| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAMuHMdU3MazCqD6PaeyLTW1P8mVZr6BVEConT713cTHe830bTQ@mail.gmail.com>
Date: Tue, 18 Feb 2025 09:08:04 +0100
From: Geert Uytterhoeven <geert@...ux-m68k.org>
To: Arnd Bergmann <arnd@...db.de>
Cc: Philip Li <philip.li@...el.com>, Elizabeth Figura <zfigura@...eweavers.com>,
kernel test robot <lkp@...el.com>, oe-kbuild-all@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: include/linux/thread_info.h:259:25: error: call to
'__bad_copy_to' declared with attribute error: copy destination size is too small
Hi Arnd,
On Fri, 14 Feb 2025 at 12:26, Arnd Bergmann <arnd@...db.de> wrote:
> On Fri, Feb 14, 2025, at 09:44, Philip Li wrote:
> > On Mon, Feb 10, 2025 at 02:39:46PM -0600, Elizabeth Figura wrote:
> >> On Friday, 7 February 2025 06:11:47 CST kernel test robot wrote:
> >> > In file included from include/linux/spinlock.h:60,
> >> > from include/linux/wait.h:9,
> >> > from include/linux/wait_bit.h:8,
> >> > from include/linux/fs.h:6,
> >> > from drivers/misc/ntsync.c:11:
> >> > In function 'check_copy_size',
> >> > inlined from 'copy_from_user' at include/linux/uaccess.h:207:7,
> >> > inlined from 'setup_wait' at drivers/misc/ntsync.c:888:6:
> >> > >> include/linux/thread_info.h:259:25: error: call to '__bad_copy_to' declared with attribute error: copy destination size is too small
> >> > 259 | __bad_copy_to();
> >> > | ^~~~~~~~~~~~~~~
> >>
> >> This was caught before and mentioned in [1]. The suggestion there of changing "args->count" to "count" doesn't help.
> >>
> >> Somehow gcc 12 thinks that the array_size(count, sizeof(*fds)) parameter is constant, although it's finnicky and depends on exactly where __builtin_constant_p() is evaluated.
> >>
> >> The bug goes away with gcc 13. Is this worth trying to work around? I don't have any ideas for how to do so.
> >
> > Thanks for the info, at bot side, we will ignore this error to
> > avoid further reporting on old gcc.
>
> gcc-12 isn't really "old", we support gcc-5 through gcc-14 at the moment.
>
> Maybe the change below would address it? (Not sure I handled the
> "+1" right here, but something like that should make it obvious
> to the compiler what the check is).
>
> Arnd
>
> diff --git a/drivers/misc/ntsync.c b/drivers/misc/ntsync.c
> index 055395cde42b..ae13aae9194b 100644
> --- a/drivers/misc/ntsync.c
> +++ b/drivers/misc/ntsync.c
> @@ -873,6 +873,7 @@ static int setup_wait(struct ntsync_device *dev,
> {
> int fds[NTSYNC_MAX_WAIT_COUNT + 1];
> const __u32 count = args->count;
> + size_t size = count * sizeof(fds[0]);
array_size(), to keep the multiplication overflow check?
> struct ntsync_q *q;
> __u32 total_count;
> __u32 i, j;
> @@ -880,15 +881,14 @@ static int setup_wait(struct ntsync_device *dev,
> if (args->pad || (args->flags & ~NTSYNC_WAIT_REALTIME))
> return -EINVAL;
>
> - if (args->count > NTSYNC_MAX_WAIT_COUNT)
> + if (size >= sizeof(fds))
> return -EINVAL;
>
> total_count = count;
> if (args->alert)
> total_count++;
>
> - if (copy_from_user(fds, u64_to_user_ptr(args->objs),
> - array_size(count, sizeof(*fds))))
> + if (copy_from_user(fds, u64_to_user_ptr(args->objs), size))
> return -EFAULT;
> if (args->alert)
> fds[count] = args->alert;
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
Powered by blists - more mailing lists