From: kernel test robot <lkp@intel.com>
To: oe-kbuild@lists.linux.dev
Cc: lkp@intel.com, Dan Carpenter <error27@gmail.com>
Subject: [linux-next:master 9409/10134] lib/fortify_kunit.c:443 fortify_test_strcpy() error: strcpy() 'src' too large for 'pad.buf' (33 vs 32)
Date: Thu, 2 May 2024 04:38:22 +0800
Message-ID: <202405020451.cgCahkAL-lkp@intel.com>
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
CC: Linux Memory Management List <linux-mm@kvack.org>
TO: Kees Cook <keescook@chromium.org>
Hi Kees,
FYI, the error/warning was bisected to this commit, please ignore it if it's irrelevant.
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head: f68868ba718e30594165879cc3020607165b0761
commit: 63228e09bd3128589a98b5eb9fa2ece4dd804c31 [9409/10134] kunit/fortify: Rename tests to use recommended conventions
:::::: branch date: 10 hours ago
:::::: commit date: 2 days ago
config: i386-randconfig-141-20240501 (https://download.01.org/0day-ci/archive/20240502/202405020451.cgCahkAL-lkp@intel.com/config)
compiler: gcc-13 (Ubuntu 13.2.0-4ubuntu3) 13.2.0
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202405020451.cgCahkAL-lkp@intel.com/
New smatch warnings:
lib/fortify_kunit.c:443 fortify_test_strcpy() error: strcpy() 'src' too large for 'pad.buf' (33 vs 32)
Old smatch warnings:
lib/fortify_kunit.c:454 fortify_test_strcpy() error: strcpy() 'src' too large for 'pad.buf' (33 vs 32)
lib/fortify_kunit.c:467 fortify_test_strcpy() error: strcpy() 'src' too large for 'pad.buf' (33 vs 32)
vim +443 lib/fortify_kunit.c
fa4a3f86d4982b Kees Cook 2023-04-07 424
63228e09bd3128 Kees Cook 2024-04-29 425 static void fortify_test_strcpy(struct kunit *test)
fa4a3f86d4982b Kees Cook 2023-04-07 426 {
fa4a3f86d4982b Kees Cook 2023-04-07 427 struct fortify_padding pad = { };
fa4a3f86d4982b Kees Cook 2023-04-07 428 char src[sizeof(pad.buf) + 1] = { };
fa4a3f86d4982b Kees Cook 2023-04-07 429 int i;
fa4a3f86d4982b Kees Cook 2023-04-07 430
fa4a3f86d4982b Kees Cook 2023-04-07 431 /* Fill 31 bytes with valid characters. */
fa4a3f86d4982b Kees Cook 2023-04-07 432 for (i = 0; i < sizeof(src) - 2; i++)
fa4a3f86d4982b Kees Cook 2023-04-07 433 src[i] = i + '0';
fa4a3f86d4982b Kees Cook 2023-04-07 434
fa4a3f86d4982b Kees Cook 2023-04-07 435 /* Destination is %NUL-filled to start with. */
fa4a3f86d4982b Kees Cook 2023-04-07 436 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
fa4a3f86d4982b Kees Cook 2023-04-07 437 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
fa4a3f86d4982b Kees Cook 2023-04-07 438 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
fa4a3f86d4982b Kees Cook 2023-04-07 439 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
fa4a3f86d4982b Kees Cook 2023-04-07 440 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
fa4a3f86d4982b Kees Cook 2023-04-07 441
fa4a3f86d4982b Kees Cook 2023-04-07 442 /* Legitimate strcpy() 1 less than of max size. */
fa4a3f86d4982b Kees Cook 2023-04-07 @443 KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src)
fa4a3f86d4982b Kees Cook 2023-04-07 444 == pad.buf);
fa4a3f86d4982b Kees Cook 2023-04-07 445 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
fa4a3f86d4982b Kees Cook 2023-04-07 446 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
fa4a3f86d4982b Kees Cook 2023-04-07 447 /* Only last byte should be %NUL */
fa4a3f86d4982b Kees Cook 2023-04-07 448 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
fa4a3f86d4982b Kees Cook 2023-04-07 449 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
fa4a3f86d4982b Kees Cook 2023-04-07 450 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
fa4a3f86d4982b Kees Cook 2023-04-07 451
fa4a3f86d4982b Kees Cook 2023-04-07 452 src[sizeof(src) - 2] = 'A';
fa4a3f86d4982b Kees Cook 2023-04-07 453 /* But now we trip the overflow checking. */
fa4a3f86d4982b Kees Cook 2023-04-07 454 KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src)
fa4a3f86d4982b Kees Cook 2023-04-07 455 == pad.buf);
fa4a3f86d4982b Kees Cook 2023-04-07 456 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
fa4a3f86d4982b Kees Cook 2023-04-07 457 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
fa4a3f86d4982b Kees Cook 2023-04-07 458 /* Trailing %NUL -- thanks to FORTIFY. */
fa4a3f86d4982b Kees Cook 2023-04-07 459 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
fa4a3f86d4982b Kees Cook 2023-04-07 460 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
fa4a3f86d4982b Kees Cook 2023-04-07 461 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
fa4a3f86d4982b Kees Cook 2023-04-07 462 /* And we will not have gone beyond. */
fa4a3f86d4982b Kees Cook 2023-04-07 463 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
fa4a3f86d4982b Kees Cook 2023-04-07 464
fa4a3f86d4982b Kees Cook 2023-04-07 465 src[sizeof(src) - 1] = 'A';
fa4a3f86d4982b Kees Cook 2023-04-07 466 /* And for sure now, two bytes past. */
fa4a3f86d4982b Kees Cook 2023-04-07 467 KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src)
fa4a3f86d4982b Kees Cook 2023-04-07 468 == pad.buf);
fa4a3f86d4982b Kees Cook 2023-04-07 469 /*
fa4a3f86d4982b Kees Cook 2023-04-07 470 * Which trips both the strlen() on the unterminated src,
fa4a3f86d4982b Kees Cook 2023-04-07 471 * and the resulting copy attempt.
fa4a3f86d4982b Kees Cook 2023-04-07 472 */
fa4a3f86d4982b Kees Cook 2023-04-07 473 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
fa4a3f86d4982b Kees Cook 2023-04-07 474 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
fa4a3f86d4982b Kees Cook 2023-04-07 475 /* Trailing %NUL -- thanks to FORTIFY. */
fa4a3f86d4982b Kees Cook 2023-04-07 476 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
fa4a3f86d4982b Kees Cook 2023-04-07 477 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
fa4a3f86d4982b Kees Cook 2023-04-07 478 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
fa4a3f86d4982b Kees Cook 2023-04-07 479 /* And we will not have gone beyond. */
fa4a3f86d4982b Kees Cook 2023-04-07 480 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
fa4a3f86d4982b Kees Cook 2023-04-07 481 }
fa4a3f86d4982b Kees Cook 2023-04-07 482
:::::: The code at line 443 was first introduced by commit
:::::: fa4a3f86d4982b603865ccb97dde82f0ae1e3302 fortify: Add KUnit tests for runtime overflows
:::::: TO: Kees Cook <keescook@chromium.org>
:::::: CC: Kees Cook <keescook@chromium.org>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki