Dear Linux folks,
Running Linux v6.2-rc1+ on a motherboard using coreboot as firmware, the warning below is shown.
``` [ 1.630244] ------------[ cut here ]------------ [ 1.630249] memcpy: detected field-spanning write (size 168) of single field "&device->entry" at drivers/firmware/google/coreboot_table.c:103 (size 8) [ 1.630299] WARNING: CPU: 1 PID: 150 at drivers/firmware/google/coreboot_table.c:103 coreboot_table_probe+0x1ea/0x210 [coreboot_table] [ 1.630307] Modules linked in: coreboot_table(+) sg binfmt_misc fuse ipv6 autofs4 [ 1.630316] CPU: 1 PID: 150 Comm: systemd-udevd Not tainted 6.2.0-rc1-00097-gaebfba447cae #407 [ 1.630318] Hardware name: ASUS F2A85-M_PRO/F2A85-M_PRO, BIOS 4.18-4-gb3dd5af9c5 12/28/2022 [ 1.630320] RIP: 0010:coreboot_table_probe+0x1ea/0x210 [coreboot_table] [ 1.630326] Code: 08 00 00 00 4c 89 c6 4c 89 04 24 48 c7 c2 50 81 60 c0 48 c7 c7 98 81 60 c0 4c 89 4c 24 08 c6 05 ab 1e 00 00 01 e8 e1 ca 47 d3 <0f> 0b 4c 8b 4c 24 08 4c 8b 04 24 e9 35 ff ff ff 41 be ea ff ff ff [ 1.630329] RSP: 0018:ffffb409c046fc30 EFLAGS: 00010286 [ 1.630332] RAX: 0000000000000000 RBX: ffffb409c0175018 RCX: 0000000000000000 [ 1.630334] RDX: 0000000000000001 RSI: ffffffff94222bcd RDI: 00000000ffffffff [ 1.630336] RBP: ffff937a44a06c00 R08: 0000000000000000 R09: 00000000ffffdfff [ 1.630338] R10: ffffb409c046fad8 R11: ffffffff9452a948 R12: 0000000000000000 [ 1.630339] R13: ffffb409c0175000 R14: 0000000000000000 R15: ffff937a40beb410 [ 1.630341] FS: 0000000000000000(0000) GS:ffff937abb500000(0063) knlGS:00000000f7f43800 [ 1.630343] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 1.630345] CR2: 00000000f7e3c2cf CR3: 00000001046de000 CR4: 00000000000406e0 [ 1.630347] Call Trace: [ 1.630348] <TASK> [ 1.630351] platform_probe+0x3f/0xa0 [ 1.630357] really_probe+0xe1/0x390 [ 1.630361] ? pm_runtime_barrier+0x50/0x90 [ 1.630365] __driver_probe_device+0x78/0x180 [ 1.630369] driver_probe_device+0x1e/0x90 [ 1.630372] __driver_attach+0xd2/0x1c0 [ 1.630375] ? __pfx___driver_attach+0x10/0x10 [ 1.630378] bus_for_each_dev+0x78/0xc0 [ 1.630382] bus_add_driver+0x1a9/0x200 [ 1.630385] driver_register+0x8f/0xf0 [ 1.630387] ? __pfx_init_module+0x10/0x10 [coreboot_table] [ 1.630392] coreboot_table_driver_init+0x2d/0xff0 [coreboot_table] [ 1.630397] do_one_initcall+0x44/0x220 [ 1.630401] ? kmalloc_trace+0x25/0x90 [ 1.630405] do_init_module+0x4c/0x1f0 [ 1.630409] __do_sys_finit_module+0xb4/0x130 [ 1.630413] __do_fast_syscall_32+0x6f/0xf0 [ 1.630418] do_fast_syscall_32+0x2f/0x70 [ 1.630421] entry_SYSCALL_compat_after_hwframe+0x71/0x79 [ 1.630425] RIP: 0023:0xf7f49549 [ 1.630428] Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 cd 0f 05 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 [ 1.630430] RSP: 002b:00000000ffa7bbbc EFLAGS: 00200292 ORIG_RAX: 000000000000015e [ 1.630433] RAX: ffffffffffffffda RBX: 0000000000000010 RCX: 00000000f7f28e09 [ 1.630434] RDX: 0000000000000000 RSI: 00000000568cb4c0 RDI: 000000005689fc50 [ 1.630436] RBP: 0000000000000000 R08: 00000000ffa7bbbc R09: 0000000000000000 [ 1.630437] R10: 0000000000000000 R11: 0000000000200292 R12: 0000000000000000 [ 1.630439] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 1.630442] </TASK> [ 1.630443] ---[ end trace 0000000000000000 ]--- ```
Another user reported this with Linux 6.1.1 in the Arch Linux forum [1].
