lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <202301131453.D93C967D4@keescook>
Date:   Fri, 13 Jan 2023 15:01:26 -0800
From:   Kees Cook <keescook@...omium.org>
To:     Jason Gunthorpe <jgg@...pe.ca>
Cc:     Yupeng Li <liyupeng@...los.com>, tariqt@...dia.com,
        davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        pabeni@...hat.com, netdev@...r.kernel.org,
        linux-rdma@...r.kernel.org, linux-kernel@...r.kernel.org,
        Caicai <caizp2008@....com>
Subject: Re: [PATCH 1/1] net/mlx4: Fix build error use array_size() helper in
 copy_to_user()

On Fri, Jan 13, 2023 at 10:41:01AM -0800, Kees Cook wrote:
> On Mon, Jan 09, 2023 at 09:51:18AM -0400, Jason Gunthorpe wrote:
> > On Sat, Jan 07, 2023 at 03:27:25PM +0800, Yupeng Li wrote:
> > > When CONFIG_64BIT was disabled, check_copy_size() was declared with
> > > attribute error: copy source size is too small, array_size() for 32BIT
> > > was wrong size, some compiled msg with error like:
> > > 
> > >   CALL    scripts/checksyscalls.sh
> > >   CC [M]  drivers/net/ethernet/mellanox/mlx4/cq.o
> > > In file included from ./arch/x86/include/asm/preempt.h:7,
> > >                  from ./include/linux/preempt.h:78,
> > >                  from ./include/linux/percpu.h:6,
> > >                  from ./include/linux/context_tracking_state.h:5,
> > >                  from ./include/linux/hardirq.h:5,
> > >                  from drivers/net/ethernet/mellanox/mlx4/cq.c:37:
> > > In function ‘check_copy_size’,
> > >     inlined from ‘copy_to_user’ at ./include/linux/uaccess.h:168:6,
> > >     inlined from ‘mlx4_init_user_cqes’ at drivers/net/ethernet/mellanox/mlx4/cq.c:317:9,
> > >     inlined from ‘mlx4_cq_alloc’ at drivers/net/ethernet/mellanox/mlx4/cq.c:394:10:
> > > ./include/linux/thread_info.h:228:4: error: call to ‘__bad_copy_from’ declared with attribute error: copy source size is too small
> > >   228 |    __bad_copy_from();
> > >       |    ^~~~~~~~~~~~~~~~~
> > > make[6]: *** [scripts/Makefile.build:250:drivers/net/ethernet/mellanox/mlx4/cq.o] 错误 1
> > > make[5]: *** [scripts/Makefile.build:500:drivers/net/ethernet/mellanox/mlx4] 错误 2
> > > make[5]: *** 正在等待未完成的任务....
> > > make[4]: *** [scripts/Makefile.build:500:drivers/net/ethernet/mellanox] 错误 2
> > > make[3]: *** [scripts/Makefile.build:500:drivers/net/ethernet] 错误 2
> > > make[3]: *** 正在等待未完成的任务....
> > > make[2]: *** [scripts/Makefile.build:500:drivers/net] 错误 2
> > > make[2]: *** 正在等待未完成的任务....
> > > make[1]: *** [scripts/Makefile.build:500:drivers] 错误 2
> > > make: *** [Makefile:1992:.] 错误 2
> > > 
> > > Signed-off-by: Yupeng Li <liyupeng@...los.com>
> > > Reviewed-by: Caicai <caizp2008@....com>
> > > ---
> > >  drivers/net/ethernet/mellanox/mlx4/cq.c | 4 ++++
> > >  1 file changed, 4 insertions(+)
> > > 
> > > diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
> > > index 4d4f9cf9facb..7dadd7227480 100644
> > > --- a/drivers/net/ethernet/mellanox/mlx4/cq.c
> > > +++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
> > > @@ -315,7 +315,11 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
> > >  		}
> > >  	} else {
> > >  		err = copy_to_user((void __user *)buf, init_ents,
> > > +#ifdef CONFIG_64BIT
> > >  				   array_size(entries, cqe_size)) ?
> > > +#else
> > > +				   entries * cqe_size) ?
> > > +#endif
> > >  			-EFAULT : 0;
> > 
> > This can't possibly make sense, Kees?
> 
> Uuuuh, that's really weird. What compiler version and arch? I'll see if
> I can reproduce this.

I can't reproduce this. I'm assuming this is being seen on a 32-bit
loongarch build? I have no idea how to get that compiler. Neither Debian
nor Fedora seem to package it. (It looks like it was added in GCC 12?)
Perhaps it's just "mips"? But I also can't figure out how to choose a
32-bit mips build. Wheee.

Anyway, I would assume this is a compiler bug around inlining or the
check_mul_overflow implementation?

static inline size_t __must_check size_mul(size_t factor1, size_t factor2)
{
        size_t bytes;

        if (check_mul_overflow(factor1, factor2, &bytes))
                return SIZE_MAX;

        return bytes;
}

#define array_size(a, b)        size_mul(a, b)


-Kees

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