-Wattribute-warning in drivers/net/ethernet/huawei/hinic/hinic_devlink.c #1592

nathanchance · 2022-02-14T21:37:30Z

With both ARCH=arm64 allmodconfig and ARCH=x86_64 allmodconfig on linux-next, I see:

$ make -skj"$(nproc)" LLVM=1 mrproper allmodconfig drivers/net/ethernet/huawei/hinic/hinic_devlink.o
In file included from drivers/net/ethernet/huawei/hinic/hinic_devlink.c:15:
In file included from ./include/linux/netlink.h:7:
In file included from ./include/linux/skbuff.h:15:
In file included from ./include/linux/time.h:60:
In file included from ./include/linux/time32.h:13:
In file included from ./include/linux/timex.h:65:
In file included from ./arch/x86/include/asm/timex.h:5:
In file included from ./arch/x86/include/asm/processor.h:22:
In file included from ./arch/x86/include/asm/msr.h:11:
In file included from ./arch/x86/include/asm/cpumask.h:5:
In file included from ./include/linux/cpumask.h:12:
In file included from ./include/linux/bitmap.h:11:
In file included from ./include/linux/string.h:253:
./include/linux/fortify-string.h:328:4: error: call to __write_overflow_field declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
                        __write_overflow_field(p_size_field, size);
                        ^
1 error generated.

This comes from the new fortify checks. Specifically, it appears to come from the memcpy() in check_image_valid():

diff --git a/drivers/net/ethernet/huawei/hinic/hinic_devlink.c b/drivers/net/ethernet/huawei/hinic/hinic_devlink.c
index 60ae8bfc5f69..11a52cc375a2 100644
--- a/drivers/net/ethernet/huawei/hinic/hinic_devlink.c
+++ b/drivers/net/ethernet/huawei/hinic/hinic_devlink.c
@@ -43,9 +43,11 @@ static bool check_image_valid(struct hinic_devlink_priv *priv, const u8 *buf,

        for (i = 0; i < fw_image->fw_info.fw_section_cnt; i++) {
                len += fw_image->fw_section_info[i].fw_section_len;
+               /*
                memcpy(&host_image->image_section_info[i],
                       &fw_image->fw_section_info[i],
                       sizeof(struct fw_section_info_st));
+               */
        }

        if (len != fw_image->fw_len ||

static bool check_image_valid(struct hinic_devlink_priv *priv, const u8 *buf,
                  u32 image_size, struct host_image_st *host_image)
{
    struct fw_image_st *fw_image = NULL;
    u32 len = 0;
    u32 i;

    fw_image = (struct fw_image_st *)buf;

    if (fw_image->fw_magic != HINIC_MAGIC_NUM) {
        dev_err(&priv->hwdev->hwif->pdev->dev, "Wrong fw_magic read from file, fw_magic: 0x%x\n",
            fw_image->fw_magic);
        return false;
    }

    if (fw_image->fw_info.fw_section_cnt > MAX_FW_TYPE_NUM) {
        dev_err(&priv->hwdev->hwif->pdev->dev, "Wrong fw_type_num read from file, fw_type_num: 0x%x\n",
            fw_image->fw_info.fw_section_cnt);
        return false;
    }

    for (i = 0; i < fw_image->fw_info.fw_section_cnt; i++) {
        len += fw_image->fw_section_info[i].fw_section_len;
        memcpy(&host_image->image_section_info[i],
               &fw_image->fw_section_info[i],
               sizeof(struct fw_section_info_st));
    }
...

