On Wed, Oct 16, 2024 at 01:26:24PM +0200, Alexandre Ghiti wrote: > On 16/10/2024 00:04, Jessica Clarke wrote: > > Is the problem in [1] not just that the early boot path uses memcpy on > > the result of ALT_OLD_PTR, which is a wildly out-of-bounds pointer from > > the compiler’s perspective? If so, it would seem better to use > > unsafe_memcpy for that one call site rather than use the big > > __NO_FORTIFY hammer, surely? > > Not sure why fortify complains here, and I have just seen that I forgot to > cc Kees (done now). I haven't had time to investigate this -- something is confusing the compiler about the object size. It's likely that it has decided that "char *" is literally pointing to a single byte. (Instead of being unable to determine the origin of the pointer and being forced to return SIZE_MAX for the object size -- "unknown" size.) In other cases, we've been able to convert "char *ptr" to "char ptr[]" and that tells the compiler it's an array of unknown size. That didn't look very possible here. > [...] > And I believe that enabling fortify and using the unsafe_*() variants is > error-prone since we'd have to make sure that all the "fortified" functions > used in that code use the unsafe_*() variants. > > So to me, it's way easier in terms of maintenance to just disabling fortify. I would agree: there's no way to report a fortify failure, so best to turn it off here. -- Kees Cook
