netfilter: fix stringop-overflow warning with UBSAN

Message ID 20170731100913.465530-1-arnd@arndb.de
State Changes Requested
Delegated to: Pablo Neira
Headers show

Commit Message

Arnd Bergmann July 31, 2017, 10:09 a.m.
Using gcc-7 with UBSAN enabled, we get this false-positive warning:

net/netfilter/ipset/ip_set_core.c: In function 'ip_set_sockfn_get':
net/netfilter/ipset/ip_set_core.c:1998:3: error: 'strncpy' writing 32 bytes into a region of size 2 overflows the destination [-Werror=stringop-overflow=]
   strncpy(req_get->set.name, set ? set->name : "",
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    sizeof(req_get->set.name));
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

This seems completely bogus, and I could not find a nice workaround.
To work around it in a less elegant way, I change the ?: operator
into an if()/else() construct.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 net/netfilter/ipset/ip_set_core.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Comments

David Laight Aug. 1, 2017, 9:25 a.m. | #1
From: Arnd Bergmann
> Sent: 31 July 2017 11:09
> Using gcc-7 with UBSAN enabled, we get this false-positive warning:
> 
> net/netfilter/ipset/ip_set_core.c: In function 'ip_set_sockfn_get':
> net/netfilter/ipset/ip_set_core.c:1998:3: error: 'strncpy' writing 32 bytes into a region of size 2
> overflows the destination [-Werror=stringop-overflow=]
>    strncpy(req_get->set.name, set ? set->name : "",
>    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     sizeof(req_get->set.name));
>     ~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> This seems completely bogus, and I could not find a nice workaround.
> To work around it in a less elegant way, I change the ?: operator
> into an if()/else() construct.
> 
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
>  net/netfilter/ipset/ip_set_core.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
> index e495b5e484b1..d7ebb021003b 100644
> --- a/net/netfilter/ipset/ip_set_core.c
> +++ b/net/netfilter/ipset/ip_set_core.c
> @@ -1995,8 +1995,12 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
>  		}
>  		nfnl_lock(NFNL_SUBSYS_IPSET);
>  		set = ip_set(inst, req_get->set.index);
> -		strncpy(req_get->set.name, ,
> -			IPSET_MAXNAMELEN);
> +		if (set)
> +			strncpy(req_get->set.name, set->name,
> +				sizeof(req_get->set.name));
> +		else
> +			memset(req_get->set.name, '\0',
> +			       sizeof(req_get->set.name));

If you use strncpy() here, the compiler might optimise the code
back to 'how it was before'.

Or, maybe an explicit temporary: 'const char *name = set ? set->name : "";

	David

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Jozsef Kadlecsik Oct. 4, 2017, 6:01 p.m. | #2
Hi,

[Sorry, at holiday I just cursory watched the mailing lists.]

On Tue, 1 Aug 2017, David Laight wrote:

> From: Arnd Bergmann
> > Sent: 31 July 2017 11:09
> > Using gcc-7 with UBSAN enabled, we get this false-positive warning:
> > 
> > net/netfilter/ipset/ip_set_core.c: In function 'ip_set_sockfn_get':
> > net/netfilter/ipset/ip_set_core.c:1998:3: error: 'strncpy' writing 32 bytes into a region of size 2
> > overflows the destination [-Werror=stringop-overflow=]
> >    strncpy(req_get->set.name, set ? set->name : "",
> >    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >     sizeof(req_get->set.name));
> >     ~~~~~~~~~~~~~~~~~~~~~~~~~~
> > 
> > This seems completely bogus, and I could not find a nice workaround.
> > To work around it in a less elegant way, I change the ?: operator
> > into an if()/else() construct.
> > 
> > Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> > ---
> >  net/netfilter/ipset/ip_set_core.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> > 
> > diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
> > index e495b5e484b1..d7ebb021003b 100644
> > --- a/net/netfilter/ipset/ip_set_core.c
> > +++ b/net/netfilter/ipset/ip_set_core.c
> > @@ -1995,8 +1995,12 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
> >  		}
> >  		nfnl_lock(NFNL_SUBSYS_IPSET);
> >  		set = ip_set(inst, req_get->set.index);
> > -		strncpy(req_get->set.name, ,
> > -			IPSET_MAXNAMELEN);
> > +		if (set)
> > +			strncpy(req_get->set.name, set->name,
> > +				sizeof(req_get->set.name));
> > +		else
> > +			memset(req_get->set.name, '\0',
> > +			       sizeof(req_get->set.name));
> 
> If you use strncpy() here, the compiler might optimise the code
> back to 'how it was before'.
> 
> Or, maybe an explicit temporary: 'const char *name = set ? set->name : "";

I think the best to go with the explicit temporary variable. The if-else 
construct is too much for such a case.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index e495b5e484b1..d7ebb021003b 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1995,8 +1995,12 @@  ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
 		}
 		nfnl_lock(NFNL_SUBSYS_IPSET);
 		set = ip_set(inst, req_get->set.index);
-		strncpy(req_get->set.name, set ? set->name : "",
-			IPSET_MAXNAMELEN);
+		if (set)
+			strncpy(req_get->set.name, set->name,
+				sizeof(req_get->set.name));
+		else
+			memset(req_get->set.name, '\0',
+			       sizeof(req_get->set.name));
 		nfnl_unlock(NFNL_SUBSYS_IPSET);
 		goto copy;
 	}