::::::
:::::: Manual check reason: "low confidence bisect report"
:::::: Manual check reason: "low confidence static check first_new_problem: arch/arm/include/asm/uaccess.h:574:9: warning: use of NULL 'to' where non-null expected [CWE-476] [-Wanalyzer-null-argument]"
::::::
CC: [email protected]
BCC: [email protected]
CC: [email protected]
TO: "Michał Kępień" <[email protected]>
CC: Miquel Raynal <[email protected]>

tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: b13baccc3850ca8b8cccbf8ed9912dbaa0fdf7f3
commit: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 mtdchar: prevent unbounded allocation in MEMWRITE ioctl
date: 6 months ago
:::::: branch date: 2 days ago
:::::: commit date: 6 months ago
config: arm-randconfig-c002-20220611 (https://download.01.org/0day-ci/archive/20220614/[email protected]/config)
compiler: arm-linux-gnueabi-gcc (GCC) 11.3.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6420ac0af95dbcb2fd8452e2d551ab50e1bbad83
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83
# save the config file
ARCH=arm KBUILD_USERCFLAGS='-fanalyzer -Wno-error'

If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <[email protected]>

gcc-analyzer warnings: (new ones prefixed by >>)
In file included from include/linux/uaccess.h:11,
from include/linux/sched/task.h:11,
from include/linux/sched/signal.h:9,
from include/linux/rcuwait.h:6,
from include/linux/percpu-rwsem.h:7,
from include/linux/fs.h:33,
from drivers/mtd/mtdchar.c:7:
include/linux/mtd/mtd.h: In function '_copy_from_user':
>> arch/arm/include/asm/uaccess.h:574:9: warning: use of NULL 'to' where
>> non-null expected [CWE-476] [-Wanalyzer-null-argument]
574 | memcpy(to, (const void __force *)from, n);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'mtdchar_unlocked_ioctl': events 1-2 | |drivers/mtd/mtdchar.c:1089:13: | 1089 | static long mtdchar_unlocked_ioctl(struct file *file, u_int cmd, u_long arg) | |
^~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to 'mtdchar_unlocked_ioctl' |...... | 1097 | ret = mtdchar_ioctl(file, cmd, arg); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling 'mtdchar_ioctl' from 'mtdchar_unlocked_ioctl' | +--> 'mtdchar_ioctl': events 3-8 | | 688 | static int mtdchar_ioctl(struct file *file, u_int cmd, u_long arg) | | ^~~~~~~~~~~~~ | | | | | (3) entry to 'mtdchar_ioctl' |...... | 734 | if (!(file->f_mode & FMODE_WRITE)) | | ~ | | | | | (4) following 'false' branch... |...... | 742 | switch (cmd) { | | ~~~~~~ | | | | | (5) ...to here | | (6) following 'case 4713:' branch... |...... | 877 | case MEMWRITE: | | ~~~~ | | | | | (7) ...to here | 878 | { | 879 | ret = mtdchar_write_ioctl(mtd, | | ~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (8) calling 'mtdchar_write_ioctl' from 'mtdchar_ioctl' | 880 | (struct mtd_write_req __user *)arg); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | +--> 'mtdchar_write_ioctl': events 9-14 | | 593 | static int mtdchar_write_ioctl(struct mtd_info *mtd, | | ^~~~~~~~~~~~~~~~~~~ | | | | | (9) entry to 'mtdchar_write_ioctl' |...... | 603 | if (copy_from_user(&req, argp, sizeof(req))) | | ~ | | | | | (10) following 'false' branch (when 'n == 0')... |...... | 606 | usr_data = (const void __user *)(uintptr_t)req.usr_data; | | ~~~~~~~~~~~~ | | | | | (11) ...to here |...... | 609 | if (!master->_write_oob) | | ~ | | | | | (12) following 'false' branch... |...... | 612 | if (!usr_data) | | ~ | | | | | (13) ...to here |...... | 618 | if (req.start + req.len > mtd->size) | | ~ | | | | | (14) following 'false' branch... 
