <5E8E0F9C-EE3F-4B0D-B827-DC47397E2A4A@kernel.org> From: "GONG, Ruiqi" In-Reply-To: <5E8E0F9C-EE3F-4B0D-B827-DC47397E2A4A@kernel.org> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-CM-TRANSID: gCh0CgBXNKfqQNNkPrAmAQ--.25321S2 X-Coremail-Antispam: 1UD129KBjvJXoW7uF4xCw18tw1fArW5ury7Awb_yoW5Jry3pF 1qk3Wakr48JayYgw1xXwnYyr4F934qgF13JrW3G34rGryvqFy7G39YkryY9a4kJwn8uF48 AF1YgrWagFWDJFJanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUU9214x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26ryj6F1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4U JVWxJr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_Gc CE3s1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E 2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWUJV W8JwACjcxG0xvEwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lFIxGxcIEc7CjxVA2Y2ka 0xkIwI1lc7I2V7IY0VAS07AlzVAYIcxG8wCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7x kEbVWUJVW8JwC20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E 67AF67kF1VAFwI0_GFv_WrylIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCw CI42IY6xIIjxv20xvEc7CjxVAFwI0_Gr0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6rWUJVWr Zr1UMIIF0xvEx4A2jsIE14v26r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYx BIdaVFxhVjvjDU0xZFpf9x0JUdHUDUUUUU= X-CM-SenderInfo: pjrqw2pxltxq5kxd4v5lfo033gof0z/ X-CFilter-Loop: Reflected X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2023/08/09 6:53, Kees Cook wrote: > > [...] >>> >>> diff --git a/include/uapi/linux/netfilter_bridge/ebtables.h b/include/uapi/linux/netfilter_bridge/ebtables.h >>> index a494cf43a755..b0caad82b693 100644 >>> --- a/include/uapi/linux/netfilter_bridge/ebtables.h >>> +++ b/include/uapi/linux/netfilter_bridge/ebtables.h >>> @@ -182,12 +182,14 @@ struct ebt_entry { >>> unsigned char sourcemsk[ETH_ALEN]; >>> unsigned char destmac[ETH_ALEN]; >>> unsigned char destmsk[ETH_ALEN]; >>> - /* sizeof ebt_entry + matches */ >>> - unsigned int watchers_offset; >>> - /* sizeof ebt_entry + matches + watchers */ >>> - unsigned int target_offset; >>> - /* sizeof ebt_entry + matches + watchers + target */ >>> - unsigned int next_offset; >>> + __struct_group(/* no tag */, offsets, /* no attrs */, >>> + /* sizeof ebt_entry + matches */ >>> + unsigned int watchers_offset; >>> + /* sizeof ebt_entry + matches + watchers */ >>> + unsigned int target_offset; >>> + /* sizeof ebt_entry + matches + watchers + target */ >>> + unsigned int next_offset; >>> + ); >>> unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); > > While we're here, can we drop this [0] in favor of []? > > -Kees > There are still quite a lot of zero-element array in include/uapi/linux/netfilter_bridge/ebtables.h. I will submit another patch to change them altogether. >>> }; >>> >>> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c >>> index 757ec46fc45a..5ec66b1ebb64 100644 >>> --- a/net/bridge/netfilter/ebtables.c >>> +++ b/net/bridge/netfilter/ebtables.c >>> @@ -2115,8 +2115,7 @@ static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *ba >>> return ret; >>> >>> offsets[0] = sizeof(struct ebt_entry); /* matches come first */ >>> - memcpy(&offsets[1], &entry->watchers_offset, >>> - sizeof(offsets) - sizeof(offsets[0])); >>> + memcpy(&offsets[1], &entry->offsets, sizeof(offsets) - sizeof(offsets[0])); >> ^^^^^^^^^^^^ >> You now can replace this ____________________________________| >> with just `sizeof(entry->offsets)` >> >> With that change you can add my >> Reviewed-by: Gustavo A. R. Silva >> >> Thank you >> -- >> Gustavo >> >>> >>> if (state->buf_kern_start) { >>> buf_start = state->buf_kern_start + state->buf_kern_offset; >>> -- >>> 2.41.0 >>> > >