From: Arnd Bergmann
Cc: Kees Cook, Andrew Morton, Arnd Bergmann, linux-kernel@vger.kernel.org
Subject: [PATCH 2/2] adfs: use 'unsigned' types for memcpy length
Date: Tue, 1 Aug 2017 14:04:04 +0200
Message-Id: <20170801120438.1582336-2-arnd@arndb.de>
In-Reply-To: <20170801120438.1582336-1-arnd@arndb.de>
References: <20170726185219.GA57833@beast> <20170801120438.1582336-1-arnd@arndb.de>

After commit 62d1034f53e3 ("fortify: use WARN instead of BUG for now"),
we get a warning in adfs about a possible buffer overflow:

In function 'memcpy',
    inlined from '__adfs_dir_put' at fs/adfs/dir_f.c:318:2,
    inlined from 'adfs_f_update' at fs/adfs/dir_f.c:403:2:
include/linux/string.h:305:4: error: call to
'__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
    __read_overflow2();
    ^~~~~~~~~~~~~~~~~~

The warning is correct in the sense that a negative 'pos' argument to the
function would have that result. However, this is not a bug, as we know
the position is always positive (in fact, between 5 and 2007, inclusive)
when the function gets called.

Changing the variable to an unsigned type avoids the problem. I decided
to use 'unsigned int' for the position in the directory and the block
number, as they are both counting things, but use size_t for the offset
and length that get passed into memcpy. This shuts up the warning.

Signed-off-by: Arnd Bergmann
--- fs/adfs/dir_f.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -- 2.9.0 Acked-by: Kees Cook diff --git a/fs/adfs/dir_f.c b/fs/adfs/dir_f.c index 0fbfd0b04ae0..dab3595a1ecc 100644 --- a/fs/adfs/dir_f.c +++ b/fs/adfs/dir_f.c @@ -283,11 +283,12 @@ __adfs_dir_get(struct adfs_dir *dir, int pos, struct object_info *obj) } static int -__adfs_dir_put(struct adfs_dir *dir, int pos, struct object_info *obj) +__adfs_dir_put(struct adfs_dir *dir, unsigned int pos, struct object_info *obj) { struct super_block *sb = dir->sb; struct adfs_direntry de; - int thissize, buffer, offset; + unsigned int buffer; + size_t thissize, offset; buffer = pos >> sb->s_blocksize_bits;
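
Review bot: In the new __adfs_dir_put() signature, making pos an unsigned int removes the negative case the compiler complained about, but nothing in the visible lines enforces the 5..2007 range the commit message relies on. A caller that passes a negative int would now be converted to a very large value and reach "buffer = pos >> sb->s_blocksize_bits" unchecked. Consider an explicit range check on pos at function entry that returns an error, or at least a comment stating the invariant and which caller guarantees it. Separately, __adfs_dir_get() in the hunk header still takes "int pos", so the two helpers now disagree on the type of the same quantity; converting both in this patch would keep them consistent.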