| 'mtdchar_write_ioctl': event 15 | |include/linux/compiler-gcc.h:42:45: | 42 | #define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) | | ^~~~~~~~~~~~ | | | | | (15) ...to here include/linux/minmax.h:31:27: note: in definition of macro '__cmp_once' | 31 | typeof(x) unique_x = (x); \ | | ^~~~~~~~ include/linux/compiler_types.h:60:22: note: in expansion of macro '___PASTE' | 60 | #define __PASTE(a,b) ___PASTE(a,b) | | ^~~~~~~~ include/linux/compiler-gcc.h:42:29: note: in expansion of macro '__PASTE' | 42 | #define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) | | ^~~~~~~ include/linux/compiler_types.h:60:22: note: in expansion of macro '___PASTE' | 60 | #define __PASTE(a,b) ___PASTE(a,b) | | ^~~~~~~~ include/linux/compiler-gcc.h:42:37: note: in expansion of macro '__PASTE' | 42 | #define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) | | ^~~~~~~ include/linux/minmax.h:38:34: note: in expansion of macro '__UNIQUE_ID' vim +/to +574 arch/arm/include/asm/uaccess.h 3fba7e23f754a9 arch/arm/include/asm/uaccess.h Russell King 2015-08-19 569 9641c7cc5a7f6d include/asm-arm/uaccess.h Russell King 2006-06-21 570 #else 4de5b63e76b2e6 arch/arm/include/asm/uaccess.h Al Viro 2017-03-21 571 static inline unsigned long 4de5b63e76b2e6 arch/arm/include/asm/uaccess.h Al Viro 2017-03-21 572 raw_copy_from_user(void *to, const void __user *from, unsigned long n) 32b143637e8180 arch/arm/include/asm/uaccess.h Kees Cook 2017-02-16 573 { 4de5b63e76b2e6 arch/arm/include/asm/uaccess.h Al Viro 2017-03-21 @574 memcpy(to, (const void __force *)from, n); 4de5b63e76b2e6 arch/arm/include/asm/uaccess.h Al Viro 2017-03-21 575 return 0; 32b143637e8180 arch/arm/include/asm/uaccess.h Kees Cook 2017-02-16 576 } 4de5b63e76b2e6 arch/arm/include/asm/uaccess.h Al Viro 2017-03-21 577 static inline unsigned long 4de5b63e76b2e6 arch/arm/include/asm/uaccess.h Al Viro 2017-03-21 578 raw_copy_to_user(void __user *to, const void *from, 
unsigned long n)
32b143637e8180 arch/arm/include/asm/uaccess.h Kees Cook 2017-02-16 579 {
4de5b63e76b2e6 arch/arm/include/asm/uaccess.h Al Viro 2017-03-21 580 memcpy((void __force *)to, from, n);
4de5b63e76b2e6 arch/arm/include/asm/uaccess.h Al Viro 2017-03-21 581 return 0;
^1da177e4c3f41 include/asm-arm/uaccess.h Linus Torvalds 2005-04-16 582 }
4de5b63e76b2e6 arch/arm/include/asm/uaccess.h Al Viro 2017-03-21 583 #define __clear_user(addr, n) (memset((void __force *)addr, 0, n), 0)
4de5b63e76b2e6 arch/arm/include/asm/uaccess.h Al Viro 2017-03-21 584 #endif
4de5b63e76b2e6 arch/arm/include/asm/uaccess.h Al Viro 2017-03-21 585 #define INLINE_COPY_TO_USER
4de5b63e76b2e6 arch/arm/include/asm/uaccess.h Al Viro 2017-03-21 586 #define INLINE_COPY_FROM_USER
^1da177e4c3f41 include/asm-arm/uaccess.h Linus Torvalds 2005-04-16 587

:::::: The code at line 574 was first introduced by commit
:::::: 4de5b63e76b2e672478e49622dabe2666b7f727f arm: switch to RAW_COPY_USER

:::::: TO: Al Viro <[email protected]>
:::::: CC: Al Viro <[email protected]>

--
0-DAY CI Kernel Test Service
https://01.org/lkp
_______________________________________________
kbuild mailing list -- [email protected]
To unsubscribe send an email to [email protected]
