From: Arnd Bergmann <arnd@xxxxxxxx> Subject: adfs: use 'unsigned' types for memcpy length After 62d1034f53e3 ("fortify: use WARN instead of BUG for now"), we get a warning in adfs about a possible buffer overflow: In function 'memcpy', inlined from '__adfs_dir_put' at fs/adfs/dir_f.c:318:2, inlined from 'adfs_f_update' at fs/adfs/dir_f.c:403:2: include/linux/string.h:305:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter __read_overflow2(); ^~~~~~~~~~~~~~~~~~ The warning is correct in the sense that a negative 'pos' argument to the function would have that result. However, this is not a bug, as we know the position is always positive (in fact, between 5 and 2007, inclusive) when the function gets called. Changing the variable to a unsigned type avoids the problem. I decided to use 'unsigned int' for the position in the directory and the block number, as they are both counting things, but use size_t for the offset and length that get passed into memcpy. This shuts up the warning. Link: http://lkml.kernel.org/r/20170801120438.1582336-2-arnd@xxxxxxxx Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx> Acked-by: Kees Cook <keescook@xxxxxxxxxxxx> Cc: Stephen Rothwell <sfr@xxxxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- fs/adfs/dir_f.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff -puN fs/adfs/dir_f.c~adfs-use-unsigned-types-for-memcpy-length fs/adfs/dir_f.c --- a/fs/adfs/dir_f.c~adfs-use-unsigned-types-for-memcpy-length +++ a/fs/adfs/dir_f.c @@ -283,11 +283,12 @@ __adfs_dir_get(struct adfs_dir *dir, int } static int -__adfs_dir_put(struct adfs_dir *dir, int pos, struct object_info *obj) +__adfs_dir_put(struct adfs_dir *dir, unsigned int pos, struct object_info *obj) { struct super_block *sb = dir->sb; struct adfs_direntry de; - int thissize, buffer, offset; + unsigned int buffer; + size_t thissize, offset; buffer = pos >> sb->s_blocksize_bits; _ -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html