Kind regards,
Paul
[1]: https://bbs.archlinux.org/viewtopic.php?id=282245 "6.1.1-arch1-1 - dmesg"
I can confirm that this warning is a false positive, at least. We're intentionally copying bytes from beyond the end of the header structure in this case.
I don't know what kind of kernel system detects this stuff at runtime and how to silence it. Probably need to add a void pointer cast or something?
On Thu, Dec 29, 2022 at 11:46 AM Paul Menzel pmenzel@molgen.mpg.de wrote:
Dear Linux folks,
Running Linux v6.2-rc1+ on a motherboard using coreboot as firmware, the warning below is shown.
[ 1.630244] ------------[ cut here ]------------ [ 1.630249] memcpy: detected field-spanning write (size 168) of single field "&device->entry" at drivers/firmware/google/coreboot_table.c:103 (size 8) [ 1.630299] WARNING: CPU: 1 PID: 150 at drivers/firmware/google/coreboot_table.c:103 coreboot_table_probe+0x1ea/0x210 [coreboot_table] [ 1.630307] Modules linked in: coreboot_table(+) sg binfmt_misc fuse ipv6 autofs4 [ 1.630316] CPU: 1 PID: 150 Comm: systemd-udevd Not tainted 6.2.0-rc1-00097-gaebfba447cae #407 [ 1.630318] Hardware name: ASUS F2A85-M_PRO/F2A85-M_PRO, BIOS 4.18-4-gb3dd5af9c5 12/28/2022 [ 1.630320] RIP: 0010:coreboot_table_probe+0x1ea/0x210 [coreboot_table] [ 1.630326] Code: 08 00 00 00 4c 89 c6 4c 89 04 24 48 c7 c2 50 81 60 c0 48 c7 c7 98 81 60 c0 4c 89 4c 24 08 c6 05 ab 1e 00 00 01 e8 e1 ca 47 d3 <0f> 0b 4c 8b 4c 24 08 4c 8b 04 24 e9 35 ff ff ff 41 be ea ff ff ff [ 1.630329] RSP: 0018:ffffb409c046fc30 EFLAGS: 00010286 [ 1.630332] RAX: 0000000000000000 RBX: ffffb409c0175018 RCX: 0000000000000000 [ 1.630334] RDX: 0000000000000001 RSI: ffffffff94222bcd RDI: 00000000ffffffff [ 1.630336] RBP: ffff937a44a06c00 R08: 0000000000000000 R09: 00000000ffffdfff [ 1.630338] R10: ffffb409c046fad8 R11: ffffffff9452a948 R12: 0000000000000000 [ 1.630339] R13: ffffb409c0175000 R14: 0000000000000000 R15: ffff937a40beb410 [ 1.630341] FS: 0000000000000000(0000) GS:ffff937abb500000(0063) knlGS:00000000f7f43800 [ 1.630343] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 1.630345] CR2: 00000000f7e3c2cf CR3: 00000001046de000 CR4: 00000000000406e0 [ 1.630347] Call Trace: [ 1.630348] <TASK> [ 1.630351] platform_probe+0x3f/0xa0 [ 1.630357] really_probe+0xe1/0x390 [ 1.630361] ? pm_runtime_barrier+0x50/0x90 [ 1.630365] __driver_probe_device+0x78/0x180 [ 1.630369] driver_probe_device+0x1e/0x90 [ 1.630372] __driver_attach+0xd2/0x1c0 [ 1.630375] ? __pfx___driver_attach+0x10/0x10 [ 1.630378] bus_for_each_dev+0x78/0xc0 [ 1.630382] bus_add_driver+0x1a9/0x200 [ 1.630385] driver_register+0x8f/0xf0 [ 1.630387] ? __pfx_init_module+0x10/0x10 [coreboot_table] [ 1.630392] coreboot_table_driver_init+0x2d/0xff0 [coreboot_table] [ 1.630397] do_one_initcall+0x44/0x220 [ 1.630401] ? kmalloc_trace+0x25/0x90 [ 1.630405] do_init_module+0x4c/0x1f0 [ 1.630409] __do_sys_finit_module+0xb4/0x130 [ 1.630413] __do_fast_syscall_32+0x6f/0xf0 [ 1.630418] do_fast_syscall_32+0x2f/0x70 [ 1.630421] entry_SYSCALL_compat_after_hwframe+0x71/0x79 [ 1.630425] RIP: 0023:0xf7f49549 [ 1.630428] Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 