From drivers/net/ethernet/huawei/hinic/hinic_devlink.h:

...
#define MAX_FW_TYPE_NUM 30
...
struct fw_section_info_st {
	u32 fw_section_len;
	u32 fw_section_offset;
	u32 fw_section_version;
	u32 fw_section_type;
	u32 fw_section_crc;
};

struct fw_image_st {
	u32 fw_version;
	u32 fw_len;
	u32 fw_magic;
	struct {
		u32 fw_section_cnt:16;
		u32 resd:16;
	} fw_info;
	struct fw_section_info_st fw_section_info[MAX_FW_TYPE_NUM];
	u32 device_id;
	u32 res[101];
	void *bin_data;
};

struct host_image_st {
	struct fw_section_info_st image_section_info[MAX_FW_TYPE_NUM];
	struct {
		u32 up_total_len;
		u32 fw_version;
	} image_info;
	u32 section_type_num;
	u32 device_id;
};

I am struggling to see what clang finds problematic here?

cc @kees

The text was updated successfully, but these errors were encountered:

kees · 2022-02-15T03:37:45Z

Uuuhhh. That's weird. sizeof(host_image->image_section_info[i]) == sizeof(struct fw_section_info_st). And it doesn't happen with clang-13. Digging...

kees · 2022-02-15T04:04:48Z

https://godbolt.org/z/hvvvczjh9

I am disappointed in __bos()'s behavior generally with this array, and am confused about how to elicit the memcpy() warning. I was expecting the bos to return 600 or something...

More tomorrow...

kees · 2022-03-25T21:47:25Z

This continues to be a problem, though only with Clang 14+.

nathanchance · 2022-03-25T22:43:11Z

I am guessing this is only visible with Clang 14+ because that is when the warning attribute was added, not because of a regression. I could try cherry-picking the warning attribute patch back to Clang 13 to see.

kees · 2022-03-25T22:44:44Z

AIUI, In Clang 13 and earlier, it should manifest as a link-time failure?

nathanchance · 2022-03-25T22:48:30Z

Hmmm, I don't think so, as __write_overflow_field() is defined in lib/string_helpers.c, unless you mean a different link-time failure?

kees · 2022-03-31T23:20:04Z

Well, well, well! This only manifests with -fsanitize=array-bounds.

nathanchance · 2022-06-15T21:20:18Z

Still an issue on 5.19-rc2. It should be possible to work around this with unsafe_memcpy():

diff --git a/drivers/net/ethernet/huawei/hinic/hinic_devlink.c b/drivers/net/ethernet/huawei/hinic/hinic_devlink.c
index 60ae8bfc5f69..4642d69b84ac 100644
--- a/drivers/net/ethernet/huawei/hinic/hinic_devlink.c
+++ b/drivers/net/ethernet/huawei/hinic/hinic_devlink.c
@@ -43,9 +43,10 @@ static bool check_image_valid(struct hinic_devlink_priv *priv, const u8 *buf,

        for (i = 0; i < fw_image->fw_info.fw_section_cnt; i++) {
                len += fw_image->fw_section_info[i].fw_section_len;
-               memcpy(&host_image->image_section_info[i],
-                      &fw_image->fw_section_info[i],
-                      sizeof(struct fw_section_info_st));
+               unsafe_memcpy(&host_image->image_section_info[i],
+                             &fw_image->fw_section_info[i],
+                             sizeof(struct fw_section_info_st),
+                             "CONFIG_UBSAN_ARRAY_BOUNDS can confuse the fortify checks");
        }

        if (len != fw_image->fw_len ||

kees · 2022-06-16T05:24:02Z

    135f:       bf 10 00 00 00          mov    $0x10,%edi
    1364:       be 14 00 00 00          mov    $0x14,%esi
    1369:       e8 00 00 00 00          call   136e <hinic_devlink_flash_update+0x102e>
                        136a: R_X86_64_PLT32    __write_overflow_field-0x4

so:

p_size_field == 0x10
size == 0x14

size is correct. p_size_field is impossible. Nothing here is 0x10 in size! struct fw_section_info_st is 0x14.

