lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <61b37f83-eb9e-cf81-c5e6-ca322f76f490@linux.intel.com>
Date:   Wed, 14 Apr 2021 13:24:07 +0800
From:   Lu Baolu <baolu.lu@...ux.intel.com>
To:     "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        David Woodhouse <dwmw2@...radead.org>,
        Joerg Roedel <joro@...tes.org>, Will Deacon <will@...nel.org>
Cc:     baolu.lu@...ux.intel.com, iommu@...ts.linux-foundation.org,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH][next] iommu/vt-d: Fix out-bounds-warning in
 intel_svm_page_response()

Hi Gustavo,

On 4/14/21 3:54 AM, Gustavo A. R. Silva wrote:
> Replace call to memcpy() with just a couple of simple assignments in
> order to fix the following out-of-bounds warning:
> 
> drivers/iommu/intel/svm.c:1198:4: warning: 'memcpy' offset [25, 32] from the object at 'desc' is out of the bounds of referenced subobject 'qw2' with type 'long long unsigned int' at offset 16 [-Warray-bounds]
> 
> The problem is that the original code is trying to copy data into a
> couple of struct members adjacent to each other in a single call to
> memcpy(). This causes a legitimate compiler warning because memcpy()
> overruns the length of &desc.qw2.
> 
> This helps with the ongoing efforts to globally enable -Warray-bounds
> and get us closer to being able to tighten the FORTIFY_SOURCE routines
> on memcpy().
> 
> Link: https://github.com/KSPP/linux/issues/109
> Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org>
> ---
>   drivers/iommu/intel/svm.c | 7 ++++---
>   1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/iommu/intel/svm.c b/drivers/iommu/intel/svm.c
> index 5165cea90421..65909f504c50 100644
> --- a/drivers/iommu/intel/svm.c
> +++ b/drivers/iommu/intel/svm.c
> @@ -1194,9 +1194,10 @@ int intel_svm_page_response(struct device *dev,
>   		desc.qw1 = QI_PGRP_IDX(prm->grpid) | QI_PGRP_LPIG(last_page);
>   		desc.qw2 = 0;
>   		desc.qw3 = 0;
> -		if (private_present)
> -			memcpy(&desc.qw2, prm->private_data,
> -			       sizeof(prm->private_data));

The same memcpy() is used in multiple places in this file. Did they
compile the same warnings? Or there are multiple patches to fix them
one by one?

Best regards,
baolu

> +		if (private_present) {
> +			desc.qw2 = prm->private_data[0];
> +			desc.qw3 = prm->private_data[1];
> +		}
>   
>   		qi_submit_sync(iommu, &desc, 1, 0);
>   	}
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