When compiling with LTO (Link Time Optimization) enabled, GCC's
interprocedural analysis produces false positive warnings about
potential buffer overflow in mlx5dr_action_prepare_decap_l3_data():

  In function 'mlx5dr_action_prepare_decap_l3_data',
      inlined from 'mlx5dr_action_handle_tunnel_l3_to_l2',
      inlined from 'mlx5dr_action_create_reformat_hws':
  warning: writing 4 bytes into a region of size 0 [-Wstringop-overflow=]
    memcpy(dst, e_src, MLX5DR_ACTION_INLINE_DATA_SIZE);
  note: at offset [140, 524248] into destination object 'mh_data' of size 64

With LTO, the function chain is fully inlined, giving GCC visibility
into the 64-byte stack buffer 'mh_data'. However, GCC's static analysis
cannot determine that num_of_actions is constrained to either
DECAP_L3_NUM_ACTIONS_W_NO_VLAN (6) or DECAP_L3_NUM_ACTIONS_W_VLAN (7)
by the callers. It assumes worst-case bounds that greatly exceed the
buffer size.

Fix this by adding an explicit bounds check at function entry. The
valid values for num_of_actions are 6 (no VLAN) or 7 (with VLAN),
which produce maximum buffer usage well under 64 bytes:
  - offset 12 + (num_of_actions-3) * 8 + 2 = max 46 bytes for 7 actions

This provides GCC with the proof it needs that subsequent memcpy
operations are safe.

This is not a data path function - it executes only during flow rule
creation, so the additional check has no performance impact.

Signed-off-by: Stephen Hemminger <[email protected]>
---
 drivers/net/mlx5/hws/mlx5dr_action.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/net/mlx5/hws/mlx5dr_action.c 
b/drivers/net/mlx5/hws/mlx5dr_action.c
index b35bf07c3c..3b12506577 100644
--- a/drivers/net/mlx5/hws/mlx5dr_action.c
+++ b/drivers/net/mlx5/hws/mlx5dr_action.c
@@ -3620,6 +3620,20 @@ mlx5dr_action_prepare_decap_l3_data(uint8_t *src, 
uint8_t *dst,
        uint8_t *e_src;
        int i;
 
+       /*
+        * Bounds check to help GCC LTO static analysis.
+        *
+        * When LTO inlines this into mlx5dr_action_handle_tunnel_l3_to_l2(),
+        * GCC sees the 64-byte mh_data buffer but cannot prove num_of_actions
+        * is bounded, causing false -Wstringop-overflow warnings.
+        *
+        * Valid num_of_actions values are DECAP_L3_NUM_ACTIONS_W_NO_VLAN (6)
+        * or DECAP_L3_NUM_ACTIONS_W_VLAN (7). This check gives GCC the proof
+        * it needs that the loop iterations stay within buffer bounds.
+        */
+       if (unlikely(num_of_actions > DECAP_L3_NUM_ACTIONS_W_VLAN))
+               return;
+
        /* num_of_actions = remove l3l2 + 4/5 inserts + remove extra 2 bytes
         * copy from end of src to the start of dst.
         * move to the end, 2 is the leftover from 14B or 18B
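Review bot: The new early `return` at the top of the hunk silently drops the request when `num_of_actions` exceeds `DECAP_L3_NUM_ACTIONS_W_VLAN`; since the function returns void, a caller that passed an out-of-range count would get back an unprepared `dst` with no error and no log line, which masks a real bug behind a check whose stated purpose is only to satisfy `-Wstringop-overflow`. Consider making the impossible case loud, e.g. an `RTE_ASSERT`/`assert` next to the `return`, or a `DR_LOG(ERR, ...)` before it, so that a future caller change is caught rather than hidden. Separately, the commit message says the only valid values are 6 and 7 and that the offset arithmetic uses `(num_of_actions-3)`; the check only rejects values above 7, so if the loop count is derived by subtraction a lower bound (`< DECAP_L3_NUM_ACTIONS_W_NO_VLAN`) would express the invariant the comment describes, rather than half of it.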
-- 
2.51.0