And... omg, why did it take me so long to realize this could just be a direct assignment. Patch sent:
https://lore.kernel.org/linux-hardening/20220616052312.292861-1-keescook@chromium.org/T/#u

Under CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y, Clang is bugged here for calculating the size of the destination buffer (0x10 instead of 0x14). This copy is a fixed size (sizeof(struct fw_section_info_st)), with the source and dest being struct fw_section_info_st, so the memcpy should be safe, assuming the index is within bounds, which is UBSAN_BOUNDS's responsibility to figure out. Avoid the whole thing and just do a direct assignment. This results in no change to the executable code. Cc: "David S. Miller" <davem@davemloft.net> Cc: Eric Dumazet <edumazet@google.com> Cc: Jakub Kicinski <kuba@kernel.org> Cc: Paolo Abeni <pabeni@redhat.com> Cc: Nathan Chancellor <nathan@kernel.org> Cc: Nick Desaulniers <ndesaulniers@google.com> Cc: Tom Rix <trix@redhat.com> Cc: Leon Romanovsky <leon@kernel.org> Cc: Jiri Pirko <jiri@nvidia.com> Cc: Vladimir Oltean <olteanv@gmail.com> Cc: Simon Horman <simon.horman@corigine.com> Cc: netdev@vger.kernel.org Cc: llvm@lists.linux.dev Link: ClangBuiltLinux#1592 Signed-off-by: Kees Cook <keescook@chromium.org>

nickdesaulniers · 2022-06-16T17:07:36Z

I wonder if perhaps some members of the struct are determined to be unused statically. Just a guess.

Under CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y, Clang is bugged here for calculating the size of the destination buffer (0x10 instead of 0x14). This copy is a fixed size (sizeof(struct fw_section_info_st)), with the source and dest being struct fw_section_info_st, so the memcpy should be safe, assuming the index is within bounds, which is UBSAN_BOUNDS's responsibility to figure out. Avoid the whole thing and just do a direct assignment. This results in no change to the executable code. Cc: "David S. Miller" <davem@davemloft.net> Cc: Eric Dumazet <edumazet@google.com> Cc: Jakub Kicinski <kuba@kernel.org> Cc: Paolo Abeni <pabeni@redhat.com> Cc: Nathan Chancellor <nathan@kernel.org> Cc: Nick Desaulniers <ndesaulniers@google.com> Cc: Tom Rix <trix@redhat.com> Cc: Leon Romanovsky <leon@kernel.org> Cc: Jiri Pirko <jiri@nvidia.com> Cc: Vladimir Oltean <olteanv@gmail.com> Cc: Simon Horman <simon.horman@corigine.com> Cc: netdev@vger.kernel.org Cc: llvm@lists.linux.dev Link: ClangBuiltLinux/linux#1592 Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org> Tested-by: Nathan Chancellor <nathan@kernel.org> # build Signed-off-by: David S. Miller <davem@davemloft.net>

nathanchance · 2022-06-17T16:56:39Z

Patch accepted: https://git.kernel.org/netdev/net-next/c/2c0ab32b73cfe39a609192f338464e948fc39117

nickdesaulniers · 2022-06-22T18:00:01Z

In this case KCFLAGS=-Rpass=inline can give us some hints:

$ make LLVM=1 -j72 drivers/net/ethernet/huawei/hinic/hinic_devlink.o KCFLAGS=-Rpass=inline
...
drivers/net/ethernet/huawei/hinic/hinic_devlink.c:46:3: remark: '_Z18fortify_memcpy_chkmmmmmPKc' inlined into 'check_image_valid': always inline attribute at callsite check_image_valid:23:3; [-Rpass=inline]
                memcpy(&host_image->image_section_info[i],
                ^
...

It's not great, but until we have #1571 fixed, this will probably be the fastest way to identify such issues with clang.

nickdesaulniers · 2022-06-22T22:08:39Z

Also strange:

$ make LLVM=1 -j72 drivers/net/ethernet/huawei/hinic/hinic_devlink.ll

The only call to @memcpy in the source is:

%28 = call ptr @memcpy(ptr %arrayidx22125137.i.i, ptr %arrayidx118124139.i.i, i64 20)

(20 == 0x14)
In the disassembly, I also only see:

     566: ba 14 00 00 00                movl    $20, %edx   # i.e. n == 20 == 0x14
     56b: 48 8b 6c 24 28                movq    40(%rsp), %rbp
     570: 48 89 ef                      movq    %rbp, %rdi
     573: 4c 89 ee                      movq    %r13, %rsi
     576: e8 00 00 00 00                callq   0x57b <hinic_devlink_flash_update+0x23b>
                0000000000000577:  R_X86_64_PLT32       memcpy-0x4

Well, well, well! This only manifests with -fsanitize=array-bounds.

