Commit cf8aa9bf authored Sep 24, 2022 by Kees Cook Committed by Miklos Szeredi Dec 08, 2022

ovl: Use "buf" flexible array for memcpy() destination



The "buf" flexible array needs to be the memcpy() destination to avoid
false positive run-time warning from the recent FORTIFY_SOURCE
hardening:

  memcpy: detected field-spanning write (size 93) of single field "&fh->fb"
  at fs/overlayfs/export.c:799 (size 21)

Reported-by:  <syzbot+9d14351a171d0d1c7955@syzkaller.appspotmail.com>
Link: https://lore.kernel.org/all/000000000000763a6c05e95a5985@google.com/


Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

parent 456b59e7

fs/overlayfs/export.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -796,7 +796,7 @@ static struct ovl_fh ovl_fid_to_fh(struct fid fid, int buflen, int fh_type)
		return ERR_PTR(-ENOMEM);

		/* Copy unaligned inner fh into aligned buffer */
		memcpy(&fh->fb, fid, buflen - OVL_FH_WIRE_OFFSET);
		memcpy(fh->buf, fid, buflen - OVL_FH_WIRE_OFFSET);
		return fh;
		}

fs/overlayfs/overlayfs.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -108,7 +108,7 @@ struct ovl_fh {
		u8 padding[3]; /* make sure fb.fid is 32bit aligned */
		union {
		struct ovl_fb fb;
		u8 buf[0];
		DECLARE_FLEX_ARRAY(u8, buf);
		};
		} __packed;