| Message ID | 20220927004033.1942992-1-keescook@chromium.org (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | d89318bbdf2b8f472d7f1225bbe44ead7b57c5e4 |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | mlxsw: core_acl_flex_actions: Split memcpy() of struct flow_action_cookie flexible array | expand |
On Mon, Sep 26, 2022 at 05:40:33PM -0700, Kees Cook wrote: > To work around a misbehavior of the compiler's ability to see into > composite flexible array structs (as detailed in the coming memcpy() > hardening series[1]), split the memcpy() of the header and the payload > so no false positive run-time overflow warning will be generated. > > [1] https://lore.kernel.org/linux-hardening/20220901065914.1417829-2-keescook@chromium.org > > Cc: Ido Schimmel <idosch@nvidia.com> > Cc: Petr Machata <petrm@nvidia.com> > Cc: "David S. Miller" <davem@davemloft.net> > Cc: Eric Dumazet <edumazet@google.com> > Cc: Jakub Kicinski <kuba@kernel.org> > Cc: Paolo Abeni <pabeni@redhat.com> > Cc: netdev@vger.kernel.org > Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org> Thanks! -- Gustavo > --- > drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c b/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c > index 636db9a87457..9dfe7148199f 100644 > --- a/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c > +++ b/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c > @@ -737,8 +737,9 @@ mlxsw_afa_cookie_create(struct mlxsw_afa *mlxsw_afa, > if (!cookie) > return ERR_PTR(-ENOMEM); > refcount_set(&cookie->ref_count, 1); > - memcpy(&cookie->fa_cookie, fa_cookie, > - sizeof(*fa_cookie) + fa_cookie->cookie_len); > + cookie->fa_cookie = *fa_cookie; > + memcpy(cookie->fa_cookie.cookie, fa_cookie->cookie, > + fa_cookie->cookie_len); > > err = rhashtable_insert_fast(&mlxsw_afa->cookie_ht, &cookie->ht_node, > mlxsw_afa_cookie_ht_params); > -- > 2.34.1 >
Kees Cook <keescook@chromium.org> writes: > To work around a misbehavior of the compiler's ability to see into > composite flexible array structs (as detailed in the coming memcpy() > hardening series[1]), split the memcpy() of the header and the payload > so no false positive run-time overflow warning will be generated. > > [1] https://lore.kernel.org/linux-hardening/20220901065914.1417829-2-keescook@chromium.org > > Cc: Ido Schimmel <idosch@nvidia.com> > Cc: Petr Machata <petrm@nvidia.com> > Cc: "David S. Miller" <davem@davemloft.net> > Cc: Eric Dumazet <edumazet@google.com> > Cc: Jakub Kicinski <kuba@kernel.org> > Cc: Paolo Abeni <pabeni@redhat.com> > Cc: netdev@vger.kernel.org > Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Petr Machata <petrm@nvidia.com>
Hello: This patch was applied to netdev/net-next.git (master) by Jakub Kicinski <kuba@kernel.org>: On Mon, 26 Sep 2022 17:40:33 -0700 you wrote: > To work around a misbehavior of the compiler's ability to see into > composite flexible array structs (as detailed in the coming memcpy() > hardening series[1]), split the memcpy() of the header and the payload > so no false positive run-time overflow warning will be generated. > > [1] https://lore.kernel.org/linux-hardening/20220901065914.1417829-2-keescook@chromium.org > > [...] Here is the summary with links: - mlxsw: core_acl_flex_actions: Split memcpy() of struct flow_action_cookie flexible array https://git.kernel.org/netdev/net-next/c/d89318bbdf2b You are awesome, thank you!
diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c b/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c index 636db9a87457..9dfe7148199f 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c +++ b/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c @@ -737,8 +737,9 @@ mlxsw_afa_cookie_create(struct mlxsw_afa *mlxsw_afa, if (!cookie) return ERR_PTR(-ENOMEM); refcount_set(&cookie->ref_count, 1); - memcpy(&cookie->fa_cookie, fa_cookie, - sizeof(*fa_cookie) + fa_cookie->cookie_len); + cookie->fa_cookie = *fa_cookie; + memcpy(cookie->fa_cookie.cookie, fa_cookie->cookie, + fa_cookie->cookie_len); err = rhashtable_insert_fast(&mlxsw_afa->cookie_ht, &cookie->ht_node, mlxsw_afa_cookie_ht_params);
To work around a misbehavior of the compiler's ability to see into composite flexible array structs (as detailed in the coming memcpy() hardening series[1]), split the memcpy() of the header and the payload so no false positive run-time overflow warning will be generated. [1] https://lore.kernel.org/linux-hardening/20220901065914.1417829-2-keescook@chromium.org Cc: Ido Schimmel <idosch@nvidia.com> Cc: Petr Machata <petrm@nvidia.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Eric Dumazet <edumazet@google.com> Cc: Jakub Kicinski <kuba@kernel.org> Cc: Paolo Abeni <pabeni@redhat.com> Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> --- drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)