lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CA+hmzGDGRTOv9RBe8Kt9b8LdKpHLiGNTA5DkivatraXigWbDjg@mail.gmail.com>
Date:   Mon, 20 Feb 2023 03:09:51 +0100
From:   Josef Oskera <joskera@...hat.com>
To:     Tariq Toukan <ttoukan.linux@...il.com>
Cc:     Kees Cook <keescook@...omium.org>,
        Tariq Toukan <tariqt@...dia.com>,
        "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        Yishai Hadas <yishaih@...dia.com>, netdev@...r.kernel.org,
        linux-rdma@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-hardening@...r.kernel.org
Subject: Re: [PATCH] net/mlx4_en: Introduce flexible array to silence overflow warning

I've tried Kees's patch and it works for me. I am able to compile mlx4
without the fortify warning.

ne 19. 2. 2023 v 10:43 odesílatel Tariq Toukan <ttoukan.linux@...il.com> napsal:
>
>
>
> On 18/02/2023 20:38, Kees Cook wrote:
> > The call "skb_copy_from_linear_data(skb, inl + 1, spc)" triggers a FORTIFY
> > memcpy() warning on ppc64 platform:
> >
> > In function ‘fortify_memcpy_chk’,
> >      inlined from ‘skb_copy_from_linear_data’ at ./include/linux/skbuff.h:4029:2,
> >      inlined from ‘build_inline_wqe’ at drivers/net/ethernet/mellanox/mlx4/en_tx.c:722:4,
> >      inlined from ‘mlx4_en_xmit’ at drivers/net/ethernet/mellanox/mlx4/en_tx.c:1066:3:
> > ./include/linux/fortify-string.h:513:25: error: call to ‘__write_overflow_field’ declared with
> > attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()?
> > [-Werror=attribute-warning]
> >    513 |                         __write_overflow_field(p_size_field, size);
> >        |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Same behaviour on x86 you can get if you use "__always_inline" instead of
> > "inline" for skb_copy_from_linear_data() in skbuff.h
> >
> > The call here copies data into inlined tx destricptor, which has 104
> > bytes (MAX_INLINE) space for data payload. In this case "spc" is known
> > in compile-time but the destination is used with hidden knowledge
> > (real structure of destination is different from that the compiler
> > can see). That cause the fortify warning because compiler can check
> > bounds, but the real bounds are different.  "spc" can't be bigger than
> > 64 bytes (MLX4_INLINE_ALIGN), so the data can always fit into inlined
> > tx descriptor. The fact that "inl" points into inlined tx descriptor is
> > determined earlier in mlx4_en_xmit().
> >
> > Avoid confusing the compiler with "inl + 1" constructions to get to past
> > the inl header by introducing a flexible array "data" to the struct so
> > that the compiler can see that we are not dealing with an array of inl
> > structs, but rather, arbitrary data following the structure. There are
> > no changes to the structure layout reported by pahole, and the resulting
> > machine code is actually smaller.
> >
> > Reported-by: Josef Oskera <joskera@...hat.com>
> > Link: https://lore.kernel.org/lkml/20230217094541.2362873-1-joskera@redhat.com
> > Fixes: f68f2ff91512 ("fortify: Detect struct member overflows in memcpy() at compile-time")
> > Cc: Tariq Toukan <tariqt@...dia.com>
> > Cc: "David S. Miller" <davem@...emloft.net>
> > Cc: Eric Dumazet <edumazet@...gle.com>
> > Cc: Jakub Kicinski <kuba@...nel.org>
> > Cc: Paolo Abeni <pabeni@...hat.com>
> > Cc: Yishai Hadas <yishaih@...dia.com>
> > Cc: netdev@...r.kernel.org
> > Cc: linux-rdma@...r.kernel.org
> > Signed-off-by: Kees Cook <keescook@...omium.org>
> > ---
> >   drivers/net/ethernet/mellanox/mlx4/en_tx.c | 22 +++++++++++-----------
> >   include/linux/mlx4/qp.h                    |  1 +
> >   2 files changed, 12 insertions(+), 11 deletions(-)
> >
>
> Just saw your patch now, after commenting on the other thread. :)
>
> So you choose not to fix similar usages in RDMA driver
> drivers/infiniband/hw/mlx4/qp.c, like:
>
> 3204         spc = MLX4_INLINE_ALIGN -
> 3205                 ((unsigned long) (inl + 1) & (MLX4_INLINE_ALIGN - 1));
> 3206         if (header_size <= spc) {
> 3207                 inl->byte_count = cpu_to_be32(1 << 31 | header_size);
> 3208                 memcpy(inl + 1, sqp->header_buf, header_size);
> 3209                 i = 1;
> 3210         } else {
> 3211                 inl->byte_count = cpu_to_be32(1 << 31 | spc);
> 3212                 memcpy(inl + 1, sqp->header_buf, spc);
> 3213
> 3214                 inl = (void *) (inl + 1) + spc;
> 3215                 memcpy(inl + 1, sqp->header_buf + spc, header_size
> - spc);
>
> This keeps the patch minimal indeed.
