Received-SPF: pass (google.com: domain of linux-kernel+bounces-14714-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3;
Message-ID: <8732426c-f428-4237-94d0-70e322ecfd13@oracle.com>
Date: Wed, 3 Jan 2024 00:04:28 +0530
User-Agent: Mozilla Thunderbird
Subject: Re: [RFC PATCH] VMCI: Silence memcpy() run-time false positive
 warning
Content-Language: en-US
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-hardening@vger.kernel.org, keescook@chromium.org,
        gustavoars@kernel.org, Bryan Tan <bryantan@vmware.com>,
        Vishnu Dasa <vdasa@vmware.com>,
        VMware PV-Drivers Reviewers <pv-drivers@vmware.com>,
        Arnd Bergmann <arnd@arndb.de>, linux-kernel@vger.kernel.org,
        vegard.nossum@oracle.com, darren.kenny@oracle.com,
        syzkaller <syzkaller@googlegroups.com>
References: <20240101130828.3666251-1-harshit.m.mogalapalli@oracle.com>
 <2024010103-connector-plausibly-bc35@gregkh>
From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
In-Reply-To: <2024010103-connector-plausibly-bc35@gregkh>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Precedence: bulk
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
	=?utf-8?B?UlREZTBOSDgzOWkrN2l6S2JqNmxXN01QK3NSYk01SVpxbzUwVkQ1TVJKZWd3?=
 =?utf-8?B?dkR6S0lLYkpsdXNmdk50R1RUZE5jbFBlUElzczBVNGpPWW5SZ3Vka2Z1YUND?=
 =?utf-8?B?dWt0WHF1cDdwSVdDMWRPRy9DOFFPelZQSGtkeXYxemNMTzdkWGZram1hNXRp?=
 =?utf-8?B?OUFJMGlMYlZwMXVTd3pad3RoekpqREVUZU14a0E5bVlGL0tCK3ZFOTQ2ay8v?=
 =?utf-8?B?MVpzWjdxeHhEZ1pQRTFPbnkzbzd4ckdIa2xvNnRxSHI4OXdKTXZ2Z0liK1Zx?=
 =?utf-8?B?TS9lc29LdkZUdXBTa1BUYzlMd0FCK25wNlo3WGh2MHU3Q2FadmVIbnpaUTBH?=
 =?utf-8?B?dm1VU0xmamhyNnNRLzVuUVU2VEtUZENOdmxONGFQRGp3c3h4SFB1ZjMyVndN?=
 =?utf-8?B?NUFzVHFxV2FwV3BGbXc5NWw3Snh5NVF0WW1qWWI0ZmZtMDJUMXlrNGgrc1gv?=
 =?utf-8?B?d01SMXNpYmNxNkhWcVJVVFg4L1BsQ3ZGOVJFZWw3dm0vOVk4dnZBWkJRWlZT?=
 =?utf-8?B?V1FnZ082OWJ0amZlYis3ZjVzakFGZHM5U1ZMbHl2R3FxbkNBUUhpWEVwMDUy?=
 =?utf-8?B?S1ZuSXdEOU0za1dBQmxWMldPTDNLaFhVc241Ym53OFU0N3IwWDZaTStCdk15?=
 =?utf-8?B?NTQ1azVXOENPamZKd25NS013YUlJNE9MOFNEeit0TkZvRzlsclhBaTA0eS9i?=
 =?utf-8?B?Ly9RL1YvSU1KWlErU1NPcnVlTWNLTmE3dnh0VHVhQ29Xd2lEU0ZIR2lUVUVT?=
 =?utf-8?B?SzRMMktGZlNkdUNndUdkalVwanJHWFZ6SHJ6Yk9FNHp0elNqNHdmVlcrbXh2?=
 =?utf-8?B?RUE0TDlkVU5tNFY3ZDI0aDRuV21lc2RrelBIVWc4NlhjQzlMbE8xalF6UmhH?=
 =?utf-8?B?bFh5K2pRZW1JT1Z1ZWh6L2lxMWcvcW52cTdWRW95L1BJT3E5NzRaUmdFSEdN?=
 =?utf-8?B?VDNRcDIrbXo4NFFFMXMzUkU4K3FrUjlJOUFEWEhZSjZZN3JCbmp6NklCME44?=
 =?utf-8?B?VDhjbTMwc2tNeTVldDBOOEVGZ3I0R1lsU3IvT0J3dFBHdnlORXpYL0VjRzFT?=
 =?utf-8?B?ais5amp2WEJWNnVXd1NEc2tnR2pjcms5dFVaSy9BelBKRlc5cndwdE9WRXJn?=
 =?utf-8?B?TW1vR2c5Q0xvNVdydkdTZStuSG1mQmpoaXVQakZkdDJyMFJtQVZJQ1RnUDFQ?=
 =?utf-8?B?V1I0N3kzUkVmOVFhYUc1SCtSeHd0bHNOa2Q4MUFzTkhuVEJ6cElQUmphWDJr?=
