| Message ID | 20240117014541.8887-1-yaolu@kylinos.cn |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-28440-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7300:42cf:b0:101:a8e8:374 with SMTP id q15csp637391dye;
Tue, 16 Jan 2024 17:46:20 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IFiFI8qyhwLb+wKV9l7qDaI3oWrrOcdobPgdca+feNFPNnMZrAk7E03hknKt6mMTNaCaIgS
X-Received: by 2002:a05:6214:400a:b0:681:132c:8b8e with SMTP id
kd10-20020a056214400a00b00681132c8b8emr86871qvb.46.1705455979945;
Tue, 16 Jan 2024 17:46:19 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1705455979; cv=pass;
d=google.com; s=arc-20160816;
b=EuucuEzrbebjY22l9E0Mh3qeb1l3H1QH4i8uI/akFDMRrDxXdDWCGQnatT6xkBe6SK
DNzhNL9wVrBH4hLX4yfWUFzmNjZz2BUCe+AvNHTNCJozWu7AOPeTwOj1O5mvnvijMdpV
zhBiija1dD8e3o3LGmKkLHd5XCMQug5RF4PCHU4DDsA6jqAk1vIk8E0Sc+5KtDPg91qq
1YgHwMgwZ/KL2cJmL10zqfKISLtmv20UDo0i+DvYHAG9JGI7eISU2eXBQNLfUqzUKUcB
Ca9MiIoh2jSDuoqKmDuboLy7qu1vpPOSfcRzttYOaGc+iFF82ZO+rHUvkmgyi6K95PCB
kxQg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:message-id:date:subject:cc:to
:from;
bh=k2mMSx3p66qkIv+hxwAyS0/xlBSMxzpJm1gO3ZSBmco=;
fh=UUTFhOqf21p8QAOraSnblS9+XnpUKqYmjOQcUaSN6/c=;
b=iuk7/zuI1WPXR7YuhuQ++YHV7aqc7X/TyXg/E7dImC8kWfpj2mQNfZQvvR1ThKFDdD
gQLXNOKlR2sXxylFJ4YDVgsZZDGbwEfnNkIAocj9E2YwT+O4rN3KebvLqvFOZkCWqG8/
uPuvWYw+mN3wouUQK9OzGDqaCODOSFxPCtsiH68JY4MnvJTBLyOWhGL/+doO6dJVkun9
3c2NOVJr8KEGZMsQcdFN8WL2p2b8yKHwQ4I0JNRWMjqr97TYhodPMW+ewfixjy0RVxld
quBb7LDiWZQc0tAIHZ8hA9Z+oXpLd6tYiI+4taK+t9oE93eSN5/mYNeG5VEL9QEIqr53
/yjQ==
ARC-Authentication-Results: i=2; mx.google.com;
arc=pass (i=1 spf=pass spfdomain=kylinos.cn);
spf=pass (google.com: domain of
linux-kernel+bounces-28440-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-28440-ouuuleilei=gmail.com@vger.kernel.org"
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org.
[2604:1380:45d1:ec00::1])
by mx.google.com with ESMTPS id
g13-20020a0cdf0d000000b0068171ee32basi1879500qvl.213.2024.01.16.17.46.19
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 16 Jan 2024 17:46:19 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-28440-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
arc=pass (i=1 spf=pass spfdomain=kylinos.cn);
spf=pass (google.com: domain of
linux-kernel+bounces-28440-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-28440-ouuuleilei=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ny.mirrors.kernel.org (Postfix) with ESMTPS id B85141C23DF8
for <ouuuleilei@gmail.com>; Wed, 17 Jan 2024 01:46:19 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 177984690;
Wed, 17 Jan 2024 01:46:06 +0000 (UTC)
Received: from mailgw.kylinos.cn (mailgw.kylinos.cn [124.126.103.232])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id CA9081864;
Wed, 17 Jan 2024 01:45:59 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=124.126.103.232
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1705455964; cv=none;
b=AetgyY0t5dXtJKL3zqw/blDihMWkB+G1ZEBaKNT9gkX6gvYzQTbjHE65FWNcSaXz1ceonvhrk+OOkn7gmEGsGrmOB3C8OInC3yftU9klf6804yWnmbnJ+Z4z5dpIRhnm9GUrYI+w5+35gPGMUthlChFinDLSmk78sTmrNpaJEdk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1705455964; c=relaxed/simple;
bh=fgPwF9xhCsHvun6QMTgmDHGlC69r9M6BgvAyZFblfY0=;
h=X-UUID:X-CID-O-RULE:X-CID-RULE:X-CID-O-INFO:X-CID-INFO:X-CID-META:
X-CID-BVR:X-CID-BAS:X-CID-FACTOR:X-UUID:X-User:Received:From:To:Cc:
Subject:Date:Message-Id:X-Mailer:MIME-Version:Content-Type:
Content-Transfer-Encoding;
b=PR8HAIYk76xkzgZSgTwbwKg1Nzv9Ap2y2z54sM6KvRJOfvqkydPwGp8RN11gIw7YdkzW9SjsQL0g365WXzXANWdJf9EZ7q6JlZKFAF52ggRZEWI9KT5DT7rB0JFOr04n7gck1H8bnoCaBIIYGkc+6q8Zk5+2Bt6Rq5EEbK4aJ74=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=none (p=none dis=none) header.from=kylinos.cn;
