Received: by 2002:a05:7412:b995:b0:f9:9502:5bb8 with SMTP id it21csp6129874rdb; Mon, 1 Jan 2024 09:45:35 -0800 (PST) X-Google-Smtp-Source: AGHT+IGpUPEts5ortjvH6R7asmaJmurj5wBj26mLesA3CNO6ilPEV4I7hFHt3vB6nRkSgj1JRkWB X-Received: by 2002:a17:902:784c:b0:1d3:3952:8885 with SMTP id e12-20020a170902784c00b001d339528885mr15313287pln.11.1704131135533; Mon, 01 Jan 2024 09:45:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1704131135; cv=none; d=google.com; s=arc-20160816; b=qWki/qw1P/HTh1JKISIxnnrNyO5Lw3yKTWieNkkpEtdlrK5Wbwc2ovAQM7QETyDkBu 2j+Y8XbkgRJVTFIuBFvskwkwVGzK9/QvEBt8/dNjSMl06fCNbMDa+NHYhPzmPrI/KZ2x CWDUHhCVDZ88c2zLK7L1ypG+gnzrDAJc4QsLIqVh6DWKLACHHS94hNhcIrsXAKH0cTub +C3lnqke818mfTYn4+1qKSGdYGCAf4FCjiYZVpB2ZvEjAPUbXnFHHZdO+tN4gcy0n61r 9qNS/2TmpLnBpuEv3rPOp9yEN8DkLC+qdXfWGRE2VOs4Arl8UfQo8qVkOFsqUyiHACmg A96w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id:dkim-signature; bh=huackJ8jZzDmN0sqCQfiharq0gTzy0SAIzq039inA2o=; fh=hZeSQXIRiC2BYsOhTpUmve7tuMFDqM1c/zUzrW+RidM=; b=pg+opr3eAeKq9YgLSCiIJS2XHpuroypjEOQ4zqUYb21gDOMeq26Z2/CoA4+/65V+Wd Lz8UwBfUTVvDR6VShijD89uG1FZ5M7niKmKTwhCu5jwLJ9B56bM9tMJsNggBUATc1IO7 QPZ0B5nRo/0vJRnx9CuJ3iaiOOARHY9E1LZLp+ofgKU1a/JKmvvaBClXG65eLoz/KzaN zn+ZKLJog5wlUNPpTj1zYchaUOl5tVKWJhGXiT63ItDCkdMJoTaCk8Drc18lniB6wPHQ Wz9L6rx5klWJ4RBpo8Vx84x/KgMGWtjKK1/4liK0RK1q8VojyZ/To5yPdUN9gKC37iCS Lr5g== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@embeddedor.com header.s=default header.b=CXEJS0rK; spf=pass (google.com: domain of linux-kernel+bounces-13917-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-13917-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id q19-20020a170902bd9300b001d3177065acsi16688881pls.229.2024.01.01.09.45.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 01 Jan 2024 09:45:35 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-13917-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=fail header.i=@embeddedor.com header.s=default header.b=CXEJS0rK; spf=pass (google.com: domain of linux-kernel+bounces-13917-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-13917-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 2F35F281B89 for ; Mon, 1 Jan 2024 17:45:35 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 9F8AF9453; Mon, 1 Jan 2024 17:45:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=embeddedor.com header.i=@embeddedor.com header.b="CXEJS0rK" X-Original-To: linux-kernel@vger.kernel.org Received: from omta038.useast.a.cloudfilter.net (omta038.useast.a.cloudfilter.net [44.202.169.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C8E8D8F6C for ; Mon, 1 Jan 2024 17:45:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=embeddedor.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=embeddedor.com Received: from eig-obgw-5009a.ext.cloudfilter.net ([10.0.29.176]) by cmsmtp with ESMTPS id KIiKrxz79WcCIKMKJrCZaV; Mon, 01 Jan 2024 17:43:47 +0000 Received: from gator4166.hostgator.com ([108.167.133.22]) by cmsmtp with ESMTPS id KMKIrK3qO97pzKMKJrwtVT; Mon, 01 Jan 2024 17:43:47 +0000 X-Authority-Analysis: v=2.4 cv=ULDOoQTy c=1 sm=1 tr=0 ts=6592f9d3 a=1YbLdUo/zbTtOZ3uB5T3HA==:117 a=GfQleyYEO+cc22AUyTT7qQ==:17 