lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <AD7C74D0-D13E-479E-91D1-2FB3B6CD85FE@linux.ibm.com>
Date:   Thu, 22 Sep 2022 11:01:06 +0530
From:   Sachin Sant <sachinp@...ux.ibm.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     "James E.J. Bottomley" <jejb@...ux.ibm.com>,
        "Martin K. Petersen" <martin.petersen@...cle.com>,
        linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-hardening@...r.kernel.org
Subject: Re: [PATCH] scsi: scsi_transport_fc: Adjust struct fc_nl_event flex
 array usage



> On 22-Sep-2022, at 2:21 AM, Kees Cook <keescook@...omium.org> wrote:
> 
> In order to help the compiler reason about the destination buffer in
> struct fc_nl_event, add a flexible array member for this purpose.
> However, since the header is UAPI, it must not change size or layout, so
> a union is used.
> 
> The allocation size calculations are also corrected (it was potentially
> allocating an extra 8 bytes), and the padding is zeroed to avoid leaking
> kernel heap memory contents.
> 
> Detected at run-time by the recently added memcpy() bounds checking:
> 
>  memcpy: detected field-spanning write (size 8) of single field "&event->event_data" at drivers/scsi/scsi_transport_fc.c:581 (size 4)
> 
> Reported-by: Sachin Sant <sachinp@...ux.ibm.com>
> Link: https://lore.kernel.org/linux-next/42404B5E-198B-4FD3-94D6-5E16CF579EF3@linux.ibm.com/
> Cc: "James E.J. Bottomley" <jejb@...ux.ibm.com>
> Cc: "Martin K. Petersen" <martin.petersen@...cle.com>
> Cc: linux-scsi@...r.kernel.org
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---

Thanks for the fix. With this patch applied the warning is no longer seen.

Tested-by: Sachin Sant <sachinp@...ux.ibm.com>

> drivers/scsi/scsi_transport_fc.c    | 8 +++++---
> include/uapi/scsi/scsi_netlink_fc.h | 7 +++++--
> 2 files changed, 10 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/scsi/scsi_transport_fc.c b/drivers/scsi/scsi_transport_fc.c
> index a2524106206d..0d798f11dc34 100644
> --- a/drivers/scsi/scsi_transport_fc.c
> +++ b/drivers/scsi/scsi_transport_fc.c
> @@ -543,7 +543,7 @@ fc_host_post_fc_event(struct Scsi_Host *shost, u32 event_number,
> 	struct nlmsghdr	*nlh;
> 	struct fc_nl_event *event;
> 	const char *name;
> -	u32 len;
> +	size_t len, padding;
> 	int err;
> 
> 	if (!data_buf || data_len < 4)
> @@ -554,7 +554,7 @@ fc_host_post_fc_event(struct Scsi_Host *shost, u32 event_number,
> 		goto send_fail;
> 	}
> 
> -	len = FC_NL_MSGALIGN(sizeof(*event) + data_len);
> +	len = FC_NL_MSGALIGN(sizeof(*event) - sizeof(event->event_data) + data_len);
> 
> 	skb = nlmsg_new(len, GFP_KERNEL);
> 	if (!skb) {
> @@ -578,7 +578,9 @@ fc_host_post_fc_event(struct Scsi_Host *shost, u32 event_number,
> 	event->event_num = event_number;
> 	event->event_code = event_code;
> 	if (data_len)
> -		memcpy(&event->event_data, data_buf, data_len);
> +		memcpy(event->event_data_flex, data_buf, data_len);
> +	padding = len - offsetof(typeof(*event), event_data_flex) - data_len;
> +	memset(event->event_data_flex + data_len, 0, padding);
> 
> 	nlmsg_multicast(scsi_nl_sock, skb, 0, SCSI_NL_GRP_FC_EVENTS,
> 			GFP_KERNEL);
> diff --git a/include/uapi/scsi/scsi_netlink_fc.h b/include/uapi/scsi/scsi_netlink_fc.h
> index 7535253f1a96..b46e9cbeb001 100644
> --- a/include/uapi/scsi/scsi_netlink_fc.h
> +++ b/include/uapi/scsi/scsi_netlink_fc.h
> @@ -35,7 +35,7 @@
>  * FC Transport Broadcast Event Message :
>  *   FC_NL_ASYNC_EVENT
>  *
> - * Note: if Vendor Unique message, &event_data will be  start of
> + * Note: if Vendor Unique message, event_data_flex will be start of
>  * 	 vendor unique payload, and the length of the payload is
>  *       per event_datalen
>  *
> @@ -50,7 +50,10 @@ struct fc_nl_event {
> 	__u16 event_datalen;
> 	__u32 event_num;
> 	__u32 event_code;
> -	__u32 event_data;
> +	union {
> +		__u32 event_data;
> +		__DECLARE_FLEX_ARRAY(__u8, event_data_flex);
> +	};
> } __attribute__((aligned(sizeof(__u64))));
> 
> 
> -- 
> 2.34.1
> 

Powered by blists - more mailing lists