| Message ID | 20230214132831.2118392-1-arnd@kernel.org |
|---|---|
| State | New |
| Headers | show |
| Series | [v2] scsi: ipr: work around fortify-string warning | expand |
On Tue, Feb 14, 2023 at 02:28:08PM +0100, Arnd Bergmann wrote: > From: Arnd Bergmann <arnd@arndb.de> > > The ipr_log_vpd_compact() function triggers a fortified memcpy() warning > about a potential string overflow with all versions of clang: Perhaps this is arch or config specific? I haven't been able to reproduce this for some reason.
On Tue, Feb 14, 2023, at 22:49, Kees Cook wrote: > On Tue, Feb 14, 2023 at 02:28:08PM +0100, Arnd Bergmann wrote: >> From: Arnd Bergmann <arnd@arndb.de> >> >> The ipr_log_vpd_compact() function triggers a fortified memcpy() warning >> about a potential string overflow with all versions of clang: > > Perhaps this is arch or config specific? I haven't been able to reproduce > this for some reason. I saw it on three arm32 randconfig builds out of a few thousand, with clang-15, clang-16 and clang-17. See [1] for one config that triggered it with recent linux-next based tree. Arnd [1] https://pastebin.com/c9FEjzKe
On 2/14/23 22:28, Arnd Bergmann wrote: > From: Arnd Bergmann <arnd@arndb.de> > > The ipr_log_vpd_compact() function triggers a fortified memcpy() warning > about a potential string overflow with all versions of clang: > > In file included from drivers/scsi/ipr.c:43: > In file included from include/linux/string.h:254: > include/linux/fortify-string.h:520:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] > __write_overflow_field(p_size_field, size); > ^ > include/linux/fortify-string.h:520:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] > 2 errors generated. > > I don't see anything actually wrong with the function, but this is the > only instance I can reproduce of the fortification going wrong in the > kernel at the moment, so the easiest solution may be to rewrite the > function into something that does not trigger the warning. > > Instead of having a combined buffer for vendor/device/serial strings, > use three separate local variables and just truncate the whitespace > individually. > > Fixes: 8cf093e275d0 ("[SCSI] ipr: Improved dual adapter errors") > Cc: Kees Cook <keescook@chromium.org> > Signed-off-by: Arnd Bergmann <arnd@arndb.de> Looks good to me. Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
On Tue, Feb 14, 2023 at 02:28:08PM +0100, Arnd Bergmann wrote: > From: Arnd Bergmann <arnd@arndb.de> > > The ipr_log_vpd_compact() function triggers a fortified memcpy() warning > about a potential string overflow with all versions of clang: > > In file included from drivers/scsi/ipr.c:43: > In file included from include/linux/string.h:254: > include/linux/fortify-string.h:520:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] > __write_overflow_field(p_size_field, size); > ^ > include/linux/fortify-string.h:520:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] > 2 errors generated. > > I don't see anything actually wrong with the function, but this is the > only instance I can reproduce of the fortification going wrong in the > kernel at the moment, so the easiest solution may be to rewrite the > function into something that does not trigger the warning. > > Instead of having a combined buffer for vendor/device/serial strings, > use three separate local variables and just truncate the whitespace > individually. > > Fixes: 8cf093e275d0 ("[SCSI] ipr: Improved dual adapter errors") > Cc: Kees Cook <keescook@chromium.org> > Signed-off-by: Arnd Bergmann <arnd@arndb.de> Reviewed-by: Kees Cook <keescook@chromium.org> Reproduced this locally -- I agree your fix looks like the best approach. I think Clang was seeing the old "i + 2" return as potentially overflowing in the case where there was no space-padding on any strings.