Ok, but defconfig + UBSAN_BOUNDS does not.

$ make LLVM=1 -j72 defconfig
$ ./scripts/config -e UBSAN -e UBSAN_BOUNDS -e NET_VENDOR_HUAWEI -e HINIC
$ make LLVM=1 -j72 olddefconfig drivers/net/ethernet/huawei/hinic/hinic_devlink.o

so it seems like CONFIG_UBSAN_BOUNDS plus some other currently-unknown flag from allmodconfig are tickling this.

nathanchance · 2022-06-22T22:13:38Z

Ok, but defconfig + UBSAN_BOUNDS does not.
$ make LLVM=1 -j72 defconfig
$ ./scripts/config -e UBSAN -e UBSAN_BOUNDS -e NET_VENDOR_HUAWEI -e HINIC
$ make LLVM=1 -j72 olddefconfig drivers/net/ethernet/huawei/hinic/hinic_devlink.o
so it seems like CONFIG_UBSAN_BOUNDS plus some other currently-unknown flag from allmodconfig are tickling this.

defconfig does not enable CONFIG_FORTIFY_SOURCE.

$ git show -s --format='%h ("%s")'
de5c208d533a ("Merge tag 'linux-kselftest-fixes-5.19-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest")

$ make -skj"$(nproc)" LLVM=1 mrproper defconfig

$ scripts/config -e UBSAN -e UBSAN_BOUNDS -e NET_VENDOR_HUAWEI -e HINIC -e FORTIFY_SOURCE

$ make -skj"$(nproc)" LLVM=1 olddefconfig drivers/net/ethernet/huawei/hinic/hinic_devlink.o
In file included from drivers/net/ethernet/huawei/hinic/hinic_devlink.c:15:
In file included from ./include/linux/netlink.h:7:
In file included from ./include/linux/skbuff.h:15:
In file included from ./include/linux/time.h:60:
In file included from ./include/linux/time32.h:13:
In file included from ./include/linux/timex.h:67:
In file included from ./arch/x86/include/asm/timex.h:5:
In file included from ./arch/x86/include/asm/processor.h:22:
In file included from ./arch/x86/include/asm/msr.h:11:
In file included from ./arch/x86/include/asm/cpumask.h:5:
In file included from ./include/linux/cpumask.h:12:
In file included from ./include/linux/bitmap.h:11:
In file included from ./include/linux/string.h:253:
./include/linux/fortify-string.h:344:4: error: call to __write_overflow_field declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
                        __write_overflow_field(p_size_field, size);
                        ^
1 error generated.
...

nathanchance · 2022-06-23T15:43:38Z

This warning is fixed in mainline: https://git.kernel.org/linus/1e70212e031528918066a631c9fdccda93a1ffaa

I'll request a stable backport on Monday to give it a little soak time in mainline.

nickdesaulniers · 2022-06-23T16:50:05Z

So in this case the compile thinks that __builtin_object_size(&host_image->image_section_info[i], 1) < sizeof(struct fw_section_info_st). @kees do you remember what the rules are for BOS(1)? (I don't).

kees · 2022-06-23T19:56:36Z

So in this case the compile thinks that __builtin_object_size(&host_image->image_section_info[i], 1) < sizeof(struct fw_section_info_st). @kees do you remember what the rules are for BOS(1)? (I don't).