>
> Did you repro the issue and test this solution?
> Maybe Josef can also verify it works for him?
>
> > diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
> > index c5758637b7be..2f79378fbf6e 100644
> > --- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
> > +++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
> > @@ -699,32 +699,32 @@ static void build_inline_wqe(struct mlx4_en_tx_desc *tx_desc,
> >                       inl->byte_count = cpu_to_be32(1 << 31 | skb->len);
> >               } else {
> >                       inl->byte_count = cpu_to_be32(1 << 31 | MIN_PKT_LEN);
> > -                     memset(((void *)(inl + 1)) + skb->len, 0,
> > +                     memset(inl->data + skb->len, 0,
> >                              MIN_PKT_LEN - skb->len);
> >               }
> > -             skb_copy_from_linear_data(skb, inl + 1, hlen);
> > +             skb_copy_from_linear_data(skb, inl->data, hlen);
> >               if (shinfo->nr_frags)
> > -                     memcpy(((void *)(inl + 1)) + hlen, fragptr,
> > +                     memcpy(inl->data + hlen, fragptr,
> >                              skb_frag_size(&shinfo->frags[0]));
> >
> >       } else {
> >               inl->byte_count = cpu_to_be32(1 << 31 | spc);
> >               if (hlen <= spc) {
> > -                     skb_copy_from_linear_data(skb, inl + 1, hlen);
> > +                     skb_copy_from_linear_data(skb, inl->data, hlen);
> >                       if (hlen < spc) {
> > -                             memcpy(((void *)(inl + 1)) + hlen,
> > +                             memcpy(inl->data + hlen,
> >                                      fragptr, spc - hlen);
> >                               fragptr +=  spc - hlen;
> >                       }
> > -                     inl = (void *) (inl + 1) + spc;
> > -                     memcpy(((void *)(inl + 1)), fragptr, skb->len - spc);
> > +                     inl = (void *)inl->data + spc;
> > +                     memcpy(inl->data, fragptr, skb->len - spc);
> >               } else {
> > -                     skb_copy_from_linear_data(skb, inl + 1, spc);
> > -                     inl = (void *) (inl + 1) + spc;
> > -                     skb_copy_from_linear_data_offset(skb, spc, inl + 1,
> > +                     skb_copy_from_linear_data(skb, inl->data, spc);
> > +                     inl = (void *)inl->data + spc;
>
> No need now for all these (void *) castings.
>
> > +                     skb_copy_from_linear_data_offset(skb, spc, inl->data,
> >                                                        hlen - spc);
> >                       if (shinfo->nr_frags)
> > -                             memcpy(((void *)(inl + 1)) + hlen - spc,
> > +                             memcpy(inl->data + hlen - spc,
> >                                      fragptr,
> >                                      skb_frag_size(&shinfo->frags[0]));
> >               }
> > diff --git a/include/linux/mlx4/qp.h b/include/linux/mlx4/qp.h
> > index c78b90f2e9a1..b9a7b1319f5d 100644
> > --- a/include/linux/mlx4/qp.h
> > +++ b/include/linux/mlx4/qp.h
> > @@ -446,6 +446,7 @@ enum {
> >
> >   struct mlx4_wqe_inline_seg {
> >       __be32                  byte_count;
> > +     __u8                    data[];
> >   };
> >
> >   enum mlx4_update_qp_attr {
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