Message ID | 20220120222933.GA35155@embeddedor (mailing list archive) |
---|---|
State | Accepted |
Commit | 4213e92ef7ec24b52e34f8a869e4213abca3dc6e |
Headers | show |
Series | [next] usb: gadget: f_fs: Use struct_size() and flex_array_size() helpers | expand |
On Thu, Jan 20, 2022 at 04:29:33PM -0600, Gustavo A. R. Silva wrote: > Make use of the struct_size() and flex_array_size() helpers instead of > an open-coded version, in order to avoid any potential type mistakes > or integer overflows that, in the worst scenario, could lead to heap > overflows. > > Also, address the following sparse warnings: > drivers/usb/gadget/function/f_fs.c:922:23: warning: using sizeof on a flexible structure > > Link: https://github.com/KSPP/linux/issues/174 > Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> > --- > drivers/usb/gadget/function/f_fs.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c > index 25ad1e97a458..7461d27e9604 100644 > --- a/drivers/usb/gadget/function/f_fs.c > +++ b/drivers/usb/gadget/function/f_fs.c > @@ -919,12 +919,12 @@ static ssize_t __ffs_epfile_read_data(struct ffs_epfile *epfile, > data_len, ret); > > data_len -= ret; > - buf = kmalloc(sizeof(*buf) + data_len, GFP_KERNEL); > + buf = kmalloc(struct_size(buf, storage, data_len), GFP_KERNEL); > if (!buf) > return -ENOMEM; > buf->length = data_len; > buf->data = buf->storage; > - memcpy(buf->storage, data + ret, data_len); > + memcpy(buf->storage, data + ret, flex_array_size(buf, storage, data_len)); Looks good to me. This is a place where I think we'll be back later to fix up the alloc/deserialize-from-memory pattern with a future helper, but in the meantime, yes, let's get this covered by struct_size(). Reviewed-by: Kees Cook <keescook@chromium.org> > > /* > * At this point read_buffer is NULL or READ_BUFFER_DROP (if > -- > 2.27.0 >
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 25ad1e97a458..7461d27e9604 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -919,12 +919,12 @@ static ssize_t __ffs_epfile_read_data(struct ffs_epfile *epfile, data_len, ret); data_len -= ret; - buf = kmalloc(sizeof(*buf) + data_len, GFP_KERNEL); + buf = kmalloc(struct_size(buf, storage, data_len), GFP_KERNEL); if (!buf) return -ENOMEM; buf->length = data_len; buf->data = buf->storage; - memcpy(buf->storage, data + ret, data_len); + memcpy(buf->storage, data + ret, flex_array_size(buf, storage, data_len)); /* * At this point read_buffer is NULL or READ_BUFFER_DROP (if
Make use of the struct_size() and flex_array_size() helpers instead of an open-coded version, in order to avoid any potential type mistakes or integer overflows that, in the worst scenario, could lead to heap overflows. Also, address the following sparse warnings: drivers/usb/gadget/function/f_fs.c:922:23: warning: using sizeof on a flexible structure Link: https://github.com/KSPP/linux/issues/174 Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> --- drivers/usb/gadget/function/f_fs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)