lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <211c9e57-ed0b-4945-9194-ad776bc386bd@app.fastmail.com>
Date: Wed, 21 Feb 2024 17:51:23 +0100
From: "Arnd Bergmann" <arnd@...db.de>
To: "Naresh Kamboju" <naresh.kamboju@...aro.org>,
 "open list" <linux-kernel@...r.kernel.org>, Netdev <netdev@...r.kernel.org>,
 lkft-triage@...ts.linaro.org
Cc: "Kees Cook" <keescook@...omium.org>, "Hao Luo" <haoluo@...gle.com>,
 "Miguel Ojeda" <ojeda@...nel.org>, "Nathan Chancellor" <nathan@...nel.org>,
 "Peter Zijlstra" <peterz@...radead.org>,
 "Justin Stitt" <justinstitt@...gle.com>
Subject: Re: x86: fortify-string.h:63:33: error: '__builtin_memcmp' specified bound
 exceeds maximum object size

On Wed, Feb 21, 2024, at 16:32, Naresh Kamboju wrote:
> The x86 / i386 compilations encountered errors due to additional Kconfigs
> incorporated from the selftests/net/*/config in the Linux next version.
> The issue first appeared with the next-20240213 tag. This problem affects
> the Linux next branch, but not the mainline Linus master branch.
>
> Reported-by: Linux Kernel Functional Testing <lkft@...aro.org>
>
> The bisection points to the following commit id,
> # first bad commit: [64259ce2a20ce2dcc585a2cb83d1366fb04a6008] ubsan:
> reintroduce signed overflow sanitizer
>
> Build errors:
> -------------
> In function 'memcmp',
>     inlined from 'nft_pipapo_insert' at
> /builds/linux/net/netfilter/nft_set_pipapo.c:1258:7:
> /builds/linux/include/linux/fortify-string.h:63:33: error:
> '__builtin_memcmp' specified bound 18446744071562067968 exceeds
> maximum object size 9223372036854775807 [-Werror=stringop-overread]
>    63 | #define __underlying_memcmp     __builtin_memcmp
>       |                                 ^
> /builds/linux/include/linux/fortify-string.h:655:16: note: in
> expansion of macro '__underlying_memcmp'
>   655 |         return __underlying_memcmp(p, q, size);
>       |                ^~~~~~~~~~~~~~~~~~~
> cc1: all warnings being treated as errors

The size 18446744071562067968 is equal to (u64)INT_MIN, so something
goes wrong with the length conversion when a negative length
might be passed into memcmp().

I don't see any relevant changes to this file that
are likely causes, but these warnings are sometimes
sensitive to compiler optimization, so it's possible that
some unrelated change such as 7395dfacfff6 ("netfilter:
nf_tables: use timestamp to check for set element timeout")
just changed the inlining behavior in a way such that
either a warning is now detected when it was previously
hidden and the compiler now sees more about the
state, or it seems less about the state and can no longer
prove that this does not happen.

I have so far not seen the same issue in randconfig builds
on today's linux-next with gcc-13.2.0, but I would guess
that a patch like

diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index aa1d9e93a9a0..c284522f64c4 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1252,11 +1252,12 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set,
        start_p = start;
        end_p = end;
        nft_pipapo_for_each_field(f, i, m) {
+               unsigned length = f->groups / NFT_PIPAPO_GROUPS_PER_BYTE(f);
+
                if (f->rules >= (unsigned long)NFT_PIPAPO_RULE0_MAX)
                        return -ENOSPC;
 
-               if (memcmp(start_p, end_p,
-                          f->groups / NFT_PIPAPO_GROUPS_PER_BYTE(f)) > 0)
+               if (memcmp(start_p, end_p, length)) > 0)
                        return -EINVAL;
 
                start_p += NFT_PIPAPO_GROUPS_PADDED_SIZE(f);


will hide the issue again.

     Arnd

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