| Message ID | 20210818043912.1466447-1-keescook@chromium.org (mailing list archive) |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | Bluetooth: mgmt: Pessimize compile-time bounds-check | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Link |
| netdev/fixes_present | success | Link |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Guessed tree name to be net-next |
| netdev/subject_prefix | warning | Target tree name not specified in the subject |
| netdev/cc_maintainers | success | CCed 7 of 7 maintainers |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Link |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 2 this patch: 2 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | Link |
| netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 8 lines checked |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 2 this patch: 2 |
| netdev/header_inline | success | Link |
Hi Kees, > After gaining __alloc_size hints, GCC thinks it can reach a memcpy() > with eir_len == 0 (since it can't see into the rewrite of status). > Instead, check eir_len == 0, avoiding this future warning: > > In function 'eir_append_data', > inlined from 'read_local_oob_ext_data_complete' at net/bluetooth/mgmt.c:7210:12: > ./include/linux/fortify-string.h:54:29: warning: '__builtin_memcpy' offset 5 is out of the bounds [0, 3] [-Warray-bounds] > ... > net/bluetooth/hci_request.h:133:2: note: in expansion of macro 'memcpy' > 133 | memcpy(&eir[eir_len], data, data_len); > | ^~~~~~ > > Cc: Marcel Holtmann <marcel@holtmann.org> > Cc: Johan Hedberg <johan.hedberg@gmail.com> > Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com> > Cc: "David S. Miller" <davem@davemloft.net> > Cc: Jakub Kicinski <kuba@kernel.org> > Cc: linux-bluetooth@vger.kernel.org > Cc: netdev@vger.kernel.org > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > net/bluetooth/mgmt.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) patch has been applied to bluetooth-next tree. Regards Marcel
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 1e21e014efd2..cea01e275f1e 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -7204,7 +7204,7 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, u8 status, if (!mgmt_rp) goto done; - if (status) + if (eir_len == 0) goto send_rsp; eir_len = eir_append_data(mgmt_rp->eir, 0, EIR_CLASS_OF_DEV,
After gaining __alloc_size hints, GCC thinks it can reach a memcpy() with eir_len == 0 (since it can't see into the rewrite of status). Instead, check eir_len == 0, avoiding this future warning: In function 'eir_append_data', inlined from 'read_local_oob_ext_data_complete' at net/bluetooth/mgmt.c:7210:12: ./include/linux/fortify-string.h:54:29: warning: '__builtin_memcpy' offset 5 is out of the bounds [0, 3] [-Warray-bounds] ... net/bluetooth/hci_request.h:133:2: note: in expansion of macro 'memcpy' 133 | memcpy(&eir[eir_len], data, data_len); | ^~~~~~ Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Jakub Kicinski <kuba@kernel.org> Cc: linux-bluetooth@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> --- net/bluetooth/mgmt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)