Re: memcpy: detected field-spanning write (size 168) of single field "&device->entry" at drivers/firmware/google/coreboot_table.c:103 (size 8)

From: Guenter Roeck
Date: Thu Dec 29 2022 - 15:28:31 EST


On Thu, Dec 29, 2022 at 6:43 AM Julius Werner <jwerner@xxxxxxxxxxxx> wrote:
>
> I can confirm that this warning is a false positive, at least. We're
> intentionally copying bytes from beyond the end of the header
> structure in this case.
>
> I don't know what kind of kernel system detects this stuff at runtime
> and how to silence it. Probably need to add a void pointer cast or
> something?
>

This is part of kernel hardening code. Kees Cook might know what to do about it.

Guenter

> On Thu, Dec 29, 2022 at 11:46 AM Paul Menzel <pmenzel@xxxxxxxxxxxxx> wrote:
> >
> > Dear Linux folks,
> >
> >
> > Running Linux v6.2-rc1+ on a motherboard using coreboot as firmware, the
> > warning below is shown.
> >
> > ```
> > [ 1.630244] ------------[ cut here ]------------
> > [ 1.630249] memcpy: detected field-spanning write (size 168) of
> > single field "&device->entry" at
> > drivers/firmware/google/coreboot_table.c:103 (size 8)
> > [ 1.630299] WARNING: CPU: 1 PID: 150 at
> > drivers/firmware/google/coreboot_table.c:103
> > coreboot_table_probe+0x1ea/0x210 [coreboot_table]
> > [ 1.630307] Modules linked in: coreboot_table(+) sg binfmt_misc fuse
> > ipv6 autofs4
> > [ 1.630316] CPU: 1 PID: 150 Comm: systemd-udevd Not tainted
> > 6.2.0-rc1-00097-gaebfba447cae #407
> > [ 1.630318] Hardware name: ASUS F2A85-M_PRO/F2A85-M_PRO, BIOS
> > 4.18-4-gb3dd5af9c5 12/28/2022
> > [ 1.630320] RIP: 0010:coreboot_table_probe+0x1ea/0x210 [coreboot_table]
> > [ 1.630326] Code: 08 00 00 00 4c 89 c6 4c 89 04 24 48 c7 c2 50 81 60
> > c0 48 c7 c7 98 81 60 c0 4c 89 4c 24 08 c6 05 ab 1e 00 00 01 e8 e1 ca 47
> > d3 <0f> 0b 4c 8b 4c 24 08 4c 8b 04 24 e9 35 ff ff ff 41 be ea ff ff ff
> > [ 1.630329] RSP: 0018:ffffb409c046fc30 EFLAGS: 00010286
> > [ 1.630332] RAX: 0000000000000000 RBX: ffffb409c0175018 RCX:
> > 0000000000000000
> > [ 1.630334] RDX: 0000000000000001 RSI: ffffffff94222bcd RDI:
> > 00000000ffffffff
> > [ 1.630336] RBP: ffff937a44a06c00 R08: 0000000000000000 R09:
> > 00000000ffffdfff
> > [ 1.630338] R10: ffffb409c046fad8 R11: ffffffff9452a948 R12:
> > 0000000000000000
> > [ 1.630339] R13: ffffb409c0175000 R14: 0000000000000000 R15:
> > ffff937a40beb410
> > [ 1.630341] FS: 0000000000000000(0000) GS:ffff937abb500000(0063)
> > knlGS:00000000f7f43800
> > [ 1.630343] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
> > [ 1.630345] CR2: 00000000f7e3c2cf CR3: 00000001046de000 CR4:
> > 00000000000406e0
> > [ 1.630347] Call Trace:
> > [ 1.630348] <TASK>
> > [ 1.630351] platform_probe+0x3f/0xa0
> > [ 1.630357] really_probe+0xe1/0x390
> > [ 1.630361] ? pm_runtime_barrier+0x50/0x90
> > [ 1.630365] __driver_probe_device+0x78/0x180
> > [ 1.630369] driver_probe_device+0x1e/0x90
> > [ 1.630372] __driver_attach+0xd2/0x1c0
> > [ 1.630375] ? __pfx___driver_attach+0x10/0x10
> > [ 1.630378] bus_for_each_dev+0x78/0xc0
> > [ 1.630382] bus_add_driver+0x1a9/0x200
> > [ 1.630385] driver_register+0x8f/0xf0
> > [ 1.630387] ? __pfx_init_module+0x10/0x10 [coreboot_table]
> > [ 1.630392] coreboot_table_driver_init+0x2d/0xff0 [coreboot_table]
> > [ 1.630397] do_one_initcall+0x44/0x220
> > [ 1.630401] ? kmalloc_trace+0x25/0x90
> > [ 1.630405] do_init_module+0x4c/0x1f0
> > [ 1.630409] __do_sys_finit_module+0xb4/0x130
> > [ 1.630413] __do_fast_syscall_32+0x6f/0xf0
> > [ 1.630418] do_fast_syscall_32+0x2f/0x70
> > [ 1.630421] entry_SYSCALL_compat_after_hwframe+0x71/0x79
> > [ 1.630425] RIP: 0023:0xf7f49549
> > [ 1.630428] Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10
> > 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 cd 0f 05 cd
> > 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
> > [ 1.630430] RSP: 002b:00000000ffa7bbbc EFLAGS: 00200292 ORIG_RAX:
> > 000000000000015e
> > [ 1.630433] RAX: ffffffffffffffda RBX: 0000000000000010 RCX:
> > 00000000f7f28e09
> > [ 1.630434] RDX: 0000000000000000 RSI: 00000000568cb4c0 RDI:
> > 000000005689fc50
> > [ 1.630436] RBP: 0000000000000000 R08: 00000000ffa7bbbc R09:
> > 0000000000000000
> > [ 1.630437] R10: 0000000000000000 R11: 0000000000200292 R12:
> > 0000000000000000
> > [ 1.630439] R13: 0000000000000000 R14: 0000000000000000 R15:
> > 0000000000000000
> > [ 1.630442] </TASK>
> > [ 1.630443] ---[ end trace 0000000000000000 ]---
> > ```
> >
> > Another user reported this with Linux 6.1.1 in the Arch Linux forum [1].
> >
> >
> > Kind regards,
> >
> > Paul
> >
> >
> > [1]: https://bbs.archlinux.org/viewtopic.php?id=282245
> > "6.1.1-arch1-1 - dmesg"
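As an added example (not code from this thread or from the coreboot_table driver), here is a user-space C sketch of the pattern Julius describes, copying a whole variable-size table entry in one memcpy(), written so that the destination's declared size covers the entire entry and the entry's size field is checked against the table bounds before the copy. The struct names, the 256-byte cap and the table layout are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration in user-space C, not the kernel driver's code.
 * Layout modelled on the coreboot table: each entry starts with an
 * 8-byte header whose size field counts the whole entry, header included. */
struct cb_entry_hdr {
    uint32_t tag;
    uint32_t size;
};

/* Largest entry we are prepared to parse; a constructed limit. */
#define CB_ENTRY_MAX 256

struct cb_device {
    int parsed;                        /* stands in for the embedded struct device */
    union {
        struct cb_entry_hdr entry;     /* the 8-byte field named in the warning */
        uint8_t raw[CB_ENTRY_MAX];     /* destination sized for a whole entry */
    };
};

/*
 * Copy one table entry, header and payload, into dev. The write targets
 * dev->raw, which is declared large enough for the whole entry, instead of
 * &dev->entry, whose declared size is 8 bytes: a FORTIFY_SOURCE memcpy()
 * bounds check has no reason to complain about a write that fits the
 * destination it is told about. The size field is validated against the
 * bytes actually remaining in the table before anything is copied.
 * Returns the entry size consumed, or 0 for a malformed or oversized entry.
 */
size_t cb_copy_entry(struct cb_device *dev, const uint8_t *table,
                     size_t table_len, size_t off)
{
    struct cb_entry_hdr hdr;

    if (off > table_len || table_len - off < sizeof(hdr))
        return 0;
    memcpy(&hdr, table + off, sizeof(hdr));          /* alignment-safe read */
    if (hdr.size < sizeof(hdr) || hdr.size > CB_ENTRY_MAX ||
        hdr.size > table_len - off)
        return 0;
    memcpy(dev->raw, table + off, hdr.size);
    dev->parsed = 1;
    return hdr.size;
}
```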