spf=pass smtp.mailfrom=kylinos.cn; arc=none smtp.client-ip=124.126.103.232
Authentication-Results: smtp.subspace.kernel.org;
dmarc=none (p=none dis=none) header.from=kylinos.cn
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=kylinos.cn
X-UUID: 711b0d93f1fa43b4b0a2a28e58723e95-20240117
X-CID-O-RULE: Release_Ham
X-CID-RULE: Release_Ham
X-CID-O-INFO: VERSION:1.1.35,REQID:003e1394-ef5b-4aef-aabe-c69c16c4d8b7,IP:5,U
RL:0,TC:0,Content:0,EDM:0,RT:0,SF:-15,FILE:0,BULK:0,RULE:Release_Ham,ACTIO
N:release,TS:-10
X-CID-INFO: VERSION:1.1.35,REQID:003e1394-ef5b-4aef-aabe-c69c16c4d8b7,IP:5,URL
:0,TC:0,Content:0,EDM:0,RT:0,SF:-15,FILE:0,BULK:0,RULE:Release_Ham,ACTION:
release,TS:-10
X-CID-META: VersionHash:5d391d7,CLOUDID:00573e2f-1ab8-4133-9780-81938111c800,B
ulkID:240117094108WJOCVTCR,BulkQuantity:1,Recheck:0,SF:38|24|17|19|44|66|1
02,TC:nil,Content:0,EDM:-3,IP:-2,URL:0,File:nil,Bulk:41,QS:nil,BEC:nil,COL
:0,OSI:0,OSA:0,AV:0,LES:1,SPR:NO,DKR:0,DKP:0,BRR:0,BRE:0
X-CID-BVR: 0,NGT
X-CID-BAS: 0,NGT,0,_
X-CID-FACTOR: TF_CID_SPAM_FAS,TF_CID_SPAM_FSD,TF_CID_SPAM_FSI,TF_CID_SPAM_SNR
X-UUID: 711b0d93f1fa43b4b0a2a28e58723e95-20240117
X-User: yaolu@kylinos.cn
Received: from localhost.localdomain [(116.128.244.169)] by mailgw
(envelope-from <yaolu@kylinos.cn>)
(Generic MTA)
with ESMTP id 298752770; Wed, 17 Jan 2024 09:45:49 +0800
From: Lu Yao <yaolu@kylinos.cn>
To: paul@paul-moore.com,
jmorris@namei.org,
serge@hallyn.com
Cc: linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
Lu Yao <yaolu@kylinos.cn>
Subject: [PATCH] lsm: Resolve compiling 'security.c' error
Date: Wed, 17 Jan 2024 09:45:41 +0800
Message-Id: <20240117014541.8887-1-yaolu@kylinos.cn>
X-Mailer: git-send-email 2.25.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1788300209709047937
X-GMAIL-MSGID: 1788300209709047937
|
| Series |
lsm: Resolve compiling 'security.c' error
|
|
Commit Message
Lu Yao
Jan. 17, 2024, 1:45 a.m. UTC
The following error log is displayed during the current compilation > 'security/security.c:810:2: error: ‘memcpy’ offset 32 is > out of the bounds [0, 0] [-Werror=array-bounds]' GCC version is '10.3.0 (Ubuntu 10.3.0-1ubuntu1~18.04~1)' Signed-off-by: Lu Yao <yaolu@kylinos.cn> --- security/security.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Tue, Jan 16, 2024 at 8:46 PM Lu Yao <yaolu@kylinos.cn> wrote: > > The following error log is displayed during the current compilation > > 'security/security.c:810:2: error: ‘memcpy’ offset 32 is > > out of the bounds [0, 0] [-Werror=array-bounds]' > > GCC version is '10.3.0 (Ubuntu 10.3.0-1ubuntu1~18.04~1)' > > Signed-off-by: Lu Yao <yaolu@kylinos.cn> > --- > security/security.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) I'm adding the linux-hardening folks to the to To: line as this has now come up multiple times and my best guess is that this is an issue with the struct_size() macro, compiler annotations, or something similar and I suspect they are the experts in that area. My understanding is that using the struct_size() macro is preferable to open coding the math, as this patch does, but if we have to do something like this to silence the warnings, that's okay with me. So linux-hardening folks, what do you say? > diff --git a/security/security.c b/security/security.c > index 0144a98d3712..37168f6bee25 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -792,7 +792,7 @@ int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, size_t *uctx_len, > size_t nctx_len; > int rc = 0; > > - nctx_len = ALIGN(struct_size(nctx, ctx, val_len), sizeof(void *)); > + nctx_len = ALIGN(sizeof(struct lsm_ctx) + val_len, sizeof(void *)); > if (nctx_len > *uctx_len) { > rc = -E2BIG; > goto out; > -- > 2.25.1
