[next] udf: Fix -Wstringop-overflow warnings

Message ID ZK7wKS0NgZPfqrZu@work
State New
Headers
Series [next] udf: Fix -Wstringop-overflow warnings |

Commit Message

Gustavo A. R. Silva July 12, 2023, 6:25 p.m. UTC
  Use unsigned type in call to macro mint_t(). This avoids confusing the
compiler about possible negative values that would cause the value in
_len_ to wrap around.

Fixes the following -Wstringop-warnings seen when building ARM
architecture with allyesconfig (GCC 13):
fs/udf/directory.c: In function 'udf_copy_fi':
include/linux/fortify-string.h:57:33: warning: '__builtin_memcpy' specified bound between 2147483648 and 4294967295 exceeds maximum object size 2147483647 [-Wstringop-overflow=]
   57 | #define __underlying_memcpy     __builtin_memcpy
      |                                 ^
include/linux/fortify-string.h:648:9: note: in expansion of macro '__underlying_memcpy'
  648 |         __underlying_##op(p, q, __fortify_size);                        \
      |         ^~~~~~~~~~~~~
include/linux/fortify-string.h:693:26: note: in expansion of macro '__fortify_memcpy_chk'
  693 | #define memcpy(p, q, s)  __fortify_memcpy_chk(p, q, s,                  \
      |                          ^~~~~~~~~~~~~~~~~~~~
fs/udf/directory.c:99:9: note: in expansion of macro 'memcpy'
   99 |         memcpy(&iter->fi, iter->bh[0]->b_data + off, len);
      |         ^~~~~~
include/linux/fortify-string.h:57:33: warning: '__builtin_memcpy' specified bound between 2147483648 and 4294967295 exceeds maximum object size 2147483647 [-Wstringop-overflow=]
   57 | #define __underlying_memcpy     __builtin_memcpy
      |                                 ^
include/linux/fortify-string.h:648:9: note: in expansion of macro '__underlying_memcpy'
  648 |         __underlying_##op(p, q, __fortify_size);                        \
      |         ^~~~~~~~~~~~~
include/linux/fortify-string.h:693:26: note: in expansion of macro '__fortify_memcpy_chk'
  693 | #define memcpy(p, q, s)  __fortify_memcpy_chk(p, q, s,                  \
      |                          ^~~~~~~~~~~~~~~~~~~~
fs/udf/directory.c:99:9: note: in expansion of macro 'memcpy'
   99 |         memcpy(&iter->fi, iter->bh[0]->b_data + off, len);
      |         ^~~~~~
  AR      fs/udf/built-in.a

This helps with the ongoing efforts to globally enable
-Wstringop-overflow.

Link: https://github.com/KSPP/linux/issues/329
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 fs/udf/directory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
  

Comments

Kees Cook July 12, 2023, 7:05 p.m. UTC | #1
On Wed, Jul 12, 2023 at 12:25:45PM -0600, Gustavo A. R. Silva wrote:
> Use unsigned type in call to macro mint_t(). This avoids confusing the
> compiler about possible negative values that would cause the value in
> _len_ to wrap around.
> 
> Fixes the following -Wstringop-warnings seen when building ARM
> architecture with allyesconfig (GCC 13):
> fs/udf/directory.c: In function 'udf_copy_fi':
> include/linux/fortify-string.h:57:33: warning: '__builtin_memcpy' specified bound between 2147483648 and 4294967295 exceeds maximum object size 2147483647 [-Wstringop-overflow=]
>    57 | #define __underlying_memcpy     __builtin_memcpy
>       |                                 ^
> include/linux/fortify-string.h:648:9: note: in expansion of macro '__underlying_memcpy'
>   648 |         __underlying_##op(p, q, __fortify_size);                        \
>       |         ^~~~~~~~~~~~~
> include/linux/fortify-string.h:693:26: note: in expansion of macro '__fortify_memcpy_chk'
>   693 | #define memcpy(p, q, s)  __fortify_memcpy_chk(p, q, s,                  \
>       |                          ^~~~~~~~~~~~~~~~~~~~
> fs/udf/directory.c:99:9: note: in expansion of macro 'memcpy'
>    99 |         memcpy(&iter->fi, iter->bh[0]->b_data + off, len);
>       |         ^~~~~~
> include/linux/fortify-string.h:57:33: warning: '__builtin_memcpy' specified bound between 2147483648 and 4294967295 exceeds maximum object size 2147483647 [-Wstringop-overflow=]
>    57 | #define __underlying_memcpy     __builtin_memcpy
>       |                                 ^
> include/linux/fortify-string.h:648:9: note: in expansion of macro '__underlying_memcpy'
>   648 |         __underlying_##op(p, q, __fortify_size);                        \
>       |         ^~~~~~~~~~~~~
> include/linux/fortify-string.h:693:26: note: in expansion of macro '__fortify_memcpy_chk'
>   693 | #define memcpy(p, q, s)  __fortify_memcpy_chk(p, q, s,                  \
>       |                          ^~~~~~~~~~~~~~~~~~~~
> fs/udf/directory.c:99:9: note: in expansion of macro 'memcpy'
>    99 |         memcpy(&iter->fi, iter->bh[0]->b_data + off, len);
>       |         ^~~~~~
>   AR      fs/udf/built-in.a
> 
> This helps with the ongoing efforts to globally enable
> -Wstringop-overflow.
> 
> Link: https://github.com/KSPP/linux/issues/329
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
>  fs/udf/directory.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/udf/directory.c b/fs/udf/directory.c
> index 1c775e072b2f..93153665eb37 100644
> --- a/fs/udf/directory.c
> +++ b/fs/udf/directory.c
> @@ -95,7 +95,7 @@ static int udf_copy_fi(struct udf_fileident_iter *iter)
>  	}
>  
>  	off = iter->pos & (blksize - 1);
> -	len = min_t(int, sizeof(struct fileIdentDesc), blksize - off);
> +	len = min_t(u32, sizeof(struct fileIdentDesc), blksize - off);
>  	memcpy(&iter->fi, iter->bh[0]->b_data + off, len);
>  	if (len < sizeof(struct fileIdentDesc))
>  		memcpy((char *)(&iter->fi) + len, iter->bh[1]->b_data,

len is u32, "off" can't be less than blksize, so this all looks correct
to me. Thanks!

