| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Apr 2024 11:45:54 +0200
From: Michal Swiatkowski <michal.swiatkowski@...ux.intel.com>
To: Arnd Bergmann <arnd@...db.de>
Cc: Alexander Lobakin <aleksander.lobakin@...el.com>,
"David S . Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Yury Norov <yury.norov@...il.com>,
Alexander Potapenko <glider@...gle.com>,
nex.sw.ncis.osdt.itp.upstreaming@...el.com,
"intel-wired-lan@...ts.osuosl.org" <intel-wired-lan@...ts.osuosl.org>,
Netdev <netdev@...r.kernel.org>, linux-kernel@...r.kernel.org,
Marcin Szycik <marcin.szycik@...ux.intel.com>,
Simon Horman <horms@...nel.org>, Kees Cook <keescook@...omium.org>
Subject: Re: [PATCH net-next v6 19/21] pfcp: always set pfcp metadata
On Wed, Apr 03, 2024 at 10:59:36PM +0200, Arnd Bergmann wrote:
> On Wed, Mar 27, 2024, at 16:23, Alexander Lobakin wrote:
>
> > +static int pfcp_encap_recv(struct sock *sk, struct sk_buff *skb)
> > +{
> > + IP_TUNNEL_DECLARE_FLAGS(flags) = { };
> > + struct metadata_dst *tun_dst;
> > + struct pfcp_metadata *md;
> > + struct pfcphdr *unparsed;
> > + struct pfcp_dev *pfcp;
> > +
> > + if (unlikely(!pskb_may_pull(skb, PFCP_HLEN)))
> > + goto drop;
> > +
> > + pfcp = rcu_dereference_sk_user_data(sk);
> > + if (unlikely(!pfcp))
> > + goto drop;
> > +
> > + unparsed = pfcp_hdr(skb);
> > +
> > + ip_tunnel_flags_zero(flags);
> > + tun_dst = udp_tun_rx_dst(skb, sk->sk_family, flags, 0,
> > + sizeof(*md));
> > + if (unlikely(!tun_dst))
> > + goto drop;
> > +
> > + md = ip_tunnel_info_opts(&tun_dst->u.tun_info);
> > + if (unlikely(!md))
> > + goto drop;
> > +
> > + if (unparsed->flags & PFCP_SEID_FLAG)
> > + pfcp_session_recv(pfcp, skb, md);
> > + else
> > + pfcp_node_recv(pfcp, skb, md);
> > +
> > + __set_bit(IP_TUNNEL_PFCP_OPT_BIT, flags);
> > + ip_tunnel_info_opts_set(&tun_dst->u.tun_info, md, sizeof(*md),
> > + flags);
> > +
>
> The memcpy() in the ip_tunnel_info_opts_set() causes
> a string.h fortification warning, with at least gcc-13:
>
> In function 'fortify_memcpy_chk',
> inlined from 'ip_tunnel_info_opts_set' at include/net/ip_tunnels.h:619:3,
> inlined from 'pfcp_encap_recv' at drivers/net/pfcp.c:84:2:
> include/linux/fortify-string.h:553:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
> 553 | __write_overflow_field(p_size_field, size);
>
> As far as I can tell, the warning is caused by the
> ambiguity of the union, but what I noticed is that
> it also seems to copy a buffer to itself, as 'md'
> is initialized to tun_dst->u.tun_info as well.
>
> Is this intentional?
I used ip_tunnel_info_opts_set() to set options_len and flags.
You are right that it can and probably should be changed to:
__set_bit(IP_TUNNEL_PFCP_OPT_BIT, tun_dst->u.tun_info.key.tun_flags);
tun_dst->u.tun_info.options_len = sizeof(*md);
instead of copying the buffer. Thanks for pointing it.
Should I sent a fix to the net or patch to the maintainer? Sorry, don't
know how this kind of situations are being solved.
Michal
>
> Arnd
Powered by blists - more mailing lists