Re: "kyber: add tracepoints" causes write beyond size of object

Wed, 14 Nov 2018 16:06:12 -0800 

On Wed, Nov 14, 2018 at 05:23:06PM -0600, Kees Cook wrote:
> On Sat, Nov 10, 2018 at 8:15 AM, Jordan Glover
> <golden_mille...@protonmail.ch> wrote:
> > Hello,
> >
> > Commit 6c3b7af1c975b87b86dcb2af233d1ae21eb05107 ("kyber: add 
> > tracepoints")[1] causes write beyond size of object. This was detected by 
> > "FORTIFY_SOURCE intra-object overflow checking"[2] feature which is part of 
> > linux-hardened out-of-tree patchset designed to catch such errors.
> >
> > The specific error is:
> >
> > In file included from ./include/linux/bitmap.h:9,
> >                  from ./include/linux/cpumask.h:12,
> >                  from ./arch/x86/include/asm/cpumask.h:5,
> >                  from ./arch/x86/include/asm/msr.h:11,
> >                  from ./arch/x86/include/asm/processor.h:21,
> >                  from ./arch/x86/include/asm/cpufeature.h:8,
> >                  from ./arch/x86/include/asm/thread_info.h:53,
> >                  from ./include/linux/thread_info.h:38,
> >                  from ./arch/x86/include/asm/preempt.h:7,
> >                  from ./include/linux/preempt.h:81,
> >                  from ./include/linux/rcupdate.h:40,
> >                  from ./include/linux/rculist.h:11,
> >                  from ./include/linux/pid.h:5,
> >                  from ./include/linux/sched.h:14,
> >                  from ./include/linux/blkdev.h:5,
> >                  from block/kyber-iosched.c:21:
> > In function ‘strlcpy’,
> >     inlined from ‘perf_trace_kyber_latency’ at 
> > ./include/trace/events/kyber.h:14:1:
> > ./include/linux/string.h:310:4: error: call to ‘__write_overflow’ declared 
> > with attribute error: detected write beyond size of object passed as 1st 
> > parameter
> >     __write_overflow();
> >     ^~~~~~~~~~~~~~~~~~
> > In function ‘strlcpy’,
> >     inlined from ‘trace_event_raw_event_kyber_latency’ at 
> > ./include/trace/events/kyber.h:14:1:
> > ./include/linux/string.h:310:4: error: call to ‘__write_overflow’ declared 
> > with attribute error: detected write beyond size of object passed as 1st 
> > parameter
> >     __write_overflow();
> >     ^~~~~~~~~~~~~~~~~~
> > make[1]: *** [scripts/Makefile.build:293: block/kyber-iosched.o] Error 1
> > make: *** [Makefile:1063: block] Error 2
> > make: *** Waiting for unfinished jobs....
> >
> > Using 'strlcpy' function is generally not recommended[3][4].
> 
> Due to the macros, this was a little tricky to find, but it looks like
> a cut/paste typo:
> 
> #define DOMAIN_LEN              16
> #define LATENCY_TYPE_LEN        8
> 
>                 strlcpy(__entry->domain, domain, DOMAIN_LEN);
>                 strlcpy(__entry->type, type, DOMAIN_LEN);
> 
> This should use strscpy() regardless, and should use sizeof(dst)
> instead of separate literals. The primary bug is using DOMAIN_LEN for
> __entry->type when it is actually LATENCY_TYPE_LEN bytes.
> 
> Can you build a patch for this? I'm happy to review.
> 
> Thanks for finding this!

Sorry, I forgot to reply to this thread, but Jens queued up a fix for
this already:

http://git.kernel.dk/cgit/linux-block/commit/?h=for-linus&id=18e962ac0781bcb70d433de3b2a325ff792b4288

Reply via email to