a=OWjo9vPv0XrRhIrVQ50Ab3nP57M=:19 a=dLZJa+xiwSxG16/P+YVxDGlgEgI=:19 a=IkcTkHD0fZMA:10 a=dEuoMetlWLkA:10 a=wYkD_t78qR0A:10 a=4RBUngkUAAAA:8 a=yPCof4ZbAAAA:8 a=s-YHb6lbn-Xrcz-ehpMA:9 a=QEXdDO2ut3YA:10 a=_sbA2Q-Kp09kWB8D3iXc:22 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=embeddedor.com; s=default; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:From:References:Cc:To:Subject:MIME-Version:Date:Message-ID:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=huackJ8jZzDmN0sqCQfiharq0gTzy0SAIzq039inA2o=; b=CXEJS0rKPiVtT0jkmsZb232rnJ 2+WW4RY+4KPwgyCD2zH5QJFt53/kD82w6Rp5uen9NUtZ49P8M8HASTOL56IYlZMWSi1D5ws7RuDHZ vKGXdwvPnSEGKKzTd2kCUbhNIpIvH4Z205mNYsMFcDl26ImPEHYR4bDn4scPJJnIGjAUvfbgr79kB VkK/l36AumOzmYgg+1qHnZoa2RkATQtftLxLsR1EQ6K2GaY8Y/nTxDJpw9VTEfVtZRidkedRdC9a7 4t8fSkMI/WmMbzwM3BTSa9Z+Kq4NPaRxZokXMtRvKkmcZ6Q9/2mvt1bwuvS+xUC4qDQUDR5E7eaUK wUE14Tmg==; Received: from 187.184.157.186.cable.dyn.cableonline.com.mx ([187.184.157.186]:10555 helo=[192.168.0.10]) by gator4166.hostgator.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96.2) (envelope-from ) id 1rKMKH-002ID1-2h; Mon, 01 Jan 2024 11:43:45 -0600 Message-ID: Date: Mon, 1 Jan 2024 11:43:42 -0600 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [RFC PATCH] VMCI: Silence memcpy() run-time false positive warning Content-Language: en-US To: Harshit Mogalapalli , linux-hardening@vger.kernel.org, keescook@chromium.org, gustavoars@kernel.org, Bryan Tan , Vishnu Dasa , VMware PV-Drivers Reviewers , Arnd Bergmann , Greg Kroah-Hartman , linux-kernel@vger.kernel.org Cc: vegard.nossum@oracle.com, darren.kenny@oracle.com, syzkaller References: <20240101130828.3666251-1-harshit.m.mogalapalli@oracle.com> From: "Gustavo A. R. Silva" In-Reply-To: <20240101130828.3666251-1-harshit.m.mogalapalli@oracle.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator4166.hostgator.com X-AntiAbuse: Original Domain - vger.kernel.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - embeddedor.com X-BWhitelist: no X-Source-IP: 187.184.157.186 X-Source-L: No X-Exim-ID: 1rKMKH-002ID1-2h X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: 187.184.157.186.cable.dyn.cableonline.com.mx ([192.168.0.10]) [187.184.157.186]:10555 X-Source-Auth: gustavo@embeddedor.com X-Email-Count: 4 X-Org: HG=hgshared;ORG=hostgator; X-Source-Cap: Z3V6aWRpbmU7Z3V6aWRpbmU7Z2F0b3I0MTY2Lmhvc3RnYXRvci5jb20= X-Local-Domain: yes X-CMAE-Envelope: MS4xfF4aNoZeoIxpCZx9rSOn2N10wT/UbxMn2PSeh5PuiwexcZXSX+eq4T8HgWV/AutFjPyOuVtrGvpN1EJf9wT9WKszUvKpWMFN6lJoAthrDkHDXD1lIuV2 zo/Iom7jUK1o659NpKvmR7yiO6F+Dln78u11KtMds7hjOGF++a7P3x9CPa5w/vv51re92ZOxhXAs7zFxLMIj6D6iyeNEhnI82EVULCUDzC/YMb6z5m2UMd1E On 1/1/24 07:08, Harshit Mogalapalli wrote: > Syzkaller hit 'WARNING in dg_dispatch_as_host' bug. > > memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg" > at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24) This is not a 'false postive warning.' This is a legitimately warning coming from the fortified memcpy(). Under FORTIFY_SOURCE we should not copy data across multiple members in a structure. For that we alternatives like struct_group(), or as in this case, splitting