From: Arnd Bergmann <[email protected]>
Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a
warning for a common bug in the usage of strncat():
drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
1136 | strncat(msg, other, OCX_MESSAGE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/edac/thunderx_edac.c:1145:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
1145 | strncat(msg, other, OCX_MESSAGE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/edac/thunderx_edac.c:1150:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
1150 | strncat(msg, other, OCX_MESSAGE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/edac/thunderx_edac.c: In function 'thunderx_l2c_threaded_isr':
drivers/edac/thunderx_edac.c:1899:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
1899 | strncat(msg, other, L2C_MESSAGE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_lnk_threaded_isr':
drivers/edac/thunderx_edac.c:1220:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
1220 | strncat(msg, other, OCX_MESSAGE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apparently the author of this driver expected strncat() to behave the
way that strlcat() does, which uses the size of the destination buffer
as its third argument rather than the length of the source buffer.
The result is that there is no check on the size of the allocated
buffer.
Change it to use strncat().
Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver")
Cc: "Gustavo A. R. Silva" <[email protected]>
Cc: Kees Cook <[email protected]>
Signed-off-by: Arnd Bergmann <[email protected]>
---
drivers/edac/thunderx_edac.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/edac/thunderx_edac.c b/drivers/edac/thunderx_edac.c
index b9c5772da959..90d46e5c4ff0 100644
--- a/drivers/edac/thunderx_edac.c
+++ b/drivers/edac/thunderx_edac.c
@@ -1133,7 +1133,7 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
decode_register(other, OCX_OTHER_SIZE,
ocx_com_errors, ctx->reg_com_int);
- strncat(msg, other, OCX_MESSAGE_SIZE);
+ strlcat(msg, other, OCX_MESSAGE_SIZE);
for (lane = 0; lane < OCX_RX_LANES; lane++)
if (ctx->reg_com_int & BIT(lane)) {
@@ -1142,12 +1142,12 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
lane, ctx->reg_lane_int[lane],
lane, ctx->reg_lane_stat11[lane]);
- strncat(msg, other, OCX_MESSAGE_SIZE);
+ strlcat(msg, other, OCX_MESSAGE_SIZE);
decode_register(other, OCX_OTHER_SIZE,
ocx_lane_errors,
ctx->reg_lane_int[lane]);
- strncat(msg, other, OCX_MESSAGE_SIZE);
+ strlcat(msg, other, OCX_MESSAGE_SIZE);
}
if (ctx->reg_com_int & OCX_COM_INT_CE)
@@ -1217,7 +1217,7 @@ static irqreturn_t thunderx_ocx_lnk_threaded_isr(int irq, void *irq_id)
decode_register(other, OCX_OTHER_SIZE,
ocx_com_link_errors, ctx->reg_com_link_int);
- strncat(msg, other, OCX_MESSAGE_SIZE);
+ strlcat(msg, other, OCX_MESSAGE_SIZE);
if (ctx->reg_com_link_int & OCX_COM_LINK_INT_UE)
edac_device_handle_ue(ocx->edac_dev, 0, 0, msg);
@@ -1896,7 +1896,7 @@ static irqreturn_t thunderx_l2c_threaded_isr(int irq, void *irq_id)
decode_register(other, L2C_OTHER_SIZE, l2_errors, ctx->reg_int);
- strncat(msg, other, L2C_MESSAGE_SIZE);
+ strlcat(msg, other, L2C_MESSAGE_SIZE);
if (ctx->reg_int & mask_ue)
edac_device_handle_ue(l2c->edac_dev, 0, 0, msg);
--
2.39.2
On 11/22/23 16:19, Arnd Bergmann wrote:
> From: Arnd Bergmann <[email protected]>
>
> Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a
> warning for a common bug in the usage of strncat():
Great to see this catching bugs already. :)
>
> drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
> drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1136 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c:1145:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1145 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c:1150:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1150 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c: In function 'thunderx_l2c_threaded_isr':
> drivers/edac/thunderx_edac.c:1899:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1899 | strncat(msg, other, L2C_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_lnk_threaded_isr':
> drivers/edac/thunderx_edac.c:1220:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1220 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Apparently the author of this driver expected strncat() to behave the
> way that strlcat() does, which uses the size of the destination buffer
> as its third argument rather than the length of the source buffer.
> The result is that there is no check on the size of the allocated
> buffer.
>
> Change it to use strncat().
s/strncat/strlcat
with that:
Reviewed-by: Gustavo A. R. Silva <[email protected]>
Thanks!
