lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <202210281526.B32C79C4@keescook>
Date:   Fri, 28 Oct 2022 15:56:37 -0700
From:   Kees Cook <keescook@...omium.org>
To:     "Dr. David Alan Gilbert" <linux@...blig.org>
Cc:     shaggy@...nel.org, jfs-discussion@...ts.sourceforge.net,
        linux-kernel@...r.kernel.org,
        syzbot+5fc38b2ddbbca7f5c680@...kaller.appspotmail.com
Subject: Re: [PATCH] jfs: Fix fortify moan in symlink

On Mon, Oct 24, 2022 at 07:49:17PM +0100, Dr. David Alan Gilbert wrote:
> * Kees Cook (keescook@...omium.org) wrote:
> > On Sat, Oct 22, 2022 at 09:39:14PM +0100, linux@...blig.org wrote:
> > > From: "Dr. David Alan Gilbert" <linux@...blig.org>
> > > 
> > > JFS has in jfs_incore.h:
> > > 
> > >       /* _inline may overflow into _inline_ea when needed */
> > >       /* _inline_ea may overlay the last part of
> > >        * file._xtroot if maxentry = XTROOTINITSLOT
> > >        */
> > >       union {
> > >         struct {
> > >           /* 128: inline symlink */
> > >           unchar _inline[128];
> > >           /* 128: inline extended attr */
> > >           unchar _inline_ea[128];
> > >         };
> > >         unchar _inline_all[256];
> > > 
> > > and currently the symlink code copies into _inline;
> > > if this is larger than 128 bytes it triggers a fortify warning of the
> > > form:
> > > 
> > >   memcpy: detected field-spanning write (size 132) of single field
> > >      "ip->i_link" at fs/jfs/namei.c:950 (size 18446744073709551615)
> > 
> > Which compiler are you using for this build?
> 
> I think that report was the same on gcc on Fedora 37 and whatever
> syzkaller was running.
> 
> > This size report (SIZE_MAX)
> > should be impossible to reach. But also, the size is just wrong --
> > i_inline is 128 bytes, not SIZE_MAX. So, the detection is working
> > (132 > 128), but the report is broken, and I can't see how...
> 
> Yeh, and led me down a blind alley for a while thinking something had
> really managed to screwup the strlen somehow.

This looks like a GCC bug (going at least back to GCC 10.2)[1], but some
extra care around the macro appears to make it go away, so the reporting
variable doesn't get confused/re-evaluated:

diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
index 09a032f6ce6b..9e2d96993c30 100644
--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
@@ -550,13 +550,18 @@ __FORTIFY_INLINE bool fortify_memcpy_chk(__kernel_size_t size,
 
 #define __fortify_memcpy_chk(p, q, size, p_size, q_size,		\
 			     p_size_field, q_size_field, op) ({		\
-	size_t __fortify_size = (size_t)(size);				\
-	WARN_ONCE(fortify_memcpy_chk(__fortify_size, p_size, q_size,	\
-				     p_size_field, q_size_field, #op),	\
+	const size_t __fortify_size = (size_t)(size);			\
+	const size_t __p_size = (p_size);				\
+	const size_t __q_size = (q_size);				\
+	const size_t __p_size_field = (p_size_field);			\
+	const size_t __q_size_field = (q_size_field);			\
+	WARN_ONCE(fortify_memcpy_chk(__fortify_size, __p_size,		\
+				     __q_size, __p_size_field,		\
+				     __q_size_field, #op),		\
 		  #op ": detected field-spanning write (size %zu) of single %s (size %zu)\n", \
 		  __fortify_size,					\
 		  "field \"" #p "\" at " __FILE__ ":" __stringify(__LINE__), \
-		  p_size_field);					\
+		  __p_size_field);					\
 	__underlying_##op(p, q, __fortify_size);			\
 })
 


[1] https://syzkaller.appspot.com/bug?id=23d613df5259b977dac1696bec77f61a85890e3d

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