lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y0WK3MZvxpoXS24n@work>
Date:   Tue, 11 Oct 2022 10:25:16 -0500
From:   "Gustavo A. R. Silva" <gustavoars@...nel.org>
To:     Kees Cook <keescook@...omium.org>
Cc:     Trond Myklebust <trond.myklebust@...merspace.com>,
        kernel test robot <yujie.liu@...el.com>,
        Anna Schumaker <anna@...nel.org>, linux-nfs@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] NFS: Avoid memcpy() run-time warning for struct sockaddr
 overflows

On Mon, Oct 10, 2022 at 11:52:43PM -0700, Kees Cook wrote:
> The 'nfs_server' and 'mount_server' structures include a union of
> 'struct sockaddr' (with the older 16 bytes max address size) and
> 'struct sockaddr_storage' which is large enough to hold all the supported
> sa_family types (128 bytes max size). The runtime memcpy() buffer overflow
> checker is seeing attempts to write beyond the 16 bytes as an overflow,
> but the actual expected size is that of 'struct sockaddr_storage'. Adjust
> the pointers to the correct union member. Avoids this false positive
> run-time warning under CONFIG_FORTIFY_SOURCE:
> 
>   memcpy: detected field-spanning write (size 28) of single field "&ctx->nfs_server.address" at fs/nfs/namespace.c:178 (size 16)
> 
> Reported-by: kernel test robot <yujie.liu@...el.com>
> Link: https://lore.kernel.org/all/202210110948.26b43120-yujie.liu@intel.com
> Cc: Trond Myklebust <trond.myklebust@...merspace.com>
> Cc: Anna Schumaker <anna@...nel.org>
> Cc: linux-nfs@...r.kernel.org
> Signed-off-by: Kees Cook <keescook@...omium.org>

Reviewed-by: Gustavo A. R. Silva <gustavoars@...nel.org>

Thanks!
--
Gustavo

> ---
>  fs/nfs/fs_context.c | 2 +-
>  fs/nfs/namespace.c  | 2 +-
>  fs/nfs/super.c      | 4 ++--
>  3 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/nfs/fs_context.c b/fs/nfs/fs_context.c
> index 4da701fd1424..bffa31bb35b9 100644
> --- a/fs/nfs/fs_context.c
> +++ b/fs/nfs/fs_context.c
> @@ -1540,7 +1540,7 @@ static int nfs_init_fs_context(struct fs_context *fc)
>  		ctx->version		= nfss->nfs_client->rpc_ops->version;
>  		ctx->minorversion	= nfss->nfs_client->cl_minorversion;
>  
> -		memcpy(&ctx->nfs_server.address, &nfss->nfs_client->cl_addr,
> +		memcpy(&ctx->nfs_server._address, &nfss->nfs_client->cl_addr,
>  			ctx->nfs_server.addrlen);
>  
>  		if (fc->net_ns != net) {
> diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
> index 3295af4110f1..2f336ace7555 100644
> --- a/fs/nfs/namespace.c
> +++ b/fs/nfs/namespace.c
> @@ -175,7 +175,7 @@ struct vfsmount *nfs_d_automount(struct path *path)
>  	}
>  
>  	/* for submounts we want the same server; referrals will reassign */
> -	memcpy(&ctx->nfs_server.address, &client->cl_addr, client->cl_addrlen);
> +	memcpy(&ctx->nfs_server._address, &client->cl_addr, client->cl_addrlen);
>  	ctx->nfs_server.addrlen	= client->cl_addrlen;
>  	ctx->nfs_server.port	= server->port;
>  
> diff --git a/fs/nfs/super.c b/fs/nfs/super.c
> index 82944e14fcea..8ea7dfdea427 100644
> --- a/fs/nfs/super.c
> +++ b/fs/nfs/super.c
> @@ -823,7 +823,7 @@ static int nfs_request_mount(struct fs_context *fc,
>  	struct nfs_fs_context *ctx = nfs_fc2context(fc);
>  	struct nfs_mount_request request = {
>  		.sap		= (struct sockaddr *)
> -						&ctx->mount_server.address,
> +						&ctx->mount_server._address,
>  		.dirpath	= ctx->nfs_server.export_path,
>  		.protocol	= ctx->mount_server.protocol,
>  		.fh		= root_fh,
> @@ -854,7 +854,7 @@ static int nfs_request_mount(struct fs_context *fc,
>  	 * Construct the mount server's address.
>  	 */
>  	if (ctx->mount_server.address.sa_family == AF_UNSPEC) {
> -		memcpy(request.sap, &ctx->nfs_server.address,
> +		memcpy(request.sap, &ctx->nfs_server._address,
>  		       ctx->nfs_server.addrlen);
>  		ctx->mount_server.addrlen = ctx->nfs_server.addrlen;
>  	}
> -- 
> 2.34.1
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