mkubecek / vmware-host-modules

Patches needed to build VMware (Player and Workstation) host modules against recent kernels
GNU General Public License v2.0

memcpy: detected field-spanning write (size 28) of single field "&t->event" #195

Closed munix9 closed 1 year ago

munix9 commented 1 year ago

The problem has already been discussed here. It was fixed with the patch https://github.com/mkubecek/vmware-host-modules/commit/78b77816d39a77b1643426ece1ebd48776d83c1b for workstation-17.0.0, but occurs again in workstation-17.0.1 because the patch is missing there.

The patch is probably also not easy to apply, because among other things the definition VNet_EventHeader event; has been changed in workstation-17.0.1 to

   union {
       VNet_EventHeader header;
       VNet_LinkStateEvent lse;
   } event;

openSUSE Tumbleweed 20230310
Kernel 6.2.2-1-default
vmware-host-modules branch workstation-17.0.1
VMware-Workstation-Full-17.0.1-21139696

[ 7858.057739] ------------[ cut here ]------------
[ 7858.057744] memcpy: detected field-spanning write (size 28) of single field "&t->event" at /home/abuild/rpmbuild/BUILD/vmware-host-modules-17.0.1+git.20230217.663ae4b/obj/default/vmnet-only/vnetUserListener.c:229 (size 20)
[ 7858.057775] WARNING: CPU: 2 PID: 31265 at /home/abuild/rpmbuild/BUILD/vmware-host-modules-17.0.1+git.20230217.663ae4b/obj/default/vmnet-only/vnetUserListener.c:229 VNetUserListenerEventHandler+0xd3/0xe0 [vmnet]
[ 7858.057796] Modules linked in: uas usb_storage loop rfcomm snd_seq_dummy snd_hrtimer af_packet nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat hid_cherry hid_generic usbhid nf_tables ebtable_nat ebtable_broute ip6table_nat ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_mangle iptable_raw iptable_security vmnet(OE) ppdev parport_pc parport vmw_vsock_vmci_transport vsock vmw_vmci vmmon(OE) ip_set nfnetlink ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter bpfilter cmac algif_hash algif_skcipher af_alg bnep vboxnetadp(O) vboxnetflt(O) btusb btrtl btbcm btintel btmtk bluetooth ecdh_generic vboxdrv(O) qrtr snd_seq snd_seq_device binfmt_misc iwldvm snd_hda_codec_hdmi snd_hda_codec_via mac80211 snd_hda_codec_generic ledtrig_audio libarc4 snd_hda_intel
[ 7858.057895]  snd_intel_dspcfg intel_rapl_msr snd_intel_sdw_acpi intel_rapl_common snd_hda_codec x86_pkg_temp_thermal intel_powerclamp r8169 snd_hda_core coretemp snd_hwdep iwlwifi snd_pcm kvm_intel iTCO_wdt at24 mei_hdcp mei_pxp mei_wdt realtek snd_timer intel_pmc_bxt cfg80211 kvm iTCO_vendor_support i2c_i801 mdio_devres snd mei_me irqbypass i2c_smbus libphy lpc_ich rfkill mei thermal soundcore tiny_power_button ac button joydev fuse configfs dmi_sysfs ip_tables x_tables ext4 mbcache jbd2 i915 crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic gf128mul drm_buddy drm_display_helper ghash_clmulni_intel rtsx_pci_sdmmc xhci_pci cec xhci_pci_renesas sha512_ssse3 mmc_core rc_core xhci_hcd ehci_pci aesni_intel ehci_hcd crypto_simd cryptd rtsx_pci usbcore ttm battery video wmi serio_raw i2c_dev sg br_netfilter bridge stp llc dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua msr
[ 7858.058005] CPU: 2 PID: 31265 Comm: vmx-vcpu-0 Tainted: G           OE      6.2.2-1-default #1 openSUSE Tumbleweed d96a51c172c54c631a431306c0e33b18c609861e
[ 7858.058011] Hardware name: CLEVO CO.                        W55xEU                          /W55xEU                          , BIOS 4.6.5 11/02/2012
[ 7858.058015] RIP: 0010:VNetUserListenerEventHandler+0xd3/0xe0 [vmnet]
[ 7858.058031] Code: 3d 5b 6d 00 00 00 75 93 b9 14 00 00 00 48 c7 c2 50 c8 50 c1 4c 89 ee 48 c7 c7 e0 c8 50 c1 c6 05 3c 6d 00 00 01 e8 f5 a0 0f f8 <0f> 0b e9 6a ff ff ff 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90
[ 7858.058034] RSP: 0018:ffffb8cb882dbcb8 EFLAGS: 00010286
[ 7858.058038] RAX: 0000000000000000 RBX: ffff98e3b6604a00 RCX: 0000000000000027
[ 7858.058041] RDX: ffff98e64e2a24c8 RSI: 0000000000000001 RDI: ffff98e64e2a24c0
[ 7858.058044] RBP: ffff98e3db717780 R08: 0000000000000000 R09: ffffb8cb882dbb70
[ 7858.058046] R10: 0000000000000003 R11: ffff98e65e5385a8 R12: ffff98e387ae4ec8
[ 7858.058048] R13: 000000000000001c R14: ffff98e3db717788 R15: ffff98e387ae4ec0
[ 7858.058051] FS:  00007fabaf6f86c0(0000) GS:ffff98e64e280000(0000) knlGS:0000000000000000
[ 7858.058054] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7858.058057] CR2: 0000558a4e3c3f80 CR3: 00000001ebd90002 CR4: 00000000001706e0
[ 7858.058061] Call Trace:
[ 7858.058064]  <TASK>
[ 7858.058069]  ? __pfx_VNetUserListenerEventHandler+0x10/0x10 [vmnet 660dc14d9026c4783717d32eeaea1612c8e55336]
[ 7858.058083]  VNetEvent_CreateListener+0xac/0x100 [vmnet 660dc14d9026c4783717d32eeaea1612c8e55336]
[ 7858.058099]  VNetUserListener_Create+0x160/0x182 [vmnet 660dc14d9026c4783717d32eeaea1612c8e55336]
[ 7858.058113]  VNetFileOpUnlockedIoctl+0x2b2/0x680 [vmnet 660dc14d9026c4783717d32eeaea1612c8e55336]
[ 7858.058127]  ? __kmem_cache_alloc_node+0x172/0x360
[ 7858.058135]  ? security_prepare_creds+0xc5/0xe0
[ 7858.058141]  ? security_prepare_creds+0xc5/0xe0
[ 7858.058145]  ? VNetFileOpUnlockedIoctl+0x90/0x680 [vmnet 660dc14d9026c4783717d32eeaea1612c8e55336]
[ 7858.058157]  ? __kmalloc+0x49/0x150
[ 7858.058163]  ? make_kuid+0xf/0x20
[ 7858.058167]  ? cap_task_fix_setuid+0x6e/0x170
[ 7858.058174]  ? commit_creds+0x110/0x2a0
[ 7858.058178]  ? __sys_setresuid+0x162/0x410
[ 7858.058185]  __x64_sys_ioctl+0x8d/0xd0
[ 7858.058192]  do_syscall_64+0x58/0x80
[ 7858.058199]  ? __x64_sys_ioctl+0xa8/0xd0
[ 7858.058204]  ? syscall_exit_to_user_mode+0x17/0x40
[ 7858.058232]  ? do_syscall_64+0x67/0x80
[ 7858.058237]  ? do_syscall_64+0x67/0x80
[ 7858.058242]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 7858.058249] RIP: 0033:0x7fad14604abf
[ 7858.058252] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 7858.058256] RSP: 002b:00007fabaf6f4530 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 7858.058260] RAX: ffffffffffffffda RBX: 00007faba0008660 RCX: 00007fad14604abf
[ 7858.058263] RDX: 00007fabaf6f4598 RSI: 00000000400899e2 RDI: 00000000000000a6
[ 7858.058266] RBP: 0000000000000001 R08: 00007faba0008678 R09: 00007fabaf6f5168
[ 7858.058268] R10: 00007faba00269c0 R11: 0000000000000246 R12: 0000000000000000
[ 7858.058271] R13: 00007fabaf6f4600 R14: 00000000004c4b40 R15: 00000000000186a0
[ 7858.058276]  </TASK>
[ 7858.058278] ---[ end trace 0000000000000000 ]---

mkubecek commented 1 year ago

This is surprising, I have 17.0.1 on a 6.3-rc1 kernel (and 6.2 before that) and never hit the field spanning check. Does this happen right after loading the module (as it used to with unpatched 17.0.0) or do you need to do something specific to trigger it?

munix9 commented 1 year ago

As far as I can see, it only shows up when a VM is started, not when the module itself is loaded.

I'm still checking to see if it only occurs under certain VMs, which would be odd, but nothing is impossible. But this may take some time.

mkubecek commented 1 year ago

I can see it now... Sadly, VMware developers used the union wrapper to get rid of the more obvious warning in VNetEvent_Send() but they ignored that exactly the same problem exists also in VNetUserListenerEventHandler() except it only shows on a VM start rather than on module load.

Current workstation-17.0.1 head (commit 650fb3abeb82) should fix that, can you give it a try?
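
Added example, not code from this repository or this thread: a user-space model of the check that produces the warning above, with the "before" layout (a listener slot declared as a bare VNet_EventHeader) beside the "after" layout (the union wrapper discussed here). The vmnet field names, the listener struct names, fortified_memcpy and FIELD_MEMCPY are all constructed; only the sizes 20 and 28 match the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the vmnet event types: field names are assumed,
 * only the sizes (20 and 28 bytes) match the warning in the report. */
typedef struct { uint32_t size, eventId, classSet, type, srcId; } VNet_EventHeader; /* 20 */
typedef struct { VNet_EventHeader header; uint32_t adapter, up; } VNet_LinkStateEvent; /* 28 */

/* Before: the listener's slot holds a bare header, yet receives whole events. */
typedef struct { void *next; VNet_EventHeader event; } Listener_HeaderOnly;

/* After (the union wrapper from the thread): the slot covers every event kind. */
typedef struct {
    void *next;
    union { VNet_EventHeader header; VNet_LinkStateEvent lse; } event;
} Listener_Union;

/* Models the CONFIG_FORTIFY_SOURCE memcpy: a copy longer than the destination
 * field is refused instead of spilling into whatever follows the field. The
 * kernel takes the field size from __builtin_object_size(dst, 1); sizeof here. */
static int fortified_memcpy(void *dst, size_t dst_size, const void *src, size_t n)
{
    if (n > dst_size)
        return -1;                       /* "detected field-spanning write" */
    memcpy(dst, src, n);
    return 0;
}
#define FIELD_MEMCPY(field, src, n) fortified_memcpy(&(field), sizeof(field), (src), (n))

/* Deliver an event into a listener; 0 on success, -1 if the copy was refused. */
int deliver_header_only(Listener_HeaderOnly *t, const VNet_EventHeader *e)
{
    return FIELD_MEMCPY(t->event, e, e->size);   /* 28 > 20: refused */
}
int deliver_union(Listener_Union *t, const VNet_EventHeader *e)
{
    return FIELD_MEMCPY(t->event, e, e->size);   /* 28 <= 28: copied */
}

int main(void)
{
    VNet_LinkStateEvent lse = { { sizeof(VNet_LinkStateEvent), 1, 0, 0, 0 }, 0, 1 }; /* constructed */
    Listener_HeaderOnly a = { 0 };
    Listener_Union b = { 0 };
    printf("header-only slot: %d\n", deliver_header_only(&a, &lse.header));
    printf("union slot:       %d (up=%u)\n", deliver_union(&b, &lse.header), b.event.lse.up);
    return 0;
}
```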

munix9 commented 1 year ago

Ah, ok, wonderful and thanks for the possible solution. I will try it out and report back, but it may take some time.

munix9 commented 1 year ago

It looks good, thanks for the solution.

mkubecek commented 1 year ago

Thank you for the feedback. (And for an actual issue report, unfortunately those are quite rare here.)