On 2/14/23 7:28 AM, Arnd Bergmann wrote: > From: Arnd Bergmann <arnd@arndb.de> > > The ipr_log_vpd_compact() function triggers a fortified memcpy() warning > about a potential string overflow with all versions of clang: > > In file included from drivers/scsi/ipr.c:43: > In file included from include/linux/string.h:254: > include/linux/fortify-string.h:520:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] > __write_overflow_field(p_size_field, size); > ^ > include/linux/fortify-string.h:520:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] > 2 errors generated. > > I don't see anything actually wrong with the function, but this is the > only instance I can reproduce of the fortification going wrong in the > kernel at the moment, so the easiest solution may be to rewrite the > function into something that does not trigger the warning. > > Instead of having a combined buffer for vendor/device/serial strings, > use three separate local variables and just truncate the whitespace > individually. > > Fixes: 8cf093e275d0 ("[SCSI] ipr: Improved dual adapter errors") > Cc: Kees Cook <keescook@chromium.org> > Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Brian King <brking@linux.vnet.ibm.com>
Arnd, > The ipr_log_vpd_compact() function triggers a fortified memcpy() > warning about a potential string overflow with all versions of clang: Applied to 6.3/scsi-staging, thanks!
diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c index 198d3f20d682..f1f61705ccd5 100644 --- a/drivers/scsi/ipr.c +++ b/drivers/scsi/ipr.c @@ -1516,23 +1516,22 @@ static void ipr_process_ccn(struct ipr_cmnd *ipr_cmd) } /** - * strip_and_pad_whitespace - Strip and pad trailing whitespace. - * @i: index into buffer - * @buf: string to modify + * strip_whitespace - Strip and pad trailing whitespace. + * @i: size of buffer + * @buf: string to modify * - * This function will strip all trailing whitespace, pad the end - * of the string with a single space, and NULL terminate the string. + * This function will strip all trailing whitespace and + * NUL terminate the string. * - * Return value: - * new length of string **/ -static int strip_and_pad_whitespace(int i, char *buf) +static void strip_whitespace(int i, char *buf) { + if (i < 1) + return; + i--; while (i && buf[i] == ' ') i--; - buf[i+1] = ' '; - buf[i+2] = '\0'; - return i + 2; + buf[i+1] = '\0'; } /** @@ -1547,19 +1546,21 @@ static int strip_and_pad_whitespace(int i, char *buf) static void ipr_log_vpd_compact(char *prefix, struct ipr_hostrcb *hostrcb, struct ipr_vpd *vpd) { - char buffer[IPR_VENDOR_ID_LEN + IPR_PROD_ID_LEN + IPR_SERIAL_NUM_LEN + 3]; - int i = 0; + char vendor_id[IPR_VENDOR_ID_LEN + 1]; + char product_id[IPR_PROD_ID_LEN + 1]; + char sn[IPR_SERIAL_NUM_LEN + 1]; - memcpy(buffer, vpd->vpids.vendor_id, IPR_VENDOR_ID_LEN); - i = strip_and_pad_whitespace(IPR_VENDOR_ID_LEN - 1, buffer); + memcpy(vendor_id, vpd->vpids.vendor_id, IPR_VENDOR_ID_LEN); + strip_whitespace(IPR_VENDOR_ID_LEN, vendor_id); - memcpy(&buffer[i], vpd->vpids.product_id, IPR_PROD_ID_LEN); - i = strip_and_pad_whitespace(i + IPR_PROD_ID_LEN - 1, buffer); + memcpy(product_id, vpd->vpids.product_id, IPR_PROD_ID_LEN); + strip_whitespace(IPR_PROD_ID_LEN, product_id); - memcpy(&buffer[i], vpd->sn, IPR_SERIAL_NUM_LEN); - buffer[IPR_SERIAL_NUM_LEN + i] = '\0'; + memcpy(sn, vpd->sn, IPR_SERIAL_NUM_LEN); + strip_whitespace(IPR_SERIAL_NUM_LEN, sn); - ipr_hcam_err(hostrcb, "%s VPID/SN: %s\n", prefix, buffer); + ipr_hcam_err(hostrcb, "%s VPID/SN: %s %s %s\n", prefix, + vendor_id, product_id, sn); } /**