Right; this seems impossible. The struct is 5 u32s (0x14), but it resolves to 0x10. There's no padding, there are no hole, etc, etc.

commit 1e70212 upstream. Under CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y, Clang is bugged here for calculating the size of the destination buffer (0x10 instead of 0x14). This copy is a fixed size (sizeof(struct fw_section_info_st)), with the source and dest being struct fw_section_info_st, so the memcpy should be safe, assuming the index is within bounds, which is UBSAN_BOUNDS's responsibility to figure out. Avoid the whole thing and just do a direct assignment. This results in no change to the executable code. [This is a duplicate of commit 2c0ab32 ("hinic: Replace memcpy() with direct assignment") which was applied to net-next.] Cc: Nick Desaulniers <ndesaulniers@google.com> Cc: Tom Rix <trix@redhat.com> Cc: llvm@lists.linux.dev Link: ClangBuiltLinux/linux#1592 Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org> Tested-by: Nathan Chancellor <nathan@kernel.org> # build Link: https://lore.kernel.org/r/20220616052312.292861-1-keescook@chromium.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 3e17308 ] Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic offset. Work around this by using a direct assignment of an empty instance. Avoids this warning: ../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat tribute-warning] __write_overflow_field(p_size_field, size); ^ which was isolated to the memset() call in xen_load_idt(). Note that this looks very much like another bug that was worked around: ClangBuiltLinux#1592 Cc: Juergen Gross <jgross@suse.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: xen-devel@lists.xenproject.org Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org>

[ Upstream commit 3e17308 ] Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic offset. Work around this by using a direct assignment of an empty instance. Avoids this warning: ../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat tribute-warning] __write_overflow_field(p_size_field, size); ^ which was isolated to the memset() call in xen_load_idt(). Note that this looks very much like another bug that was worked around: ClangBuiltLinux/linux#1592 Cc: Juergen Gross <jgross@suse.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: xen-devel@lists.xenproject.org Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org>

[ Upstream commit 3e17308 ] Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic offset. Work around this by using a direct assignment of an empty instance. Avoids this warning: ../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat tribute-warning] __write_overflow_field(p_size_field, size); ^ which was isolated to the memset() call in xen_load_idt(). Note that this looks very much like another bug that was worked around: ClangBuiltLinux#1592 Cc: Juergen Gross <jgross@suse.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: xen-devel@lists.xenproject.org Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org>

[ Upstream commit 3e17308 ] Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic offset. Work around this by using a direct assignment of an empty instance. Avoids this warning: ../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat tribute-warning] __write_overflow_field(p_size_field, size); ^ which was isolated to the memset() call in xen_load_idt(). Note that this looks very much like another bug that was worked around: ClangBuiltLinux/linux#1592 Cc: Juergen Gross <jgross@suse.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: xen-devel@lists.xenproject.org Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org>

[ Upstream commit 3e17308 ] Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic offset. Work around this by using a direct assignment of an empty instance. Avoids this warning: ../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat tribute-warning] __write_overflow_field(p_size_field, size); ^ which was isolated to the memset() call in xen_load_idt(). Note that this looks very much like another bug that was worked around: ClangBuiltLinux/linux#1592 Cc: Juergen Gross <jgross@suse.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: xen-devel@lists.xenproject.org Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 066b1302f2a9f07d268da73ef5557b886d4dee25) Signed-off-by: Jack Vogel <jack.vogel@oracle.com>

[ Upstream commit 3e17308 ] Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic offset. Work around this by using a direct assignment of an empty instance. Avoids this warning: ../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat tribute-warning] __write_overflow_field(p_size_field, size); ^ which was isolated to the memset() call in xen_load_idt(). Note that this looks very much like another bug that was worked around: ClangBuiltLinux#1592 Cc: Juergen Gross <jgross@suse.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: xen-devel@lists.xenproject.org Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org>

Source: Kernel.org MR: 123931 Type: Integration Disposition: Backport from git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable linux-5.10.y ChangeID: 1f730d4ae6f9ea8aa3b5e0c6c338fe8903b4647d Description: [ Upstream commit 3e17308 ] Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic offset. Work around this by using a direct assignment of an empty instance. Avoids this warning: ../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat tribute-warning] __write_overflow_field(p_size_field, size); ^ which was isolated to the memset() call in xen_load_idt(). Note that this looks very much like another bug that was worked around: ClangBuiltLinux/linux#1592 Cc: Juergen Gross <jgross@suse.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: xen-devel@lists.xenproject.org Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Armin Kuster <akuster@mvista.com>

