On Tue, Jan 03, 2023 at 11:31:02AM -0800, Brian Norris wrote:
On Thu, Dec 29, 2022 at 12:28:14PM -0800, Guenter Roeck wrote:
On Thu, Dec 29, 2022 at 6:43 AM Julius Werner jwerner@chromium.org wrote:
I can confirm that this warning is a false positive, at least. We're intentionally copying bytes from beyond the end of the header structure in this case.
I don't know what kind of kernel system detects this stuff at runtime and how to silence it. Probably need to add a void pointer cast or something?
This is part of kernel hardening code. Kees Cook might know what to do about it.
One could probably throw in casts, like this example did:
0d043351e5ba ext4: fix fortify warning in fs/ext4/fast_commit.c:1551
Or one could probably imitate this example, and insert an appropriate flexible array (possibly with yet another union?):
b43088f30db1 s390/zcrypt: fix warning about field-spanning write
Hi!
Just catching up on this now that I'm back from break. This looks like it might be easiest to split the copy up as done in some other places. This'll need some small changes to the struct. For example, adding a "data" flexible array member:
struct coreboot_table_entry { u32 tag; u32 size; u8 data[]; };
Side mostly-unrelated note: coreboot_table_populate() doesn't do any bounds checking that the individual entry copies don't overflow the table buffer size. We're _probably_ not that interested in recovering from a malicious (or even buggy) Coreboot, but it does seem like an area of improvement.
Right -- there's no bounds checking in this code that I could find. Though, yes, the "attack surface" is pretty small in the sense that it's parsing system resources. But adding sanity checking seems like it'd be a nice addition, as you say. How about something like this:
diff --git a/drivers/firmware/google/coreboot_table.h b/drivers/firmware/google/coreboot_table.h index 37f4d335a606..2a2cea79204b 100644 --- a/drivers/firmware/google/coreboot_table.h +++ b/drivers/firmware/google/coreboot_table.h @@ -29,6 +29,7 @@ struct coreboot_table_header { struct coreboot_table_entry { u32 tag; u32 size; + u8 data[]; /* Size here is: "size - (sizeof(u32) * 2)" */ };
/* Points to a CBMEM entry */ diff --git a/drivers/firmware/google/coreboot_table.c b/drivers/firmware/google/coreboot_table.c index 2652c396c423..f49f5a602b6b 100644 --- a/drivers/firmware/google/coreboot_table.c +++ b/drivers/firmware/google/coreboot_table.c @@ -93,6 +93,11 @@ static int coreboot_table_populate(struct device *dev, void *ptr) for (i = 0; i < header->table_entries; i++) { entry = ptr_entry;
+ if (entry->size < sizeof(*entry)) { + dev_warn(dev, "coreboot table entry too small!\n"); + return -EINVAL; + } + device = kzalloc(sizeof(struct device) + entry->size, GFP_KERNEL); if (!device) return -ENOMEM; @@ -100,7 +105,9 @@ static int coreboot_table_populate(struct device *dev, void *ptr) device->dev.parent = dev; device->dev.bus = &coreboot_bus_type; device->dev.release = coreboot_device_release; - memcpy(&device->entry, ptr_entry, entry->size); + device->entry = *ptr_entry; + memcpy(device->entry.data, ptr_entry->data, + entry->size - sizeof(*entry));
switch (device->entry.tag) { case LB_TAG_CBMEM_ENTRY:
-Kees
Brian
Guenter
On Thu, Dec 29, 2022 at 11:46 AM Paul Menzel pmenzel@molgen.mpg.de wrote:
Dear Linux folks,
Running Linux v6.2-rc1+ on a motherboard using coreboot as firmware, the warning below is shown.
[ 1.630244] ------------[ cut here ]------------ [ 1.630249] memcpy: detected field-spanning write (size 168) of single field "&device->entry" at drivers/firmware/google/coreboot_table.c:103 (size 8) [ 1.630299] WARNING: CPU: 1 PID: 150 at drivers/firmware/google/coreboot_table.c:103 coreboot_table_probe+0x1ea/0x210 [coreboot_table]
[...]