On Wed 03-04-24 14:54:03, Kees Cook wrote:
> With adding __counted_by(handle_bytes) to struct file_handle, we need
> to explicitly set it in the one place it wasn't yet happening prior to
> accessing the flex array "f_handle".
>
> Fixes: 1b43c4629756 ("fs: Annotate struct file_handle with __counted_by() and use struct_size()")
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>

OK, so this isn't really a functional bug AFAIU but the compiler will
wrongly complain we are accessing handle->f_handle beyond claimed array
size (because handle->handle_bytes == 0 at that point). Am I right? If
that's the case, please add a short comment explaining this (because it
looks odd we set handle->handle_bytes and then reset it a few lines
later). With the comment feel free to add:

Reviewed-by: Jan Kara <jack@xxxxxxx>

								Honza

> ---
> Cc: Christian Brauner <brauner@xxxxxxxxxx>
> Cc: "Gustavo A. R. Silva" <gustavoars@xxxxxxxxxx>
> Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>
> Cc: Jan Kara <jack@xxxxxxx>
> Cc: Chuck Lever <chuck.lever@xxxxxxxxxx>
> Cc: Jeff Layton <jlayton@xxxxxxxxxx>
> Cc: Amir Goldstein <amir73il@xxxxxxxxx>
> Cc: linux-fsdevel@xxxxxxxxxxxxxxx
> Cc: linux-nfs@xxxxxxxxxxxxxxx
> Cc: linux-hardening@xxxxxxxxxxxxxxx
> ---
>  fs/fhandle.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/fs/fhandle.c b/fs/fhandle.c
> index 53ed54711cd2..08ec2340dd22 100644
> --- a/fs/fhandle.c
> +++ b/fs/fhandle.c
> @@ -40,6 +40,7 @@ static long do_sys_name_to_handle(const struct path *path,
>  			GFP_KERNEL);
>  	if (!handle)
>  		return -ENOMEM;
> +	handle->handle_bytes = f_handle.handle_bytes;
>
>  	/* convert handle size to multiple of sizeof(u32) */
>  	handle_dwords = f_handle.handle_bytes >> 2;
> --
> 2.34.1
>
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR
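Review bot: the added line `handle->handle_bytes = f_handle.handle_bytes;` in do_sys_name_to_handle() carries no comment, and its purpose is not obvious from the hunk alone: with __counted_by(handle_bytes) on struct file_handle the counter defines how many bytes of f_handle the compiler (and a bounds sanitizer) will allow to be accessed, so it has to hold the allocated length before the flex array is touched, and a reader who sees it assigned here and, per the reviewer, reset a few lines later will take one of the two as redundant and be tempted to drop it. Suggest a one-line comment above the assignment stating that it is there for the __counted_by() annotation, and, since sanitizer bounds checks will trust this value, a check that the assigned f_handle.handle_bytes is the same value that sized the allocation on the lines just above (the `GFP_KERNEL);` context line is the tail of that allocation).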
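The situation Jan describes (a flexible array annotated with __counted_by whose counter is still zero when the array is first accessed) can be reproduced outside the kernel. The following is an added example, not code from the patch or from fs/fhandle.c: it declares a struct shaped like struct file_handle, applies the counted_by attribute where the compiler offers it, and sets the counter immediately after allocation, as the patch does. The run-time length check in handle_buf_fill() stands in for the compiler's bounds check on compilers without the attribute, and the zero-length case shows why a counter of 0 makes every access to the array look out of bounds. All names (handle_buf, handle_buf_alloc, handle_buf_fill, handle_buf_checksum) are assumptions made for this example.

```c
/* Added example (not kernel code): why the __counted_by() counter must be
 * set before the flexible array it describes is used. With a counted_by-
 * aware compiler and -fsanitize=bounds, a counter of 0 makes any access to
 * the array trip the sanitizer; the explicit check in handle_buf_fill()
 * mirrors that at run time on compilers without the attribute. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(member) __attribute__((counted_by(member)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(member)   /* attribute unsupported: no compile-time bound */
#endif

/* Hypothetical struct mirroring the shape of struct file_handle: a byte
 * count followed by the flexible array it describes. */
struct handle_buf {
    uint32_t handle_bytes;
    int handle_type;
    unsigned char f_handle[] COUNTED_BY(handle_bytes);
};

/* Equivalent of the kernel's struct_size(): header plus n array elements. */
static size_t handle_buf_size(size_t n)
{
    return sizeof(struct handle_buf) + n * sizeof(unsigned char);
}

/* Allocate zeroed storage and set the counter first, before anything
 * touches f_handle. Returns NULL on allocation failure. */
static struct handle_buf *handle_buf_alloc(uint32_t n)
{
    struct handle_buf *h = calloc(1, handle_buf_size(n));
    if (!h)
        return NULL;
    h->handle_bytes = n;   /* the counter the bounds check trusts */
    return h;
}

/* Copy len bytes into f_handle. Rejects len > handle_bytes, which is the
 * same condition a counted_by bounds check would flag. Returns the number
 * of bytes written, or -1 when the copy would exceed the claimed size. */
static int handle_buf_fill(struct handle_buf *h, const unsigned char *src, size_t len)
{
    if (!h || len > h->handle_bytes)
        return -1;
    memcpy(h->f_handle, src, len);
    return (int)len;
}

/* Read back through the counter-bounded array: sum of the stored bytes. */
static unsigned handle_buf_checksum(const struct handle_buf *h)
{
    unsigned sum = 0;
    for (uint32_t i = 0; i < h->handle_bytes; i++)
        sum += h->f_handle[i];
    return sum;
}
```

With handle_buf_alloc(0), handle_bytes stays 0 and handle_buf_fill() refuses even a one-byte write; that is the run-time analogue of the compiler complaint in the thread, where handle->handle_bytes was still 0 when f_handle was first accessed.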