[10/12] vhost/crypto: fix build with GCC 12

Message ID 20220518101657.1230416-11-david.marchand@redhat.com (mailing list archive)
State Changes Requested, archived
Delegated to: Thomas Monjalon
Series Fix compilation with gcc 12

Checks

Context         Check     Description
ci/checkpatch   success   coding style OK

Commit Message

David Marchand May 18, 2022, 10:16 a.m. UTC
  GCC 12 raises the following warning:

In file included from ../lib/mempool/rte_mempool.h:46,
                 from ../lib/mbuf/rte_mbuf.h:38,
                 from ../lib/vhost/vhost_crypto.c:7:
../lib/vhost/vhost_crypto.c: In function ‘rte_vhost_crypto_fetch_requests’:
../lib/eal/x86/include/rte_memcpy.h:371:9: warning: array subscript 1 is
     outside array bounds of ‘struct virtio_crypto_op_data_req[1]’
     [-Warray-bounds]
  371 | rte_mov32((uint8_t *)dst + 3 * 32, (const uint8_t *)src + 3 * 32);
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../lib/vhost/vhost_crypto.c:1178:42: note: while referencing ‘req’
 1178 |         struct virtio_crypto_op_data_req req;
      |                                          ^~~

Check that copied length is within req boundaries.

Fixes: 3c79609fda7c ("vhost/crypto: handle virtually non-contiguous buffers")
Cc: stable@dpdk.org

Signed-off-by: David Marchand <david.marchand@redhat.com>
---
 lib/vhost/vhost_crypto.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
  

Comments

Bruce Richardson June 2, 2022, 10:08 a.m. UTC | #1
On Wed, May 18, 2022 at 12:16:55PM +0200, David Marchand wrote:
> GCC 12 raises the following warning:
> 
> In file included from ../lib/mempool/rte_mempool.h:46,
>                  from ../lib/mbuf/rte_mbuf.h:38,
>                  from ../lib/vhost/vhost_crypto.c:7:
> ../lib/vhost/vhost_crypto.c: In function ‘rte_vhost_crypto_fetch_requests’:
> ../lib/eal/x86/include/rte_memcpy.h:371:9: warning: array subscript 1 is
>      outside array bounds of ‘struct virtio_crypto_op_data_req[1]’
>      [-Warray-bounds]
>   371 | rte_mov32((uint8_t *)dst + 3 * 32, (const uint8_t *)src + 3 * 32);
>       | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ../lib/vhost/vhost_crypto.c:1178:42: note: while referencing ‘req’
>  1178 |         struct virtio_crypto_op_data_req req;
>       |                                          ^~~
> 
> Check that copied length is within req boundaries.
> 
> Fixes: 3c79609fda7c ("vhost/crypto: handle virtually non-contiguous buffers")
> Cc: stable@dpdk.org
> 
> Signed-off-by: David Marchand <david.marchand@redhat.com>
> ---
>  lib/vhost/vhost_crypto.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/lib/vhost/vhost_crypto.c b/lib/vhost/vhost_crypto.c
> index b1c0eb6a0f..83325b7042 100644
> --- a/lib/vhost/vhost_crypto.c
> +++ b/lib/vhost/vhost_crypto.c
> @@ -576,16 +576,16 @@ copy_data(void *dst_data, struct vhost_crypto_data_req *vc_req,
>  	uint32_t to_copy;
>  	uint8_t *data = dst_data;
>  	uint8_t *src;
> -	int left = size;
> +	uint32_t left = size;
>  
> -	to_copy = RTE_MIN(desc->len, (uint32_t)left);
> +	to_copy = RTE_MIN(desc->len, left);
>  	dlen = to_copy;
>  	src = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr, &dlen,
>  			VHOST_ACCESS_RO);

Tracking the functions which end up being called by this macro, the dlen
parameter ends up being of type "uint64_t *", passing a value of int * or
uint32_t * seems wrong to me. If we are changing the type from int to
uint32_t, I think it should be promoted all the way to uint64_t.

> -	if (unlikely(!src || !dlen))
> +	if (unlikely(!src || !dlen || dlen > left))
>  		return -1;
>  

If this change is omitted, does the compiler still give warnings? Looking
through the called code, the dlen parameter can only ever be reduced, not
incremented (function rte_vhost_va_from_guest_pa() in rte_vhost.h).

> -	rte_memcpy((uint8_t *)data, src, dlen);
> +	rte_memcpy(data, src, dlen);
>  	data += dlen;
>  
>  	if (unlikely(dlen < to_copy)) {
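Review bot: dropping the `(uint8_t *)` cast in `rte_memcpy(data, src, dlen)` is a pure cleanup, since `data` is declared as `uint8_t *data = dst_data` in the same hunk; consider splitting it from the bounds fix so the backport to stable carries only the behavioural change.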
> -- 
> 2.36.1
>
  
Stephen Hemminger June 11, 2022, 3:36 p.m. UTC | #2
On Wed, 18 May 2022 12:16:55 +0200
David Marchand <david.marchand@redhat.com> wrote:

> GCC 12 raises the following warning:
> 
> In file included from ../lib/mempool/rte_mempool.h:46,
>                  from ../lib/mbuf/rte_mbuf.h:38,
>                  from ../lib/vhost/vhost_crypto.c:7:
> ../lib/vhost/vhost_crypto.c: In function ‘rte_vhost_crypto_fetch_requests’:
> ../lib/eal/x86/include/rte_memcpy.h:371:9: warning: array subscript 1 is
>      outside array bounds of ‘struct virtio_crypto_op_data_req[1]’
>      [-Warray-bounds]
>   371 | rte_mov32((uint8_t *)dst + 3 * 32, (const uint8_t *)src + 3 * 32);
>       | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ../lib/vhost/vhost_crypto.c:1178:42: note: while referencing ‘req’
>  1178 |         struct virtio_crypto_op_data_req req;
>       |                                          ^~~
> 
> Check that copied length is within req boundaries.
> 
> Fixes: 3c79609fda7c ("vhost/crypto: handle virtually non-contiguous buffers")
> Cc: stable@dpdk.org
> 
> Signed-off-by: David Marchand <david.marchand@redhat.com>


Acked-by: Stephen Hemminger <stephen@networkplumber.org>
  
David Marchand June 14, 2022, 9:22 a.m. UTC | #3
On Thu, Jun 2, 2022 at 12:09 PM Bruce Richardson
<bruce.richardson@intel.com> wrote:
>
> On Wed, May 18, 2022 at 12:16:55PM +0200, David Marchand wrote:
> > GCC 12 raises the following warning:
> >
> > In file included from ../lib/mempool/rte_mempool.h:46,
> >                  from ../lib/mbuf/rte_mbuf.h:38,
> >                  from ../lib/vhost/vhost_crypto.c:7:
> > ../lib/vhost/vhost_crypto.c: In function ‘rte_vhost_crypto_fetch_requests’:
> > ../lib/eal/x86/include/rte_memcpy.h:371:9: warning: array subscript 1 is
> >      outside array bounds of ‘struct virtio_crypto_op_data_req[1]’
> >      [-Warray-bounds]
> >   371 | rte_mov32((uint8_t *)dst + 3 * 32, (const uint8_t *)src + 3 * 32);
> >       | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > ../lib/vhost/vhost_crypto.c:1178:42: note: while referencing ‘req’
> >  1178 |         struct virtio_crypto_op_data_req req;
> >       |                                          ^~~
> >
> > Check that copied length is within req boundaries.
> >
> > Fixes: 3c79609fda7c ("vhost/crypto: handle virtually non-contiguous buffers")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: David Marchand <david.marchand@redhat.com>
> > ---
> >  lib/vhost/vhost_crypto.c | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/lib/vhost/vhost_crypto.c b/lib/vhost/vhost_crypto.c
> > index b1c0eb6a0f..83325b7042 100644
> > --- a/lib/vhost/vhost_crypto.c
> > +++ b/lib/vhost/vhost_crypto.c
> > @@ -576,16 +576,16 @@ copy_data(void *dst_data, struct vhost_crypto_data_req *vc_req,
> >       uint32_t to_copy;
> >       uint8_t *data = dst_data;
> >       uint8_t *src;
> > -     int left = size;
> > +     uint32_t left = size;
> >
> > -     to_copy = RTE_MIN(desc->len, (uint32_t)left);
> > +     to_copy = RTE_MIN(desc->len, left);
> >       dlen = to_copy;
> >       src = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr, &dlen,
> >                       VHOST_ACCESS_RO);
>
> Tracking the functions which end up being called by this macro, the dlen
> parameter ends up being of type "uint64_t *", passing a value of int * or
> uint32_t * seems wrong to me. If we are changing the type from int to
> uint32_t, I think it should be promoted all the way to uint64_t.

Indeed.
I'll update in v2.

We already had some CVEs on this part of the code; a careful review is needed.


>
> > -     if (unlikely(!src || !dlen))
> > +     if (unlikely(!src || !dlen || dlen > left))
> >               return -1;
> >
>
> If this change is omitted, does the compiler still give warnings. Looking
> through the called code, the dlen parameter can only ever be reduced, not
> incremented (function rte_vhost_va_from_guest_pa() in rte_vhost.h).

If I promote the to_copy and left variables to uint64_t, gcc is still
unhappy, for the same reason.
The check on dlen > left seems necessary.


>
> > -     rte_memcpy((uint8_t *)data, src, dlen);
> > +     rte_memcpy(data, src, dlen);
> >       data += dlen;
> >
> >       if (unlikely(dlen < to_copy)) {
> > --
> > 2.36.1
> >
>
  
Bruce Richardson June 14, 2022, 9:25 a.m. UTC | #4
On Tue, Jun 14, 2022 at 11:22:24AM +0200, David Marchand wrote:
> On Thu, Jun 2, 2022 at 12:09 PM Bruce Richardson
> <bruce.richardson@intel.com> wrote:
> >
> > On Wed, May 18, 2022 at 12:16:55PM +0200, David Marchand wrote:
> > > GCC 12 raises the following warning:
> > >
> > > In file included from ../lib/mempool/rte_mempool.h:46,
> > >                  from ../lib/mbuf/rte_mbuf.h:38,
> > >                  from ../lib/vhost/vhost_crypto.c:7:
> > > ../lib/vhost/vhost_crypto.c: In function ‘rte_vhost_crypto_fetch_requests’:
> > > ../lib/eal/x86/include/rte_memcpy.h:371:9: warning: array subscript 1 is
> > >      outside array bounds of ‘struct virtio_crypto_op_data_req[1]’
> > >      [-Warray-bounds]
> > >   371 | rte_mov32((uint8_t *)dst + 3 * 32, (const uint8_t *)src + 3 * 32);
> > >       | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > ../lib/vhost/vhost_crypto.c:1178:42: note: while referencing ‘req’
> > >  1178 |         struct virtio_crypto_op_data_req req;
> > >       |                                          ^~~
> > >
> > > Check that copied length is within req boundaries.
> > >
> > > Fixes: 3c79609fda7c ("vhost/crypto: handle virtually non-contiguous buffers")
> > > Cc: stable@dpdk.org
> > >
> > > Signed-off-by: David Marchand <david.marchand@redhat.com>
> > > ---
> > >  lib/vhost/vhost_crypto.c | 8 ++++----
> > >  1 file changed, 4 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/lib/vhost/vhost_crypto.c b/lib/vhost/vhost_crypto.c
> > > index b1c0eb6a0f..83325b7042 100644
> > > --- a/lib/vhost/vhost_crypto.c
> > > +++ b/lib/vhost/vhost_crypto.c
> > > @@ -576,16 +576,16 @@ copy_data(void *dst_data, struct vhost_crypto_data_req *vc_req,
> > >       uint32_t to_copy;
> > >       uint8_t *data = dst_data;
> > >       uint8_t *src;
> > > -     int left = size;
> > > +     uint32_t left = size;
> > >
> > > -     to_copy = RTE_MIN(desc->len, (uint32_t)left);
> > > +     to_copy = RTE_MIN(desc->len, left);
> > >       dlen = to_copy;
> > >       src = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr, &dlen,
> > >                       VHOST_ACCESS_RO);
> >
> > Tracking the functions which end up being called by this macro, the dlen
> > parameter ends up being of type "uint64_t *", passing a value of int * or
> > uint32_t * seems wrong to me. If we are changing the type from int to
> > uint32_t, I think it should be promoted all the way to uint64_t.
> 
> Indeed.
> I'll update in v2.
> 
> We already had some CVE on this part of the code, a careful review is needed.
> 
> 
> >
> > > -     if (unlikely(!src || !dlen))
> > > +     if (unlikely(!src || !dlen || dlen > left))
> > >               return -1;
> > >
> >
> > If this change is omitted, does the compiler still give warnings. Looking
> > through the called code, the dlen parameter can only ever be reduced, not
> > incremented (function rte_vhost_va_from_guest_pa() in rte_vhost.h).
> 
> If I promote to_copy and left variables as uint64_t, gcc is still
> unhappy, for the same reason.
> The check on dlen > left seems necessary.
> 
> 
Ok, just thought I'd ask anyway. I wonder if we need to check for
wrap-around in the reduction case, since we are dealing with unsigned
values. This additional check should catch that anyway if it does occur.

/Bruce
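The copy loop the thread is arguing about, as an added model written for this page and not DPDK's copy_data() or its IOVA_TO_VVA macro: guest memory, the descriptor chain and translate() are constructed stand-ins, left and dlen are widened to uint64_t as Bruce suggests, the patch's dlen > left check is kept even though translate() only ever shrinks dlen, and a descriptor whose mapping ends early is continued from the next mapping (the non-contiguous case the Fixes: line refers to).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed guest memory, 32 bytes; byte i holds the value i. */
#define GMEM_SIZE 32
static const uint8_t gmem[GMEM_SIZE] = {
	0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
	16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31 };
struct desc { uint64_t gpa; uint32_t len; };	/* guest address and length */
/* Stand-in for IOVA_TO_VVA (assumption, not DPDK's macro): maps gpa to a host
 * pointer and shrinks *dlen to the bytes left in the current map_chunk-sized
 * mapping, as rte_vhost_va_from_guest_pa() may; it never grows *dlen. */
static const uint8_t *translate(uint64_t gpa, uint64_t *dlen, uint64_t map_chunk)
{
	if (gpa >= GMEM_SIZE)
		return NULL;
	uint64_t avail = map_chunk - gpa % map_chunk;	/* map_chunk must be > 0 */
	if (avail > GMEM_SIZE - gpa)
		avail = GMEM_SIZE - gpa;
	if (*dlen > avail)
		*dlen = avail;
	return &gmem[gpa];
}
/* Copy at most size bytes of the chain into dst, continuing within a descriptor
 * when a mapping ends early (the non-contiguous case). Returns bytes copied or
 * -1 on a bad descriptor. left and dlen are uint64_t as suggested in the thread;
 * dlen > left is the patch's check, kept as a guard even though translate()
 * only reduces dlen, so memcpy() can never write past dst + size. */
int copy_data_model(uint8_t *dst, uint32_t size, const struct desc *descs,
		    size_t n_descs, uint64_t map_chunk)
{
	uint64_t left = size;
	uint8_t *data = dst;
	for (size_t i = 0; i < n_descs && left > 0; i++) {
		uint64_t desc_left = descs[i].len < left ? descs[i].len : left;
		for (uint64_t off = 0; desc_left > 0; ) {
			uint64_t dlen = desc_left;
			const uint8_t *src = translate(descs[i].gpa + off, &dlen, map_chunk);
			if (!src || !dlen || dlen > left)
				return -1;
			memcpy(data, src, dlen);
			data += dlen; off += dlen;
			left -= dlen;		/* cannot wrap: dlen <= left was just checked */
			desc_left -= dlen;
		}
	}
	return (int)(size - left);
}
```

With a map_chunk of 5 the first 8-byte descriptor is served in two translate() calls, and a descriptor that runs past guest memory makes the whole copy fail rather than leaving dst partially filled without notice.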
  
David Marchand June 16, 2022, 9:27 a.m. UTC | #5
On Tue, Jun 14, 2022 at 11:25 AM Bruce Richardson
<bruce.richardson@intel.com> wrote:
> > > > -     if (unlikely(!src || !dlen))
> > > > +     if (unlikely(!src || !dlen || dlen > left))
> > > >               return -1;
> > > >
> > >
> > > If this change is omitted, does the compiler still give warnings. Looking
> > > through the called code, the dlen parameter can only ever be reduced, not
> > > incremented (function rte_vhost_va_from_guest_pa() in rte_vhost.h).
> >
> > If I promote to_copy and left variables as uint64_t, gcc is still
> > unhappy, for the same reason.
> > The check on dlen > left seems necessary.
> >
> >
> Ok, just thought I'd ask anyway. I wonder if we need to check for
> wrap-around in the reduction case, since we are dealing with unsigned
> values. This additional check should catch that anyway if it does occur.

I had a fresh look at this code and went with some splitting / simplification.
This makes the code clearer, and there is no added check.

I'll send a v2.
  

Patch

diff --git a/lib/vhost/vhost_crypto.c b/lib/vhost/vhost_crypto.c
index b1c0eb6a0f..83325b7042 100644
--- a/lib/vhost/vhost_crypto.c
+++ b/lib/vhost/vhost_crypto.c
@@ -576,16 +576,16 @@  copy_data(void *dst_data, struct vhost_crypto_data_req *vc_req,
 	uint32_t to_copy;
 	uint8_t *data = dst_data;
 	uint8_t *src;
-	int left = size;
+	uint32_t left = size;
 
-	to_copy = RTE_MIN(desc->len, (uint32_t)left);
+	to_copy = RTE_MIN(desc->len, left);
 	dlen = to_copy;
 	src = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr, &dlen,
 			VHOST_ACCESS_RO);
-	if (unlikely(!src || !dlen))
+	if (unlikely(!src || !dlen || dlen > left))
 		return -1;
 
-	rte_memcpy((uint8_t *)data, src, dlen);
+	rte_memcpy(data, src, dlen);
 	data += dlen;
 
 	if (unlikely(dlen < to_copy)) {
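Review bot: the added `dlen > left` test can only fire if IOVA_TO_VVA grows `dlen`, because `dlen = to_copy` and `to_copy = RTE_MIN(desc->len, left)` already bound it; if it is kept as a defensive guard that also satisfies GCC's -Warray-bounds analysis, a one-line comment above `if (unlikely(!src || !dlen || dlen > left))` should say so, or the next cleanup will drop it. The comparison also mixes widths: `&dlen` is handed to IOVA_TO_VVA, which Bruce traced to a `uint64_t *` parameter, while `left` is now `uint32_t`; declaring `left` and `to_copy` as `uint64_t` keeps the `RTE_MIN`, the check and `data += dlen` in one type. Finally, with `left` unsigned, `size` (its type is outside the hunk) must be unsigned as well; otherwise a negative `size` becomes a huge `left` and `to_copy` is bounded only by the guest-supplied `desc->len`.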