Received: by 2002:ab2:3350:0:b0:1f4:6588:b3a7 with SMTP id o16csp2097880lqe; Tue, 9 Apr 2024 09:25:08 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCW3QLl4smHgB/nkqCiw4ipMcwNL0asCr3ER8P+1yKWUtCIX1N9KuqHj/hmbd7AdsTJ3+YdkMkkdxx6u1qxvxh7oC3p5aiGB1lJrxvzuvA== X-Google-Smtp-Source: AGHT+IEI5cxHd+e+xIE1ibhqlT6STlqlElhVb0wzc4ZxkRHHwRIJWzriXj06M+gngNn6sjhsyii+ X-Received: by 2002:a17:903:2286:b0:1e2:b4ce:4f8a with SMTP id b6-20020a170903228600b001e2b4ce4f8amr228985plh.53.1712679908454; Tue, 09 Apr 2024 09:25:08 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712679908; cv=pass; d=google.com; s=arc-20160816; b=dD4zUC3/KWeoFeY80cIq/69aEOxX43iEi3XgBguy1IMTCocQKmtQw551Tx1aEjrRly 1qfq20X06UlghknWCV7HHSHxxxnRa423G+x4eTcFzSQtM0KNDYHafvjo/kTJ7FZLyy6L Frey/0twhW99oQVHE1kNO9Co9khFDOmO6BsM78udV92s2V3Z5DX7v60dSA9RHIBZstag +RaUfODIgBNq9+4Da+yHbAn9UOdE/2igTuWQ0ycr0Z1jUQcqIJrqz/d2bu8zu4vkaA83 safLHXIV6lR0UPhYENizwACge+R/Wviy3UcCZqf90VEAe2f0UbMPdoe4XESCWPoWOcoo efdA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=J2qXXtzg4J7YX49HsQJmNnGtWVZOCJGBc4j0Ja8t6xI=; fh=dAK+yhOFIV5Po95W9c/iQXBChlUr4XXIkSPXK6Y1VnA=; b=iJJJ+FrRO3Qx4wbH1Npxs6lAY9vW7ejuHANsdIAQa3aEtis3kGAgwlxdS/k0/ydn5V otGFJOjuuOjp8YI8c+1C/9wZ2rY6UPOFEtkKpcH8Zp5YqBYZz1Y13hRoDbEUGSEGMC/y CsiqdBC8ge8lduUjtVh6QTbX2ZyquDQeMGmr9/ehMPqCms52buNeECHulApyYZeu32Rd FJviSrmf7X0DZECoFLSsQYMi86DCx1RTvRBLz6APLHyNkZWSkvCqqiGHTTUTMhpPPBRP 7CwR4cAEUs4XdGg2GFuS9byZ0EMf7ZCwdEv9IVSc6CeiAQCDiLfuuRw8sUjT5ygrijxE MRow==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=hk3e+T5w; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-137299-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-137299-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id p19-20020a170902e35300b001e3eb95618esi5745471plc.493.2024.04.09.09.25.08 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Apr 2024 09:25:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-137299-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=hk3e+T5w; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-137299-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-137299-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id B1612288C42 for ; Tue, 9 Apr 2024 16:15:39 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id BC26313D8B0; Tue, 9 Apr 2024 16:15:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="hk3e+T5w" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CC76F13D8A0; Tue, 9 Apr 2024 16:15:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712679321; cv=none; b=g3k1qFm2kFNlA2pzpEB3RiFr+Lhwej5VykU5AoJC/eaR/gZ7PsoH9zNyYGRUKZ/Ysa1PMLj4McuThBtIrlsKhdOD9XanvyAKvPVW+XHTpre08ZaMZOs+vavb7JTj3/ra3jLkSCcTXZDMowzQyP6Nz1HXGvLmv+2bQe2+0FpyQ9c= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712679321; c=relaxed/simple; bh=aQnXMHVSse19+ZZ5n5B1a+ECbXRCEMx+99YFJTJvLZ4=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=mceUZbe7EsObDX7LtXrBy+kAWo2ZLRA1VVWOgsXkUQXBgciE5NeLIH5nABbJ3V/dlKdvII7RC8/LkGROJrzJ/Ljr0vcpDRegUIPfamfImta0nBDcCQGkG4VA7RHI1jW61MDVqCISpfdxgeGTdhbn9NTQTYmYB4UKI/ZBE1k4LkY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=hk3e+T5w; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 32A2AC433F1; Tue, 9 Apr 2024 16:15:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1712679320; bh=aQnXMHVSse19+ZZ5n5B1a+ECbXRCEMx+99YFJTJvLZ4=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=hk3e+T5wh0K9Kad+FZuar56N0ZsAlmRAJwkkOgstUx5MMjyakXAd3tuT1BItcL+w1 