Use flex array destination for memcpy() in drivers/infiniband/ulp/srpt/ib_srpt.c #201

Closed
GustavoARSilva opened this issue Sep 8, 2022 · 2 comments

GustavoARSilva commented Sep 8, 2022

srp_rsp is a pointer to a flexible structure (a structure that contains a trailing flexible-array member). Use the flexible-array member as destination in memcpy(), explicitly.

include/scsi/srp.h:
struct srp_rsp {
        u8      opcode;
        u8      sol_not;
...
        __be32  sense_data_len;
        __be32  resp_data_len;
        u8      data[];
};

drivers/infiniband/ulp/srpt/ib_srpt.c:
                memcpy(srp_rsp + 1, sense_data, sense_data_len);

Reported-by: https://github.com/HBh25Y
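
Added example (user-space C, not code from the kernel or from this issue): why naming the flexible-array member as the `memcpy()` destination is the safer form. `demo_rsp`, `demo_padded` and the helper functions are constructed for illustration and do not reproduce the real `struct srp_rsp` layout; the example goes one step beyond the issue by also showing a header with trailing padding, where `ptr + 1` and `ptr->data` are different addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a flexible structure; not the real srp_rsp layout. */
struct demo_rsp {
	uint8_t  opcode;
	uint8_t  sol_not;
	uint8_t  reserved[2];
	uint32_t sense_data_len;	/* host order here; __be32 in the kernel */
	uint32_t resp_data_len;
	uint8_t  data[];		/* trailing flexible-array member */
};

/* Constructed header that ends in padding, so data[] starts before sizeof(). */
struct demo_padded {
	uint64_t tag;
	uint8_t  status;
	uint8_t  data[];
};

/* Bytes between data[] and "ptr + 1"; 0 means both name the same address. */
size_t rsp_gap(void) { return sizeof(struct demo_rsp) - offsetof(struct demo_rsp, data); }
size_t padded_gap(void) { return sizeof(struct demo_padded) - offsetof(struct demo_padded, data); }

/* Allocate the header plus cap payload bytes for data[]. */
struct demo_rsp *demo_rsp_alloc(size_t cap)
{
	return calloc(1, sizeof(struct demo_rsp) + cap);
}

/* Bounded copy that names data[] as the destination; -1 if len exceeds cap. */
int demo_rsp_set_sense(struct demo_rsp *rsp, size_t cap, const void *sense, size_t len)
{
	if (len > cap)
		return -1;
	memcpy(rsp->data, sense, len);
	rsp->sense_data_len = (uint32_t)len;
	return 0;
}

int main(void)
{
	printf("demo_rsp gap: %zu, demo_padded gap: %zu\n", rsp_gap(), padded_gap());
	return 0;
}
```

A gap of 0 means `ptr + 1` and `ptr->data` are the same address and the change only affects which object the bounds checker sees as the destination; a non-zero gap means `ptr + 1` would also skip payload bytes.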

@GustavoARSilva GustavoARSilva self-assigned this Sep 8, 2022
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this issue Sep 9, 2022
In preparation for FORTIFY_SOURCE performing run-time destination buffer
bounds checking for memcpy(), specify the destination output buffer
explicitly, instead of asking memcpy() to write past the end of what looked
like a fixed-size object.

Notice that srp_rsp[] is a pointer to a structure that contains
flexible-array member data[]:

struct srp_rsp {
	...
	__be32	sense_data_len;
	__be32	resp_data_len;
	u8	data[];
};

link: KSPP#201
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>

HBh25Y commented Sep 9, 2022

@GustavoARSilva
Collaborator Author

Awesome. Thanks!

@GustavoARSilva GustavoARSilva added the [PATCH] Exists A patch exists to address the issue label Sep 9, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Sep 20, 2022
In preparation for FORTIFY_SOURCE performing run-time destination buffer
bounds checking for memcpy(), specify the destination output buffer
explicitly, instead of asking memcpy() to write past the end of what looked
like a fixed-size object.

Notice that srp_rsp[] is a pointer to a structure that contains
flexible-array member data[]:

struct srp_rsp {
	...
	__be32	sense_data_len;
	__be32	resp_data_len;
	u8	data[];
};

link: KSPP/linux#201
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Link: https://lore.kernel.org/r/20220909022943.8896-1-hbh25y@gmail.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
@GustavoARSilva GustavoARSilva added the [Linux] -next Present in linux-next; expected for next Linux release label Sep 22, 2022
@GustavoARSilva GustavoARSilva added the [PATCH] Accepted A submitted patch has been accepted upstream label Feb 2, 2023