| Message ID | 20230809074503.1323102-1-gongruiqi@huaweicloud.com (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | a7ed3465daa240bdf01a5420f64336fee879c09d |
| Headers | show |
| Series | [v3] netfilter: ebtables: fix fortify warnings in size_entry_mwt() | expand |
On Wed, Aug 09, 2023 at 03:45:03PM +0800, GONG, Ruiqi wrote: > From: "GONG, Ruiqi" <gongruiqi1@huawei.com> > > When compiling with gcc 13 and CONFIG_FORTIFY_SOURCE=y, the following > warning appears: > > In function ‘fortify_memcpy_chk’, > inlined from ‘size_entry_mwt’ at net/bridge/netfilter/ebtables.c:2118:2: > ./include/linux/fortify-string.h:592:25: error: call to ‘__read_overflow2_field’ > declared with attribute warning: detected read beyond size of field (2nd parameter); > maybe use struct_group()? [-Werror=attribute-warning] > 592 | __read_overflow2_field(q_size_field, size); > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > The compiler is complaining: > > memcpy(&offsets[1], &entry->watchers_offset, > sizeof(offsets) - sizeof(offsets[0])); > > where memcpy reads beyong &entry->watchers_offset to copy nit: beyong -> beyond ...
On Wed, Aug 09, 2023 at 03:45:03PM +0800, GONG, Ruiqi wrote: > From: "GONG, Ruiqi" <gongruiqi1@huawei.com> > > When compiling with gcc 13 and CONFIG_FORTIFY_SOURCE=y, the following > warning appears: > > In function ‘fortify_memcpy_chk’, > inlined from ‘size_entry_mwt’ at net/bridge/netfilter/ebtables.c:2118:2: > ./include/linux/fortify-string.h:592:25: error: call to ‘__read_overflow2_field’ > declared with attribute warning: detected read beyond size of field (2nd parameter); > maybe use struct_group()? [-Werror=attribute-warning] > 592 | __read_overflow2_field(q_size_field, size); > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > The compiler is complaining: > > memcpy(&offsets[1], &entry->watchers_offset, > sizeof(offsets) - sizeof(offsets[0])); > > where memcpy reads beyong &entry->watchers_offset to copy > {watchers,target,next}_offset altogether into offsets[]. Silence the > warning by wrapping these three up via struct_group(). > > Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com> If a v4 is sent, please fix the "beyong" typo that was pointed out. Otherwise, it looks okay to me: Reviewed-by: Kees Cook <keescook@chromium.org>
diff --git a/include/uapi/linux/netfilter_bridge/ebtables.h b/include/uapi/linux/netfilter_bridge/ebtables.h index a494cf43a755..b0caad82b693 100644 --- a/include/uapi/linux/netfilter_bridge/ebtables.h +++ b/include/uapi/linux/netfilter_bridge/ebtables.h @@ -182,12 +182,14 @@ struct ebt_entry { unsigned char sourcemsk[ETH_ALEN]; unsigned char destmac[ETH_ALEN]; unsigned char destmsk[ETH_ALEN]; - /* sizeof ebt_entry + matches */ - unsigned int watchers_offset; - /* sizeof ebt_entry + matches + watchers */ - unsigned int target_offset; - /* sizeof ebt_entry + matches + watchers + target */ - unsigned int next_offset; + __struct_group(/* no tag */, offsets, /* no attrs */, + /* sizeof ebt_entry + matches */ + unsigned int watchers_offset; + /* sizeof ebt_entry + matches + watchers */ + unsigned int target_offset; + /* sizeof ebt_entry + matches + watchers + target */ + unsigned int next_offset; + ); unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); }; diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 757ec46fc45a..aa23479b20b2 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -2115,8 +2115,7 @@ static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *ba return ret; offsets[0] = sizeof(struct ebt_entry); /* matches come first */ - memcpy(&offsets[1], &entry->watchers_offset, - sizeof(offsets) - sizeof(offsets[0])); + memcpy(&offsets[1], &entry->offsets, sizeof(entry->offsets)); if (state->buf_kern_start) { buf_start = state->buf_kern_start + state->buf_kern_offset;