--
Gustavo
>
> Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver")
> Cc: "Gustavo A. R. Silva" <[email protected]>
> Cc: Kees Cook <[email protected]>
> Signed-off-by: Arnd Bergmann <[email protected]>
> ---
> drivers/edac/thunderx_edac.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/edac/thunderx_edac.c b/drivers/edac/thunderx_edac.c
> index b9c5772da959..90d46e5c4ff0 100644
> --- a/drivers/edac/thunderx_edac.c
> +++ b/drivers/edac/thunderx_edac.c
> @@ -1133,7 +1133,7 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
> decode_register(other, OCX_OTHER_SIZE,
> ocx_com_errors, ctx->reg_com_int);
>
> - strncat(msg, other, OCX_MESSAGE_SIZE);
> + strlcat(msg, other, OCX_MESSAGE_SIZE);
>
> for (lane = 0; lane < OCX_RX_LANES; lane++)
> if (ctx->reg_com_int & BIT(lane)) {
> @@ -1142,12 +1142,12 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
> lane, ctx->reg_lane_int[lane],
> lane, ctx->reg_lane_stat11[lane]);
>
> - strncat(msg, other, OCX_MESSAGE_SIZE);
> + strlcat(msg, other, OCX_MESSAGE_SIZE);
>
> decode_register(other, OCX_OTHER_SIZE,
> ocx_lane_errors,
> ctx->reg_lane_int[lane]);
> - strncat(msg, other, OCX_MESSAGE_SIZE);
> + strlcat(msg, other, OCX_MESSAGE_SIZE);
> }
>
> if (ctx->reg_com_int & OCX_COM_INT_CE)
> @@ -1217,7 +1217,7 @@ static irqreturn_t thunderx_ocx_lnk_threaded_isr(int irq, void *irq_id)
> decode_register(other, OCX_OTHER_SIZE,
> ocx_com_link_errors, ctx->reg_com_link_int);
>
> - strncat(msg, other, OCX_MESSAGE_SIZE);
> + strlcat(msg, other, OCX_MESSAGE_SIZE);
>
> if (ctx->reg_com_link_int & OCX_COM_LINK_INT_UE)
> edac_device_handle_ue(ocx->edac_dev, 0, 0, msg);
> @@ -1896,7 +1896,7 @@ static irqreturn_t thunderx_l2c_threaded_isr(int irq, void *irq_id)
>
> decode_register(other, L2C_OTHER_SIZE, l2_errors, ctx->reg_int);
>
> - strncat(msg, other, L2C_MESSAGE_SIZE);
> + strlcat(msg, other, L2C_MESSAGE_SIZE);
>
> if (ctx->reg_int & mask_ue)
> edac_device_handle_ue(l2c->edac_dev, 0, 0, msg);
On 11/23/23 05:58, Borislav Petkov wrote:
> On Wed, Nov 22, 2023 at 11:19:53PM +0100, Arnd Bergmann wrote:
>> From: Arnd Bergmann <[email protected]>
>>
>> Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a
>
> $ git describe 1b56c90018f0
> fatal: Not a valid object name 1b56c90018f0
>
> I'm assuming that's in linux-next?
That's correct, yes.
--
Gustavo
On 11/23/23 08:30, Borislav Petkov wrote:
> On Thu, Nov 23, 2023 at 08:03:58AM -0600, Gustavo A. R. Silva wrote:
>> That's correct, yes.
>
> Commit ID is stable enough so that it doesn't change?
Well, it has changed a couple of times in a week.
>
> I don't want to commit it now and it would happen to change later and
> I'll have a stale reference in the commit message...
>
To avoid that, I would just say (in the changelog text) that this patch
is fixing some -Wstringop-overflow warnings, without specifying any
commit ID.
--
Gustavo
On Thu, Nov 23, 2023 at 08:03:58AM -0600, Gustavo A. R. Silva wrote:
> That's correct, yes.
Commit ID is stable enough so that it doesn't change?
I don't want to commit it now and it would happen to change later and
I'll have a stale reference in the commit message...
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
On Wed, Nov 22, 2023 at 11:19:53PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <[email protected]>
>
> Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a
$ git describe 1b56c90018f0
fatal: Not a valid object name 1b56c90018f0
I'm assuming that's in linux-next?
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
On Thu, Nov 23, 2023 at 08:41:33AM -0600, Gustavo A. R. Silva wrote:
> To avoid that, I would just say (in the changelog text) that this patch
> is fixing some -Wstringop-overflow warnings, without specifying any
> commit ID.
Doh, obviously.
I hope Arnd is reading this. :-)
Thx, lemme do that.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
On Wed, Nov 22, 2023 at 11:19:53PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <[email protected]>
>
> Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a
> warning for a common bug in the usage of strncat():
>
> drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
> drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1136 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c:1145:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1145 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c:1150:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1150 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c: In function 'thunderx_l2c_threaded_isr':
> drivers/edac/thunderx_edac.c:1899:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1899 | strncat(msg, other, L2C_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_lnk_threaded_isr':
> drivers/edac/thunderx_edac.c:1220:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1220 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Apparently the author of this driver expected strncat() to behave the
> way that strlcat() does, which uses the size of the destination buffer
> as its third argument rather than the length of the source buffer.
> The result is that there is no check on the size of the allocated
> buffer.
>
> Change it to use strncat().
>
> Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver")
> Cc: "Gustavo A. R. Silva" <[email protected]>
> Cc: Kees Cook <[email protected]>
> Signed-off-by: Arnd Bergmann <[email protected]>
> ---
> drivers/edac/thunderx_edac.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
Applied, thanks.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette