| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Jan 2023 15:01:26 -0800
From: Kees Cook <keescook@...omium.org>
To: Jason Gunthorpe <jgg@...pe.ca>
Cc: Yupeng Li <liyupeng@...los.com>, tariqt@...dia.com,
davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, netdev@...r.kernel.org,
linux-rdma@...r.kernel.org, linux-kernel@...r.kernel.org,
Caicai <caizp2008@....com>
Subject: Re: [PATCH 1/1] net/mlx4: Fix build error use array_size() helper in
copy_to_user()
On Fri, Jan 13, 2023 at 10:41:01AM -0800, Kees Cook wrote:
> On Mon, Jan 09, 2023 at 09:51:18AM -0400, Jason Gunthorpe wrote:
> > On Sat, Jan 07, 2023 at 03:27:25PM +0800, Yupeng Li wrote:
> > > When CONFIG_64BIT was disabled, check_copy_size() was declared with
> > > attribute error: copy source size is too small, array_size() for 32BIT
> > > was wrong size, some compiled msg with error like:
> > >
> > > CALL scripts/checksyscalls.sh
> > > CC [M] drivers/net/ethernet/mellanox/mlx4/cq.o
> > > In file included from ./arch/x86/include/asm/preempt.h:7,
> > > from ./include/linux/preempt.h:78,
> > > from ./include/linux/percpu.h:6,
> > > from ./include/linux/context_tracking_state.h:5,
> > > from ./include/linux/hardirq.h:5,
> > > from drivers/net/ethernet/mellanox/mlx4/cq.c:37:
> > > In function ‘check_copy_size’,
> > > inlined from ‘copy_to_user’ at ./include/linux/uaccess.h:168:6,
> > > inlined from ‘mlx4_init_user_cqes’ at drivers/net/ethernet/mellanox/mlx4/cq.c:317:9,
> > > inlined from ‘mlx4_cq_alloc’ at drivers/net/ethernet/mellanox/mlx4/cq.c:394:10:
> > > ./include/linux/thread_info.h:228:4: error: call to ‘__bad_copy_from’ declared with attribute error: copy source size is too small
> > > 228 | __bad_copy_from();
> > > | ^~~~~~~~~~~~~~~~~
> > > make[6]: *** [scripts/Makefile.build:250:drivers/net/ethernet/mellanox/mlx4/cq.o] 错误 1
> > > make[5]: *** [scripts/Makefile.build:500:drivers/net/ethernet/mellanox/mlx4] 错误 2
> > > make[5]: *** 正在等待未完成的任务....
> > > make[4]: *** [scripts/Makefile.build:500:drivers/net/ethernet/mellanox] 错误 2
> > > make[3]: *** [scripts/Makefile.build:500:drivers/net/ethernet] 错误 2
> > > make[3]: *** 正在等待未完成的任务....
> > > make[2]: *** [scripts/Makefile.build:500:drivers/net] 错误 2
> > > make[2]: *** 正在等待未完成的任务....
> > > make[1]: *** [scripts/Makefile.build:500:drivers] 错误 2
> > > make: *** [Makefile:1992:.] 错误 2
> > >
> > > Signed-off-by: Yupeng Li <liyupeng@...los.com>
> > > Reviewed-by: Caicai <caizp2008@....com>
> > > ---
> > > drivers/net/ethernet/mellanox/mlx4/cq.c | 4 ++++
> > > 1 file changed, 4 insertions(+)
> > >
> > > diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
> > > index 4d4f9cf9facb..7dadd7227480 100644
> > > --- a/drivers/net/ethernet/mellanox/mlx4/cq.c
> > > +++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
> > > @@ -315,7 +315,11 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
> > > }
> > > } else {
> > > err = copy_to_user((void __user *)buf, init_ents,
> > > +#ifdef CONFIG_64BIT
> > > array_size(entries, cqe_size)) ?
> > > +#else
> > > + entries * cqe_size) ?
> > > +#endif
> > > -EFAULT : 0;
> >
> > This can't possibly make sense, Kees?
>
> Uuuuh, that's really weird. What compiler version and arch? I'll see if
> I can reproduce this.
I can't reproduce this. I'm assuming this is being seen on a 32-bit
loongarch build? I have no idea how to get that compiler. Neither Debian
nor Fedora seem to package it. (It looks like it was added in GCC 12?)
Perhaps it's just "mips"? But I also can't figure out how to choose a
32-bit mips build. Wheee.
Anyway, I would assume this is a compiler bug around inlining or the
check_mul_overflow implementation?
static inline size_t __must_check size_mul(size_t factor1, size_t factor2)
{
size_t bytes;
if (check_mul_overflow(factor1, factor2, &bytes))
return SIZE_MAX;
return bytes;
}
#define array_size(a, b) size_mul(a, b)
-Kees
--
Kees Cook
Powered by blists - more mailing lists