CC: [email protected] CC: [email protected] TO: Kees Cook <[email protected]>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git kspp/memcpy/next-20210726/v1 head: 831e05d47f76f6e7452fedbcb471dd405242bfaf commit: 831e05d47f76f6e7452fedbcb471dd405242bfaf [64/64] fortify: Add run-time WARN for cross-field memcpy() :::::: branch date: 11 days ago :::::: commit date: 11 days ago config: x86_64-randconfig-m001-20210804 (attached as .config) compiler: gcc-9 (Debian 9.3.0-22) 9.3.0 If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <[email protected]> Reported-by: Dan Carpenter <[email protected]> smatch warnings: net/can/j1939/transport.c:1838 j1939_xtp_rx_dat_one() warn: potential spectre issue 'tpdat' [r] vim +/tpdat +1838 net/can/j1939/transport.c 9d71dd0c700999 The j1939 authors 2018-10-08 1770 9d71dd0c700999 The j1939 authors 2018-10-08 1771 static void j1939_xtp_rx_dat_one(struct j1939_session *session, 9d71dd0c700999 The j1939 authors 2018-10-08 1772 struct sk_buff *skb) 9d71dd0c700999 The j1939 authors 2018-10-08 1773 { 9d71dd0c700999 The j1939 authors 2018-10-08 1774 struct j1939_priv *priv = session->priv; 9d71dd0c700999 The j1939 authors 2018-10-08 1775 struct j1939_sk_buff_cb *skcb; 2030043e616cab Oleksij Rempel 2021-05-21 1776 struct sk_buff *se_skb = NULL; 9d71dd0c700999 The j1939 authors 2018-10-08 1777 const u8 *dat; 9d71dd0c700999 The j1939 authors 2018-10-08 1778 u8 *tpdat; 9d71dd0c700999 The j1939 authors 2018-10-08 1779 int offset; 9d71dd0c700999 The j1939 authors 2018-10-08 1780 int nbytes; 9d71dd0c700999 The j1939 authors 2018-10-08 1781 bool final = false; 0ae18a82686f9b Zhang Changzhong 2020-08-05 1782 bool remain = false; 9d71dd0c700999 The j1939 authors 2018-10-08 1783 bool do_cts_eoma = false; 9d71dd0c700999 The j1939 authors 2018-10-08 1784 int packet; 9d71dd0c700999 The j1939 authors 2018-10-08 1785 9d71dd0c700999 The j1939 authors 2018-10-08 1786 skcb = j1939_skb_to_cb(skb); 9d71dd0c700999 The j1939 authors 2018-10-08 1787 dat = skb->data; 9d71dd0c700999 The 
j1939 authors 2018-10-08 1788 if (skb->len <= 1) 9d71dd0c700999 The j1939 authors 2018-10-08 1789 /* makes no sense */ 9d71dd0c700999 The j1939 authors 2018-10-08 1790 goto out_session_cancel; 9d71dd0c700999 The j1939 authors 2018-10-08 1791 9d71dd0c700999 The j1939 authors 2018-10-08 1792 switch (session->last_cmd) { 9d71dd0c700999 The j1939 authors 2018-10-08 1793 case 0xff: 9d71dd0c700999 The j1939 authors 2018-10-08 1794 break; 9d71dd0c700999 The j1939 authors 2018-10-08 1795 case J1939_ETP_CMD_DPO: 9d71dd0c700999 The j1939 authors 2018-10-08 1796 if (skcb->addr.type == J1939_ETP) 9d71dd0c700999 The j1939 authors 2018-10-08 1797 break; df561f6688fef7 Gustavo A. R. Silva 2020-08-23 1798 fallthrough; df561f6688fef7 Gustavo A. R. Silva 2020-08-23 1799 case J1939_TP_CMD_BAM: 9d71dd0c700999 The j1939 authors 2018-10-08 1800 case J1939_TP_CMD_CTS: /* fall through */ 9d71dd0c700999 The j1939 authors 2018-10-08 1801 if (skcb->addr.type != J1939_ETP) 9d71dd0c700999 The j1939 authors 2018-10-08 1802 break; df561f6688fef7 Gustavo A. R. 
Silva 2020-08-23 1803 fallthrough; 9d71dd0c700999 The j1939 authors 2018-10-08 1804 default: 9d71dd0c700999 The j1939 authors 2018-10-08 1805 netdev_info(priv->ndev, "%s: 0x%p: last %02x\n", __func__, 9d71dd0c700999 The j1939 authors 2018-10-08 1806 session, session->last_cmd); 9d71dd0c700999 The j1939 authors 2018-10-08 1807 goto out_session_cancel; 9d71dd0c700999 The j1939 authors 2018-10-08 1808 } 9d71dd0c700999 The j1939 authors 2018-10-08 1809 9d71dd0c700999 The j1939 authors 2018-10-08 1810 packet = (dat[0] - 1 + session->pkt.dpo); 9d71dd0c700999 The j1939 authors 2018-10-08 1811 if (packet > session->pkt.total || 9d71dd0c700999 The j1939 authors 2018-10-08 1812 (session->pkt.rx + 1) > session->pkt.total) { 9d71dd0c700999 The j1939 authors 2018-10-08 1813 netdev_info(priv->ndev, "%s: 0x%p: should have been completed\n", 9d71dd0c700999 The j1939 authors 2018-10-08 1814 __func__, session); 9d71dd0c700999 The j1939 authors 2018-10-08 1815 goto out_session_cancel; 9d71dd0c700999 The j1939 authors 2018-10-08 1816 } 840835c9281215 Oleksij Rempel 2020-08-07 1817 2030043e616cab Oleksij Rempel 2021-05-21 1818 se_skb = j1939_session_skb_get_by_offset(session, packet * 7); 9d71dd0c700999 The j1939 authors 2018-10-08 1819 if (!se_skb) { 9d71dd0c700999 The j1939 authors 2018-10-08 1820 netdev_warn(priv->ndev, "%s: 0x%p: no skb found\n", __func__, 9d71dd0c700999 The j1939 authors 2018-10-08 1821 session); 9d71dd0c700999 The j1939 authors 2018-10-08 1822 goto out_session_cancel; 9d71dd0c700999 The j1939 authors 2018-10-08 1823 } 9d71dd0c700999 The j1939 authors 2018-10-08 1824 9d71dd0c700999 The j1939 authors 2018-10-08 1825 skcb = j1939_skb_to_cb(se_skb); 9d71dd0c700999 The j1939 authors 2018-10-08 1826 offset = packet * 7 - skcb->offset; 9d71dd0c700999 The j1939 authors 2018-10-08 1827 nbytes = se_skb->len - offset; 9d71dd0c700999 The j1939 authors 2018-10-08 1828 if (nbytes > 7) 9d71dd0c700999 The j1939 authors 2018-10-08 1829 nbytes = 7; 9d71dd0c700999 The j1939 authors 
2018-10-08 1830 if (nbytes <= 0 || (nbytes + 1) > skb->len) { 9d71dd0c700999 The j1939 authors 2018-10-08 1831 netdev_info(priv->ndev, "%s: 0x%p: nbytes %i, len %i\n", 9d71dd0c700999 The j1939 authors 2018-10-08 1832 __func__, session, nbytes, skb->len); 9d71dd0c700999 The j1939 authors 2018-10-08 1833 goto out_session_cancel; 9d71dd0c700999 The j1939 authors 2018-10-08 1834 } 9d71dd0c700999 The j1939 authors 2018-10-08 1835 9d71dd0c700999 The j1939 authors 2018-10-08 1836 tpdat = se_skb->data; e052d0540298bf Oleksij Rempel 2020-08-07 1837 if (!session->transmission) { 9d71dd0c700999 The j1939 authors 2018-10-08 @1838 memcpy(&tpdat[offset], &dat[1], nbytes); e052d0540298bf Oleksij Rempel 2020-08-07 1839 } else { e052d0540298bf Oleksij Rempel 2020-08-07 1840 int err; e052d0540298bf Oleksij Rempel 2020-08-07 1841 e052d0540298bf Oleksij Rempel 2020-08-07 1842 err = memcmp(&tpdat[offset], &dat[1], nbytes); e052d0540298bf Oleksij Rempel 2020-08-07 1843 if (err) e052d0540298bf Oleksij Rempel 2020-08-07 1844 netdev_err_once(priv->ndev, e052d0540298bf Oleksij Rempel 2020-08-07 1845 "%s: 0x%p: Data of RX-looped back packet (%*ph) doesn't match TX data (%*ph)!\n", e052d0540298bf Oleksij Rempel 2020-08-07 1846 __func__, session, e052d0540298bf Oleksij Rempel 2020-08-07 1847 nbytes, &dat[1], e052d0540298bf Oleksij Rempel 2020-08-07 1848 nbytes, &tpdat[offset]); e052d0540298bf Oleksij Rempel 2020-08-07 1849 } e052d0540298bf Oleksij Rempel 2020-08-07 1850 9d71dd0c700999 The j1939 authors 2018-10-08 1851 if (packet == session->pkt.rx) 9d71dd0c700999 The j1939 authors 2018-10-08 1852 session->pkt.rx++; 9d71dd0c700999 The j1939 authors 2018-10-08 1853 9d71dd0c700999 The j1939 authors 2018-10-08 1854 if (skcb->addr.type != J1939_ETP && 9d71dd0c700999 The j1939 authors 2018-10-08 1855 j1939_cb_is_broadcast(&session->skcb)) { 9d71dd0c700999 The j1939 authors 2018-10-08 1856 if (session->pkt.rx >= session->pkt.total) 9d71dd0c700999 The j1939 authors 2018-10-08 1857 final = true; 
0ae18a82686f9b Zhang Changzhong 2020-08-05 1858 else 0ae18a82686f9b Zhang Changzhong 2020-08-05 1859 remain = true; 9d71dd0c700999 The j1939 authors 2018-10-08 1860 } else { 9d71dd0c700999 The j1939 authors 2018-10-08 1861 /* never final, an EOMA must follow */ 9d71dd0c700999 The j1939 authors 2018-10-08 1862 if (session->pkt.rx >= session->pkt.last) 9d71dd0c700999 The j1939 authors 2018-10-08 1863 do_cts_eoma = true; 9d71dd0c700999 The j1939 authors 2018-10-08 1864 } 9d71dd0c700999 The j1939 authors 2018-10-08 1865 9d71dd0c700999 The j1939 authors 2018-10-08 1866 if (final) { e8b17653088f28 Zhang Changzhong 2020-08-05 1867 j1939_session_timers_cancel(session); 9d71dd0c700999 The j1939 authors 2018-10-08 1868 j1939_session_completed(session); 0ae18a82686f9b Zhang Changzhong 2020-08-05 1869 } else if (remain) { 0ae18a82686f9b Zhang Changzhong 2020-08-05 1870 if (!session->transmission) 0ae18a82686f9b Zhang Changzhong 2020-08-05 1871 j1939_tp_set_rxtimeout(session, 750); 9d71dd0c700999 The j1939 authors 2018-10-08 1872 } else if (do_cts_eoma) { 9d71dd0c700999 The j1939 authors 2018-10-08 1873 j1939_tp_set_rxtimeout(session, 1250); 9d71dd0c700999 The j1939 authors 2018-10-08 1874 if (!session->transmission) 9d71dd0c700999 The j1939 authors 2018-10-08 1875 j1939_tp_schedule_txtimer(session, 0); 9d71dd0c700999 The j1939 authors 2018-10-08 1876 } else { c6eea1c8bda567 Zhang Changzhong 2021-07-06 1877 j1939_tp_set_rxtimeout(session, 750); 9d71dd0c700999 The j1939 authors 2018-10-08 1878 } 9d71dd0c700999 The j1939 authors 2018-10-08 1879 session->last_cmd = 0xff; 2030043e616cab Oleksij Rempel 2021-05-21 1880 consume_skb(se_skb); 9d71dd0c700999 The j1939 authors 2018-10-08 1881 j1939_session_put(session); 9d71dd0c700999 The j1939 authors 2018-10-08 1882 9d71dd0c700999 The j1939 authors 2018-10-08 1883 return; 9d71dd0c700999 The j1939 authors 2018-10-08 1884 9d71dd0c700999 The j1939 authors 2018-10-08 1885 out_session_cancel: 2030043e616cab Oleksij Rempel 2021-05-21 1886 
kfree_skb(se_skb); 9d71dd0c700999 The j1939 authors 2018-10-08 1887 j1939_session_timers_cancel(session); 9d71dd0c700999 The j1939 authors 2018-10-08 1888 j1939_session_cancel(session, J1939_XTP_ABORT_FAULT); 9d71dd0c700999 The j1939 authors 2018-10-08 1889 j1939_session_put(session); 9d71dd0c700999 The j1939 authors 2018-10-08 1890 } 9d71dd0c700999 The j1939 authors 2018-10-08 1891 :::::: The code at line 1838 was first introduced by commit :::::: 9d71dd0c70099914fcd063135da3c580865e924c can: add support of SAE J1939 protocol :::::: TO: The j1939 authors <[email protected]> :::::: CC: Marc Kleine-Budde <[email protected]> --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/[email protected]
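Review bot: At line 1838 `offset` indexes `tpdat`, and it is computed from `dat[0]`, the first byte of the received frame (`packet = dat[0] - 1 + session->pkt.dpo`, then `offset = packet * 7 - skcb->offset`), with only conditional branches (the `packet > session->pkt.total` and `nbytes` tests) limiting it, which is the pattern smatch reports as a potential Spectre v1 bounds-check bypass. If the maintainers judge the warning real, the usual hardening is to clamp the index after the `nbytes` check, e.g. `offset = array_index_nospec(offset, se_skb->len);` with `#include <linux/nospec.h>`. The flagged access is a memcpy() destination while the warning is tagged `[r]`, so it may instead be a side effect of how the fortify commit under test wraps memcpy(); that cannot be settled from this listing. Separately, no explicit `offset < 0` test is visible: a negative offset would leave `nbytes` above 7 and get clamped to 7, so the code presumably relies on j1939_session_skb_get_by_offset() returning only an skb that covers `packet * 7`, and a one-line comment stating that at line 1826 would help the next reader.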
