lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240225121929.2e3fdc1b@jic23-huawei>
Date: Sun, 25 Feb 2024 12:19:29 +0000
From: Jonathan Cameron <jic23@...nel.org>
To: Arnd Bergmann <arnd@...nel.org>
Cc: Arnd Bergmann <arnd@...db.de>, Lars-Peter Clausen <lars@...afoo.de>,
 Nathan Chancellor <nathan@...nel.org>, Nick Desaulniers
 <ndesaulniers@...gle.com>, Bill Wendling <morbo@...gle.com>, Justin Stitt
 <justinstitt@...gle.com>, Uwe Kleine-König
 <u.kleine-koenig@...gutronix.de>, linux-iio@...r.kernel.org,
 linux-kernel@...r.kernel.org, llvm@...ts.linux.dev
Subject: Re: [PATCH] iio: avoid fortify-string overflow error

On Sat, 24 Feb 2024 13:11:34 +0100
Arnd Bergmann <arnd@...nel.org> wrote:

> From: Arnd Bergmann <arnd@...db.de>
> 
> The memcpy() call in dlhl60d.c triggers a check with clang-19:
> 
> In file included from drivers/iio/pressure/dlhl60d.c:11:
> In file included from include/linux/module.h:17:
> include/linux/fortify-string.h:553:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
>   553 |                         __write_overflow_field(p_size_field, size);
>       |                         ^
> 
> It writes into a two member array from a loop over a linked list
> that likely has some indication of having more than two entries.
> 
> Add a conditional check there to avoid the overflow.
> 
> Signed-off-by: Arnd Bergmann <arnd@...db.de>

Hi Arnd,

It's a false positive, but the compiler has no way to tell that only bits
0 and 1 can be set.
https://lore.kernel.org/linux-iio/20240222222335.work.759-kees@kernel.org/
for discussion on why + the missing zero initialization bug Kees noticed whilst
looking at this code.

Kees proposed an alternative way to suppress the warning that I've just applied.
https://lore.kernel.org/linux-iio/20240223172936.it.875-kees@kernel.org/

Your solution also works but leaves the implication of a real path to
overflow the buffer when there isn't one, hence I prefer what Kees had unless
some future version of clang trips over that in which case we can revisit.

Thanks

Jonathan

> ---
>  drivers/iio/pressure/dlhl60d.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/iio/pressure/dlhl60d.c b/drivers/iio/pressure/dlhl60d.c
> index 28c8269ba65d..a43ecda849db 100644
> --- a/drivers/iio/pressure/dlhl60d.c
> +++ b/drivers/iio/pressure/dlhl60d.c
> @@ -262,6 +262,8 @@ static irqreturn_t dlh_trigger_handler(int irq, void *private)
>  			&st->rx_buf[1] + chn * DLH_NUM_DATA_BYTES,
>  			DLH_NUM_DATA_BYTES);
>  		i++;
> +		if (i >= ARRAY_SIZE(tmp_buf))
> +			break;
>  	}
>  
>  	iio_push_to_buffers(indio_dev, tmp_buf);


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