| Message ID | 20211118183807.1283332-1-keescook@chromium.org |
|---|---|
| State | New |
| Headers | show |
| Series | sata_fsl: Use struct_group() for memcpy() region | expand |
On 2021/11/19 3:38, Kees Cook wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memcpy(), memmove(), and memset(), avoid > intentionally writing across neighboring fields. > > Use struct_group() in struct command_desc around members acmd and fill, > so they can be referenced together. This will allow memset(), memcpy(), > and sizeof() to more easily reason about sizes, improve readability, > and avoid future warnings about writing beyond the end of acmd: > > In function 'fortify_memset_chk', > inlined from 'sata_fsl_qc_prep' at drivers/ata/sata_fsl.c:534:3: > ./include/linux/fortify-string.h:199:4: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning] > 199 | __write_overflow_field(); > | ^~~~~~~~~~~~~~~~~~~~~~~~ > > Signed-off-by: Kees Cook <keescook@chromium.org> This lacks some context with regard to FORTIFY_SOURCE and struct_group(). Is that already in 5.16 ? It sounds like it is not. Do you want a ack ? Or do you want me to queue this up for 5.17 ? Cheers. > --- > drivers/ata/sata_fsl.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > > diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c > index e5838b23c9e0..fec3c9032606 100644 > --- a/drivers/ata/sata_fsl.c > +++ b/drivers/ata/sata_fsl.c > @@ -246,8 +246,10 @@ enum { > struct command_desc { > u8 cfis[8 * 4]; > u8 sfis[8 * 4]; > - u8 acmd[4 * 4]; > - u8 fill[4 * 4]; > + struct_group(cdb, > + u8 acmd[4 * 4]; > + u8 fill[4 * 4]; > + ); > u32 prdt[SATA_FSL_MAX_PRD_DIRECT * 4]; > u32 prdt_indirect[(SATA_FSL_MAX_PRD - SATA_FSL_MAX_PRD_DIRECT) * 4]; > }; > @@ -531,8 +533,8 @@ static enum ata_completion_errors sata_fsl_qc_prep(struct ata_queued_cmd *qc) > /* setup "ACMD - atapi command" in cmd. desc. if this is ATAPI cmd */ > if (ata_is_atapi(qc->tf.protocol)) { > desc_info |= ATAPI_CMD; > - memset((void *)&cd->acmd, 0, 32); > - memcpy((void *)&cd->acmd, qc->cdb, qc->dev->cdb_len); > + memset(&cd->cdb, 0, sizeof(cd->cdb)); > + memcpy(&cd->cdb, qc->cdb, qc->dev->cdb_len); > } > > if (qc->flags & ATA_QCFLAG_DMAMAP) >
On Fri, Nov 19, 2021 at 08:17:14AM +0900, Damien Le Moal wrote: > On 2021/11/19 3:38, Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memcpy(), memmove(), and memset(), avoid > > intentionally writing across neighboring fields. > > > > Use struct_group() in struct command_desc around members acmd and fill, > > so they can be referenced together. This will allow memset(), memcpy(), > > and sizeof() to more easily reason about sizes, improve readability, > > and avoid future warnings about writing beyond the end of acmd: > > > > In function 'fortify_memset_chk', > > inlined from 'sata_fsl_qc_prep' at drivers/ata/sata_fsl.c:534:3: > > ./include/linux/fortify-string.h:199:4: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning] > > 199 | __write_overflow_field(); > > | ^~~~~~~~~~~~~~~~~~~~~~~~ > > > > Signed-off-by: Kees Cook <keescook@chromium.org> > > This lacks some context with regard to FORTIFY_SOURCE and struct_group(). Is > that already in 5.16 ? It sounds like it is not. Do you want a ack ? Or do you > want me to queue this up for 5.17 ? Ah yes, some details are here in the earlier "big" series cover letter here: https://lore.kernel.org/linux-hardening/20210818060533.3569517-1-keescook@chromium.org/ One of the requests from earlier review was to split it up for separate trees for the maintainers