1. Patchew
  2. linux
  3. View series

[PATCH] net/ncsi: Silence runtime memcpy() false positive warning

Kees Cook posted 1 patch 1 year, 4 months ago 
net/ncsi/ncsi-cmd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[PATCH] net/ncsi: Silence runtime memcpy() false positive warning
Posted by Kees Cook 1 year, 4 months ago 
The memcpy() in ncsi_cmd_handler_oem deserializes nca->data into a
flexible array structure that overlapping with non-flex-array members
(mfr_id) intentionally. Since the mem_to_flex() API is not finished,
temporarily silence this warning, since it is a false positive, using
unsafe_memcpy().

Reported-by: Joel Stanley <joel@jms.id.au>
Link: https://lore.kernel.org/netdev/CACPK8Xdfi=OJKP0x0D1w87fQeFZ4A2DP2qzGCRcuVbpU-9=4sQ@mail.gmail.com/
Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 net/ncsi/ncsi-cmd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ncsi/ncsi-cmd.c b/net/ncsi/ncsi-cmd.c
index dda8b76b7798..fd2236ee9a79 100644
--- a/net/ncsi/ncsi-cmd.c
+++ b/net/ncsi/ncsi-cmd.c
@@ -228,7 +228,8 @@ static int ncsi_cmd_handler_oem(struct sk_buff *skb,
 	len += max(payload, padding_bytes);
 
 	cmd = skb_put_zero(skb, len);
-	memcpy(&cmd->mfr_id, nca->data, nca->payload);
+	unsafe_memcpy(&cmd->mfr_id, nca->data, nca->payload,
+		      /* skb allocated with enough to load the payload */);
 	ncsi_cmd_build_header(&cmd->cmd.common, nca);
 
 	return 0;
-- 
2.34.1
Re: [PATCH] net/ncsi: Silence runtime memcpy() false positive warning
Posted by Joel Stanley 1 year, 3 months ago 
On Fri, 2 Dec 2022 at 21:24, Kees Cook <keescook@chromium.org> wrote:
>
> The memcpy() in ncsi_cmd_handler_oem deserializes nca->data into a
> flexible array structure that overlapping with non-flex-array members
> (mfr_id) intentionally. Since the mem_to_flex() API is not finished,
> temporarily silence this warning, since it is a false positive, using
> unsafe_memcpy().

Thanks for sending the fix Kees. I got a bit busy towards the end of the year.

I spent some time looking at how the netlink api was used, and tried
to convince myself that a user couldn't send an OEM command that
triggered the overflow. It all got a bit tangled up so I didn't come
to a conclusion.

Cheers,

Joel

>
> Reported-by: Joel Stanley <joel@jms.id.au>
> Link: https://lore.kernel.org/netdev/CACPK8Xdfi=OJKP0x0D1w87fQeFZ4A2DP2qzGCRcuVbpU-9=4sQ@mail.gmail.com/
> Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: netdev@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  net/ncsi/ncsi-cmd.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/ncsi/ncsi-cmd.c b/net/ncsi/ncsi-cmd.c
> index dda8b76b7798..fd2236ee9a79 100644
> --- a/net/ncsi/ncsi-cmd.c
> +++ b/net/ncsi/ncsi-cmd.c
> @@ -228,7 +228,8 @@ static int ncsi_cmd_handler_oem(struct sk_buff *skb,
>         len += max(payload, padding_bytes);
>
>         cmd = skb_put_zero(skb, len);
> -       memcpy(&cmd->mfr_id, nca->data, nca->payload);
> +       unsafe_memcpy(&cmd->mfr_id, nca->data, nca->payload,
> +                     /* skb allocated with enough to load the payload */);
>         ncsi_cmd_build_header(&cmd->cmd.common, nca);
>
>         return 0;
> --
> 2.34.1
>
Re: [PATCH] net/ncsi: Silence runtime memcpy() false positive warning
Posted by patchwork-bot+netdevbpf@kernel.org 1 year, 4 months ago 
Hello:

This patch was applied to netdev/net-next.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Fri,  2 Dec 2022 13:24:22 -0800 you wrote:
> The memcpy() in ncsi_cmd_handler_oem deserializes nca->data into a
> flexible array structure that overlapping with non-flex-array members
> (mfr_id) intentionally. Since the mem_to_flex() API is not finished,
> temporarily silence this warning, since it is a false positive, using
> unsafe_memcpy().
> 
> Reported-by: Joel Stanley <joel@jms.id.au>
> Link: https://lore.kernel.org/netdev/CACPK8Xdfi=OJKP0x0D1w87fQeFZ4A2DP2qzGCRcuVbpU-9=4sQ@mail.gmail.com/
> Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: netdev@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> 
> [...]

Here is the summary with links:
  - net/ncsi: Silence runtime memcpy() false positive warning
    https://git.kernel.org/netdev/net-next/c/b93884eea26f

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
Re: [PATCH] net/ncsi: Silence runtime memcpy() false positive warning
Posted by Paolo Abeni 1 year, 4 months ago 
Hello,

On Fri, 2022-12-02 at 13:24 -0800, Kees Cook wrote:
> The memcpy() in ncsi_cmd_handler_oem deserializes nca->data into a
> flexible array structure that overlapping with non-flex-array members
> (mfr_id) intentionally. Since the mem_to_flex() API is not finished,
> temporarily silence this warning, since it is a false positive, using
> unsafe_memcpy().
> 
> Reported-by: Joel Stanley <joel@jms.id.au>
> Link: https://lore.kernel.org/netdev/CACPK8Xdfi=OJKP0x0D1w87fQeFZ4A2DP2qzGCRcuVbpU-9=4sQ@mail.gmail.com/
> Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: netdev@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>

Is this for the -net or the -net-next tree? It applies to both...

It you are targetting the -net tree, I think it would be nicer adding a
suitable Fixes tag.

Thanks!

Paolo
Re: [PATCH] net/ncsi: Silence runtime memcpy() false positive warning
Posted by Kees Cook 1 year, 4 months ago 
On Tue, Dec 06, 2022 at 11:36:54AM +0100, Paolo Abeni wrote:
> Hello,
> 
> On Fri, 2022-12-02 at 13:24 -0800, Kees Cook wrote:
> > The memcpy() in ncsi_cmd_handler_oem deserializes nca->data into a
> > flexible array structure that overlapping with non-flex-array members
> > (mfr_id) intentionally. Since the mem_to_flex() API is not finished,
> > temporarily silence this warning, since it is a false positive, using
> > unsafe_memcpy().
> > 
> > Reported-by: Joel Stanley <joel@jms.id.au>
> > Link: https://lore.kernel.org/netdev/CACPK8Xdfi=OJKP0x0D1w87fQeFZ4A2DP2qzGCRcuVbpU-9=4sQ@mail.gmail.com/
> > Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com>
> > Cc: "David S. Miller" <davem@davemloft.net>
> > Cc: Eric Dumazet <edumazet@google.com>
> > Cc: Jakub Kicinski <kuba@kernel.org>
> > Cc: Paolo Abeni <pabeni@redhat.com>
> > Cc: netdev@vger.kernel.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> 
> Is this for the -net or the -net-next tree? It applies to both...
> 
> It you are targetting the -net tree, I think it would be nicer adding a
> suitable Fixes tag.

-net-next (v6.2) is fine -- this is where the warning manifests.

-Kees

-- 
Kees Cook

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.