On Wed, Jan 17, 2024 at 09:32:33AM -0500, Paul Moore wrote: > On Tue, Jan 16, 2024 at 8:46 PM Lu Yao <yaolu@kylinos.cn> wrote: > > > > The following error log is displayed during the current compilation > > > 'security/security.c:810:2: error: ‘memcpy’ offset 32 is > > > out of the bounds [0, 0] [-Werror=array-bounds]' > > > > GCC version is '10.3.0 (Ubuntu 10.3.0-1ubuntu1~18.04~1)' As an aside, Ubuntu 18.04 went out of support back in June 2023, and never officially supported gcc 10: https://launchpad.net/ubuntu/+source/gcc-10 That said, I still see this error with gcc 10.5 on supported Ubuntu releases. I'm surprised this is the first time I've seen this error! > > > > Signed-off-by: Lu Yao <yaolu@kylinos.cn> > > --- > > security/security.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > I'm adding the linux-hardening folks to the to To: line as this has > now come up multiple times and my best guess is that this is an issue > with the struct_size() macro, compiler annotations, or something > similar and I suspect they are the experts in that area. My > understanding is that using the struct_size() macro is preferable to > open coding the math, as this patch does, but if we have to do > something like this to silence the warnings, that's okay with me. > > So linux-hardening folks, what do you say? This is a GCC bug -- it thinks nctx_len could be 0, so it gets mad about the array bounds. > > > diff --git a/security/security.c b/security/security.c > > index 0144a98d3712..37168f6bee25 100644 > > --- a/security/security.c > > +++ b/security/security.c > > @@ -792,7 +792,7 @@ int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, size_t *uctx_len, > > size_t nctx_len; > > int rc = 0; > > > > - nctx_len = ALIGN(struct_size(nctx, ctx, val_len), sizeof(void *)); > > + nctx_len = ALIGN(sizeof(struct lsm_ctx) + val_len, sizeof(void *)); > > if (nctx_len > *uctx_len) { > > rc = -E2BIG; > > goto out; Please don't do this -- it regresses the efforts to make sure we can never wrap the math on here. We need to pick one of these two diffs instead. The first disables -Warray-bounds for GCC 10.* also (since we keep having false positives). The latter silences this 1 particular case by explicitly checking nctx_len for 0: diff --git a/init/Kconfig b/init/Kconfig index 8d4e836e1b6b..af4833430aca 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -874,7 +874,7 @@ config GCC11_NO_ARRAY_BOUNDS config CC_NO_ARRAY_BOUNDS bool - default y if CC_IS_GCC && GCC_VERSION >= 110000 && GCC11_NO_ARRAY_BOUNDS + default y if CC_IS_GCC && GCC_VERSION >= 100000 && GCC11_NO_ARRAY_BOUNDS # Currently, disable -Wstringop-overflow for GCC 11, globally. config GCC11_NO_STRINGOP_OVERFLOW diff --git a/security/security.c b/security/security.c index 0144a98d3712..ab403136958f 100644 --- a/security/security.c +++ b/security/security.c @@ -793,7 +793,7 @@ int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, size_t *uctx_len, int rc = 0; nctx_len = ALIGN(struct_size(nctx, ctx, val_len), sizeof(void *)); - if (nctx_len > *uctx_len) { + if (nctx_len == 0 || nctx_len > *uctx_len) { rc = -E2BIG; goto out; }
On Wed, Jan 17, 2024 at 3:51 PM Kees Cook <keescook@chromium.org> wrote: > On Wed, Jan 17, 2024 at 09:32:33AM -0500, Paul Moore wrote: > > On Tue, Jan 16, 2024 at 8:46 PM Lu Yao <yaolu@kylinos.cn> wrote: > > > > > > The following error log is displayed during the current compilation > > > > 'security/security.c:810:2: error: ‘memcpy’ offset 32 is > > > > out of the bounds [0, 0] [-Werror=array-bounds]' > > > > > > GCC version is '10.3.0 (Ubuntu 10.3.0-1ubuntu1~18.04~1)' > > As an aside, Ubuntu 18.04 went out of support back in June 2023, and > never officially supported gcc 10: > https://launchpad.net/ubuntu/+source/gcc-10 > > That said, I still see this error with gcc 10.5 on supported Ubuntu > releases. I'm surprised this is the first time I've seen this error! > > > > > > > Signed-off-by: Lu Yao <yaolu@kylinos.cn> > > > --- > > > security/security.