cd 0f 05 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 [ 1.630430] RSP: 002b:00000000ffa7bbbc EFLAGS: 00200292 ORIG_RAX: 000000000000015e [ 1.630433] RAX: ffffffffffffffda RBX: 0000000000000010 RCX: 00000000f7f28e09 [ 1.630434] RDX: 0000000000000000 RSI: 00000000568cb4c0 RDI: 000000005689fc50 [ 1.630436] RBP: 0000000000000000 R08: 00000000ffa7bbbc R09: 0000000000000000 [ 1.630437] R10: 0000000000000000 R11: 0000000000200292 R12: 0000000000000000 [ 1.630439] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 1.630442] </TASK> [ 1.630443] ---[ end trace 0000000000000000 ]---
Another user reported this with Linux 6.1.1 in the Arch Linux forum [1].
Kind regards,
Paul
On Thu, Dec 29, 2022 at 6:43 AM Julius Werner jwerner@chromium.org wrote:
I can confirm that this warning is a false positive, at least. We're intentionally copying bytes from beyond the end of the header structure in this case.
I don't know what kind of kernel system detects this stuff at runtime and how to silence it. Probably need to add a void pointer cast or something?
This is part of kernel hardening code. Kees Cook might know what to do about it.
Guenter
On Thu, Dec 29, 2022 at 11:46 AM Paul Menzel pmenzel@molgen.mpg.de wrote:
Dear Linux folks,
Running Linux v6.2-rc1+ on a motherboard using coreboot as firmware, the warning below is shown.
[ 1.630244] ------------[ cut here ]------------ [ 1.630249] memcpy: detected field-spanning write (size 168) of single field "&device->entry" at drivers/firmware/google/coreboot_table.c:103 (size 8) [ 1.630299] WARNING: CPU: 1 PID: 150 at drivers/firmware/google/coreboot_table.c:103 coreboot_table_probe+0x1ea/0x210 [coreboot_table] [ 1.630307] Modules linked in: coreboot_table(+) sg binfmt_misc fuse ipv6 autofs4 [ 1.630316] CPU: 1 PID: 150 Comm: systemd-udevd Not tainted 6.2.0-rc1-00097-gaebfba447cae #407 [ 1.630318] Hardware name: ASUS F2A85-M_PRO/F2A85-M_PRO, BIOS 4.18-4-gb3dd5af9c5 12/28/2022 [ 1.630320] RIP: 0010:coreboot_table_probe+0x1ea/0x210 [coreboot_table] [ 1.630326] Code: 08 00 00 00 4c 89 c6 4c 89 04 24 48 c7 c2 50 81 60 c0 48 c7 c7 98 81 60 c0 4c 89 4c 24 08 c6 05 ab 1e 00 00 01 e8 e1 ca 47 d3 <0f> 0b 4c 8b 4c 24 08 4c 8b 04 24 e9 35 ff ff ff 41 be ea ff ff ff [ 1.630329] RSP: 0018:ffffb409c046fc30 EFLAGS: 00010286 [ 1.630332] RAX: 0000000000000000 RBX: ffffb409c0175018 RCX: 0000000000000000 [ 1.630334] RDX: 0000000000000001 RSI: ffffffff94222bcd RDI: 00000000ffffffff [ 1.630336] RBP: ffff937a44a06c00 R08: 0000000000000000 R09: 00000000ffffdfff [ 1.630338] R10: ffffb409c046fad8 R11: ffffffff9452a948 R12: 0000000000000000 [ 1.630339] R13: ffffb409c0175000 R14: 0000000000000000 R15: ffff937a40beb410 [ 1.630341] FS: 0000000000000000(0000) GS:ffff937abb500000(0063) knlGS:00000000f7f43800 [ 1.630343] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 1.630345] CR2: 00000000f7e3c2cf CR3: 00000001046de000 CR4: 00000000000406e0 [ 1.630347] Call Trace: [ 1.630348] <TASK> [ 1.630351] platform_probe+0x3f/0xa0 [ 1.630357] really_probe+0xe1/0x390 [ 1.630361] ? pm_runtime_barrier+0x50/0x90 [ 1.630365] __driver_probe_device+0x78/0x180 [ 