lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <202209251949.D718072@keescook>
Date:   Sun, 25 Sep 2022 19:52:22 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Eric Dumazet <edumazet@...gle.com>
Cc:     Jamal Hadi Salim <jhs@...atatu.com>,
        syzbot <syzbot+a2c4601efc75848ba321@...kaller.appspotmail.com>,
        David Miller <davem@...emloft.net>,
        Jiri Pirko <jiri@...nulli.us>,
        Jakub Kicinski <kuba@...nel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        netdev <netdev@...r.kernel.org>, Paolo Abeni <pabeni@...hat.com>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        Cong Wang <xiyou.wangcong@...il.com>,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>
Subject: Re: [syzbot] WARNING in u32_change

On Sun, Sep 25, 2022 at 07:39:23PM -0700, Kees Cook wrote:
> On Sun, Sep 25, 2022 at 10:34:37AM -0700, Eric Dumazet wrote:
> > Sure, please look at:
> > 
> > commit 54d9469bc515dc5fcbc20eecbe19cea868b70d68
> > Author: Kees Cook <keescook@...omium.org>
> > Date:   Thu Jun 24 15:39:26 2021 -0700
> > 
> >     fortify: Add run-time WARN for cross-field memcpy()
> > [...]
> > Here, we might switch to unsafe_memcpy() instead of memcpy()
> 
> I would tend to agree. Something like:
> 
> diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
> index 4d27300c287c..21e0e6206ecc 100644
> --- a/net/sched/cls_u32.c
> +++ b/net/sched/cls_u32.c
> @@ -1040,7 +1040,9 @@ static int u32_change(struct net *net, struct sk_buff *in_skb,
>  	}
>  #endif
>  
> -	memcpy(&n->sel, s, sel_size);
> +	unsafe_memcpy(&n->sel, s, sel_size,
> +		      /* A composite flex-array structure destination,
> +		       * which was correctly sized and allocated above. */);
>  	RCU_INIT_POINTER(n->ht_up, ht);
>  	n->handle = handle;
>  	n->fshift = s->hmask ? ffs(ntohl(s->hmask)) - 1 : 0;

Ah, there is another in the same source file, in u32_init_knode():

        memcpy(&new->sel, s, struct_size(s, keys, s->nkeys));

(I've been trying to convince Coccinelle to produce a list of all the
composite structure targets, but I keep running into weird glitches.
That it hadn't found this one let me track down the latest issue, so now
I should be able to find more! Whew.)

-- 
Kees Cook

Powered by blists - more mailing lists