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > I'm adding the linux-hardening folks to the to To: line as this has > > now come up multiple times and my best guess is that this is an issue > > with the struct_size() macro, compiler annotations, or something > > similar and I suspect they are the experts in that area. My > > understanding is that using the struct_size() macro is preferable to > > open coding the math, as this patch does, but if we have to do > > something like this to silence the warnings, that's okay with me. > > > > So linux-hardening folks, what do you say? > > This is a GCC bug -- it thinks nctx_len could be 0, so it gets mad about > the array bounds. Ah ha, thanks for that. > > > diff --git a/security/security.c b/security/security.c > > > index 0144a98d3712..37168f6bee25 100644 > > > --- a/security/security.c > > > +++ b/security/security.c > > > @@ -792,7 +792,7 @@ int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, size_t *uctx_len, > > > size_t nctx_len; > > > int rc = 0; > > > > > > - nctx_len = ALIGN(struct_size(nctx, ctx, val_len), sizeof(void *)); > > > + nctx_len = ALIGN(sizeof(struct lsm_ctx) + val_len, sizeof(void *)); > > > if (nctx_len > *uctx_len) { > > > rc = -E2BIG; > > > goto out; > > Please don't do this -- it regresses the efforts to make sure we can > never wrap the math on here. I didn't want to apply that change, hence my To/CC to you guys. If there was no other option to silence the warning then we would probably have to do it, but it looks like we have options. > We need to pick one of these two diffs > instead. The first disables -Warray-bounds for GCC 10.* also (since we > keep having false positives). The latter silences this 1 particular > case by explicitly checking nctx_len for 0: > > diff --git a/init/Kconfig b/init/Kconfig > index 8d4e836e1b6b..af4833430aca 100644 > --- a/init/Kconfig > +++ b/init/Kconfig > @@ -874,7 +874,7 @@ config GCC11_NO_ARRAY_BOUNDS > > config CC_NO_ARRAY_BOUNDS > bool > - default y if CC_IS_GCC && GCC_VERSION >= 110000 && GCC11_NO_ARRAY_BOUNDS > + default y if CC_IS_GCC && GCC_VERSION >= 100000 && GCC11_NO_ARRAY_BOUNDS > > # Currently, disable -Wstringop-overflow for GCC 11, globally. > config GCC11_NO_STRINGOP_OVERFLOW It sounds like lsm_fill_user_ctx() is not the only one having problems with GCC v10 so I'm guessing you're going to submit a patch like the above up to Linus? I think that's preferable to adding extra checks we don't really need just to silence a buggy compiler. > diff --git a/security/security.c b/security/security.c > index 0144a98d3712..ab403136958f 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -793,7 +793,7 @@ int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, size_t *uctx_len, > int rc = 0; > > nctx_len = ALIGN(struct_size(nctx, ctx, val_len), sizeof(void *)); > - if (nctx_len > *uctx_len) { > + if (nctx_len == 0 || nctx_len > *uctx_len) { > rc = -E2BIG; > goto out; > } > > -- > Kees Cook
diff --git a/security/security.c b/security/security.c index 0144a98d3712..37168f6bee25 100644 --- a/security/security.c +++ b/security/security.c @@ -792,7 +792,7 @@ int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, size_t *uctx_len, size_t nctx_len; int rc = 0; - nctx_len = ALIGN(struct_size(nctx, ctx, val_len), sizeof(void *)); + nctx_len = ALIGN(sizeof(struct lsm_ctx) + val_len, sizeof(void *)); if (nctx_len > *uctx_len) { rc = -E2BIG; goto out;