[ Upstream commit 3e17308 ] Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic offset. Work around this by using a direct assignment of an empty instance. Avoids this warning: ../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat tribute-warning] __write_overflow_field(p_size_field, size); ^ which was isolated to the memset() call in xen_load_idt(). Note that this looks very much like another bug that was worked around: ClangBuiltLinux/linux#1592 Cc: Juergen Gross <jgross@suse.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: xen-devel@lists.xenproject.org Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org>

kees · 2023-01-06T03:54:48Z

Here are two other cases of the mysterious shrinking __bos:

[ Upstream commit 3e1730842f142add55dc658929221521a9ea62b6 ] Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic offset. Work around this by using a direct assignment of an empty instance. Avoids this warning: ../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat tribute-warning] __write_overflow_field(p_size_field, size); ^ which was isolated to the memset() call in xen_load_idt(). Note that this looks very much like another bug that was worked around: ClangBuiltLinux/linux#1592 Cc: Juergen Gross <jgross@suse.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: xen-devel@lists.xenproject.org Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org>

BugLink: https://bugs.launchpad.net/bugs/1996825 [ Upstream commit 3e17308 ] Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic offset. Work around this by using a direct assignment of an empty instance. Avoids this warning: ../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat tribute-warning] __write_overflow_field(p_size_field, size); ^ which was isolated to the memset() call in xen_load_idt(). Note that this looks very much like another bug that was worked around: ClangBuiltLinux/linux#1592 Cc: Juergen Gross <jgross@suse.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: xen-devel@lists.xenproject.org Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1994179 [ Upstream commit 3e17308 ] Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic offset. Work around this by using a direct assignment of an empty instance. Avoids this warning: ../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat tribute-warning] __write_overflow_field(p_size_field, size); ^ which was isolated to the memset() call in xen_load_idt(). Note that this looks very much like another bug that was worked around: ClangBuiltLinux/linux#1592 Cc: Juergen Gross <jgross@suse.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: xen-devel@lists.xenproject.org Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com>

stable inclusion from stable-v5.10.150 commit 1f730d4ae6f9ea8aa3b5e0c6c338fe8903b4647d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0XA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1f730d4ae6f9ea8aa3b5e0c6c338fe8903b4647d -------------------------------- [ Upstream commit 3e17308 ] Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic offset. Work around this by using a direct assignment of an empty instance. Avoids this warning: ../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat tribute-warning] __write_overflow_field(p_size_field, size); ^ which was isolated to the memset() call in xen_load_idt(). Note that this looks very much like another bug that was worked around: ClangBuiltLinux/linux#1592 Cc: Juergen Gross <jgross@suse.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: xen-devel@lists.xenproject.org Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>

stable inclusion from stable-v5.10.150 commit 1f730d4ae6f9ea8aa3b5e0c6c338fe8903b4647d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0XA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1f730d4ae6f9ea8aa3b5e0c6c338fe8903b4647d -------------------------------- [ Upstream commit 3e17308 ] Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic offset. Work around this by using a direct assignment of an empty instance. Avoids this warning: ../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat tribute-warning] __write_overflow_field(p_size_field, size); ^ which was isolated to the memset() call in xen_load_idt(). Note that this looks very much like another bug that was worked around: ClangBuiltLinux/linux#1592 Cc: Juergen Gross <jgross@suse.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: xen-devel@lists.xenproject.org Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> (cherry picked from commit 703d644)

stable inclusion from stable-v5.10.150 commit 1f730d4ae6f9ea8aa3b5e0c6c338fe8903b4647d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0XA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1f730d4ae6f9ea8aa3b5e0c6c338fe8903b4647d -------------------------------- [ Upstream commit 3e17308 ] Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic offset. Work around this by using a direct assignment of an empty instance. Avoids this warning: ../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat tribute-warning] __write_overflow_field(p_size_field, size); ^ which was isolated to the memset() call in xen_load_idt(). Note that this looks very much like another bug that was worked around: ClangBuiltLinux/linux#1592 Cc: Juergen Gross <jgross@suse.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: xen-devel@lists.xenproject.org Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>

