Re: [REGRESSION][BISECTED] erroneous buffer overflow detected in bch2_xattr_validate
From: Kees Cook
Date: Thu May 01 2025 - 14:11:08 EST
On Thu, May 01, 2025 at 07:58:53PM +0200, Jan Hendrik Farr wrote:
> So let's say you have a simple struct like so:
>
> struct foo {
> 	int val_len;
> 	char val[] __counted_by(val_len);
> };
>
> If val_len is 10 then foo->val[10] will be considered out of bounds.
> Even if you did a malloc for enough space.
Correct. The "counted_by" attribute takes precedence over the "alloc_size"
attribute (which is also generally limited only to the function-scope
where the allocation takes place).
--
Kees Cook
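The precedence Kees describes, as an added userspace example that is not from the thread: the helper names (foo_alloc, foo_val_index_ok, foo_overalloc_still_rejects_index) are assumptions, and the attribute is guarded so the file also compiles on a compiler without counted_by support.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <stdbool.h>

/* Use the attribute only where the compiler knows it (GCC 15+, Clang 18+);
 * elsewhere it expands to nothing so the struct still compiles. */
#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define __counted_by(member) __attribute__((counted_by(member)))
#  endif
#endif
#ifndef __counted_by
#  define __counted_by(member)
#endif

struct foo {
	int val_len;
	char val[] __counted_by(val_len);
};

/* Allocate room for 'len' bytes of val and set the counter before val is
 * touched: with counted_by the compiler sizes val from val_len, so val must
 * not be accessed while val_len is still zero or uninitialised. */
static struct foo *foo_alloc(int len)
{
	struct foo *f = malloc(sizeof(*f) + (size_t)len);
	if (!f)
		return NULL;
	f->val_len = len;
	memset(f->val, 0, (size_t)len);
	return f;
}

/* The check the bounds sanitizer applies to f->val[idx]: only val_len
 * counts, not how many bytes malloc() actually returned. */
static bool foo_val_index_ok(const struct foo *f, size_t idx)
{
	return f->val_len > 0 && idx < (size_t)f->val_len;
}

/* Over-allocating does not widen the array: with 'extra' spare bytes behind
 * val, index val_len is still rejected, which is the case from the thread. */
static bool foo_overalloc_still_rejects_index(int len, size_t extra, size_t idx)
{
	struct foo *f = malloc(sizeof(*f) + (size_t)len + extra);
	bool rejected;
	if (!f)
		return false;
	f->val_len = len;
	rejected = !foo_val_index_ok(f, idx);
	free(f);
	return rejected;
}
```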