 =?utf-8?B?OGNxcmQ3eDdvc2JoSXhRSzNRWmpISkZYUFNid3ZSVmtPdUtsQjRROE1ITkxh?=
 =?utf-8?B?R3ZZZ2hQcnVUUzYyVjc2MFBMY2ZsN1Z4YXl3YUIwMlY3eENWT256ay80QjR2?=
 =?utf-8?B?WldGNlg3ZlRIajh1a09ONFdHMGJzZ0xjTXJsQkpoNW0zV1pwaHdqYTVKd2x3?=
 =?utf-8?B?eWxqdGRCMmRLakgvSkthU1JjMkl6MVdOMjV4Tm01V3RxRzNEWXA5N3hjNmRz?=
 =?utf-8?B?RUJyV2I3WG9aQVJBOXppTmd4MzRmVy9vbTVyS2hjbVEyTTVpNTlMYTkrS0Ji?=
 =?utf-8?B?alFwNVVsTFZZUjdIUjZJTU13N0ZKRitiZmdOcDA3U1QyekNGK20xYjVQQ3hu?=
 =?utf-8?B?T1lteEQwNVpsQWp2Y2ZsUFN5TnczMnlBMzlyb3B1UUdCRCtFVTVXWjdXQnhq?=
 =?utf-8?B?UElFQ1c1R0FQWTB3SHBzQi9TbXl5bVREb29yZlY4bG15eTJlMHlqWmNUMUYv?=
 =?utf-8?B?QWZtMUoxR3ZtT0pySTJJa2V0ME9xUGJUQ05KM1EzWWVOZVR0TGR1T01Na3Zy?=
 =?utf-8?B?M3FFWHBsRWNhYVBETVNsNitCRWxPSXZUY0ZSa0kydUlTQWtZOEEwY2lwSGFM?=
 =?utf-8?B?ckwzQ1NER0NKV1paaFkrMGhqUlZ4bU9WV0JmN2tDYjNKR0hBZHRENHBqUGRy?=
 =?utf-8?B?YUtvQzRxMGFqRUtBcUhYYmlzYjdaRVBBTWhIYU9hUm82dlUwU3hCdk1mM0hN?=
 =?utf-8?B?T1IrRzJ5VHJ6RW8zNmdIU1F5NjE4UndiTENBdkJOaFpqM1RINmxXQ2llU2dP?=
 =?utf-8?B?bDdSeWFNMTlzTkhoNDdXLzJGZ1lucXNoNjgrb3g0WGJvT1ZTeE9PVkdGZDJU?=
 =?utf-8?B?cmE0dTVXeVBVZ0hha0xwUk1MRStWNFBjTDZJUTF6dmZCZC9kMkJ0TlZNaTd6?=
 =?utf-8?Q?/Hx+5SqgJKcrkwsWrsenvN4=3D?=
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: 
	ZGvPhZZDH76YJOgwnhHDJfrufjE43mPHHEn5qVTyL0ganO/LkBkSzPtzN2m5KWka5gCxu8mxDiySP9waEQCRD+uY7LvqGxkA+mdvgC9aEr2tkQFW4J+aEasYc6zBCAcyf/0O6xO5RqAxUnJhrIcvgTP7CHLoso7n3/8jIzuHh5LwQruQnYKor9HF1ZXycGmzcQ22aSkDt4Fs4Whv1wxNDruo3+Wqm4hagzQFn9gc8nzwjLHqM1Q2bWpKjWLivxb/5QHnBmnMzIALhvAnNl2iZ4/QIzrzP86mzpipjF59sbJvee2f+DV/DvxCbFtQPUe//1a+HjU8lQvZw4rtr5dcF11PMiJ2bmCjIB+C4p/31ctnaz4fiiw2epOcmGJsXknkGKFye1rJXb/fKL5PVNxqovBVHqiyUmCwcb8OpA87UoqB8+1F4b201OCgrK3MkZY00buPKolV8GjhwYYOXhUuRO+eMWSHa9R5Ew5b2VPAlq3jc4AE/jnn4mY8RhifBWwxVK8ctrD61VB6qBHssHdJkwXTOkpeZQ+UdIePJHsmcAq2QUpnhT8fDZqHfi8YyRCy78Gcp96I4cwCw3IkG/8CBSckWX/iH0afxXO1DshCT9A=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: de801298-9ce3-41b9-b1bf-08dc0bc17ae7
X-MS-Exchange-CrossTenant-AuthSource: PH8PR10MB6290.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Jan 2024 18:34:39.9821
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: VD2gOB/hbV91LhmxElqyKvz8rTkEdVt2GAmP5S283YRTIe3gLOOEg/ZusXBAznr5gweHiLfXZEDlbYfVjaADjyk0tqf2YHiQRgl9HydwEufryUPqbfvy4azKfAPijICe
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY8PR10MB7266
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.272,Aquarius:18.0.997,Hydra:6.0.619,FMLib:17.11.176.26
 definitions=2024-01-02_06,2024-01-02_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 adultscore=0
 mlxlogscore=999 malwarescore=0 spamscore=0 mlxscore=0 phishscore=0
 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2311290000 definitions=main-2401020139
X-Proofpoint-GUID: bjdlTYBZ6QefRcrcI2xXUu19hKXNKsqM
X-Proofpoint-ORIG-GUID: bjdlTYBZ6QefRcrcI2xXUu19hKXNKsqM