bWWSW5ioBrtKbw8Qt5gCwr915JRo0jesU2hD4Q26gIJ3yYa0AV4hQAr+EV7vTFFI+H GqmhWn8Pli4YMOBs5+19b+MyGAM+ppmX9cqkZWFdkL4/Di4EGtYtzYR1OO+fUJkcER 0zUCzflp3O2liOCbbuG8iz2p2sCXVzMYGUtv2DckZLOGZedO2cSaqGoCfPdOCv1GiV Ea2hz+dGJvBPzTXvJjlzunxRnZEY6622if4iEHFFvcFGIcDSHJCEe57X8vR2da+OUn /okM8DtsW6K0Q== Date: Tue, 9 Apr 2024 09:15:17 -0700 From: Nathan Chancellor To: Arnd Bergmann Cc: Kees Cook , Arnd Bergmann , Steffen Klassert , Herbert Xu , "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Nick Desaulniers , Bill Wendling , Justin Stitt , "Gustavo A. R. Silva" , Leon Romanovsky , Lin Ma , Simon Horman , Breno Leitao , Tobias Brunner , Raed Salem , Netdev , linux-kernel@vger.kernel.org, llvm@lists.linux.dev Subject: Re: [PATCH] [RFC] xfrm: work around a clang-19 fortifiy-string false-positive Message-ID: <20240409161517.GA3219862@dev-arch.thelio-3990X> References: <20240216202657.2493685-1-arnd@kernel.org> <202402161301.BBFA14EE@keescook> <763214eb-20eb-4627-8d4b-2e7f29db829a@app.fastmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <763214eb-20eb-4627-8d4b-2e7f29db829a@app.fastmail.com> On Mon, Apr 08, 2024 at 09:06:21AM +0200, Arnd Bergmann wrote: > On Fri, Feb 16, 2024, at 22:19, Kees Cook wrote: > > On Fri, Feb 16, 2024 at 09:26:40PM +0100, Arnd Bergmann wrote: > >> From: Arnd Bergmann > >> > >> clang-19 recently got branched from clang-18 and is not yet released. > >> The current version introduces exactly one new warning that I came > >> across in randconfig testing, in the copy_to_user_tmpl() function: > >> > >> include/linux/fortify-string.h:420:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] > >> 420 | __write_overflow_field(p_size_field, size); > >> > >> I have not yet produced a minimized test case for it, but I have a > >> local workaround, which avoids the memset() here by replacing it with > >> an initializer. > >> > >> The memset is required to avoid leaking stack data to user space > >> and was added in commit 1f86840f8977 ("xfrm_user: fix info leak in > >> copy_to_user_tmpl()"). Simply changing the initializer to set all fields > >> still risks leaking data in the padding between them, which the compiler > >> is free to do here. To work around that problem, explicit padding fields > >> have to get added as well. > > > > Per C11, padding bits are zero initialized if there is an initializer, > > so "= { }" here should be sufficient -- no need to add the struct > > members. > > > >> Since this is a false positive, a better fix would likely be to > >> fix the compiler. > > > > As Nathan has found, this appears to be a loop unrolling bug in Clang. > > https://github.com/ClangBuiltLinux/linux/issues/1985 > > > > The shorter fix (in the issue) is to explicitly range-check before > > the loop: > > > > if (xp->xfrm_nr > XFRM_MAX_DEPTH) > > return -ENOBUFS; > > I ran into this issue again and I see that Nathan's fix has > made it into mainline and backports, but it's apparently > not sufficient. > > I don't see the warning with my patch from this thread, but > there may still be a better fix. Is it the exact same warning? clang-19 or older? What architecture/configuration? If my change is not sufficient then maybe there are two separate issues here? I have not seen this warning appear in our CI since my change was applied. Cheers, Nathan