lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 24 Oct 2022 10:20:58 -0700
From:   Kees Cook <keescook@...omium.org>
To:     "Darrick J . Wong" <djwong@...nel.org>
Cc:     Kees Cook <keescook@...omium.org>, Zorro Lang <zlang@...hat.com>,
        linux-xfs@...r.kernel.org,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        Keith Packard <keithp@...thp.com>,
        Francis Laniel <laniel_francis@...vacyrequired.com>,
        Daniel Axtens <dja@...ens.net>,
        Dan Williams <dan.j.williams@...el.com>,
        Vincenzo Frascino <vincenzo.frascino@....com>,
        Guenter Roeck <linux@...ck-us.net>,
        Daniel Vetter <daniel.vetter@...ll.ch>,
        Tadeusz Struk <tadeusz.struk@...aro.org>,
        Geert Uytterhoeven <geert@...ux-m68k.org>,
        Andy Shevchenko <andriy.shevchenko@...el.com>,
        Paolo Abeni <pabeni@...hat.com>, linux-kernel@...r.kernel.org,
        linux-hardening@...r.kernel.org
Subject: [PATCH 2/2] xfs: Use flex_cpy() to check extent copying

Use flex_cpy() instead of memcpy() to copy the bui_fmt flexible array
structure, which will perform bounds checking internally. Avoids the
false positive warning seen under FORTIFY_SOURCE:

  memcpy: detected field-spanning write (size 48) of single field "dst_bui_fmt" at fs/xfs/xfs_bmap_item.c:628 (size 16)

Reported-by: Zorro Lang <zlang@...hat.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216563
Cc: "Darrick J. Wong" <djwong@...nel.org>
Cc: linux-xfs@...r.kernel.org
Signed-off-by: Kees Cook <keescook@...omium.org>
---
 fs/xfs/xfs_bmap_item.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c
index 51f66e982484..5f135893df66 100644
--- a/fs/xfs/xfs_bmap_item.c
+++ b/fs/xfs/xfs_bmap_item.c
@@ -24,6 +24,7 @@
 #include "xfs_error.h"
 #include "xfs_log_priv.h"
 #include "xfs_log_recover.h"
+#include <linux/flex_array.h>
 
 struct kmem_cache	*xfs_bui_cache;
 struct kmem_cache	*xfs_bud_cache;
@@ -624,10 +625,10 @@ xfs_bui_copy_format(
 	src_bui_fmt = buf->i_addr;
 	len = xfs_bui_log_format_sizeof(src_bui_fmt->bui_nextents);
 
-	if (buf->i_len == len) {
-		memcpy(dst_bui_fmt, src_bui_fmt, len);
+	if (buf->i_len == len &&
+	    __flex_cpy(dst_bui_fmt, src_bui_fmt,
+		       bui_extents, bui_nextents, __passthru) == 0)
 		return 0;
-	}
 	XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, NULL);
 	return -EFSCORRUPTED;
 }
-- 
2.34.1

Powered by blists - more mailing lists