Date: Mon, 8 Jan 2024 14:37:21 -0800
From: Kees Cook
To: Harshit Mogalapalli
Cc: linux-hardening@vger.kernel.org, error27@gmail.com, gustavoars@kernel.org, Bryan Tan, Vishnu Dasa, VMware PV-Drivers Reviewers, Arnd Bergmann, Greg Kroah-Hartman, linux-kernel@vger.kernel.org, vegard.nossum@oracle.com, darren.kenny@oracle.com, syzkaller
Subject: Re: [PATCH v2 2/2] VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
Message-ID: <202401081430.9DAB37B46@keescook>
References: <20240105164001.2129796-1-harshit.m.mogalapalli@oracle.com>
 <20240105164001.2129796-2-harshit.m.mogalapalli@oracle.com>
In-Reply-To: <20240105164001.2129796-2-harshit.m.mogalapalli@oracle.com>

On Fri, Jan 05, 2024 at 08:40:00AM -0800, Harshit Mogalapalli wrote:
> Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.
>
> memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
> at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)
>
> WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237
> dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237
>
> Some code commentary, based on my understanding:
>
> 544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
> /// This is 24 + payload_size
>
> memcpy(&dg_info->msg, dg, dg_size);
> Destination = dg_info->msg ---> this is a 24 byte
> structure (struct vmci_datagram)
> Source = dg --> this is a 24 byte structure (struct vmci_datagram)
> Size = dg_size = 24 + payload_size
>
> {payload_size = 56 - 24 = 32} -- Syzkaller managed to set payload_size to 32.
>
> 35 struct delayed_datagram_info {
> 36         struct datagram_entry *entry;
> 37         struct work_struct work;
> 38         bool in_dg_host_queue;
> 39         /* msg and msg_payload must be together. */
> 40         struct vmci_datagram msg;
> 41         u8 msg_payload[];
> 42 };
>
> So those extra bytes of payload are copied into msg_payload[], and a run-time
> warning is seen while fuzzing with Syzkaller.
>
> One possible way to fix the warning is to split the memcpy() into
> two parts -- one -- direct assignment of msg and second taking care of payload.
>
> Gustavo quoted:
> "Under FORTIFY_SOURCE we should not copy data across multiple members
> in a structure."
>
> Reported-by: syzkaller
> Suggested-by: Vegard Nossum
> Suggested-by: Gustavo A. R. Silva
> Signed-off-by: Harshit Mogalapalli

Thanks for getting this fixed! Yeah, it's a "false positive" in the sense
that the code was expecting to write into msg_payload. The warning is
triggered because of the write across the flex array boundary, which trips
a bug in GCC and Clang, which we're forced to work around.

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832 (fixed in GCC 14+)
https://github.com/llvm/llvm-project/issues/72032 (not yet fixed in Clang)

Reviewed-by: Kees Cook

-- 
Kees Cook
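As an added example (not the driver's code, and not part of Harshit's patch or Kees's reply), the following user-space C program models the two structures quoted in the thread and places the field-spanning memcpy() next to the split copy the patch describes, then checks that both produce the same bytes. The 24-byte header and the 56 = 24 + 32 arithmetic come from the thread; struct vmci_handle's layout, the stand-in members for the kernel-only fields, the MODEL_MAX_PAYLOAD cap and all function names are assumptions made for this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * User-space model of the structures in the thread (added example, not the
 * vmw_vmci driver). Sizes match what the warning reports: a 24-byte header
 * followed by a flexible payload. Kernel-only members are stand-ins.
 */
struct vmci_handle {
	uint32_t context;
	uint32_t resource;
};

struct vmci_datagram {
	struct vmci_handle dst;
	struct vmci_handle src;
	uint64_t payload_size;
};

#define VMCI_DG_HEADERSIZE	sizeof(struct vmci_datagram)
#define VMCI_DG_SIZE(_dg)	(VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
/* Assumed cap for this model; the real driver validates dg_size elsewhere. */
#define MODEL_MAX_PAYLOAD	1024

struct delayed_datagram_info {
	void *entry;			/* stand-in for struct datagram_entry * */
	void *work;			/* stand-in for struct work_struct */
	bool in_dg_host_queue;
	/* msg and msg_payload must be together. */
	struct vmci_datagram msg;
	uint8_t msg_payload[];
};

/*
 * Before: one memcpy() of dg_size bytes into &dg_info->msg. The kernel's
 * fortified memcpy() bounds the destination to that single 24-byte member
 * (__builtin_object_size(p, 1)), so a 56-byte write is reported as
 * field-spanning. glibc's fortify uses the whole allocation (mode 0), so this
 * user-space build stays silent; the bytes still land in msg_payload because
 * the two members are adjacent.
 */
static struct delayed_datagram_info *
queue_copy_spanning(const struct vmci_datagram *dg)
{
	size_t dg_size = VMCI_DG_SIZE(dg);
	struct delayed_datagram_info *dg_info;

	if (dg->payload_size > MODEL_MAX_PAYLOAD)	/* model's guard */
		return NULL;
	dg_info = calloc(1, sizeof(*dg_info) + dg->payload_size);
	if (!dg_info)
		return NULL;
	memcpy(&dg_info->msg, dg, dg_size);		/* the write FORTIFY flags */
	return dg_info;
}

/*
 * After: header by struct assignment, payload by a memcpy() whose destination
 * is the flexible member itself, so neither copy crosses a member boundary.
 * dg + 1 is the first byte past the 24-byte header.
 */
static struct delayed_datagram_info *
queue_copy_split(const struct vmci_datagram *dg)
{
	struct delayed_datagram_info *dg_info;

	if (dg->payload_size > MODEL_MAX_PAYLOAD)	/* reject before sizing alloc */
		return NULL;
	dg_info = calloc(1, sizeof(*dg_info) + dg->payload_size);
	if (!dg_info)
		return NULL;
	dg_info->msg = *dg;
	memcpy(dg_info->msg_payload, dg + 1, dg->payload_size);
	return dg_info;
}

/* Constructed input: header plus a patterned payload of the given size. */
union dg_buf {
	struct vmci_datagram hdr;
	uint8_t bytes[VMCI_DG_HEADERSIZE + MODEL_MAX_PAYLOAD];
};

static size_t build_dg(union dg_buf *u, uint64_t payload_size)
{
	struct vmci_datagram hdr = {
		.dst = { .context = 1, .resource = 2 },
		.src = { .context = 3, .resource = 4 },
		.payload_size = payload_size,
	};
	size_t total = VMCI_DG_SIZE(&hdr);

	if (total > sizeof(u->bytes))
		return 0;
	u->hdr = hdr;
	for (size_t i = 0; i < payload_size; i++)
		u->bytes[VMCI_DG_HEADERSIZE + i] = (uint8_t)(0xA0 + i);
	return total;
}

/* Size of the single memcpy() the old code issued (56 for a 32-byte payload). */
size_t spanning_copy_size(uint64_t payload_size)
{
	struct vmci_datagram hdr = { .payload_size = payload_size };

	return VMCI_DG_SIZE(&hdr);
}

/*
 * 1 if the split copy reproduces the old copy byte for byte (header and
 * payload), 0 if not, -1 if the input could not be built.
 */
int split_copy_matches(uint64_t payload_size)
{
	union dg_buf u;
	struct delayed_datagram_info *before, *after;
	int ok;

	if (!build_dg(&u, payload_size))
		return -1;
	before = queue_copy_spanning(&u.hdr);
	after = queue_copy_split(&u.hdr);
	ok = before && after &&
	     memcmp(&before->msg, &after->msg, sizeof(before->msg)) == 0 &&
	     memcmp(before->msg_payload, after->msg_payload, payload_size) == 0 &&
	     after->msg.payload_size == payload_size;
	free(before);
	free(after);
	return ok;
}

/* 1 if an oversized payload_size is refused before any allocation or copy. */
int split_copy_rejects_oversize(void)
{
	struct vmci_datagram hdr = { .payload_size = MODEL_MAX_PAYLOAD + 1 };

	return queue_copy_split(&hdr) == NULL;
}

int main(void)
{
	printf("single memcpy size for a 32-byte payload: %zu\n",
	       spanning_copy_size(32));
	printf("split copy matches old copy: %d\n", split_copy_matches(32));
	printf("oversize payload rejected: %d\n", split_copy_rejects_oversize());
	return 0;
}
```

The byte-for-byte comparison is the point: the split form changes which member each copy is bounded against, not what ends up in memory, which is why the warning is a false positive in the sense Kees describes and why the fix is safe to take without a behavioural change.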