Date: Mon, 1 Jan 2024 13:55:19 +0000
From: Greg Kroah-Hartman
To: Harshit Mogalapalli
Cc: linux-hardening@vger.kernel.org, keescook@chromium.org, gustavoars@kernel.org, Bryan Tan, Vishnu Dasa, VMware PV-Drivers Reviewers, Arnd Bergmann, linux-kernel@vger.kernel.org, vegard.nossum@oracle.com, darren.kenny@oracle.com, syzkaller
Subject: Re: [RFC PATCH] VMCI: Silence memcpy() run-time false positive warning
Message-ID: <2024010103-connector-plausibly-bc35@gregkh>
References: <20240101130828.3666251-1-harshit.m.mogalapalli@oracle.com>
In-Reply-To: <20240101130828.3666251-1-harshit.m.mogalapalli@oracle.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jan 01, 2024 at 05:08:28AM -0800, Harshit Mogalapalli wrote:
> Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.
>
> memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
> at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)
>
> WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237
> dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237
>
> Some code commentary, based on my understanding:
>
> #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
> /// This is 24 + payload_size
>
> memcpy(&dg_info->msg, dg, dg_size);
> Destination = dg_info->msg ---> this is a 24 byte
> structure (struct vmci_datagram)
> Source = dg --> this is a 24 byte structure (struct vmci_datagram)
> Size = dg_size = 24 + payload_size
>
> {payload_size = 56 - 24 = 32} -- Syzkaller managed to set payload_size to 32.
>
> struct delayed_datagram_info {
>         struct datagram_entry *entry;
>         struct work_struct work;
>         bool in_dg_host_queue;
>         /* msg and msg_payload must be together. */
>         struct vmci_datagram msg;
>         u8 msg_payload[];
> };
>
> So those extra bytes of payload are copied into msg_payload[], so there
> is no bug, but a run-time warning is seen while fuzzing with Syzkaller.
>
> One possible way to silence the warning is to split the memcpy() into
> two parts -- one -- copying the msg and second taking care of payload.

And what are the performance impacts of this?

thanks,

greg k-h
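Added example, not code from the thread or from the vmw_vmci driver: a userspace C model of the copy that tripped the warning. It uses reduced, assumed layouts for struct vmci_datagram and struct delayed_datagram_info that match the sizes quoted above (24-byte header, payload in the trailing flexible array) and a constructed 56-byte datagram with payload_size = 32, then runs the single memcpy() from the driver beside the split copy proposed in the RFC. Both variants land the same bytes in the allocation; only the single copy exceeds the size of the msg field that the kernel's fortified memcpy() compares the copy length against. The field-spanning check is modelled with sizeof(info->msg) standing in for the compiler-provided field size, and compiler_reported_field_size() shows what __builtin_object_size(p, 1) itself returns for the same destination so the two can be compared. All function and type names other than those quoted in the thread are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reduced models of the VMCI types as the thread describes them (24-byte header,
 * then a flexible payload). Assumed layout for illustration, not the driver's headers. */
struct vmci_handle { uint32_t context; uint32_t resource; };

struct vmci_datagram {		/* 24 bytes: the "single field" named in the warning */
	struct vmci_handle dst;
	struct vmci_handle src;
	uint64_t payload_size;
};

#define VMCI_DG_HEADERSIZE sizeof(struct vmci_datagram)
#define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)

struct delayed_datagram_info {
	void *entry;			/* stand-in for the entry and work fields */
	int in_dg_host_queue;
	/* msg and msg_payload must be together. */
	struct vmci_datagram msg;
	uint8_t msg_payload[];
};

/* Model of the fortified memcpy() check: warn (return 1) when a copy runs past the
 * destination's enclosing field. The field size is passed in explicitly here. */
static int field_spanning(size_t copy_len, size_t dst_field_size)
{
	return copy_len > dst_field_size;
}

/* What the compiler reports for &info->msg via __builtin_object_size(p, 1): GCC gives
 * the enclosing field (24); a compiler without sub-object size tracking gives the
 * allocation size or (size_t)-1, which is why the model above takes sizeof instead. */
size_t compiler_reported_field_size(struct delayed_datagram_info *info)
{
	return __builtin_object_size(&info->msg, 1);
}

/* Original shape: one memcpy() of header plus payload into the 24-byte msg. */
static int dispatch_single_copy(struct delayed_datagram_info *info,
				const struct vmci_datagram *dg)
{
	size_t dg_size = VMCI_DG_SIZE(dg);
	int warn = field_spanning(dg_size, sizeof(info->msg));

	memcpy(&info->msg, dg, dg_size);	/* correct: msg_payload follows msg */
	return warn;
}

/* Split shape suggested in the RFC: header into msg, payload into msg_payload,
 * a flexible array member with no field bound to span. */
static int dispatch_split_copy(struct delayed_datagram_info *info,
			       const struct vmci_datagram *dg)
{
	int warn = field_spanning(VMCI_DG_HEADERSIZE, sizeof(info->msg));

	memcpy(&info->msg, dg, VMCI_DG_HEADERSIZE);
	memcpy(info->msg_payload, (const uint8_t *)dg + VMCI_DG_HEADERSIZE,
	       (size_t)dg->payload_size);
	return warn;
}

/* Run one variant on a constructed datagram shaped like the syzkaller case
 * (payload_size = 32, 56 bytes in total). Returns -1 if the bytes that landed in
 * info differ from the source, else 1/0 for whether the modelled check warned. */
int run_variant(int split)
{
	const uint64_t payload_size = 32;
	size_t dg_size = VMCI_DG_HEADERSIZE + (size_t)payload_size;	/* 56 */
	struct vmci_datagram *dg = malloc(dg_size);
	struct delayed_datagram_info *info = calloc(1, sizeof(*info) + (size_t)payload_size);
	int warn = -1;

	if (dg && info) {
		uint8_t *payload = (uint8_t *)dg + VMCI_DG_HEADERSIZE;
		dg->dst = (struct vmci_handle){ .context = 1, .resource = 2 };
		dg->src = (struct vmci_handle){ .context = 3, .resource = 4 };
		dg->payload_size = payload_size;
		for (size_t i = 0; i < payload_size; i++)
			payload[i] = (uint8_t)(0xA0 + i);
		warn = split ? dispatch_split_copy(info, dg) : dispatch_single_copy(info, dg);
		/* msg and msg_payload are contiguous in info: compare both as one span */
		if (memcmp(&info->msg, dg, dg_size) != 0)
			warn = -1;
	}
	free(info);
	free(dg);
	return warn;
}

int main(void)
{
	struct delayed_datagram_info *info = calloc(1, sizeof(*info) + 32);

	printf("compiler field size for &info->msg: %zu (sizeof msg = %zu)\n",
	       info ? compiler_reported_field_size(info) : (size_t)0, sizeof(info->msg));
	printf("single memcpy warns: %d, split memcpy warns: %d\n", run_variant(0), run_variant(1));
	free(info);
	return 0;
}
```

Built with gcc -O2 -Wall, the single copy reports warn=1 with the copied bytes still correct, and the split copy reports warn=0: the warning is about the destination expression naming one 24-byte field, not about the allocation being too small. The split form replaces one memcpy() with two; whether that costs anything on this path is the question raised in the reply, and the example only shows the correctness side.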