lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 8 Apr 2024 16:36:23 +0200
From: Jan Kara <jack@...e.cz>
To: Arnd Bergmann <arnd@...nel.org>
Cc: linux-fsdevel@...r.kernel.org, Mike Marshall <hubcap@...ibond.com>,
	Arnd Bergmann <arnd@...db.de>,
	Alexander Viro <viro@...iv.linux.org.uk>,
	Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>,
	Martin Brandenburg <martin@...ibond.com>, devel@...ts.orangefs.org,
	Vlastimil Babka <vbabka@...e.cz>, Kees Cook <keescook@...omium.org>,
	Justin Stitt <justinstitt@...gle.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] [RESEND] orangefs: fix out-of-bounds fsid access

On Mon 08-04-24 09:50:43, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@...db.de>
> 
> orangefs_statfs() copies two consecutive fields of the superblock into
> the statfs structure, which triggers a warning from the string fortification
> helpers:
> 
> In file included from fs/orangefs/super.c:8:
> include/linux/fortify-string.h:592:4: error: call to '__read_overflow2_field' declared with 'warning' attribute: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
>                         __read_overflow2_field(q_size_field, size);
> 
> Change the memcpy() to an individual assignment of the two fields, which helps
> both the compiler and human readers understand better what it does.
> 
> Link: https://lore.kernel.org/all/20230622101701.3399585-1-arnd@kernel.org/
> Cc: Alexander Viro <viro@...iv.linux.org.uk>
> Cc: Christian Brauner <brauner@...nel.org>
> Cc: Jan Kara <jack@...e.cz>
> Cc: linux-fsdevel@...r.kernel.org
> Cc: Mike Marshall <hubcap@...ibond.com>
> Cc: Martin Brandenburg <martin@...ibond.com>
> Cc: devel@...ts.orangefs.org
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> ---
> Resending to VFS maintainers, I sent this a couple of times to the
> orangefs maintainers but never got a reply
> ---
>  fs/orangefs/super.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/orangefs/super.c b/fs/orangefs/super.c
> index fb4d09c2f531..152478295766 100644
> --- a/fs/orangefs/super.c
> +++ b/fs/orangefs/super.c
> @@ -201,7 +201,10 @@ static int orangefs_statfs(struct dentry *dentry, struct kstatfs *buf)
>  		     (long)new_op->downcall.resp.statfs.files_avail);
>  
>  	buf->f_type = sb->s_magic;
> -	memcpy(&buf->f_fsid, &ORANGEFS_SB(sb)->fs_id, sizeof(buf->f_fsid));
> +	buf->f_fsid = (__kernel_fsid_t) {{
> +		ORANGEFS_SB(sb)->fs_id,
> +		ORANGEFS_SB(sb)->id,
> +	}};

Frankly, this initializer is hard to understand for me. Why not simple:

	buf->f_fsid[0] = ORANGEFS_SB(sb)->fs_id;
	buf->f_fsid[1] = ORANGEFS_SB(sb)->id;

								Honza
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