that wanted to take stuff via their trees directly. The new helpers are landed as of v5.16-rc1, so it can go either way, but given that the merge window is closed, I would expect this to be for v5.17. I am happy to to carry it in my fortify topic branch that I'm expecting to send for 5.17, but totally up to you. Some folks like to take these changes via their trees, others would rather not be bothered with it. :) Thanks! -Kees > > Cheers. > > > --- > > drivers/ata/sata_fsl.c | 10 ++++++---- > > 1 file changed, 6 insertions(+), 4 deletions(-) > > > > diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c > > index e5838b23c9e0..fec3c9032606 100644 > > --- a/drivers/ata/sata_fsl.c > > +++ b/drivers/ata/sata_fsl.c > > @@ -246,8 +246,10 @@ enum { > > struct command_desc { > > u8 cfis[8 * 4]; > > u8 sfis[8 * 4]; > > - u8 acmd[4 * 4]; > > - u8 fill[4 * 4]; > > + struct_group(cdb, > > + u8 acmd[4 * 4]; > > + u8 fill[4 * 4]; > > + ); > > u32 prdt[SATA_FSL_MAX_PRD_DIRECT * 4]; > > u32 prdt_indirect[(SATA_FSL_MAX_PRD - SATA_FSL_MAX_PRD_DIRECT) * 4]; > > }; > > @@ -531,8 +533,8 @@ static enum ata_completion_errors sata_fsl_qc_prep(struct ata_queued_cmd *qc) > > /* setup "ACMD - atapi command" in cmd. desc. if this is ATAPI cmd */ > > if (ata_is_atapi(qc->tf.protocol)) { > > desc_info |= ATAPI_CMD; > > - memset((void *)&cd->acmd, 0, 32); > > - memcpy((void *)&cd->acmd, qc->cdb, qc->dev->cdb_len); > > + memset(&cd->cdb, 0, sizeof(cd->cdb)); > > + memcpy(&cd->cdb, qc->cdb, qc->dev->cdb_len); > > } > > > > if (qc->flags & ATA_QCFLAG_DMAMAP) > > > > > -- > Damien Le Moal > Western Digital Research
On 2021/11/19 8:39, Kees Cook wrote: > On Fri, Nov 19, 2021 at 08:17:14AM +0900, Damien Le Moal wrote: >> On 2021/11/19 3:38, Kees Cook wrote: >>> In preparation for FORTIFY_SOURCE performing compile-time and run-time >>> field bounds checking for memcpy(), memmove(), and memset(), avoid >>> intentionally writing across neighboring fields. >>> >>> Use struct_group() in struct command_desc around members acmd and fill, >>> so they can be referenced together. This will allow memset(), memcpy(), >>> and sizeof() to more easily reason about sizes, improve readability, >>> and avoid future warnings about writing beyond the end of acmd: >>> >>> In function 'fortify_memset_chk', >>> inlined from 'sata_fsl_qc_prep' at drivers/ata/sata_fsl.c:534:3: >>> ./include/linux/fortify-string.h:199:4: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning] >>> 199 | __write_overflow_field(); >>> | ^~~~~~~~~~~~~~~~~~~~~~~~ >>> >>> Signed-off-by: Kees Cook <keescook@chromium.org> >> >> This lacks some context with regard to FORTIFY_SOURCE and struct_group(). Is >> that already in 5.16 ? It sounds like it is not. Do you want a ack ? Or do you >> want me to queue this up for 5.17 ? > > Ah yes, some details are here in the earlier "big" series cover letter > here: > https://lore.kernel.org/linux-hardening/20210818060533.3569517-1-keescook@chromium.org/ > > One of the requests from earlier review was to split it up for separate > trees for the maintainers that wanted to take stuff via their trees > directly. > > The new helpers are landed as of v5.16-rc1, so it can go either way, but > given that the merge window is closed, I would expect this to be for > v5.17. > > I am happy to to carry it in my fortify topic branch that I'm expecting > to send for 5.17, but totally up to you. Some folks like to take these > changes via their trees, others would rather not be bothered with it. :) OK. Since it