Hi Greg,

On 01/01/24 7:25 pm, Greg Kroah-Hartman wrote:
> On Mon, Jan 01, 2024 at 05:08:28AM -0800, Harshit Mogalapalli wrote:
>> Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.
>>
>> memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
>> at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)
>>
>> WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237
>> dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237
>>
>> Some code commentry, based on my understanding:
>>
>> 544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
>> /// This is 24 + payload_size
>>
>> memcpy(&dg_info->msg, dg, dg_size);
>> 	Destination = dg_info->msg ---> this is a 24 byte
>> 					structure(struct vmci_datagram)
>> 	Source = dg --> this is a 24 byte structure (struct vmci_datagram)
>> 	Size = dg_size = 24 + payload_size
>>
>>
>> {payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.
>>
>>   35 struct delayed_datagram_info {
>>   36         struct datagram_entry *entry;
>>   37         struct work_struct work;
>>   38         bool in_dg_host_queue;
>>   39         /* msg and msg_payload must be together. */
>>   40         struct vmci_datagram msg;
>>   41         u8 msg_payload[];
>>   42 };
>>
>> So those extra bytes of payload are copied into msg_payload[], so there
>> is no bug, but a run time warning is seen while fuzzing with Syzkaller.
>>
>> One possible way to silence the warning is to split the memcpy() into
>> two parts -- one -- copying the msg and second taking care of payload.
> 
> And what are the performance impacts of this?
> 

I haven't done any performance tests on this.

I tried to look at the diff in assembly code but couldn't comment on 
performance from that. Also, gustavo suggested to do this: instead of 
two memcpy()'s; a direct assignment and memcpy() for the payload part.

Is there a way to do perf analysis based on code without access to hardware?

Thanks,
Harshit

> thanks,
> 
> greg k-h