1.630369] driver_probe_device+0x1e/0x90 [ 1.630372] __driver_attach+0xd2/0x1c0 [ 1.630375] ? __pfx___driver_attach+0x10/0x10 [ 1.630378] bus_for_each_dev+0x78/0xc0 [ 1.630382] bus_add_driver+0x1a9/0x200 [ 1.630385] driver_register+0x8f/0xf0 [ 1.630387] ? __pfx_init_module+0x10/0x10 [coreboot_table] [ 1.630392] coreboot_table_driver_init+0x2d/0xff0 [coreboot_table] [ 1.630397] do_one_initcall+0x44/0x220 [ 1.630401] ? kmalloc_trace+0x25/0x90 [ 1.630405] do_init_module+0x4c/0x1f0 [ 1.630409] __do_sys_finit_module+0xb4/0x130 [ 1.630413] __do_fast_syscall_32+0x6f/0xf0 [ 1.630418] do_fast_syscall_32+0x2f/0x70 [ 1.630421] entry_SYSCALL_compat_after_hwframe+0x71/0x79 [ 1.630425] RIP: 0023:0xf7f49549 [ 1.630428] Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 cd 0f 05 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 [ 1.630430] RSP: 002b:00000000ffa7bbbc EFLAGS: 00200292 ORIG_RAX: 000000000000015e [ 1.630433] RAX: ffffffffffffffda RBX: 0000000000000010 RCX: 00000000f7f28e09 [ 1.630434] RDX: 0000000000000000 RSI: 00000000568cb4c0 RDI: 000000005689fc50 [ 1.630436] RBP: 0000000000000000 R08: 00000000ffa7bbbc R09: 0000000000000000 [ 1.630437] R10: 0000000000000000 R11: 0000000000200292 R12: 0000000000000000 [ 1.630439] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 1.630442] </TASK> [ 1.630443] ---[ end trace 0000000000000000 ]---
Another user reported this with Linux 6.1.1 in the Arch Linux forum [1].
Kind regards,
Paul
On Thu, Dec 29, 2022 at 12:28:14PM -0800, Guenter Roeck wrote:
On Thu, Dec 29, 2022 at 6:43 AM Julius Werner jwerner@chromium.org wrote:
I can confirm that this warning is a false positive, at least. We're intentionally copying bytes from beyond the end of the header structure in this case.
I don't know what kind of kernel system detects this stuff at runtime and how to silence it. Probably need to add a void pointer cast or something?
This is part of kernel hardening code. Kees Cook might know what to do about it.
One could probably throw in casts, like this example did:
0d043351e5ba ext4: fix fortify warning in fs/ext4/fast_commit.c:1551
Or one could probably imitate this example, and insert an appropriate flexible array (possibly with yet another union?):
b43088f30db1 s390/zcrypt: fix warning about field-spanning write
Side mostly-unrelated note: coreboot_table_populate() doesn't do any bounds checking that the individual entry copies don't overflow the table buffer size. We're _probably_ not that interested in recovering from a malicious (or even buggy) Coreboot, but it does seem like an area of improvement.
Brian
Guenter
On Thu, Dec 29, 2022 at 11:46 AM Paul Menzel pmenzel@molgen.mpg.de wrote:
Dear Linux folks,
Running Linux v6.2-rc1+ on a motherboard using coreboot as firmware, the warning below is shown.
[ 1.630244] ------------[ cut here ]------------ [ 1.630249] memcpy: detected field-spanning write (size 168) of single field "&device->entry" at drivers/firmware/google/coreboot_table.c:103 (size 8) [ 1.630299] WARNING: CPU: 1 PID: 150 at drivers/firmware/google/coreboot_table.c:103 coreboot_table_probe+0x1ea/0x210 [coreboot_table]
[...]