Reviewed-by: Kees Cook <keescook@chromium.org>
  
Jan Kara July 31, 2023, 2:35 p.m. UTC | #2
On Wed 12-07-23 12:05:34, Kees Cook wrote:
> On Wed, Jul 12, 2023 at 12:25:45PM -0600, Gustavo A. R. Silva wrote:
> > Use unsigned type in call to macro mint_t(). This avoids confusing the
> > compiler about possible negative values that would cause the value in
> > _len_ to wrap around.
> > 
> > Fixes the following -Wstringop-warnings seen when building ARM
> > architecture with allyesconfig (GCC 13):
> > fs/udf/directory.c: In function 'udf_copy_fi':
> > include/linux/fortify-string.h:57:33: warning: '__builtin_memcpy' specified bound between 2147483648 and 4294967295 exceeds maximum object size 2147483647 [-Wstringop-overflow=]
> >    57 | #define __underlying_memcpy     __builtin_memcpy
> >       |                                 ^
> > include/linux/fortify-string.h:648:9: note: in expansion of macro '__underlying_memcpy'
> >   648 |         __underlying_##op(p, q, __fortify_size);                        \
> >       |         ^~~~~~~~~~~~~
> > include/linux/fortify-string.h:693:26: note: in expansion of macro '__fortify_memcpy_chk'
> >   693 | #define memcpy(p, q, s)  __fortify_memcpy_chk(p, q, s,                  \
> >       |                          ^~~~~~~~~~~~~~~~~~~~
> > fs/udf/directory.c:99:9: note: in expansion of macro 'memcpy'
> >    99 |         memcpy(&iter->fi, iter->bh[0]->b_data + off, len);
> >       |         ^~~~~~
> > include/linux/fortify-string.h:57:33: warning: '__builtin_memcpy' specified bound between 2147483648 and 4294967295 exceeds maximum object size 2147483647 [-Wstringop-overflow=]
> >    57 | #define __underlying_memcpy     __builtin_memcpy
> >       |                                 ^
> > include/linux/fortify-string.h:648:9: note: in expansion of macro '__underlying_memcpy'
> >   648 |         __underlying_##op(p, q, __fortify_size);                        \
> >       |         ^~~~~~~~~~~~~
> > include/linux/fortify-string.h:693:26: note: in expansion of macro '__fortify_memcpy_chk'
> >   693 | #define memcpy(p, q, s)  __fortify_memcpy_chk(p, q, s,                  \
> >       |                          ^~~~~~~~~~~~~~~~~~~~
> > fs/udf/directory.c:99:9: note: in expansion of macro 'memcpy'
> >    99 |         memcpy(&iter->fi, iter->bh[0]->b_data + off, len);
> >       |         ^~~~~~
> >   AR      fs/udf/built-in.a
> > 
> > This helps with the ongoing efforts to globally enable
> > -Wstringop-overflow.
> > 
> > Link: https://github.com/KSPP/linux/issues/329
> > Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> > ---
> >  fs/udf/directory.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/fs/udf/directory.c b/fs/udf/directory.c
> > index 1c775e072b2f..93153665eb37 100644
> > --- a/fs/udf/directory.c
> > +++ b/fs/udf/directory.c
> > @@ -95,7 +95,7 @@ static int udf_copy_fi(struct udf_fileident_iter *iter)
> >  	}
> >  
> >  	off = iter->pos & (blksize - 1);
> > -	len = min_t(int, sizeof(struct fileIdentDesc), blksize - off);
> > +	len = min_t(u32, sizeof(struct fileIdentDesc), blksize - off);
> >  	memcpy(&iter->fi, iter->bh[0]->b_data + off, len);
> >  	if (len < sizeof(struct fileIdentDesc))
> >  		memcpy((char *)(&iter->fi) + len, iter->bh[1]->b_data,
> 
> len is u32, "off" can't be less than blksize, so this all looks correct
> to me. Thanks!
> 
> Reviewed-by: Kees Cook <keescook@chromium.org>

Thanks! I've merged the patch to my tree.

								Honza
  

Patch

diff --git a/fs/udf/directory.c b/fs/udf/directory.c
index 1c775e072b2f..93153665eb37 100644
--- a/fs/udf/directory.c
+++ b/fs/udf/directory.c
@@ -95,7 +95,7 @@  static int udf_copy_fi(struct udf_fileident_iter *iter)
 	}
 
 	off = iter->pos & (blksize - 1);
-	len = min_t(int, sizeof(struct fileIdentDesc), blksize - off);
+	len = min_t(u32, sizeof(struct fileIdentDesc), blksize - off);
 	memcpy(&iter->fi, iter->bh[0]->b_data + off, len);
 	if (len < sizeof(struct fileIdentDesc))
 		memcpy((char *)(&iter->fi) + len, iter->bh[1]->b_data,