CC: [email protected] BCC: [email protected] CC: [email protected] TO: Kees Cook <[email protected]>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git flexcpy/next-20220502 head: 1dbd8181297512b190aca23477043ac635daba4e commit: f72034cf9d13b64d3d457b6da825bde7fe758a27 [6/34] fortify: Add run-time WARN for cross-field memcpy() :::::: branch date: 9 hours ago :::::: commit date: 9 hours ago config: x86_64-randconfig-m001 (https://download.01.org/0day-ci/archive/20220504/[email protected]/config) compiler: gcc-11 (Debian 11.2.0-20) 11.2.0 If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <[email protected]> Reported-by: Dan Carpenter <[email protected]> New smatch warnings: net/ipv4/ip_options.c:154 __ip_options_echo() warn: potential spectre issue 'start' [r] net/ipv4/ip_options.c:616 ip_options_rcv_srr() warn: potential spectre issue 'optptr' [r] Old smatch warnings: net/ipv4/ip_options.c:547 ip_forward_options() warn: potential spectre issue 'optptr' [w] net/ipv4/ip_options.c:556 ip_forward_options() warn: possible spectre second half. 'srrptr' net/ipv4/ip_options.c:556 ip_forward_options() warn: possible spectre second half. 'srrspace' vim +/start +154 net/ipv4/ip_options.c ^1da177e4c3f41 Linus Torvalds 2005-04-16 67 ^1da177e4c3f41 Linus Torvalds 2005-04-16 68 /* ^1da177e4c3f41 Linus Torvalds 2005-04-16 69 * Provided (sopt, skb) points to received options, ^1da177e4c3f41 Linus Torvalds 2005-04-16 70 * build in dopt compiled option set appropriate for answering. ^1da177e4c3f41 Linus Torvalds 2005-04-16 71 * i.e. invert SRR option, copy anothers, ^1da177e4c3f41 Linus Torvalds 2005-04-16 72 * and grab room in RR/TS options. ^1da177e4c3f41 Linus Torvalds 2005-04-16 73 * ^1da177e4c3f41 Linus Torvalds 2005-04-16 74 * NOTE: dopt cannot point to skb. 
^1da177e4c3f41 Linus Torvalds 2005-04-16 75 */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 76 91ed1e666a4ea2 Paolo Abeni 2017-08-03 77 int __ip_options_echo(struct net *net, struct ip_options *dopt, 91ed1e666a4ea2 Paolo Abeni 2017-08-03 78 struct sk_buff *skb, const struct ip_options *sopt) ^1da177e4c3f41 Linus Torvalds 2005-04-16 79 { ^1da177e4c3f41 Linus Torvalds 2005-04-16 80 unsigned char *sptr, *dptr; ^1da177e4c3f41 Linus Torvalds 2005-04-16 81 int soffset, doffset; ^1da177e4c3f41 Linus Torvalds 2005-04-16 82 int optlen; ^1da177e4c3f41 Linus Torvalds 2005-04-16 83 ^1da177e4c3f41 Linus Torvalds 2005-04-16 84 memset(dopt, 0, sizeof(struct ip_options)); ^1da177e4c3f41 Linus Torvalds 2005-04-16 85 f6d8bd051c391c Eric Dumazet 2011-04-21 86 if (sopt->optlen == 0) ^1da177e4c3f41 Linus Torvalds 2005-04-16 87 return 0; ^1da177e4c3f41 Linus Torvalds 2005-04-16 88 d56f90a7c96da5 Arnaldo Carvalho de Melo 2007-04-10 89 sptr = skb_network_header(skb); ^1da177e4c3f41 Linus Torvalds 2005-04-16 90 dptr = dopt->__data; ^1da177e4c3f41 Linus Torvalds 2005-04-16 91 ^1da177e4c3f41 Linus Torvalds 2005-04-16 92 if (sopt->rr) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 93 optlen = sptr[sopt->rr+1]; ^1da177e4c3f41 Linus Torvalds 2005-04-16 94 soffset = sptr[sopt->rr+2]; ^1da177e4c3f41 Linus Torvalds 2005-04-16 95 dopt->rr = dopt->optlen + sizeof(struct iphdr); ^1da177e4c3f41 Linus Torvalds 2005-04-16 96 memcpy(dptr, sptr+sopt->rr, optlen); ^1da177e4c3f41 Linus Torvalds 2005-04-16 97 if (sopt->rr_needaddr && soffset <= optlen) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 98 if (soffset + 3 > optlen) ^1da177e4c3f41 Linus Torvalds 2005-04-16 99 return -EINVAL; ^1da177e4c3f41 Linus Torvalds 2005-04-16 100 dptr[2] = soffset + 4; ^1da177e4c3f41 Linus Torvalds 2005-04-16 101 dopt->rr_needaddr = 1; ^1da177e4c3f41 Linus Torvalds 2005-04-16 102 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 103 dptr += optlen; ^1da177e4c3f41 Linus Torvalds 2005-04-16 104 dopt->optlen += optlen; ^1da177e4c3f41 Linus 
Torvalds 2005-04-16 105 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 106 if (sopt->ts) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 107 optlen = sptr[sopt->ts+1]; ^1da177e4c3f41 Linus Torvalds 2005-04-16 108 soffset = sptr[sopt->ts+2]; ^1da177e4c3f41 Linus Torvalds 2005-04-16 109 dopt->ts = dopt->optlen + sizeof(struct iphdr); ^1da177e4c3f41 Linus Torvalds 2005-04-16 110 memcpy(dptr, sptr+sopt->ts, optlen); ^1da177e4c3f41 Linus Torvalds 2005-04-16 111 if (soffset <= optlen) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 112 if (sopt->ts_needaddr) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 113 if (soffset + 3 > optlen) ^1da177e4c3f41 Linus Torvalds 2005-04-16 114 return -EINVAL; ^1da177e4c3f41 Linus Torvalds 2005-04-16 115 dopt->ts_needaddr = 1; ^1da177e4c3f41 Linus Torvalds 2005-04-16 116 soffset += 4; ^1da177e4c3f41 Linus Torvalds 2005-04-16 117 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 118 if (sopt->ts_needtime) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 119 if (soffset + 3 > optlen) ^1da177e4c3f41 Linus Torvalds 2005-04-16 120 return -EINVAL; ^1da177e4c3f41 Linus Torvalds 2005-04-16 121 if ((dptr[3]&0xF) != IPOPT_TS_PRESPEC) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 122 dopt->ts_needtime = 1; ^1da177e4c3f41 Linus Torvalds 2005-04-16 123 soffset += 4; ^1da177e4c3f41 Linus Torvalds 2005-04-16 124 } else { ^1da177e4c3f41 Linus Torvalds 2005-04-16 125 dopt->ts_needtime = 0; ^1da177e4c3f41 Linus Torvalds 2005-04-16 126 8628bd8af7c4c1 Jan Luebbe 2011-03-24 127 if (soffset + 7 <= optlen) { fd683222097480 Al Viro 2006-09-26 128 __be32 addr; ^1da177e4c3f41 Linus Torvalds 2005-04-16 129 8628bd8af7c4c1 Jan Luebbe 2011-03-24 130 memcpy(&addr, dptr+soffset-1, 4); 91ed1e666a4ea2 Paolo Abeni 2017-08-03 131 if (inet_addr_type(net, addr) != RTN_UNICAST) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 132 dopt->ts_needtime = 1; ^1da177e4c3f41 Linus Torvalds 2005-04-16 133 soffset += 8; ^1da177e4c3f41 Linus Torvalds 2005-04-16 134 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 135 } 
^1da177e4c3f41 Linus Torvalds 2005-04-16 136 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 137 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 138 dptr[2] = soffset; ^1da177e4c3f41 Linus Torvalds 2005-04-16 139 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 140 dptr += optlen; ^1da177e4c3f41 Linus Torvalds 2005-04-16 141 dopt->optlen += optlen; ^1da177e4c3f41 Linus Torvalds 2005-04-16 142 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 143 if (sopt->srr) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 144 unsigned char *start = sptr+sopt->srr; 3ca3c68e76686b Al Viro 2006-09-27 145 __be32 faddr; ^1da177e4c3f41 Linus Torvalds 2005-04-16 146 ^1da177e4c3f41 Linus Torvalds 2005-04-16 147 optlen = start[1]; ^1da177e4c3f41 Linus Torvalds 2005-04-16 148 soffset = start[2]; ^1da177e4c3f41 Linus Torvalds 2005-04-16 149 doffset = 0; ^1da177e4c3f41 Linus Torvalds 2005-04-16 150 if (soffset > optlen) ^1da177e4c3f41 Linus Torvalds 2005-04-16 151 soffset = optlen + 1; ^1da177e4c3f41 Linus Torvalds 2005-04-16 152 soffset -= 4; ^1da177e4c3f41 Linus Torvalds 2005-04-16 153 if (soffset > 3) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 @154 memcpy(&faddr, &start[soffset-1], 4); ^1da177e4c3f41 Linus Torvalds 2005-04-16 155 for (soffset -= 4, doffset = 4; soffset > 3; soffset -= 4, doffset += 4) ^1da177e4c3f41 Linus Torvalds 2005-04-16 156 memcpy(&dptr[doffset-1], &start[soffset-1], 4); ^1da177e4c3f41 Linus Torvalds 2005-04-16 157 /* ^1da177e4c3f41 Linus Torvalds 2005-04-16 158 * RFC1812 requires to fix illegal source routes. 
^1da177e4c3f41 Linus Torvalds 2005-04-16 159 */ eddc9ec53be2ec Arnaldo Carvalho de Melo 2007-04-20 160 if (memcmp(&ip_hdr(skb)->saddr, eddc9ec53be2ec Arnaldo Carvalho de Melo 2007-04-20 161 &start[soffset + 3], 4) == 0) ^1da177e4c3f41 Linus Torvalds 2005-04-16 162 doffset -= 4; ^1da177e4c3f41 Linus Torvalds 2005-04-16 163 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 164 if (doffset > 3) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 165 dopt->faddr = faddr; ^1da177e4c3f41 Linus Torvalds 2005-04-16 166 dptr[0] = start[0]; ^1da177e4c3f41 Linus Torvalds 2005-04-16 167 dptr[1] = doffset+3; ^1da177e4c3f41 Linus Torvalds 2005-04-16 168 dptr[2] = 4; ^1da177e4c3f41 Linus Torvalds 2005-04-16 169 dptr += doffset+3; ^1da177e4c3f41 Linus Torvalds 2005-04-16 170 dopt->srr = dopt->optlen + sizeof(struct iphdr); ^1da177e4c3f41 Linus Torvalds 2005-04-16 171 dopt->optlen += doffset+3; ^1da177e4c3f41 Linus Torvalds 2005-04-16 172 dopt->is_strictroute = sopt->is_strictroute; ^1da177e4c3f41 Linus Torvalds 2005-04-16 173 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 174 } 11a03f78fbf15a Paul Moore 2006-08-03 175 if (sopt->cipso) { 11a03f78fbf15a Paul Moore 2006-08-03 176 optlen = sptr[sopt->cipso+1]; 11a03f78fbf15a Paul Moore 2006-08-03 177 dopt->cipso = dopt->optlen+sizeof(struct iphdr); 11a03f78fbf15a Paul Moore 2006-08-03 178 memcpy(dptr, sptr+sopt->cipso, optlen); 11a03f78fbf15a Paul Moore 2006-08-03 179 dptr += optlen; 11a03f78fbf15a Paul Moore 2006-08-03 180 dopt->optlen += optlen; 11a03f78fbf15a Paul Moore 2006-08-03 181 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 182 while (dopt->optlen & 3) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 183 *dptr++ = IPOPT_END; ^1da177e4c3f41 Linus Torvalds 2005-04-16 184 dopt->optlen++; ^1da177e4c3f41 Linus Torvalds 2005-04-16 185 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 186 return 0; ^1da177e4c3f41 Linus Torvalds 2005-04-16 187 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 188 :::::: The code at line 154 was first introduced by commit :::::: 
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Linux-2.6.12-rc2 :::::: TO: Linus Torvalds <[email protected]> :::::: CC: Linus Torvalds <[email protected]> -- 0-DAY CI Kernel Test Service https://01.org/lkp
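Review bot: The copies at listing lines 96, 110 and 178 (`memcpy(dptr, sptr+sopt->rr, optlen)` and its `ts` and `cipso` counterparts) take `optlen` from a byte re-read out of the packet and never compare it with the space behind `dopt->__data`, and the SRR loop at lines 155-156 writes through `dptr[doffset-1]` on the same footing. The function is therefore only safe if `sopt` was produced by parsing this same `skb` and the caller's `dopt` has room for a full option area. Both presumably hold for the in-tree callers, which are not visible in this listing, but the header comment records only that `dopt` cannot point to `skb`. I would add that contract to the comment, for example `* Caller must pass sopt as parsed from this skb and a dopt whose __data can hold the maximum option length; lengths are re-read from the packet and are not re-checked here.`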
