diff options
author | Kees Cook <[email protected]> | 2022-09-27 08:37:01 -0700 |
---|---|---|
committer | Jakub Kicinski <[email protected]> | 2022-09-29 18:44:07 -0700 |
commit | 7cba18332e3635aaae60e4e7d4e52849de50d91b (patch) | |
tree | 8b18c900a236a5a65f6c612d0728687c5ef4abcd | |
parent | 5361660af6d35f2b84926f5fcbf0491a9c21d82e (diff) |
net: sched: cls_u32: Avoid memcpy() false-positive warning
To work around a misbehavior of the compiler's ability to see into
composite flexible array structs (as detailed in the coming memcpy()
hardening series[1]), use unsafe_memcpy(), as the sizing,
bounds-checking, and allocation are all very tightly coupled here.
This silences the false-positive reported by syzbot:
memcpy: detected field-spanning write (size 80) of single field "&n->sel" at net/sched/cls_u32.c:1043 (size 16)
[1] https://lore.kernel.org/linux-hardening/[email protected]
Cc: Cong Wang <[email protected]>
Cc: Jiri Pirko <[email protected]>
Reported-by: [email protected]
Link: https://lore.kernel.org/lkml/[email protected]/
Signed-off-by: Kees Cook <[email protected]>
Reviewed-by: Jamal Hadi Salim <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
-rw-r--r-- | net/sched/cls_u32.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c index 58c7680faabd..0b3d909214b8 100644 --- a/net/sched/cls_u32.c +++ b/net/sched/cls_u32.c @@ -1040,7 +1040,11 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, } #endif - memcpy(&n->sel, s, sel_size); + unsafe_memcpy(&n->sel, s, sel_size, + /* A composite flex-array structure destination, + * which was correctly sized with struct_size(), + * bounds-checked against nla_len(), and allocated + * above. */); RCU_INIT_POINTER(n->ht_up, ht); n->handle = handle; n->fshift = s->hmask ? ffs(ntohl(s->hmask)) - 1 : 0; |