On Tue, Jan 03, 2023 at 11:31:02AM -0800, Brian Norris wrote:
On Thu, Dec 29, 2022 at 12:28:14PM -0800, Guenter Roeck wrote:
On Thu, Dec 29, 2022 at 6:43 AM Julius Werner jwerner@chromium.org wrote:
I can confirm that this warning is a false positive, at least. We're intentionally copying bytes from beyond the end of the header structure in this case.
I don't know what kind of kernel system detects this stuff at runtime and how to silence it. Probably need to add a void pointer cast or something?
This is part of kernel hardening code. Kees Cook might know what to do about it.
One could probably throw in casts, like this example did:
0d043351e5ba ext4: fix fortify warning in fs/ext4/fast_commit.c:1551
Or one could probably imitate this example, and insert an appropriate flexible array (possibly with yet another union?):
b43088f30db1 s390/zcrypt: fix warning about field-spanning write
Hi!
Just catching up on this now that I'm back from break. This looks like it might be easiest to split the copy up as done in some other places. This'll need some small changes to the struct. For example, adding a "data" flexible array member:
struct coreboot_table_entry { u32 tag; u32 size; u8 data[]; };
Side mostly-unrelated note: coreboot_table_populate() doesn't do any bounds checking that the individual entry copies don't overflow the table buffer size. We're _probably_ not that interested in recovering from a malicious (or even buggy) Coreboot, but it does seem like an area of improvement.
Right -- there's no bounds checking in this code that I could find. Though, yes, the "attack surface" is pretty small in the sense that it's parsing system resources. But adding sanity checking seems like it'd be a nice addition, as you say. How about something like this:
diff --git a/drivers/firmware/google/coreboot_table.h b/drivers/firmware/google/coreboot_table.h index 37f4d335a606..2a2cea79204b 100644 --- a/drivers/firmware/google/coreboot_table.h +++ b/drivers/firmware/google/coreboot_table.h @@ -29,6 +29,7 @@ struct coreboot_table_header { struct coreboot_table_entry { u32 tag; u32 size; + u8 data[]; /* Size here is: "size - (sizeof(u32) * 2)" */ };
/* Points to a CBMEM entry */ diff --git a/drivers/firmware/google/coreboot_table.c b/drivers/firmware/google/coreboot_table.c index 2652c396c423..f49f5a602b6b 100644 --- a/drivers/firmware/google/coreboot_table.c +++ b/drivers/firmware/google/coreboot_table.c @@ -93,6 +93,11 @@ static int coreboot_table_populate(struct device *dev, void *ptr) for (i = 0; i < header->table_entries; i++) { entry = ptr_entry;
+ if (entry->size < sizeof(*entry)) { + dev_warn(dev, "coreboot table entry too small!\n"); + return -EINVAL; + } + device = kzalloc(sizeof(struct device) + entry->size, GFP_KERNEL); if (!device) return -ENOMEM; @@ -100,7 +105,9 @@ static int coreboot_table_populate(struct device *dev, void *ptr) device->dev.parent = dev; device->dev.bus = &coreboot_bus_type; device->dev.release = coreboot_device_release; - memcpy(&device->entry, ptr_entry, entry->size); + device->entry = *ptr_entry; + memcpy(device->entry.data, ptr_entry->data, + entry->size - sizeof(*entry));
switch (device->entry.tag) { case LB_TAG_CBMEM_ENTRY:
-Kees
Brian
Guenter
On Thu, Dec 29, 2022 at 11:46 AM Paul Menzel pmenzel@molgen.mpg.de wrote:
Dear Linux folks,
Running Linux v6.2-rc1+ on a motherboard using coreboot as firmware, the warning below is shown.
[ 1.630244] ------------[ cut here ]------------ [ 1.630249] memcpy: detected field-spanning write (size 168) of single field "&device->entry" at drivers/firmware/google/coreboot_table.c:103 (size 8) [ 1.630299] WARNING: CPU: 1 PID: 150 at drivers/firmware/google/coreboot_table.c:103 coreboot_table_probe+0x1ea/0x210 [coreboot_table]
[...]