net/ncsi/ncsi-cmd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
The memcpy() in ncsi_cmd_handler_oem deserializes nca->data into a
flexible array structure that overlapping with non-flex-array members
(mfr_id) intentionally. Since the mem_to_flex() API is not finished,
temporarily silence this warning, since it is a false positive, using
unsafe_memcpy().
Reported-by: Joel Stanley <joel@jms.id.au>
Link: https://lore.kernel.org/netdev/CACPK8Xdfi=OJKP0x0D1w87fQeFZ4A2DP2qzGCRcuVbpU-9=4sQ@mail.gmail.com/
Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
net/ncsi/ncsi-cmd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ncsi/ncsi-cmd.c b/net/ncsi/ncsi-cmd.c
index dda8b76b7798..fd2236ee9a79 100644
--- a/net/ncsi/ncsi-cmd.c
+++ b/net/ncsi/ncsi-cmd.c
@@ -228,7 +228,8 @@ static int ncsi_cmd_handler_oem(struct sk_buff *skb,
len += max(payload, padding_bytes);
cmd = skb_put_zero(skb, len);
- memcpy(&cmd->mfr_id, nca->data, nca->payload);
+ unsafe_memcpy(&cmd->mfr_id, nca->data, nca->payload,
+ /* skb allocated with enough to load the payload */);
ncsi_cmd_build_header(&cmd->cmd.common, nca);
return 0;
--
2.34.1
On Fri, 2 Dec 2022 at 21:24, Kees Cook <keescook@chromium.org> wrote: > > The memcpy() in ncsi_cmd_handler_oem deserializes nca->data into a > flexible array structure that overlapping with non-flex-array members > (mfr_id) intentionally. Since the mem_to_flex() API is not finished, > temporarily silence this warning, since it is a false positive, using > unsafe_memcpy(). Thanks for sending the fix Kees. I got a bit busy towards the end of the year. I spent some time looking at how the netlink api was used, and tried to convince myself that a user couldn't send an OEM command that triggered the overflow. It all got a bit tangled up so I didn't come to a conclusion. Cheers, Joel > > Reported-by: Joel Stanley <joel@jms.id.au> > Link: https://lore.kernel.org/netdev/CACPK8Xdfi=OJKP0x0D1w87fQeFZ4A2DP2qzGCRcuVbpU-9=4sQ@mail.gmail.com/ > Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com> > Cc: "David S. Miller" <davem@davemloft.net> > Cc: Eric Dumazet <edumazet@google.com> > Cc: Jakub Kicinski <kuba@kernel.org> > Cc: Paolo Abeni <pabeni@redhat.com> > Cc: netdev@vger.kernel.org > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > net/ncsi/ncsi-cmd.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/ncsi/ncsi-cmd.c b/net/ncsi/ncsi-cmd.c > index dda8b76b7798..fd2236ee9a79 100644 > --- a/net/ncsi/ncsi-cmd.c > +++ b/net/ncsi/ncsi-cmd.c > @@ -228,7 +228,8 @@ static int ncsi_cmd_handler_oem(struct sk_buff *skb, > len += max(payload, padding_bytes); > > cmd = skb_put_zero(skb, len); > - memcpy(&cmd->mfr_id, nca->data, nca->payload); > + unsafe_memcpy(&cmd->mfr_id, nca->data, nca->payload, > + /* skb allocated with enough to load the payload */); > ncsi_cmd_build_header(&cmd->cmd.common, nca); > > return 0; > -- > 2.34.1 >
Hello: This patch was applied to netdev/net-next.git (master) by Jakub Kicinski <kuba@kernel.org>: On Fri, 2 Dec 2022 13:24:22 -0800 you wrote: > The memcpy() in ncsi_cmd_handler_oem deserializes nca->data into a > flexible array structure that overlapping with non-flex-array members > (mfr_id) intentionally. Since the mem_to_flex() API is not finished, > temporarily silence this warning, since it is a false positive, using > unsafe_memcpy(). > > Reported-by: Joel Stanley <joel@jms.id.au> > Link: https://lore.kernel.org/netdev/CACPK8Xdfi=OJKP0x0D1w87fQeFZ4A2DP2qzGCRcuVbpU-9=4sQ@mail.gmail.com/ > Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com> > Cc: "David S. Miller" <davem@davemloft.net> > Cc: Eric Dumazet <edumazet@google.com> > Cc: Jakub Kicinski <kuba@kernel.org> > Cc: Paolo Abeni <pabeni@redhat.com> > Cc: netdev@vger.kernel.org > Signed-off-by: Kees Cook <keescook@chromium.org> > > [...] Here is the summary with links: - net/ncsi: Silence runtime memcpy() false positive warning https://git.kernel.org/netdev/net-next/c/b93884eea26f You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
Hello, On Fri, 2022-12-02 at 13:24 -0800, Kees Cook wrote: > The memcpy() in ncsi_cmd_handler_oem deserializes nca->data into a > flexible array structure that overlapping with non-flex-array members > (mfr_id) intentionally. Since the mem_to_flex() API is not finished, > temporarily silence this warning, since it is a false positive, using > unsafe_memcpy(). > > Reported-by: Joel Stanley <joel@jms.id.au> > Link: https://lore.kernel.org/netdev/CACPK8Xdfi=OJKP0x0D1w87fQeFZ4A2DP2qzGCRcuVbpU-9=4sQ@mail.gmail.com/ > Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com> > Cc: "David S. Miller" <davem@davemloft.net> > Cc: Eric Dumazet <edumazet@google.com> > Cc: Jakub Kicinski <kuba@kernel.org> > Cc: Paolo Abeni <pabeni@redhat.com> > Cc: netdev@vger.kernel.org > Signed-off-by: Kees Cook <keescook@chromium.org> Is this for the -net or the -net-next tree? It applies to both... It you are targetting the -net tree, I think it would be nicer adding a suitable Fixes tag. Thanks! Paolo
On Tue, Dec 06, 2022 at 11:36:54AM +0100, Paolo Abeni wrote: > Hello, > > On Fri, 2022-12-02 at 13:24 -0800, Kees Cook wrote: > > The memcpy() in ncsi_cmd_handler_oem deserializes nca->data into a > > flexible array structure that overlapping with non-flex-array members > > (mfr_id) intentionally. Since the mem_to_flex() API is not finished, > > temporarily silence this warning, since it is a false positive, using > > unsafe_memcpy(). > > > > Reported-by: Joel Stanley <joel@jms.id.au> > > Link: https://lore.kernel.org/netdev/CACPK8Xdfi=OJKP0x0D1w87fQeFZ4A2DP2qzGCRcuVbpU-9=4sQ@mail.gmail.com/ > > Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com> > > Cc: "David S. Miller" <davem@davemloft.net> > > Cc: Eric Dumazet <edumazet@google.com> > > Cc: Jakub Kicinski <kuba@kernel.org> > > Cc: Paolo Abeni <pabeni@redhat.com> > > Cc: netdev@vger.kernel.org > > Signed-off-by: Kees Cook <keescook@chromium.org> > > Is this for the -net or the -net-next tree? It applies to both... > > It you are targetting the -net tree, I think it would be nicer adding a > suitable Fixes tag. -net-next (v6.2) is fine -- this is where the warning manifests. -Kees -- Kees Cook
© 2016 - 2024 Red Hat, Inc.