Message ID | 20210727205855.411487-43-keescook@chromium.org (mailing list archive) |
---|---|
State | Not Applicable |
Delegated to: | Johannes Berg |
Headers | show |
Series | Introduce strict memcpy() bounds checking | expand |
On Tue, Jul 27, 2021 at 01:58:33PM -0700, Kees Cook wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memset(), avoid intentionally writing across > neighboring fields. > > Use memset_after() so memset() doesn't get confused about writing > beyond the destination member that is intended to be the starting point > of zeroing through the end of the struct. > > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > The old code seems to be doing the wrong thing: starting from not the > first member, but sized for the whole struct. Which is correct? Quick ping on this question. The old code seems to be doing the wrong thing: it starts from the second member and writes beyond int_info, clobbering qede_lock: struct qede_dev { ... struct qed_int_info int_info; /* Smaller private variant of the RTNL lock */ struct mutex qede_lock; ... struct qed_int_info { struct msix_entry *msix; u8 msix_cnt; /* This should be updated by the protocol driver */ u8 used_cnt; }; Should this also clear the "msix" member, or should this not write beyond int_info? This patch does the latter. -Kees > --- > drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c > index 01ac1e93d27a..309dfe8c94fb 100644 > --- a/drivers/net/ethernet/qlogic/qede/qede_main.c > +++ b/drivers/net/ethernet/qlogic/qede/qede_main.c > @@ -2419,7 +2419,7 @@ static int qede_load(struct qede_dev *edev, enum qede_load_mode mode, > goto out; > err4: > qede_sync_free_irqs(edev); > - memset(&edev->int_info.msix_cnt, 0, sizeof(struct qed_int_info)); > + memset_after(&edev->int_info, 0, msix); > err3: > qede_napi_disable_remove(edev); > err2: > -- > 2.30.2 >
diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c index 01ac1e93d27a..309dfe8c94fb 100644 --- a/drivers/net/ethernet/qlogic/qede/qede_main.c +++ b/drivers/net/ethernet/qlogic/qede/qede_main.c @@ -2419,7 +2419,7 @@ static int qede_load(struct qede_dev *edev, enum qede_load_mode mode, goto out; err4: qede_sync_free_irqs(edev); - memset(&edev->int_info.msix_cnt, 0, sizeof(struct qed_int_info)); + memset_after(&edev->int_info, 0, msix); err3: qede_napi_disable_remove(edev); err2:
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Use memset_after() so memset() doesn't get confused about writing beyond the destination member that is intended to be the starting point of zeroing through the end of the struct. Signed-off-by: Kees Cook <keescook@chromium.org> --- The old code seems to be doing the wrong thing: starting from not the first member, but sized for the whole struct. Which is correct? --- drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)