Message ID | ZQSfze9HgfLDkFPV@work (mailing list archive) |
---|---|
State | Accepted |
Commit | d692873cbe861a870cdc9cbfb120eefd113c3dfd |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | [next] gve: Use size_add() in call to struct_size() | expand |
On Fri, Sep 15, 2023 at 12:17:49PM -0600, Gustavo A. R. Silva wrote: > If, for any reason, `tx_stats_num + rx_stats_num` wraps around, the > protection that struct_size() adds against potential integer overflows > is defeated. Fix this by hardening call to struct_size() with size_add(). > > Fixes: 691f4077d560 ("gve: Replace zero-length array with flexible-array member") > Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Thanks, yes, this will maintain SIZE_MAX saturation if it happens. Reviewed-by: Kees Cook <keescook@chromium.org>
Hello: This patch was applied to netdev/net-next.git (main) by David S. Miller <davem@davemloft.net>: On Fri, 15 Sep 2023 12:17:49 -0600 you wrote: > If, for any reason, `tx_stats_num + rx_stats_num` wraps around, the > protection that struct_size() adds against potential integer overflows > is defeated. Fix this by hardening call to struct_size() with size_add(). > > Fixes: 691f4077d560 ("gve: Replace zero-length array with flexible-array member") > Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> > > [...] Here is the summary with links: - [next] gve: Use size_add() in call to struct_size() https://git.kernel.org/netdev/net-next/c/d692873cbe86 You are awesome, thank you!
diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c index 5704b5f57cd0..83b09dcfafc4 100644 --- a/drivers/net/ethernet/google/gve/gve_main.c +++ b/drivers/net/ethernet/google/gve/gve_main.c @@ -190,7 +190,7 @@ static int gve_alloc_stats_report(struct gve_priv *priv) rx_stats_num = (GVE_RX_STATS_REPORT_NUM + NIC_RX_STATS_REPORT_NUM) * priv->rx_cfg.num_queues; priv->stats_report_len = struct_size(priv->stats_report, stats, - tx_stats_num + rx_stats_num); + size_add(tx_stats_num, rx_stats_num)); priv->stats_report = dma_alloc_coherent(&priv->pdev->dev, priv->stats_report_len, &priv->stats_report_bus, GFP_KERNEL);
If, for any reason, `tx_stats_num + rx_stats_num` wraps around, the protection that struct_size() adds against potential integer overflows is defeated. Fix this by hardening call to struct_size() with size_add(). Fixes: 691f4077d560 ("gve: Replace zero-length array with flexible-array member") Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> --- drivers/net/ethernet/google/gve/gve_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)