Patch "ovl: Use "buf" flexible array for memcpy() destination" has been added to the 6.1-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Tue, 07 Feb 2023 13:41:31 +0100

This is a note to let you know that I've just added the patch titled

    ovl: Use "buf" flexible array for memcpy() destination

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ovl-use-buf-flexible-array-for-memcpy-destination.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From cf8aa9bf97cadf85745506c6a3e244b22c268d63 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@xxxxxxxxxxxx>
Date: Sat, 24 Sep 2022 00:33:15 -0700
Subject: ovl: Use "buf" flexible array for memcpy() destination

From: Kees Cook <keescook@xxxxxxxxxxxx>

commit cf8aa9bf97cadf85745506c6a3e244b22c268d63 upstream.

The "buf" flexible array needs to be the memcpy() destination to avoid
false positive run-time warning from the recent FORTIFY_SOURCE
hardening:

  memcpy: detected field-spanning write (size 93) of single field "&fh->fb"
  at fs/overlayfs/export.c:799 (size 21)

Reported-by: syzbot+9d14351a171d0d1c7955@xxxxxxxxxxxxxxxxxxxxxxxxx
Link: https://lore.kernel.org/all/000000000000763a6c05e95a5985@xxxxxxxxxx/
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Reviewed-by: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>
Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/overlayfs/export.c    |    2 +-
 fs/overlayfs/overlayfs.h |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/fs/overlayfs/export.c
+++ b/fs/overlayfs/export.c
@@ -796,7 +796,7 @@ static struct ovl_fh *ovl_fid_to_fh(stru
 		return ERR_PTR(-ENOMEM);
 
 	/* Copy unaligned inner fh into aligned buffer */
-	memcpy(&fh->fb, fid, buflen - OVL_FH_WIRE_OFFSET);
+	memcpy(fh->buf, fid, buflen - OVL_FH_WIRE_OFFSET);
 	return fh;
 }
 
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@@ -108,7 +108,7 @@ struct ovl_fh {
 	u8 padding[3];	/* make sure fb.fid is 32bit aligned */
 	union {
 		struct ovl_fb fb;
-		u8 buf[0];
+		DECLARE_FLEX_ARRAY(u8, buf);
 	};
 } __packed;
 


Patches currently in stable-queue which might be from keescook@xxxxxxxxxxxx are

queue-6.1/ovl-use-buf-flexible-array-for-memcpy-destination.patch
queue-6.1/bcache-silence-memcpy-run-time-false-positive-warnin.patch
queue-6.1/highmem-round-down-the-address-passed-to-kunmap_flush_on_unmap.patch






