This is a note to let you know that I've just added the patch titled ovl: Use "buf" flexible array for memcpy() destination to the 6.1-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: ovl-use-buf-flexible-array-for-memcpy-destination.patch and it can be found in the queue-6.1 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From cf8aa9bf97cadf85745506c6a3e244b22c268d63 Mon Sep 17 00:00:00 2001 From: Kees Cook <keescook@xxxxxxxxxxxx> Date: Sat, 24 Sep 2022 00:33:15 -0700 Subject: ovl: Use "buf" flexible array for memcpy() destination From: Kees Cook <keescook@xxxxxxxxxxxx> commit cf8aa9bf97cadf85745506c6a3e244b22c268d63 upstream. The "buf" flexible array needs to be the memcpy() destination to avoid false positive run-time warning from the recent FORTIFY_SOURCE hardening: memcpy: detected field-spanning write (size 93) of single field "&fh->fb" at fs/overlayfs/export.c:799 (size 21) Reported-by: syzbot+9d14351a171d0d1c7955@xxxxxxxxxxxxxxxxxxxxxxxxx Link: https://lore.kernel.org/all/000000000000763a6c05e95a5985@xxxxxxxxxx/ Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> Reviewed-by: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx> Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/overlayfs/export.c | 2 +- fs/overlayfs/overlayfs.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) --- a/fs/overlayfs/export.c +++ b/fs/overlayfs/export.c @@ -796,7 +796,7 @@ static struct ovl_fh *ovl_fid_to_fh(stru return ERR_PTR(-ENOMEM); /* Copy unaligned inner fh into aligned buffer */ - memcpy(&fh->fb, fid, buflen - OVL_FH_WIRE_OFFSET); + memcpy(fh->buf, fid, buflen - OVL_FH_WIRE_OFFSET); return fh; } --- a/fs/overlayfs/overlayfs.h +++ b/fs/overlayfs/overlayfs.h @@ -108,7 +108,7 @@ struct ovl_fh { u8 padding[3]; /* make sure fb.fid is 32bit aligned */ union { struct ovl_fb fb; - u8 buf[0]; + DECLARE_FLEX_ARRAY(u8, buf); }; } __packed; Patches currently in stable-queue which might be from keescook@xxxxxxxxxxxx are queue-6.1/ovl-use-buf-flexible-array-for-memcpy-destination.patch queue-6.1/bcache-silence-memcpy-run-time-false-positive-warnin.patch queue-6.1/highmem-round-down-the-address-passed-to-kunmap_flush_on_unmap.patch