diff mbox series

net/ncsi: Silence runtime memcpy() false positive warning

Message ID 20221202212418.never.837-kees@kernel.org (mailing list archive)
State Accepted
Commit b93884eea26f97a3dc4c1df8c64389cbb0673001
Delegated to: Netdev Maintainers
Headers show
Series net/ncsi: Silence runtime memcpy() false positive warning | expand

Checks

Context Check Description
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 2 this patch: 2
netdev/cc_maintainers success CCed 6 of 6 maintainers
netdev/build_clang success Errors and warnings before: 5 this patch: 5
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 2 this patch: 2
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Kees Cook Dec. 2, 2022, 9:24 p.m. UTC 
The memcpy() in ncsi_cmd_handler_oem deserializes nca->data into a
flexible array structure that overlapping with non-flex-array members
(mfr_id) intentionally. Since the mem_to_flex() API is not finished,
temporarily silence this warning, since it is a false positive, using
unsafe_memcpy().

Reported-by: Joel Stanley <joel@jms.id.au>
Link: https://lore.kernel.org/netdev/CACPK8Xdfi=OJKP0x0D1w87fQeFZ4A2DP2qzGCRcuVbpU-9=4sQ@mail.gmail.com/
Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 net/ncsi/ncsi-cmd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Paolo Abeni Dec. 6, 2022, 10:36 a.m. UTC | #1 
Hello,

On Fri, 2022-12-02 at 13:24 -0800, Kees Cook wrote:
> The memcpy() in ncsi_cmd_handler_oem deserializes nca->data into a
> flexible array structure that overlapping with non-flex-array members
> (mfr_id) intentionally. Since the mem_to_flex() API is not finished,
> temporarily silence this warning, since it is a false positive, using
> unsafe_memcpy().
> 
> Reported-by: Joel Stanley <joel@jms.id.au>
> Link: https://lore.kernel.org/netdev/CACPK8Xdfi=OJKP0x0D1w87fQeFZ4A2DP2qzGCRcuVbpU-9=4sQ@mail.gmail.com/
> Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: netdev@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>

Is this for the -net or the -net-next tree? It applies to both...

It you are targetting the -net tree, I think it would be nicer adding a
suitable Fixes tag.

Thanks!

Paolo
Kees Cook Dec. 6, 2022, 11:29 p.m. UTC | #2 
On Tue, Dec 06, 2022 at 11:36:54AM +0100, Paolo Abeni wrote:
> Hello,
> 
> On Fri, 2022-12-02 at 13:24 -0800, Kees Cook wrote:
> > The memcpy() in ncsi_cmd_handler_oem deserializes nca->data into a
> > flexible array structure that overlapping with non-flex-array members
> > (mfr_id) intentionally. Since the mem_to_flex() API is not finished,
> > temporarily silence this warning, since it is a false positive, using
> > unsafe_memcpy().
> > 
> > Reported-by: Joel Stanley <joel@jms.id.au>
> > Link: https://lore.kernel.org/netdev/CACPK8Xdfi=OJKP0x0D1w87fQeFZ4A2DP2qzGCRcuVbpU-9=4sQ@mail.gmail.com/
> > Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com>
> > Cc: "David S. Miller" <davem@davemloft.net>
> > Cc: Eric Dumazet <edumazet@google.com>
> > Cc: Jakub Kicinski <kuba@kernel.org>
> > Cc: Paolo Abeni <pabeni@redhat.com>
> > Cc: netdev@vger.kernel.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> 
> Is this for the -net or the -net-next tree? It applies to both...
> 
> It you are targetting the -net tree, I think it would be nicer adding a
> suitable Fixes tag.

-net-next (v6.2) is fine -- this is where the warning manifests.

-Kees
patchwork-bot+netdevbpf@kernel.org Dec. 7, 2022, 2:10 a.m. UTC | #3 
Hello:

This patch was applied to netdev/net-next.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Fri,  2 Dec 2022 13:24:22 -0800 you wrote:
> The memcpy() in ncsi_cmd_handler_oem deserializes nca->data into a
> flexible array structure that overlapping with non-flex-array members
> (mfr_id) intentionally. Since the mem_to_flex() API is not finished,
> temporarily silence this warning, since it is a false positive, using
> unsafe_memcpy().
> 
> Reported-by: Joel Stanley <joel@jms.id.au>
> Link: https://lore.kernel.org/netdev/CACPK8Xdfi=OJKP0x0D1w87fQeFZ4A2DP2qzGCRcuVbpU-9=4sQ@mail.gmail.com/
> Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: netdev@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> 
> [...]

Here is the summary with links:
  - net/ncsi: Silence runtime memcpy() false positive warning
    https://git.kernel.org/netdev/net-next/c/b93884eea26f

You are awesome, thank you!
Joel Stanley Jan. 18, 2023, 2:38 a.m. UTC | #4 
On Fri, 2 Dec 2022 at 21:24, Kees Cook <keescook@chromium.org> wrote:
>
> The memcpy() in ncsi_cmd_handler_oem deserializes nca->data into a
> flexible array structure that overlapping with non-flex-array members
> (mfr_id) intentionally. Since the mem_to_flex() API is not finished,
> temporarily silence this warning, since it is a false positive, using
> unsafe_memcpy().

Thanks for sending the fix Kees. I got a bit busy towards the end of the year.

I spent some time looking at how the netlink api was used, and tried
to convince myself that a user couldn't send an OEM command that
triggered the overflow. It all got a bit tangled up so I didn't come
to a conclusion.

Cheers,

Joel

>
> Reported-by: Joel Stanley <joel@jms.id.au>
> Link: https://lore.kernel.org/netdev/CACPK8Xdfi=OJKP0x0D1w87fQeFZ4A2DP2qzGCRcuVbpU-9=4sQ@mail.gmail.com/
> Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: netdev@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  net/ncsi/ncsi-cmd.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/ncsi/ncsi-cmd.c b/net/ncsi/ncsi-cmd.c
> index dda8b76b7798..fd2236ee9a79 100644
> --- a/net/ncsi/ncsi-cmd.c
> +++ b/net/ncsi/ncsi-cmd.c
> @@ -228,7 +228,8 @@ static int ncsi_cmd_handler_oem(struct sk_buff *skb,
>         len += max(payload, padding_bytes);
>
>         cmd = skb_put_zero(skb, len);
> -       memcpy(&cmd->mfr_id, nca->data, nca->payload);
> +       unsafe_memcpy(&cmd->mfr_id, nca->data, nca->payload,
> +                     /* skb allocated with enough to load the payload */);
>         ncsi_cmd_build_header(&cmd->cmd.common, nca);
>
>         return 0;
> --
> 2.34.1
>
diff mbox series

Patch

diff --git a/net/ncsi/ncsi-cmd.c b/net/ncsi/ncsi-cmd.c
index dda8b76b7798..fd2236ee9a79 100644
--- a/net/ncsi/ncsi-cmd.c
+++ b/net/ncsi/ncsi-cmd.c
@@ -228,7 +228,8 @@  static int ncsi_cmd_handler_oem(struct sk_buff *skb,
 	len += max(payload, padding_bytes);
 
 	cmd = skb_put_zero(skb, len);
-	memcpy(&cmd->mfr_id, nca->data, nca->payload);
+	unsafe_memcpy(&cmd->mfr_id, nca->data, nca->payload,
+		      /* skb allocated with enough to load the payload */);
 	ncsi_cmd_build_header(&cmd->cmd.common, nca);
 
 	return 0;