[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4603630c-3bb2-42b6-b0dd-79d500460ab4@embeddedor.com>
Date: Tue, 9 Jan 2024 08:35:37 -0600
From: "Gustavo A. R. Silva" <gustavo@...eddedor.com>
To: Dan Carpenter <dan.carpenter@...aro.org>
Cc: Kees Cook <keescook@...omium.org>,
Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>,
linux-hardening@...r.kernel.org, error27@...il.com, gustavoars@...nel.org,
Bryan Tan <bryantan@...are.com>, Vishnu Dasa <vdasa@...are.com>,
VMware PV-Drivers Reviewers <pv-drivers@...are.com>,
Arnd Bergmann <arnd@...db.de>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel@...r.kernel.org, vegard.nossum@...cle.com,
darren.kenny@...cle.com, syzkaller <syzkaller@...glegroups.com>
Subject: Re: [PATCH v2 2/2] VMCI: Fix memcpy() run-time warning in
dg_dispatch_as_host()
On 1/9/24 07:22, Dan Carpenter wrote:
> On Tue, Jan 09, 2024 at 06:31:41AM -0600, Gustavo A. R. Silva wrote:
>>
>> You're arguing that fortify caused a problem.
>
> Yes.
>
> Before: Code working correctly
> After: Kernel Panic
>
> At first, I started to question if I was going mad, but then I looked
> through the email thread and Harshit tested it and proved that the
> kernel does actually panic depending on the .config.
>
> I mean realistically we should backport this patch to old kernels,
> right? And if we had to assign a Fixes tag to this it would need to be
> the commit which adds Fortify to the kernel. Prior to that commit the
> code was fine.
>
> Again, I'm not saying that Fortify is bad overall. Probably in DnD it
> would be Chaotic Good where it's overall good but sometimes a pain.
>
You know what, I think the discrepancy here lies in the fact that, before,
fortify didn't complain about writes across multiple members in the same
struct, as long as we remained between the boundaries of the struct. This
was done via __builtin_object_size(p, 0).
In recent times, that has changed, and now fortify has been tightened to warn
about writes beyond the boundaries of a single object. This is now done via
__builtin_dynamic_object_size(p, 1)/__builtin_object_size(p, 1).
And, if this patch is to be backported, _technically_, the Fixes tag should
probably be assigned to that change from __bos(p, 0) to __bos(p, 1):
commit f68f2ff91512 ("fortify: Detect struct member overflows in memcpy() at compile-time")
In any case, fortify should now emit this sort of warning, and that adds
an extra layer of hardening to the kernel.
Thanks
--
Gustavo
Powered by blists - more mailing lists