looks like the compilation warning will trigger only when your big series land in 5.17, I will queue this in for-5.17 (still need to create than one). Is it ok with you ? > > Thanks! > > -Kees > >> >> Cheers. >> >>> --- >>> drivers/ata/sata_fsl.c | 10 ++++++---- >>> 1 file changed, 6 insertions(+), 4 deletions(-) >>> >>> diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c >>> index e5838b23c9e0..fec3c9032606 100644 >>> --- a/drivers/ata/sata_fsl.c >>> +++ b/drivers/ata/sata_fsl.c >>> @@ -246,8 +246,10 @@ enum { >>> struct command_desc { >>> u8 cfis[8 * 4]; >>> u8 sfis[8 * 4]; >>> - u8 acmd[4 * 4]; >>> - u8 fill[4 * 4]; >>> + struct_group(cdb, >>> + u8 acmd[4 * 4]; >>> + u8 fill[4 * 4]; >>> + ); >>> u32 prdt[SATA_FSL_MAX_PRD_DIRECT * 4]; >>> u32 prdt_indirect[(SATA_FSL_MAX_PRD - SATA_FSL_MAX_PRD_DIRECT) * 4]; >>> }; >>> @@ -531,8 +533,8 @@ static enum ata_completion_errors sata_fsl_qc_prep(struct ata_queued_cmd *qc) >>> /* setup "ACMD - atapi command" in cmd. desc. if this is ATAPI cmd */ >>> if (ata_is_atapi(qc->tf.protocol)) { >>> desc_info |= ATAPI_CMD; >>> - memset((void *)&cd->acmd, 0, 32); >>> - memcpy((void *)&cd->acmd, qc->cdb, qc->dev->cdb_len); >>> + memset(&cd->cdb, 0, sizeof(cd->cdb)); >>> + memcpy(&cd->cdb, qc->cdb, qc->dev->cdb_len); >>> } >>> >>> if (qc->flags & ATA_QCFLAG_DMAMAP) >>> >> >> >> -- >> Damien Le Moal >> Western Digital Research >
On Fri, Nov 19, 2021 at 08:52:36AM +0900, Damien Le Moal wrote: > On 2021/11/19 8:39, Kees Cook wrote: > > On Fri, Nov 19, 2021 at 08:17:14AM +0900, Damien Le Moal wrote: > >> On 2021/11/19 3:38, Kees Cook wrote: > >>> In preparation for FORTIFY_SOURCE performing compile-time and run-time > >>> field bounds checking for memcpy(), memmove(), and memset(), avoid > >>> intentionally writing across neighboring fields. > >>> > >>> Use struct_group() in struct command_desc around members acmd and fill, > >>> so they can be referenced together. This will allow memset(), memcpy(), > >>> and sizeof() to more easily reason about sizes, improve readability, > >>> and avoid future warnings about writing beyond the end of acmd: > >>> > >>> In function 'fortify_memset_chk', > >>> inlined from 'sata_fsl_qc_prep' at drivers/ata/sata_fsl.c:534:3: > >>> ./include/linux/fortify-string.h:199:4: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning] > >>> 199 | __write_overflow_field(); > >>> | ^~~~~~~~~~~~~~~~~~~~~~~~ > >>> > >>> Signed-off-by: Kees Cook <keescook@chromium.org> > >> > >> This lacks some context with regard to FORTIFY_SOURCE and struct_group(). Is > >> that already in 5.16 ? It sounds like it is not. Do you want a ack ? Or do you > >> want me to queue this up for 5.17 ? > > > > Ah yes, some details are here in the earlier "big" series cover letter > > here: > > https://lore.kernel.org/linux-hardening/20210818060533.3569517-1-keescook@chromium.org/ > > > > One of the requests from earlier review was to split it up for separate > > trees for the maintainers that wanted to take stuff via their trees > > directly. > > > > The new helpers are landed as of v5.16-rc1, so it can go either way, but > > given that the merge window is closed, I would expect this to be for > > v5.17. > > > > I am happy to to carry it in my fortify topic branch that I'm expecting > > to send for 5.17, but totally up to you. Some folks like to take these > > changes via their trees, others would rather not be bothered with it. :) > > OK. Since it looks like the compilation warning will trigger only when your big > series land in 5.17, I will queue this in for-5.17 (still need to create than > one). Is it ok with you ? Yup, that works for me. Thanks! -Kees
