Received: by 2002:a05:7412:e794:b0:fa:551:50a7 with SMTP id o20csp1825469rdd; Thu, 11 Jan 2024 10:13:56 -0800 (PST) X-Google-Smtp-Source: AGHT+IG919qw23tGJPZwrtzAfU9ItfYSOM64ujGytpsUqow6FRhbukMmUP6oM1x0rBbiupFWkLuF X-Received: by 2002:a17:903:1251:b0:1d4:cb95:f3d0 with SMTP id u17-20020a170903125100b001d4cb95f3d0mr93807plh.73.1704996835723; Thu, 11 Jan 2024 10:13:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1704996835; cv=none; d=google.com; s=arc-20160816; b=IhlB/f4BVumjm8CxC3HvRH4yqdqIucJFhgbxikqxOcIx26fqTEHOYNYQcCwNnrUn0x q+vs0glhsjC+PhtyA9noVlnwR+/EUJ0AGdla8PFvuMPYQRUVwxaLkpSaM8J7rNymxyth Zhx0hBEK+e2dRpcvzCO2AILBBtlrLidn9WgewhS3NH9w9Mc7UWfqYaPb2sxW5R+6jJqK WB7Tgm2XcJCO4BSC0fBK4f8dxbprFUjKbbsxBdEXNzEOSVQEAUykbhGkYvSXS+IZ3VgK KN+6ZVq6+xV9+uwAcaY0AEDq5VugQv6unMzFP5TsMSNJIwnjmBkoGhfJYw+k9Kw3+3mX 6Eqg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=1Q/8Soo+wEKDq7eYPc8t+IYgpbRZAsRM2amYkmZMpzg=; fh=/7aoyatQJOpdBaO7g1Hh71+xKBilyGvU3A2QzvSM/kY=; b=foJa0hHVcH1qvbdd9misyBqhh1Z1ebE8hpMcWgctYwJUKjV8F5lVKgd4OfjI29ahJc VoAeE84d+VSI1ExSGB0ocnKb9KmtoyyYGbtX6M3fmIWVM5rsY3Iv6anKRCDBRgU4w0vt 42RXtvoNgjROoFKBEqCbWptauzqwlgCTsDXO5YHDxFPkeWJrhOUeaRpd3WjUA9EEJkHf bo7dMkycoMQe+gBzAACl/J/aMCu035YozM/XFgF4hsEIxEumsg6TbfFMw73TSQmYjQoQ xDedkHRQDOVTBQtanqKSvyEZGvfEPWTqIjccvriH6AcS5B24ZXifmy2OaTKAiaHdldt5 Hjbw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="N/cO3F36"; spf=pass (google.com: domain of linux-kernel+bounces-23966-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-23966-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id kr4-20020a170903080400b001d43cfe9772si1528724plb.571.2024.01.11.10.13.55 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 11 Jan 2024 10:13:55 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-23966-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="N/cO3F36"; spf=pass (google.com: domain of linux-kernel+bounces-23966-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-23966-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 321EC2874E5 for ; Thu, 11 Jan 2024 18:13:55 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 169B553813; Thu, 11 Jan 2024 18:13:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="N/cO3F36" Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com [209.85.216.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DBB1E537E4 for ; Thu, 11 Jan 2024 18:13:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Received: by mail-pj1-f46.google.com with SMTP id 98e67ed59e1d1-28b400f08a4so4657996a91.1 for ; Thu, 11 Jan 2024 10:13:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1704996825; x=1705601625; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=1Q/8Soo+wEKDq7eYPc8t+IYgpbRZAsRM2amYkmZMpzg=; b=N/cO3F36YmS3aq/jRKxDFCLqmZJZnUe1iqMkts0N7drA1FZPwRWbcL5u8PoUBN/oU5 vwJ926//PLZAewfjwZIGo81AF00RgWu4LuWd/jyv5zxkclPoce7u7djJDVu8j6jK3k5J eZ79CUqcD+Rv2pwU1NnxeudYq+9apyQXuV8N0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704996825; x=1705601625; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=1Q/8Soo+wEKDq7eYPc8t+IYgpbRZAsRM2amYkmZMpzg=; b=D7SXISoDDGJvLJ7Lp6xXHBPaWLKrtetpXzLmAw5cikc+nIUe3bQlKTSr+EgXVUFYBp 7TfaNiThivgJrcO1v0SATlfiIuCEYnf6khZS5l37sJmuzcVVkkxmvtSw/8uskgyq3kZ7 kE5mmrAx9vYAf8gm2lUJSyC4cz7xuSAQ0POdyJyFoQAbW7AUYnUvPrz9ONJjD6RGcDiu 9SlQkDg5buVt/wLU3dvk1loFwcnvmNveevajofaBY1Bp0r6cJyhpK2ld/hVEgQHtqYCF Xs8vVoduazPgNWmnRa9WZn5lHK9InCUHhIjHVz7EC4rt9aIrvFIwFydoA3u7CXXS3GWH 3m3Q== X-Gm-Message-State: AOJu0YwNtHLVTfYjvk3ixiGGk84unxJPJy9vkEb9ivDC7FR9W/MYmttx 1C+UIHwBHkmPPAsfYr1fXgoDnlIWjcxi X-Received: by 2002:a17:90a:3da5:b0:28d:df02:447b with SMTP id i34-20020a17090a3da500b0028ddf02447bmr216438pjc.0.1704996825202; Thu, 11 Jan 2024 10:13:45 -0800 (PST) Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241]) by smtp.gmail.com with ESMTPSA id jh18-20020a170903329200b001d4593a2e8fsm1465916plb.83.2024.01.11.10.13.