From e52432e164230929fe1f7b5a67bda0cc870f66d5 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 19 Jan 2022 10:43:54 -0800 Subject: [PATCH] tpm: vtpm_proxy: Check length to avoid compiler warning When building with -Warray-bounds under GCC 11.2, this warning was emitted: In function 'memset', inlined from 'vtpm_proxy_fops_read' at drivers/char/tpm/tpm_vtpm_proxy.c:102:2: ./include/linux/fortify-string.h:43:33: warning: '__builtin_memset' pointer overflow between offset 164 and size [2147483648, 4294967295] [-Warray-bounds] 43 | #define __underlying_memset __builtin_memset | ^ This warning appears to be triggered due to the "count < len" check in vtpm_proxy_fops_read() splitting the CFG[1], and the compiler attempting to reason about the possible value range in len compared to the buffer size. In order to silence this warning, and to keep this code robust if the use of proxy_dev->req_len ever changes in the future, explicitly check the size of len before reaching the memset(). [1] https://lore.kernel.org/lkml/CAG48ez1iTF9KegKJrW5a3WzXgCPZJ73nS2_e5esKJRppdzvv8g@mail.gmail.com Cc: Peter Huewe Cc: Jarkko Sakkinen Cc: Jason Gunthorpe Cc: linux-integrity@vger.kernel.org Reviewed-by: Stefan Berger Link: https://lore.kernel.org/lkml/4b59d305-6858-1514-751a-37853ad777be@linux.ibm.com Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220119184354.3367603-1-keescook@chromium.org --- drivers/char/tpm/tpm_vtpm_proxy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm_vtpm_proxy.c b/drivers/char/tpm/tpm_vtpm_proxy.c index 91c772e38bb5..5c865987ba5c 100644 --- a/drivers/char/tpm/tpm_vtpm_proxy.c +++ b/drivers/char/tpm/tpm_vtpm_proxy.c @@ -91,7 +91,7 @@ static ssize_t vtpm_proxy_fops_read(struct file *filp, char __user *buf, len = proxy_dev->req_len; - if (count < len) { + if (count < len || len > sizeof(proxy_dev->buffer)) { mutex_unlock(&proxy_dev->buf_lock); pr_debug("Invalid size in recv: count=%zd, req_len=%zd\n", count, len);