| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 1 Jun 2023 18:10:36 -0700
From: Justin Tee <justintee8345@...il.com>
To: "Gustavo A. R. Silva" <gustavoars@...nel.org>,
Kees Cook <keescook@...omium.org>
Cc: James Smart <james.smart@...adcom.com>,
Dick Kennedy <dick.kennedy@...adcom.com>,
Justin Tee <justin.tee@...adcom.com>,
"James E.J. Bottomley" <jejb@...ux.ibm.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH v2][next] scsi: lpfc: Avoid -Wstringop-overflow warning
Thanks Gustavo and Kees.
Reviewed-by: Justin Tee <justin.tee@...adcom.com>
On Thu, Jun 1, 2023 at 4:43 PM Gustavo A. R. Silva
<gustavoars@...nel.org> wrote:
>
> Prevent any potential integer wrapping issue, and avoid a
> -Wstringop-overflow warning by using the check_mul_overflow() helper.
>
> drivers/scsi/lpfc/lpfc.h:
> 837:#define LPFC_RAS_MIN_BUFF_POST_SIZE (256 * 1024)
>
> drivers/scsi/lpfc/lpfc_debugfs.c:
> 2266 size = LPFC_RAS_MIN_BUFF_POST_SIZE * phba->cfg_ras_fwlog_buffsize;
>
> this can wrap to negative if cfg_ras_fwlog_buffsize is large
> enough. And even when in practice this is not possible (due to
> phba->cfg_ras_fwlog_buffsize never being larger than 4[1]), the
> compiler is legitimately warning us about potentially buggy code.
>
> Fix the following warning seen under GCC-13:
> In function ‘lpfc_debugfs_ras_log_data’,
> inlined from ‘lpfc_debugfs_ras_log_open’ at drivers/scsi/lpfc/lpfc_debugfs.c:2271:15:
> drivers/scsi/lpfc/lpfc_debugfs.c:2210:25: warning: ‘memcpy’ specified bound between 18446744071562067968 and 18446744073709551615 exceeds maximum object size 9223372036854775807 [-Wstringop-overflow=]
> 2210 | memcpy(buffer + copied, dmabuf->virt,
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 2211 | size - copied - 1);
> | ~~~~~~~~~~~~~~~~~~
>
> Link: https://github.com/KSPP/linux/issues/305
> Link: https://lore.kernel.org/linux-hardening/CABPRKS8zyzrbsWt4B5fp7kMowAZFiMLKg5kW26uELpg1cDKY3A@mail.gmail.com/ [1]
> Co-developed-by: Kees Cook <keescook@...omium.org>
> Signed-off-by: Kees Cook <keescook@...omium.org>
> Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org>
> ---
> Changes in v2:
> - Use check_mul_overflow() helper (Kees).
>
> v1:
> - Link: https://lore.kernel.org/linux-hardening/ZHZq7AV9Q2WG1xRB@work/
>
> drivers/scsi/lpfc/lpfc_debugfs.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
> index bdf34af4ef36..7f9b221e7c34 100644
> --- a/drivers/scsi/lpfc/lpfc_debugfs.c
> +++ b/drivers/scsi/lpfc/lpfc_debugfs.c
> @@ -2259,11 +2259,15 @@ lpfc_debugfs_ras_log_open(struct inode *inode, struct file *file)
> goto out;
> }
> spin_unlock_irq(&phba->hbalock);
> - debug = kmalloc(sizeof(*debug), GFP_KERNEL);
> +
> + if (check_mul_overflow(LPFC_RAS_MIN_BUFF_POST_SIZE,
> + phba->cfg_ras_fwlog_buffsize, &size))
> + goto out;
> +
> + debug = kzalloc(sizeof(*debug), GFP_KERNEL);
> if (!debug)
> goto out;
>
> - size = LPFC_RAS_MIN_BUFF_POST_SIZE * phba->cfg_ras_fwlog_buffsize;
> debug->buffer = vmalloc(size);
> if (!debug->buffer)
> goto free_debug;
> --
> 2.34.1
>
Powered by blists - more mailing lists