[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20230207120745.56r6ok4llwr2sz7t@quack3>
Date: Tue, 7 Feb 2023 13:07:45 +0100
From: Jan Kara <jack@...e.cz>
To: Kees Cook <keescook@...omium.org>
Cc: Jan Kara <jack@...e.com>, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH] udf: Use unsigned variables for size calculations
On Sat 04-02-23 10:34:27, Kees Cook wrote:
> To avoid confusing the compiler about possible negative sizes, switch
> various size variables that can never be negative from int to u32. Seen
> with GCC 13:
>
> ../fs/udf/directory.c: In function 'udf_copy_fi':
> ../include/linux/fortify-string.h:57:33: warning: '__builtin_memcpy' pointer overflow between offset 80 and size [-2147483648, -1] [-Warray-bounds=]
> 57 | #define __underlying_memcpy __builtin_memcpy
> | ^
> ...
> ../fs/udf/directory.c:102:9: note: in expansion of macro 'memcpy'
> 102 | memcpy(&iter->fi, iter->bh[0]->b_data + off, len);
> | ^~~~~~
>
> Cc: Jan Kara <jack@...e.com>
> Signed-off-by: Kees Cook <keescook@...omium.org>
Sigh. OK, applied but I really wish gcc was more clever because the
arithmetics making sure we cannot see negative values there is literaly in
two lines above the memcpy...
Honza
> ---
> fs/udf/directory.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/fs/udf/directory.c b/fs/udf/directory.c
> index 2e13c4b5fb81..e0bb73d414dd 100644
> --- a/fs/udf/directory.c
> +++ b/fs/udf/directory.c
> @@ -71,8 +71,9 @@ static int udf_verify_fi(struct udf_fileident_iter *iter)
> static int udf_copy_fi(struct udf_fileident_iter *iter)
> {
> struct udf_inode_info *iinfo = UDF_I(iter->dir);
> - int blksize = 1 << iter->dir->i_blkbits;
> - int err, off, len, nameoff;
> + u32 blksize = 1 << iter->dir->i_blkbits;
> + u32 off, len, nameoff;
> + int err;
>
> /* Skip copying when we are at EOF */
> if (iter->pos >= iter->dir->i_size) {
> --
> 2.34.1
>
--
Jan Kara <jack@...e.com>
SUSE Labs, CR
Powered by blists - more mailing lists