On 2021/11/19 3:38, Kees Cook wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memcpy(), memmove(), and memset(), avoid > intentionally writing across neighboring fields. > > Use struct_group() in struct command_desc around members acmd and fill, > so they can be referenced together. This will allow memset(), memcpy(), > and sizeof() to more easily reason about sizes, improve readability, > and avoid future warnings about writing beyond the end of acmd: > > In function 'fortify_memset_chk', > inlined from 'sata_fsl_qc_prep' at drivers/ata/sata_fsl.c:534:3: > ./include/linux/fortify-string.h:199:4: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning] > 199 | __write_overflow_field(); > | ^~~~~~~~~~~~~~~~~~~~~~~~ > > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > drivers/ata/sata_fsl.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > > diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c > index e5838b23c9e0..fec3c9032606 100644 > --- a/drivers/ata/sata_fsl.c > +++ b/drivers/ata/sata_fsl.c > @@ -246,8 +246,10 @@ enum { > struct command_desc { > u8 cfis[8 * 4]; > u8 sfis[8 * 4]; > - u8 acmd[4 * 4]; > - u8 fill[4 * 4]; > + struct_group(cdb, > + u8 acmd[4 * 4]; > + u8 fill[4 * 4]; > + ); > u32 prdt[SATA_FSL_MAX_PRD_DIRECT * 4]; > u32 prdt_indirect[(SATA_FSL_MAX_PRD - SATA_FSL_MAX_PRD_DIRECT) * 4]; > }; > @@ -531,8 +533,8 @@ static enum ata_completion_errors sata_fsl_qc_prep(struct ata_queued_cmd *qc) > /* setup "ACMD - atapi command" in cmd. desc. if this is ATAPI cmd */ > if (ata_is_atapi(qc->tf.protocol)) { > desc_info |= ATAPI_CMD; > - memset((void *)&cd->acmd, 0, 32); > - memcpy((void *)&cd->acmd, qc->cdb, qc->dev->cdb_len); > + memset(&cd->cdb, 0, sizeof(cd->cdb)); > + memcpy(&cd->cdb, qc->cdb, qc->dev->cdb_len); > } > > if (qc->flags & ATA_QCFLAG_DMAMAP) > Applied to for-5.17. Thanks.
diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c index e5838b23c9e0..fec3c9032606 100644 --- a/drivers/ata/sata_fsl.c +++ b/drivers/ata/sata_fsl.c @@ -246,8 +246,10 @@ enum { struct command_desc { u8 cfis[8 * 4]; u8 sfis[8 * 4]; - u8 acmd[4 * 4]; - u8 fill[4 * 4]; + struct_group(cdb, + u8 acmd[4 * 4]; + u8 fill[4 * 4]; + ); u32 prdt[SATA_FSL_MAX_PRD_DIRECT * 4]; u32 prdt_indirect[(SATA_FSL_MAX_PRD - SATA_FSL_MAX_PRD_DIRECT) * 4]; }; @@ -531,8 +533,8 @@ static enum ata_completion_errors sata_fsl_qc_prep(struct ata_queued_cmd *qc) /* setup "ACMD - atapi command" in cmd. desc. if this is ATAPI cmd */ if (ata_is_atapi(qc->tf.protocol)) { desc_info |= ATAPI_CMD; - memset((void *)&cd->acmd, 0, 32); - memcpy((void *)&cd->acmd, qc->cdb, qc->dev->cdb_len); + memset(&cd->cdb, 0, sizeof(cd->cdb)); + memcpy(&cd->cdb, qc->cdb, qc->dev->cdb_len); } if (qc->flags & ATA_QCFLAG_DMAMAP)
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. Use struct_group() in struct command_desc around members acmd and fill, so they can be referenced together. This will allow memset(), memcpy(), and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of acmd: In function 'fortify_memset_chk', inlined from 'sata_fsl_qc_prep' at drivers/ata/sata_fsl.c:534:3: ./include/linux/fortify-string.h:199:4: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning] 199 | __write_overflow_field(); | ^~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Kees Cook <keescook@chromium.org> --- drivers/ata/sata_fsl.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)