memcpy(), or as I suggest below, a mix of direct assignment and memcpy(). > > WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237 > dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237 > > Some code commentry, based on my understanding: > > 544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size) > /// This is 24 + payload_size > > memcpy(&dg_info->msg, dg, dg_size); > Destination = dg_info->msg ---> this is a 24 byte > structure(struct vmci_datagram) > Source = dg --> this is a 24 byte structure (struct vmci_datagram) > Size = dg_size = 24 + payload_size > > > {payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32. > > 35 struct delayed_datagram_info { > 36 struct datagram_entry *entry; > 37 struct work_struct work; > 38 bool in_dg_host_queue; > 39 /* msg and msg_payload must be together. */ > 40 struct vmci_datagram msg; > 41 u8 msg_payload[]; > 42 }; > > So those extra bytes of payload are copied into msg_payload[], so there > is no bug, but a run time warning is seen while fuzzing with Syzkaller. > > One possible way to silence the warning is to split the memcpy() into > two parts -- one -- copying the msg and second taking care of payload. > > Reported-by: syzkaller > Suggested-by: Vegard Nossum > Signed-off-by: Harshit Mogalapalli > --- > This patch is only tested with the C reproducer, not any testing > specific to driver is done. > --- > drivers/misc/vmw_vmci/vmci_datagram.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/misc/vmw_vmci/vmci_datagram.c b/drivers/misc/vmw_vmci/vmci_datagram.c > index f50d22882476..b43661590f56 100644 > --- a/drivers/misc/vmw_vmci/vmci_datagram.c > +++ b/drivers/misc/vmw_vmci/vmci_datagram.c > @@ -216,6 +216,7 @@ static int dg_dispatch_as_host(u32 context_id, struct vmci_datagram *dg) > if (dst_entry->run_delayed || > dg->src.context == VMCI_HOST_CONTEXT_ID) { > struct delayed_datagram_info *dg_info; > + size_t payload_size = dg_size - VMCI_DG_HEADERSIZE; This seems to be the same as `dg->payload_size`, so I don't think a new variable is necessary. > > if (atomic_add_return(1, &delayed_dg_host_queue_size) > == VMCI_MAX_DELAYED_DG_HOST_QUEUE_SIZE) { > @@ -234,7 +235,8 @@ static int dg_dispatch_as_host(u32 context_id, struct vmci_datagram *dg) > > dg_info->in_dg_host_queue = true; > dg_info->entry = dst_entry; > - memcpy(&dg_info->msg, dg, dg_size); > + memcpy(&dg_info->msg, dg, VMCI_DG_HEADERSIZE); > + memcpy(&dg_info->msg_payload, dg + 1, payload_size); I think a direct assignment and a call to memcpy() is better in this case, something like this: dg_info->msg = *dg; memcpy(&dg_info->msg_payload, dg + 1, dg->payload_size); However, that `dg + 1` thing is making my eyes twitch. Where exactly are we making sure that `dg` actually points to an area in memory bigger than `sizeof(*dg)`?... Also, we could also use struct_size() during allocation, some lines above: - dg_info = kmalloc(sizeof(*dg_info) + - (size_t) dg->payload_size, GFP_ATOMIC); + dg_info = kmalloc(struct_size(dg_info, msg_payload, dg->payload_size), + GFP_ATOMIC); -- Gustavo > > INIT_WORK(&dg_info->work, dg_delayed_dispatch); > schedule_work(&dg_info->work);