[ Upstream commit 3e1730842f142add55dc658929221521a9ea62b6 ] Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic offset. Work around this by using a direct assignment of an empty instance. Avoids this warning: ../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat tribute-warning] __write_overflow_field(p_size_field, size); ^ which was isolated to the memset() call in xen_load_idt(). Note that this looks very much like another bug that was worked around: ClangBuiltLinux/linux#1592 Cc: Juergen Gross <jgross@suse.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: xen-devel@lists.xenproject.org Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Sasha Levin <sashal@kernel.org>

nathanchance added -Wattribute-warning [BUG] linux-next This is an issue only seen in linux-next labels Feb 14, 2022

nathanchance added [BUG] linux A bug that should be fixed in the mainline kernel. and removed [BUG] linux-next This is an issue only seen in linux-next labels Apr 19, 2022

nathanchance added the CONFIG_WERROR Has in an error with CONFIG_WERROR (all{mod,yes}config) (or emits a non-compiler warning) label Jun 15, 2022

kees added the [PATCH] Submitted A patch has been submitted for review label Jun 16, 2022

nathanchance added [PATCH] Accepted A submitted patch has been accepted upstream and removed [PATCH] Submitted A patch has been submitted for review labels Jun 17, 2022

kees added the [__bos] miscalculation This bug was due to an undiagnosed problem with __builtin_object_size label Jan 6, 2023

kees added the loop unroller label Feb 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

-Wattribute-warning in drivers/net/ethernet/huawei/hinic/hinic_devlink.c #1592

-Wattribute-warning in drivers/net/ethernet/huawei/hinic/hinic_devlink.c #1592

nathanchance commented Feb 14, 2022

kees commented Feb 15, 2022

kees commented Feb 15, 2022

kees commented Mar 25, 2022

nathanchance commented Mar 25, 2022

kees commented Mar 25, 2022

nathanchance commented Mar 25, 2022

kees commented Mar 31, 2022

nathanchance commented Jun 15, 2022

kees commented Jun 16, 2022 •

edited

Loading

nickdesaulniers commented Jun 16, 2022

nathanchance commented Jun 17, 2022

nickdesaulniers commented Jun 22, 2022

nickdesaulniers commented Jun 22, 2022

nathanchance commented Jun 22, 2022

nathanchance commented Jun 23, 2022

nickdesaulniers commented Jun 23, 2022

kees commented Jun 23, 2022

kees commented Jan 6, 2023 •

edited

Loading

-Wattribute-warning in drivers/net/ethernet/huawei/hinic/hinic_devlink.c #1592

-Wattribute-warning in drivers/net/ethernet/huawei/hinic/hinic_devlink.c #1592

Comments

nathanchance commented Feb 14, 2022

kees commented Feb 15, 2022

kees commented Feb 15, 2022

kees commented Mar 25, 2022

nathanchance commented Mar 25, 2022

kees commented Mar 25, 2022

nathanchance commented Mar 25, 2022

kees commented Mar 31, 2022

nathanchance commented Jun 15, 2022

kees commented Jun 16, 2022 • edited Loading

nickdesaulniers commented Jun 16, 2022

nathanchance commented Jun 17, 2022

nickdesaulniers commented Jun 22, 2022

nickdesaulniers commented Jun 22, 2022

nathanchance commented Jun 22, 2022

nathanchance commented Jun 23, 2022

nickdesaulniers commented Jun 23, 2022

kees commented Jun 23, 2022

kees commented Jan 6, 2023 • edited Loading

kees commented Jun 16, 2022 •

edited

Loading

kees commented Jan 6, 2023 •

edited

Loading