lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <202509081440.526A41768@keescook>
Date: Mon, 8 Sep 2025 14:43:06 -0700
From: Kees Cook <kees@...nel.org>
To: Anders Roxell <anders.roxell@...aro.org>
Cc: Bjorn Helgaas <bhelgaas@...gle.com>,
	Linux Kernel Functional Testing <lkft@...aro.org>,
	Naresh Kamboju <naresh.kamboju@...aro.org>,
	lkft-triage@...ts.linaro.org,
	Linux Regressions <regressions@...ts.linux.dev>,
	Arnd Bergmann <arnd@...db.de>,
	Dan Carpenter <dan.carpenter@...aro.org>,
	Ben Copeland <benjamin.copeland@...aro.org>,
	linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org,
	"Peter Zijlstra (Intel)" <peterz@...radead.org>,
	linux-hardening@...r.kernel.org
Subject: Re: [PATCH] PCI: Test for bit underflow in pcie_set_readrq()

On Fri, Sep 05, 2025 at 10:16:33AM +0200, Anders Roxell wrote:
> > -       v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8);
> > +       firstbit = ffs(rq);
> > +       if (firstbit < 8)
> > +               return -EINVAL;
> > +       v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, firstbit - 8);
> 
> Hi Kees,
> 
> Thank you for looking into this.
> 
> These warnings are not a one time thing.  the later versions of gcc
> can figure it
> out that firstbit is at least 8 based on the "rq < 128" (i guess), so
> we're adding
> bogus code.  maybe we should just disable the check for gcc-8.

I think the issue is that GCC thinks it knows the range for ffs is not
the entire [0..UINT_MAX], but it _doesn't_ know how "rq" affects the
outcome. (The range checker warnings kick in when it's not the whole
range of a given type.) But I am just guessing, based on what how I've
seen in behave in the past.

> Maybe something like this:
> 
> diff --git a/include/linux/bitfield.h b/include/linux/bitfield.h
> index 5355f8f806a9..4716025c98c7 100644
> --- a/include/linux/bitfield.h
> +++ b/include/linux/bitfield.h
> @@ -65,9 +65,20 @@
>                 BUILD_BUG_ON_MSG(!__builtin_constant_p(_mask),          \
>                                  _pfx "mask is not constant");          \
>                 BUILD_BUG_ON_MSG((_mask) == 0, _pfx "mask is zero");    \
> -               BUILD_BUG_ON_MSG(__builtin_constant_p(_val) ?           \
> -                                ~((_mask) >> __bf_shf(_mask)) &        \
> -                                       (0 + (_val)) : 0,               \
> +               /* Value validation disabled for gcc < 9 due to
> __attribute_const__ issues.
> +                */ \
> +               BUILD_BUG_ON_MSG(__GNUC__ >= 9 &&
> __builtin_constant_p(_val) ?  \
> +                                ~((_mask) >> __bf_shf(_mask)) &
>          \
> +                                       (0 + (_val)) : 0,
>          \
>                                  _pfx "value too large for the field"); \
>                 BUILD_BUG_ON_MSG(__bf_cast_unsigned(_mask, _mask) >     \
>                                  __bf_cast_unsigned(_reg, ~0ull),       \
> 
> I found similar patterns with ffs and FIELD_PREP here
> drivers/dma/uniphier-xdmac.c row 156 and 165
> drivers/gpu/drm/i915/display/intel_cursor_regs.h row 17

You got warnings for these?

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