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 11 Jan 2024 10:13:44 -0800 (PST) Date: Thu, 11 Jan 2024 10:13:44 -0800 From: Kees Cook To: Dan Carpenter Cc: "Gustavo A. R. Silva" , Harshit Mogalapalli , linux-hardening@vger.kernel.org, error27@gmail.com, gustavoars@kernel.org, Bryan Tan , Vishnu Dasa , VMware PV-Drivers Reviewers , Arnd Bergmann , Greg Kroah-Hartman , linux-kernel@vger.kernel.org, vegard.nossum@oracle.com, darren.kenny@oracle.com, syzkaller Subject: Re: [PATCH v2 2/2] VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() Message-ID: <202401111001.78284D8F@keescook> References: <20240105164001.2129796-1-harshit.m.mogalapalli@oracle.com> <20240105164001.2129796-2-harshit.m.mogalapalli@oracle.com> <202401081430.9DAB37B46@keescook> <9c742547-0021-464b-b7a8-7af46b0a4afa@embeddedor.com> <202401101601.30ED61A1A3@keescook> <8e527ade-fe49-4697-8e36-589775c63354@moroto.mountain> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <8e527ade-fe49-4697-8e36-589775c63354@moroto.mountain> On Thu, Jan 11, 2024 at 10:15:40AM +0300, Dan Carpenter wrote: > On Wed, Jan 10, 2024 at 04:03:28PM -0800, Kees Cook wrote: > > > > Oops, yes, thanks for fixing my confusion. Right, this is a direct write > > across members into the flex array, not a composite destination. Yay > > all the corner cases. :P > > Is there a document somewhere which explains what will trigger a runtime > warning? For example, if you write across members but it's not into a > flex array does that cause an issue? Or if you read across members? There isn't a good place to find this. There are some code comments near the memcpy macros, but that's not really sufficient. At present FORTIFY is only being pedantic about _writes_, as that's generally a higher priority problem. The implemented restriction is that the destination buffer must be a single addressable struct member. That destination can be a composite member (i.e. an entire substruct), but going beyond a single member in a single memcpy() is no longer allowed because the compiler cannot reason about whether such a copy is "intentional". > For example, this line reads from bulletin->vlan and > bulletin->vlan_padding. This causes a compiler warning in Clang and > GCC depending on the options but does it also trigger a runtime warning? > https://elixir.bootlin.com/linux/latest/source/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c#L2655 Right, the -Wstringop-overread and related compiler flags are doing the source buffer size checking. Note that for the compile-time warnings, GCC has the capacity to be much more strict than the FORTIFY checks because it can perform value _range_ tracking, where as FORTIFY compile-time checks are limited to having the copy size being a constant expression. (i.e. GCC may produce compile time warnings for cases that FORTIFY will only warn about at runtime if the range is violated.) > (I wrote a patch for this a few months back but didn't send it because > of the merge window. I forgot about it until now that we're in a merge > window again... :P) memcpy(&ivi->vlan, &bulletin->vlan, VLAN_HLEN); #define VLAN_HLEN 4 ivi->vlan is u32 bulletin has: u16 vlan; u8 vlan_padding[6]; yeah, ew. Should it even be reading padding? i.e. should this be: ivi->vlan = bulletin->vlan << 16; ? Or should bulletin be: union { struct { u16 vlan; u8 vlan_padding[6]; }; struct { u32 vlan_header; u8 vlan_header_padding[4]; }; }; with: ivi->vlan = bulletin->vlan_header; ? I've been finding that almost all memcpy()s and memset()s into non-array types are better just rewritten as a direct assignment. :P -- Kees Cook