Re: [PATCH] jfs: Fix fortify moan in symlink

From: Dr. David Alan Gilbert
Date: Sat Oct 29 2022 - 08:48:19 EST


* Kees Cook (keescook@xxxxxxxxxxxx) wrote:
> On Mon, Oct 24, 2022 at 07:49:17PM +0100, Dr. David Alan Gilbert wrote:
> > * Kees Cook (keescook@xxxxxxxxxxxx) wrote:
> > > On Sat, Oct 22, 2022 at 09:39:14PM +0100, linux@xxxxxxxxxxx wrote:
> > > > From: "Dr. David Alan Gilbert" <linux@xxxxxxxxxxx>
> > > >
> > > > JFS has in jfs_incore.h:
> > > >
> > > > /* _inline may overflow into _inline_ea when needed */
> > > > /* _inline_ea may overlay the last part of
> > > > * file._xtroot if maxentry = XTROOTINITSLOT
> > > > */
> > > > union {
> > > > struct {
> > > > /* 128: inline symlink */
> > > > unchar _inline[128];
> > > > /* 128: inline extended attr */
> > > > unchar _inline_ea[128];
> > > > };
> > > > unchar _inline_all[256];
> > > >
> > > > and currently the symlink code copies into _inline;
> > > > if this is larger than 128 bytes it triggers a fortify warning of the
> > > > form:
> > > >
> > > > memcpy: detected field-spanning write (size 132) of single field
> > > > "ip->i_link" at fs/jfs/namei.c:950 (size 18446744073709551615)
> > >
> > > Which compiler are you using for this build?
> >
> > I think that report was the same on gcc on Fedora 37 and whatever
> > syzkaller was running.
> >
> > > This size report (SIZE_MAX)
> > > should be impossible to reach. But also, the size is just wrong --
> > > i_inline is 128 bytes, not SIZE_MAX. So, the detection is working
> > > (132 > 128), but the report is broken, and I can't see how...
> >
> > Yeh, and led me down a blind alley for a while thinking something had
> > really managed to screwup the strlen somehow.
>
> This looks like a GCC bug (going at least back to GCC 10.2)[1], but some
> extra care around the macro appears to make it go away, so the reporting
> variable doesn't get confused/re-evaluated:

Thanks for chasing that; are you also going to file a gcc bug?

Dave

> diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
> index 09a032f6ce6b..9e2d96993c30 100644
> --- a/include/linux/fortify-string.h
> +++ b/include/linux/fortify-string.h
> @@ -550,13 +550,18 @@ __FORTIFY_INLINE bool fortify_memcpy_chk(__kernel_size_t size,
>
> #define __fortify_memcpy_chk(p, q, size, p_size, q_size, \
> p_size_field, q_size_field, op) ({ \
> - size_t __fortify_size = (size_t)(size); \
> - WARN_ONCE(fortify_memcpy_chk(__fortify_size, p_size, q_size, \
> - p_size_field, q_size_field, #op), \
> + const size_t __fortify_size = (size_t)(size); \
> + const size_t __p_size = (p_size); \
> + const size_t __q_size = (q_size); \
> + const size_t __p_size_field = (p_size_field); \
> + const size_t __q_size_field = (q_size_field); \
> + WARN_ONCE(fortify_memcpy_chk(__fortify_size, __p_size, \
> + __q_size, __p_size_field, \
> + __q_size_field, #op), \
> #op ": detected field-spanning write (size %zu) of single %s (size %zu)\n", \
> __fortify_size, \
> "field \"" #p "\" at " __FILE__ ":" __stringify(__LINE__), \
> - p_size_field); \
> + __p_size_field); \
> __underlying_##op(p, q, __fortify_size); \
> })
>
>
>
> [1] https://syzkaller.appspot.com/bug?id=23d613df5259b977dac1696bec77f61a85890e3d
>
> --
> Kees Cook
--
-----Open up your eyes, open up your mind, open up your code -------
/ Dr. David Alan Gilbert | Running GNU/Linux | Happy \
\ dave @ treblig.org | | In Hex /
\ _________________________|_____ http://www.treblig.org |_______/