From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 01/32] netlink: Avoid memcpy() across flexible array boundary
Date: Tue, 3 May 2022 18:44:10 -0700
Message-Id: <20220504014440.3697851-2-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
X-Patchwork-Id: 12836816

In preparation for run-time memcpy() bounds checking, split the nlmsg
copying for error messages (which crosses a previously unspecified flexible
array boundary) in half. Avoids the future run-time warning:

  memcpy: detected field-spanning write (size 32) of single field "&errmsg->msg" (size 16)

Creates an explicit flexible array at the end of nlmsghdr for the payload,
named "nlmsg_payload". There is no impact on UAPI; the sizeof(struct
nlmsghdr) does not change, but now the compiler can better reason about
where things are being copied.

Fixed-by: Rasmus Villemoes
Link: https://lore.kernel.org/lkml/d7251d92-150b-5346-6237-52afc154bb00@rasmusvillemoes.dk
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Rich Felker
Cc: Eric Dumazet
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- include/uapi/linux/netlink.h | 1 + net/netlink/af_netlink.c | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h index 855dffb4c1c3..47f9342d51bc 100644 --- a/include/uapi/linux/netlink.h +++ b/include/uapi/linux/netlink.h @@ -47,6 +47,7 @@ struct nlmsghdr { __u16 nlmsg_flags; /* Additional flags */ __u32 nlmsg_seq; /* Sequence number */ __u32 nlmsg_pid; /* Sending process port ID */ + __u8 nlmsg_payload[];/* Contents of message */ }; /* Flags values */ diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 1b5a9c2e1c29..09346aee1022 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c
@@ -2445,7 +2445,10 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err, NLMSG_ERROR, payload, flags); errmsg = nlmsg_data(rep); errmsg->error = err; - memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh)); + errmsg->msg = *nlh; + if (payload > sizeof(*errmsg)) + memcpy(errmsg->msg.nlmsg_payload, nlh->nlmsg_payload, + nlh->nlmsg_len - sizeof(*nlh)); if (nlk_has_extack && extack) { if (extack->_msg) {
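
Review bot: In the include/uapi/linux/netlink.h hunk, the "no impact on UAPI" claim is argued only from sizeof(struct nlmsghdr) staying the same, but adding "__u8 nlmsg_payload[];" also turns a UAPI struct into one that ends in a flexible array member. The af_netlink.c hunk shows struct nlmsghdr being used as an embedded member ("errmsg->msg"), and ISO C does not allow a struct with a flexible array member to be a member of another struct or an array element, so any userspace that embeds the header the same way now depends on a compiler extension and can pick up new pedantic or C++ diagnostics. Please say in the commit message which userspace build configurations were checked, or keep the new member out of the userspace view of the struct.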
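
Review bot: In the net/netlink/af_netlink.c hunk, the new memcpy() length "nlh->nlmsg_len - sizeof(*nlh)" is an unsigned subtraction that wraps to a very large value if nlmsg_len is ever smaller than the header, a dependency the removed line did not have because it passed nlh->nlmsg_len directly. Nothing in the visible context of netlink_ack() establishes nlmsg_len >= sizeof(*nlh), so either add a comment naming where that is guaranteed or guard the copy with an explicit check before subtracting. It would also help to note that the destination bound still comes from "payload", which is computed outside this hunk, since the point of the series is to make these bounds checkable.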

From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 02/32] Introduce flexible array struct memcpy() helpers
Date: Tue, 3 May 2022 18:44:11 -0700
Message-Id: <20220504014440.3697851-3-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
X-Patchwork-Id: 12836818

The compiler is not able to automatically perform bounds checking on
structures that end in flexible arrays: __builtin_object_size() is
compile-time only. Any possible run-time checks are currently
short-circuited because there isn't an obvious common way to figure out
the bounds of such a structure. C has no way (yet[1]) to signify which
struct member holds the number of allocated flexible array elements (like
exists in other languages).

As a result, the kernel (and C projects generally) need to manually check
the bounds, check the element size calculations, and perform sanity
checking on all the associated variable types in between (e.g. 260 cannot
be stored in a u8). This is extremely fragile.

However, even if we could do all this through a magic memcpy(), the API
itself doesn't provide meaningful feedback, which forces the kernel into
an "all or nothing" approach: either do the copy or panic the system. Any
failure conditions should be _detectable_, with API users able to
gracefully recover.

To deal with these needs, create a set of helper functions that do the
work of memcpy() but perform the needed bounds checking based on the
arguments given: flex_cpy(). The common pattern of "allocate and copy" is
also included: flex_dup(). However, one of the most common patterns is
deserialization: allocating and populating flexible array members from a
byte array: mem_to_flex_dup(). And if the elements are already allocated:
mem_to_flex().

The concept of a "flexible array structure" is introduced, which is a
struct that has both a trailing flexible array member _and_ an element
count member. If a struct lacks the element count member, it's just a
blob: there are no bounds associated with it.

The most common style of flexible array struct in the kernel is a "normal"
one, where both the flex-array and element-count are present:

    struct flex_array_struct_example {
        ...		/* arbitrary members */
        u16 part_count;	/* count of elements stored in "parts" below. */
        ...		/* arbitrary members */
        u32 parts[];	/* flexible array with elements of type u32. */
    };

Next are "encapsulating flexible array structs", which is just a struct
that contains a flexible array struct as its final member:

    struct encapsulating_example {
        ...		/* arbitrary members */
        struct flex_array_struct_example fas;
    };

There are also "split" flex array structs, which have the element-count
member in a separate struct level than the flex-array member:

    struct split_example {
        ...		/* arbitrary members */
        u16 part_count;	/* count of elements stored in "parts" below. */
        ...		/* arbitrary members */
        struct blob_example {
            ...		/* other blob members */
            u32 parts[];/* flexible array with elements of type u32. */
        } blob;
    };

To have the helpers deal with these arbitrary layouts, the names of the
flex-array and element-count members need to be specified with each use
(since C lacks the array-with-length syntax[1] so the compiler cannot
automatically determine them). However, for the "normal" (most common)
case, we can get close to "automatic" by explicitly declaring common
member aliases "__flex_array_elements", and "__flex_array_elements_count"
respectively. The regular helpers use these members, but extended helpers
exist to cover the other two code patterns.

For example, using the most complicated helper, mem_to_flex_dup():

    /* Flexible array struct with members identified. */
    struct something {
        int mode;
        DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, how_many);
        unsigned long flags;
        DECLARE_FLEX_ARRAY_ELEMENTS(u32, value);
    };
    ...
    struct something *instance = NULL;
    int rc;

    rc = mem_to_flex_dup(&instance, byte_array, count, GFP_KERNEL);
    if (rc)
        return rc;

This will:

- validate "instance" is non-NULL (no NULL dereference).
- validate "*instance" is NULL (no memory allocation resource leak).
- validate that "count" is:
  - non-negative (no arithmetic underflow).
  - has a value that can be stored in the "how_many" type (no value
    truncation).
- calculate the bytes needed to store "count"-many trailing u32 elements
  (no arithmetic overflow/underflow).
- calculate the bytes needed for a "struct something" with the above
  trailing elements (no arithmetic overflow/underflow).
- allocate the memory and check the result (no NULL dereference).
- initialize the non-flex-array portion of the struct to zero (no
  uninitialized memory usage).
- copy from "buf" into the flexible array elements.

If anything goes wrong, it returns a negative errno.

With these helpers the kernel can move away from many of the open-coded
patterns of using memcpy() with a dynamically-sized destination buffer.

[1] https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1990.htm

Cc: "Gustavo A. R. Silva"
Cc: Keith Packard
Cc: Francis Laniel
Cc: Daniel Axtens
Cc: Dan Williams
Cc: Vincenzo Frascino
Cc: Guenter Roeck
Cc: Daniel Vetter
Cc: Tadeusz Struk
Signed-off-by: Kees Cook
--- include/linux/flex_array.h | 637 ++++++++++++++++++++++++++++++++++++ include/linux/string.h | 1 + include/uapi/linux/stddef.h | 14 + 3 files changed, 652 insertions(+) create mode 100644 include/linux/flex_array.h diff --git a/include/linux/flex_array.h b/include/linux/flex_array.h new file mode 100644 index 000000000000..b2cf219f7b56 --- /dev/null +++ b/include/linux/flex_array.h
@@ -0,0 +1,637 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _LINUX_FLEX_ARRAY_H_ +#define _LINUX_FLEX_ARRAY_H_ + +#include +/* + * A "flexible array structure" is a struct which ends with a flexible + * array _and_ contains a member that represents how many array elements + * are present in the flexible array structure: + * + * struct flex_array_struct_example { + * ... // arbitrary members + * u16 part_count; // count of elements stored in "parts" below. + * .. // arbitrary members + * u32 parts[]; // flexible array with elements of type u32. + * }; + * + * Without the "count of elements" member, a structure ending with a + * flexible array has no way to check its own size, and should be + * considered just a blob of memory that is length-checked through some + * other means. Kernel structures with flexible arrays should strive to + * always be true flexible array structures so that they can be operated + * on with the flex*()-family of helpers defined below. + * + * An "encapsulating flexible array structure" is a structure that contains + * a full "flexible array structure" as its final struct member. These are + * used frequently when needing to pass around a copy of a flexible array + * structure, and track other things about the data outside of the scope of + * the flexible array structure itself: + * + * struct encapsulating_example { + * ... // other members + * struct flex_array_struct_example fas; + * }; + * + * For bounds checking operations on a flexible array structure, member + * aliases must be created so the helpers can always locate the associated + * members. Marking up the examples above would look like this: + * + * struct flex_array_struct_example { + * ... // arbitrary members + * // count of elements stored in "parts" below. + * DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u16, part_count); + * .. // arbitrary members + * // flexible array with elements of type u32. 
+ * DECLARE_FLEX_ARRAY_ELEMENTS(u32, parts); + * }; + * + * The above creates the aliases for part_count as __flex_array_elements_count + * and parts as __flex_array_elements. + * + * For encapsulated flexible array structs, there are alternative helpers + * below where the flexible array struct member name can be explicitly + * included as an argument. (See the @dot_fas_member arguments below.) + * + * + * Examples: + * + * Using mem_to_flex(): + * + * struct single { + * u32 flags; + * u32 count; + * u8 data[]; + * }; + * struct single *ptr_single; + * + * struct encap { + * u16 info; + * struct single single; + * }; + * struct encap *ptr_encap; + * + * struct blob { + * u32 flags; + * u8 data[]; + * }; + * + * struct split { + * u32 count; + * struct blob blob; + * }; + * struct split *ptr_split; + * + * mem_to_flex(ptr_one, src, count); + * __mem_to_flex(ptr_encap, single.data, single.count, src, count); + * __mem_to_flex(ptr_split, count, blob.data, src, count); + * + */ + +/* These are wrappers around the UAPI macros. */ +#define DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(TYPE, NAME) \ + __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(TYPE, NAME) + +#define DECLARE_FLEX_ARRAY_ELEMENTS(TYPE, NAME) \ + __DECLARE_FLEX_ARRAY_ELEMENTS(TYPE, NAME) + +/* All the helpers return negative on failure, as must be checked. */ +static inline int __must_check __must_check_errno(int err) +{ + return err; +} + +/** + * __fas_elements_bytes - Calculate potential size of the flexible + * array elements of a given flexible array + * structure. + * + * @p: Pointer to flexible array structure. + * @flex_member: Member name of the flexible array elements. + * @count_member: Member name of the flexible array elements count. + * @elements_count: Count of proposed number of @p->__flex_array_elements + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * Returns: 0 on successful calculation, -ve on error. 
+ * + * This performs the same calculation as flex_array_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned. + */ +#define __fas_elements_bytes(p, flex_member, count_member, \ + elements_count, bytes) \ +__must_check_errno(({ \ + int __feb_err = -EINVAL; \ + size_t __feb_elements_count = (elements_count); \ + size_t __feb_elements_max = \ + type_max(typeof((p)->count_member)); \ + if (__feb_elements_count > __feb_elements_max || \ + check_mul_overflow(sizeof(*(p)->flex_member), \ + __feb_elements_count, bytes)) { \ + *(bytes) = 0; \ + __feb_err = -E2BIG; \ + } else { \ + __feb_err = 0; \ + } \ + __feb_err; \ +})) + +/** + * fas_elements_bytes - Calculate current size of the flexible array + * elements of a given flexible array structure. + * + * @p: Pointer to flexible array structure. + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * Returns: 0 on successful calculation, -ve on error. + * + * This performs the same calculation as flex_array_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned. + */ +#define fas_elements_bytes(p, bytes) \ + __fas_elements_bytes(p, __flex_array_elements, \ + __flex_array_elements_count, \ + (p)->__flex_array_elements_count, bytes) + +/** __fas_bytes - Calculate potential size of flexible array structure + * + * @p: Pointer to flexible array structure. + * @flex_member: Member name of the flexible array elements. + * @count_member: Member name of the flexible array elements count. + * @elements_count: Count of proposed number of @p->__flex_array_elements + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * Returns: 0 on successful calculation, -ve on error. + * + * This performs the same calculation as struct_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned. 
+ */ +#define __fas_bytes(p, flex_member, count_member, elements_count, bytes)\ +__must_check_errno(({ \ + int __fasb_err; \ + typeof(*bytes) __fasb_bytes; \ + \ + if (__fas_elements_bytes(p, flex_member, count_member, \ + elements_count, &__fasb_bytes) || \ + check_add_overflow(sizeof(*(p)), __fasb_bytes, bytes)) { \ + *(bytes) = 0; \ + __fasb_err = -E2BIG; \ + } else { \ + __fasb_err = 0; \ + } \ + __fasb_err; \ +})) + +/** fas_bytes - Calculate current size of flexible array structure + * + * @p: Pointer to flexible array structure. + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * This performs the same calculation as struct_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned, using the current size of the flexible array + * structure (via @p->__flexible_array_elements_count). + * + * Returns: 0 on successful calculation, -ve on error. + */ +#define fas_bytes(p, bytes) \ + __fas_bytes(p, __flex_array_elements, \ + __flex_array_elements_count, \ + (p)->__flex_array_elements_count, bytes) + +/** flex_cpy - Copy from one flexible array struct into another with count conversion + * + * @dst: Destination pointer + * @src: Source pointer + * + * The full structure of @src will be copied to @dst, including all trailing + * flexible array elements. @dst->__flex_array_elements_count must be large + * enough to hold @src->__flex_array_elements_count. Any elements left over + * in @dst will be zero-wiped. + * + * Returns: 0 on successful calculation, -ve on error. 
+ */ +#define flex_cpy(dst, src) __must_check_errno(({ \ + int __fc_err = -EINVAL; \ + typeof(*(dst)) *__fc_dst = (dst); \ + typeof(*(src)) *__fc_src = (src); \ + size_t __fc_dst_bytes, __fc_src_bytes; \ + \ + BUILD_BUG_ON(!__same_type(*(__fc_dst), *(__fc_src))); \ + \ + do { \ + if (fas_bytes(__fc_dst, &__fc_dst_bytes) || \ + fas_bytes(__fc_src, &__fc_src_bytes) || \ + __fc_dst_bytes < __fc_src_bytes) { \ + /* do we need to wipe dst here? */ \ + __fc_err = -E2BIG; \ + break; \ + } \ + __builtin_memcpy(__fc_dst, __fc_src, __fc_src_bytes); \ + /* __flex_array_elements_count is included in memcpy */ \ + /* Wipe any now-unused trailing elements in @dst: */ \ + __builtin_memset((u8 *)__fc_dst + __fc_src_bytes, 0, \ + __fc_dst_bytes - __fc_src_bytes); \ + __fc_err = 0; \ + } while (0); \ + __fc_err; \ +})) + +/** __flex_dup - Allocate and copy an arbitrarily encapsulated flexible + * array struct + * + * @alloc: Pointer to Pointer to hold to-be-allocated (optionally + * encapsulating) flexible array struct. + * @dot_fas_member: For encapsulating flexible arrays, the name of the + * flexible array struct member preceded with a literal + * dot (e.g. .foo.bar.flex_array_struct_name). For a + * regular flexible array struct, this macro arument is + * empty. + * @src: Pointer to source flexible array struct. + * @gfp: GFP allocation flags + * + * This copies the contents of one flexible array struct into another. + * The (**@alloc)@dot_fas_member and @src arguments must resolve to the + * same type. Everything prior to @dot_fas_member in *@alloc will be + * initialized to zero. + * + * Failure modes: + * - @alloc is NULL. + * - *@alloc is not NULL (something was already allocated). + * - Required allocation size is larger than size_t can hold. + * - No available memory to allocate @alloc. + * + * Returns: 0 on success, -ve on failure. 
+ */ +#define __flex_dup(alloc, dot_fas_member, src, gfp) \ +__must_check_errno(({ \ + int __fd_err = -EINVAL; \ + typeof(*(src)) *__fd_src = (src); \ + typeof(**(alloc)) *__fd_alloc; \ + typeof((*__fd_alloc)dot_fas_member) *__fd_dst; \ + size_t __fd_alloc_bytes, __fd_copy_bytes; \ + \ + BUILD_BUG_ON(!__same_type(*(__fd_dst), *(__fd_src))); \ + \ + do { \ + if ((uintptr_t)(alloc) < 1 || *(alloc)) { \ + __fd_err = -EINVAL; \ + break; \ + } \ + if (fas_bytes(__fd_src, &__fd_copy_bytes) || \ + check_add_overflow(__fd_copy_bytes, \ + sizeof(*__fd_alloc) - \ + sizeof(*__fd_dst), \ + &__fd_alloc_bytes)) { \ + __fd_err = -E2BIG; \ + break; \ + } \ + __fd_alloc = kmalloc(__fd_alloc_bytes, gfp); \ + if (!__fd_alloc) { \ + __fd_err = -ENOMEM; \ + break; \ + } \ + __fd_dst = &((*__fd_alloc)dot_fas_member); \ + /* Optimize away any unneeded memset. */ \ + if (sizeof(*__fd_alloc) != sizeof(*__fd_dst)) \ + __builtin_memset(__fd_alloc, 0, \ + __fd_alloc_bytes - \ + __fd_copy_bytes); \ + __builtin_memcpy(__fd_dst, src, __fd_copy_bytes); \ + /* __flex_array_elements_count is included in memcpy */ \ + *(alloc) = __fd_alloc; \ + __fd_err = 0; \ + } while (0); \ + __fd_err; \ +})) + +/** flex_dup - Allocate and copy a flexible array struct + * + * @alloc: Pointer to Pointer to hold to-be-allocated flexible array struct. + * @src: Pointer to source flexible array struct. + * @gfp: GFP allocation flags + * + * This copies the contents of one flexible array struct into another. + * The *@alloc and @src arguments must resolve to the same type. + * + * Failure modes: + * - @alloc is NULL. + * - *@alloc is not NULL (something was already allocated). + * - Required allocation size is larger than size_t can hold. + * - No available memory to allocate @alloc. + * + * Returns: 0 on success, -ve on failure. 
+ */ +#define flex_dup(alloc, src, gfp) \ + __flex_dup(alloc, /* alloc itself */, src, gfp) + +/** __mem_to_flex - Copy from memory buffer into a flexible array structure's + * flexible array elements. + * + * @ptr: Pointer to already allocated flexible array struct. + * @flex_member: Member name of the flexible array elements. + * @count_member: Member name of the flexible array elements count. + * @src: Source memory pointer. + * @elements_count: Number of @ptr's flexible array elements to copy from + * @src into @ptr. + * + * Copies @elements_count-many elements from memory buffer at @src into + * @ptr->@flex_member, wipes any remaining elements, and updates + * @ptr->@count_member. + * + * This is essentially a simple deserializer. + * + * TODO: It would be nice to automatically discover the max bounds of @src + * besides @elements_count. There is currently no universal way to ask + * "what is the size of a given pointer's allocation?" So for + * now just use __builtin_object_size(@src, 1) to validate known + * compile-time too-large conditions. Perhaps in the future if + * __mtf_copy_bytes above is > PAGE_SIZE, perform a dynamic lookup + * using something similar to __check_heap_object(). + * + * Failure conditions: + * - The value of @elements_count cannot fit in the @ptr's @count_member + * type (e.g. 260 in a u8). + * - @ptr's @count_member value is smaller than @elements_count (e.g. not + * enough space was previously allocated). + * - @elements_count yields a byte count greater than: + * - INT_MAX (as a simple "too big" sanity check) + * - the compile-time size of @src (when it can be determined) + * + * Returns: 0 on success, -ve on error. 
+ */ +#define __mem_to_flex(ptr, flex_member, count_member, src, \ + elements_count) \ +__must_check_errno(({ \ + int __mtf_err = -EINVAL; \ + typeof(*(ptr)) *__mtf_ptr = (ptr); \ + typeof(elements_count) __mtf_src_count = (elements_count); \ + size_t __mtf_copy_bytes, __mtf_dst_bytes; \ + u8 *__mtf_dst = (u8 *)__mtf_ptr->flex_member; \ + \ + do { \ + if (is_negative(__mtf_src_count) || \ + __fas_elements_bytes(__mtf_ptr, flex_member, \ + count_member, \ + __mtf_src_count, \ + &__mtf_copy_bytes) || \ + __mtf_copy_bytes > INT_MAX || \ + __mtf_copy_bytes > __builtin_object_size(src, 1) || \ + __fas_elements_bytes(__mtf_ptr, flex_member, \ + count_member, \ + __mtf_ptr->count_member, \ + &__mtf_dst_bytes) || \ + __mtf_dst_bytes < __mtf_copy_bytes) { \ + __mtf_err = -E2BIG; \ + break; \ + } \ + __builtin_memcpy(__mtf_dst, src, __mtf_copy_bytes); \ + /* Wipe any now-unused trailing elements in @dst: */ \ + __builtin_memset(__mtf_dst + __mtf_dst_bytes, 0, \ + __mtf_dst_bytes - __mtf_copy_bytes); \ + /* Make sure in-struct count of elements is updated: */ \ + __mtf_ptr->count_member = __mtf_src_count; \ + __mtf_err = 0; \ + } while (0); \ + __mtf_err; \ +})) + +#define mem_to_flex(ptr, src, elements_count) \ + __mem_to_flex(ptr, __flex_array_elements, \ + __flex_array_elements_count, src, elements_count) + +/** __mem_to_flex_dup - Allocate a flexible array structure and copy into + * its flexible array elements from a memory buffer. + * + * @alloc: Pointer to pointer to hold allocation for flexible array struct. + * @dot_fas_member: For encapsulating flexible array structs, the name of + * the flexible array struct member preceded with a + * literal dot (e.g. .foo.bar.flex_array_struct_name). + * For a regular flexible array struct, this macro arument + * is empty. + * @src: Source memory buffer pointer. + * @elements_count: Number of @alloc's flexible array elements to copy from + * @src into @ptr. 
+ * @gfp: GFP allocation flags + * + * This behaves like mem_to_flex(), but allocates the needed space for + * a new flexible array struct and its trailing elements. + * + * This is essentially a simple allocating deserializer. + * + * TODO: It would be nice to automatically discover the max bounds of @src + * besides @elements_count. There is currently no universal way to ask + * "what is the size of a given pointer's allocation?" So for now just + * use __builtin_object_size(@src, 1) to validate known compile-time + * too-large conditions. Perhaps in the future if __mtfd_copy_bytes + * above is > PAGE_SIZE, perform a dynamic lookup using something + * similar to __check_heap_object(). + * + * Failure conditions: + * - @alloc is NULL. + * - *@alloc is not NULL (something was already allocated). + * - The value of @elements_count cannot fit in the @alloc's + * __flex_array_elements_count member type (e.g. 260 in u8). + * - @elements_count yields a byte count greater than: + * - INT_MAX (as a simple "too big" sanity check) + * - the compile-time size of @src (when it can be determined) + * - @alloc could not be allocated. + * + * Returns: 0 on success, -ve on error. 
+ */ +#define __mem_to_flex_dup(alloc, dot_fas_member, src, elements_count, \ + gfp) \ +__must_check_errno(({ \ + int __mtfd_err = -EINVAL; \ + typeof(elements_count) __mtfd_src_count = (elements_count); \ + typeof(**(alloc)) *__mtfd_alloc; \ + typeof((*__mtfd_alloc)dot_fas_member) *__mtfd_fas; \ + u8 *__mtfd_dst; \ + size_t __mtfd_alloc_bytes, __mtfd_copy_bytes; \ + \ + do { \ + if ((uintptr_t)(alloc) < 1 || *(alloc)) { \ + __mtfd_err = -EINVAL; \ + break; \ + } \ + if (is_negative(__mtfd_src_count) || \ + __fas_elements_bytes(__mtfd_fas, \ + __flex_array_elements, \ + __flex_array_elements_count, \ + __mtfd_src_count, \ + &__mtfd_copy_bytes) || \ + __mtfd_copy_bytes > INT_MAX || \ + __mtfd_copy_bytes > __builtin_object_size(src, 1) ||\ + check_add_overflow(sizeof(*__mtfd_alloc), \ + __mtfd_copy_bytes, \ + &__mtfd_alloc_bytes)) { \ + __mtfd_err = -E2BIG; \ + break; \ + } \ + __mtfd_alloc = kmalloc(__mtfd_alloc_bytes, gfp); \ + if (!__mtfd_alloc) { \ + __mtfd_err = -ENOMEM; \ + break; \ + } \ + __mtfd_fas = &((*__mtfd_alloc)dot_fas_member); \ + __mtfd_dst = (u8 *)__mtfd_fas->__flex_array_elements; \ + __builtin_memset(__mtfd_alloc, 0, __mtfd_alloc_bytes - \ + __mtfd_copy_bytes); \ + __builtin_memcpy(__mtfd_dst, src, __mtfd_copy_bytes); \ + /* Make sure in-struct count of elements is updated: */ \ + __mtfd_fas->__flex_array_elements_count = \ + __mtfd_src_count; \ + *(alloc) = __mtfd_alloc; \ + __mtfd_err = 0; \ + } while (0); \ + __mtfd_err; \ +})) + +/** mem_to_flex_dup - Allocate a flexible array structure and copy + * into it from a memory buffer. + * + * @alloc: Pointer to pointer to hold allocation for flexible array struct. + * @src: Source memory pointer. + * @elements_count: Number of @alloc's flexible array elements to copy from + * @src into @alloc. + * @gfp: GFP allocation flags + * + * This behaves like mem_to_flex(), but allocates the needed space for + * a new flexible array struct and its trailing elements. 
+ * + * This is essentially a simple allocating deserializer. + * + * TODO: It would be nice to automatically discover the max bounds of @src + * besides @elements_count. There is currently no universal way to ask + * "what is the size of a given pointer's allocation?" So for + * now just use __builtin_object_size(@src, 1) to validate known + * compile-time too-large conditions. Perhaps in the future if + * __mtf_copy_bytes above is > PAGE_SIZE, perform a dynamic lookup + * using something similar to __check_heap_object(). + * + * Failure conditions: + * - @alloc is NULL. + * - *@alloc is not NULL (something was already allocated). + * - The value of @elements_count cannot fit in the @alloc's + * __flex_array_elements_count member type (e.g. 260 in u8). + * - @elements_count yields a byte count greater than: + * - INT_MAX (as a simple "too big" sanity check) + * - the compile-time size of @src (when it can be determined) + * - @alloc could not be allocated. + * + * Returns: 0 on success, -ve on error. + */ +#define mem_to_flex_dup(alloc, src, elements_count, gfp) \ + __mem_to_flex_dup(alloc, /* alloc itself */, src, elements_count, gfp) + +/** flex_to_mem - Copy all flexible array structure elements into memory + * buffer. + * + * @dst: Destination buffer pointer. + * @bytes_available: How many bytes are available in @dst. + * @ptr: Pointer to allocated flexible array struct. + * @bytes_written: Pointer to variable to store how many bytes were written + * (may be NULL). + * + * Copies all of @ptr's flexible array elements into @dst. + * + * This is essentially a simple serializer. + * + * Failure conditions: + * - @bytes_available in @dst is any of: + * - negative. + * - larger than INT_MAX. + * - not large enough to hold the resulting copy. + * - @bytes_written's type cannot hold the size of the copy (e.g. 260 in u8). + * + * Return: 0 on success, -ve on failure. 
+ * + */ +#define flex_to_mem(dst, bytes_available, ptr, bytes_written) \ +__must_check_errno(({ \ + int __ftm_err = -EINVAL; \ + typeof(*(ptr)) *__ftm_ptr = (ptr); \ + u8 *__ftm_src = (u8 *)__ftm_ptr->__flex_array_elements; \ + typeof(*(bytes_written)) *__ftm_written = (bytes_written); \ + size_t __ftm_written_max = type_max(typeof(*__ftm_written)); \ + typeof(bytes_available) __ftm_dst_bytes = (bytes_available); \ + size_t __ftm_copy_bytes; \ + \ + do { \ + if (is_negative(__ftm_dst_bytes) || \ + __ftm_dst_bytes > INT_MAX || \ + fas_elements_bytes(__ftm_ptr, &__ftm_copy_bytes) || \ + __ftm_dst_bytes < __ftm_copy_bytes || \ + (!__same_type(typeof(bytes_written), NULL) && \ + __ftm_copy_bytes > __ftm_written_max)) { \ + __ftm_err = -E2BIG; \ + break; \ + } \ + __builtin_memcpy(dst, __ftm_src, __ftm_copy_bytes); \ + if (__ftm_written) \ + *__ftm_written = __ftm_copy_bytes; \ + __ftm_err = 0; \ + } while (0); \ + __ftm_err; \ +})) + +/** flex_to_mem_dup - Copy entire flexible array structure into newly + * allocated memory buffer. + * + * @alloc: Pointer to pointer to newly allocated memory region to hold contents + * of the copy. + * @alloc_size: Pointer to variable to hold the size of the allocated memory. + * @ptr: Pointer to allocated flexible array struct. + * @gfp: GFP allocation flags + * + * Allocates @alloc and copies all of @ptr's flexible array elements. + * + * This is essentially a simple allocating serializer. + * + * Failure conditions: + * - @alloc is NULL. + * - *@alloc is not NULL (something was already allocated). + * - @alloc_size is NULL. + * - @alloc_size's type cannot hold the size of the copy (e.g. 260 in u8). + * - @alloc could not be allocated. + * + * Return: 0 on success, -ve on failure. 
+ */ +#define flex_to_mem_dup(alloc, alloc_size, ptr, gfp) \ +__must_check_errno(({ \ + int __ftmd_err = -EINVAL; \ + typeof(**(alloc)) *__ftmd_alloc; \ + typeof(*(alloc_size)) *__ftmd_alloc_size = (alloc_size); \ + typeof(*(ptr)) *__ftmd_ptr = (ptr); \ + u8 *__ftmd_src = (u8 *)__ftmd_ptr->__flex_array_elements; \ + size_t __ftmd_alloc_max = type_max(typeof(*__ftmd_alloc_size)); \ + size_t __ftmd_copy_bytes; \ + \ + do { \ + if ((uintptr_t)(alloc) < 1 || *(alloc) || \ + (uintptr_t)(alloc_size) < 1) { \ + __ftmd_err = -EINVAL; \ + break; \ + } \ + if (fas_elements_bytes(__ftmd_ptr, \ + &__ftmd_copy_bytes) || \ + __ftmd_copy_bytes > __ftmd_alloc_max) { \ + __ftmd_err = -E2BIG; \ + break; \ + } \ + __ftmd_alloc = kmemdup(__ftmd_src, __ftmd_copy_bytes, \ + gfp); \ + if (!__ftmd_alloc) { \ + __ftmd_err = -ENOMEM; \ + break; \ + } \ + *__ftmd_alloc_size = __ftmd_copy_bytes; \ + *(alloc) = __ftmd_alloc; \ + __ftmd_err = 0; \ + } while (0); \ + __ftmd_err; \ +})) + +#endif /* _LINUX_FLEX_ARRAY_H_ */ diff --git a/include/linux/string.h b/include/linux/string.h index b6572aeca2f5..c01b76f73e99 100644 --- a/include/linux/string.h +++ b/include/linux/string.h @@ -252,6 +252,7 @@ static inline const char *kbasename(const char *path) #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE) #include #endif +#include void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count, int pad); diff --git a/include/uapi/linux/stddef.h b/include/uapi/linux/stddef.h index 7837ba4fe728..04870274f33b 100644 --- a/include/uapi/linux/stddef.h +++ b/include/uapi/linux/stddef.h 
@@ -44,4 +44,18 @@ struct { } __empty_ ## NAME; \ TYPE NAME[]; \ } + +/* For use with flexible array structure helpers, in */ +#define __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(TYPE, NAME) \ + union { \ + TYPE __flex_array_elements_count; \ + TYPE NAME; \ + } + +#define __DECLARE_FLEX_ARRAY_ELEMENTS(TYPE, NAME) \ + union { \ + __DECLARE_FLEX_ARRAY(TYPE, __flex_array_elements); \ + __DECLARE_FLEX_ARRAY(TYPE, NAME); \ + } + #endif From patchwork Wed May 4 01:44:12 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836832 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CEFEBC4332F for ; Wed, 4 May 2022 01:52:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343552AbiEDBxi (ORCPT ); Tue, 3 May 2022 21:53:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56756 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245557AbiEDBw0 (ORCPT ); Tue, 3 May 2022 21:52:26 -0400 Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C742E35DE2 for ; Tue, 3 May 2022 18:47:38 -0700 (PDT) Received: by mail-pj1-x1032.google.com with SMTP id cq17-20020a17090af99100b001dc0386cd8fso3315pjb.5 for ; Tue, 03 May 2022 18:47:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=50F1hUbWFLfT5ENWUNJYEA3u7uQsl+qxaqqCeMwZnyU=; b=XJCNLp6T2hlq16vnGlmWmig5+GsVMxNRRvIbEOnN6HSW8yTRmnmgFn0bdfSDK1+nc+ /lIeg89b2qTVpmYFiDm9nYt9X28PYd7TpfNNYgxckwT1LfN0EOUF0w4hbizFZn5WO8zm 
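Review bot: In __mem_to_flex() in include/linux/flex_array.h, the trailing wipe starts at the wrong address. `__builtin_memset(__mtf_dst + __mtf_dst_bytes, 0, __mtf_dst_bytes - __mtf_copy_bytes)` begins at the end of the destination's element array, so the stale elements between the end of the copy and the old count are left in place, and `__mtf_dst_bytes - __mtf_copy_bytes` bytes are zeroed beyond the storage that `count_member` describes. The start should be `__mtf_dst + __mtf_copy_bytes`. Separately, __flex_dup() captures `src` in `__fd_src` but then passes the raw `src` to `__builtin_memcpy()`, so the macro argument is evaluated twice; use `__fd_src` there.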
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , David Gow , kunit-dev@googlegroups.com, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Howells , "David S. Miller" , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Dumazet , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , netdev@vger.kernel.org, Nick Desaulniers , =?utf-8?q?Nuno_S=C3=A1?= , Paolo Abeni , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang Subject: [PATCH 03/32] flex_array: Add Kunit tests Date: Tue, 3 May 2022 18:44:12 -0700 Message-Id: <20220504014440.3697851-4-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0 Precedence: bulk
List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Add tests for the new flexible array structure helpers. These can be run with: make ARCH=um mrproper ./tools/testing/kunit/kunit.py config ./tools/testing/kunit/kunit.py run flex_array Cc: David Gow Cc: kunit-dev@googlegroups.com Signed-off-by: Kees Cook Reviewed-by: David Gow --- lib/Kconfig.debug | 12 +- lib/Makefile | 1 + lib/flex_array_kunit.c | 523 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 531 insertions(+), 5 deletions(-) create mode 100644 lib/flex_array_kunit.c diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index 9077bb38bc93..8bae6b169c50 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -2551,11 +2551,6 @@ config OVERFLOW_KUNIT_TEST Builds unit tests for the check_*_overflow(), size_*(), allocation, and related functions. - For more information on KUnit and unit tests in general please refer - to the KUnit documentation in Documentation/dev-tools/kunit/. - - If unsure, say N. - config STACKINIT_KUNIT_TEST tristate "Test level of stack variable initialization" if !KUNIT_ALL_TESTS depends on KUNIT @@ -2567,6 +2562,13 @@ config STACKINIT_KUNIT_TEST CONFIG_GCC_PLUGIN_STRUCTLEAK, CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF, or CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL. +config FLEX_ARRAY_KUNIT_TEST + tristate "Test flex_*() family of helper functions at runtime" if !KUNIT_ALL_TESTS + depends on KUNIT + default KUNIT_ALL_TESTS + help + Builds unit tests for flexible array copy helper functions. + config TEST_UDELAY tristate "udelay test driver" help diff --git a/lib/Makefile b/lib/Makefile index 6b9ffc1bd1ee..9884318db330 100644 --- a/lib/Makefile +++ b/lib/Makefile 
@@ -366,6 +366,7 @@ obj-$(CONFIG_MEMCPY_KUNIT_TEST) += memcpy_kunit.o obj-$(CONFIG_OVERFLOW_KUNIT_TEST) += overflow_kunit.o CFLAGS_stackinit_kunit.o += $(call cc-disable-warning, switch-unreachable) obj-$(CONFIG_STACKINIT_KUNIT_TEST) += stackinit_kunit.o +obj-$(CONFIG_FLEX_ARRAY_KUNIT_TEST) += flex_array_kunit.o obj-$(CONFIG_GENERIC_LIB_DEVMEM_IS_ALLOWED) += devmem_is_allowed.o diff --git a/lib/flex_array_kunit.c b/lib/flex_array_kunit.c new file mode 100644 index 000000000000..48bee88945b4 --- /dev/null +++ b/lib/flex_array_kunit.c 
@@ -0,0 +1,523 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Test cases for flex_*() array manipulation helpers. + */ +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + +#include +#include +#include +#include +#include + +#define COMPARE_STRUCTS(STRUCT_A, STRUCT_B) do { \ + STRUCT_A *ptr_A; \ + STRUCT_B *ptr_B; \ + int rc; \ + size_t size_A, size_B; \ + \ + /* matching types for flex array elements and count */ \ + KUNIT_EXPECT_EQ(test, sizeof(*ptr_A), sizeof(*ptr_B)); \ + KUNIT_EXPECT_TRUE(test, __same_type(*ptr_A->data, \ + *ptr_B->__flex_array_elements)); \ + KUNIT_EXPECT_TRUE(test, __same_type(ptr_A->datalen, \ + ptr_B->__flex_array_elements_count)); \ + KUNIT_EXPECT_EQ(test, sizeof(*ptr_A->data), \ + sizeof(*ptr_B->__flex_array_elements)); \ + KUNIT_EXPECT_EQ(test, offsetof(typeof(*ptr_A), data), \ + offsetof(typeof(*ptr_B), \ + __flex_array_elements)); \ + KUNIT_EXPECT_EQ(test, offsetof(typeof(*ptr_A), datalen), \ + offsetof(typeof(*ptr_B), \ + __flex_array_elements_count)); \ + \ + /* struct_size() vs __fas_bytes() */ \ + size_A = struct_size(ptr_A, data, 13); \ + rc = __fas_bytes(ptr_B, __flex_array_elements, \ + __flex_array_elements_count, 13, &size_B); \ + KUNIT_EXPECT_EQ(test, rc, 0); \ + KUNIT_EXPECT_EQ(test, size_A, size_B); \ + \ + /* flex_array_size() vs __fas_elements_bytes() */ \ + size_A = flex_array_size(ptr_A, data, 13); \ + rc = __fas_elements_bytes(ptr_B, __flex_array_elements, \ + __flex_array_elements_count, 13, &size_B); \ + KUNIT_EXPECT_EQ(test, rc, 0); \ + KUNIT_EXPECT_EQ(test, size_A, size_B); \ + \ + KUNIT_EXPECT_EQ(test, sizeof(*ptr_A) + size_A, \ + offsetof(typeof(*ptr_A), data) + \ + (sizeof(*ptr_A->data) * 13)); \ + KUNIT_EXPECT_EQ(test, sizeof(*ptr_B) + size_B, \ + offsetof(typeof(*ptr_B), \ + __flex_array_elements) + \ + (sizeof(*ptr_B->__flex_array_elements) * \ + 13)); \ +} while (0) + +struct normal { + size_t datalen; + u32 data[]; +}; + +struct decl_normal { + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, datalen); + 
DECLARE_FLEX_ARRAY_ELEMENTS(u32, data); +}; + +struct aligned { + unsigned short datalen; + char data[] __aligned(__alignof__(u64)); +}; + +struct decl_aligned { + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned short, datalen); + DECLARE_FLEX_ARRAY_ELEMENTS(char, data) __aligned(__alignof__(u64)); +}; + +static void struct_test(struct kunit *test) +{ + COMPARE_STRUCTS(struct normal, struct decl_normal); + COMPARE_STRUCTS(struct aligned, struct decl_aligned); +} + +/* Flexible array structure with internal padding. */ +struct flex_cpy_obj { + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u8, count); + unsigned long empty; + char induce_padding; + /* padding ends up here */ + unsigned long after_padding; + DECLARE_FLEX_ARRAY_ELEMENTS(u32, flex); +}; + +/* Encapsulating flexible array structure. */ +struct flex_dup_obj { + unsigned long flags; + int junk; + struct flex_cpy_obj fas; +}; + +/* Flexible array struct of only bytes. */ +struct tiny_flex { + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u8, count); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, byte_array); +}; + +#define CHECK_COPY(ptr) do { \ + typeof(*(ptr)) *_cc_dst = (ptr); \ + KUNIT_EXPECT_EQ(test, _cc_dst->induce_padding, 0); \ + memcpy(&padding, &_cc_dst->induce_padding + sizeof(_cc_dst->induce_padding), \ + sizeof(padding)); \ + /* Padding should be zero too. */ \ + KUNIT_EXPECT_EQ(test, padding, 0); \ + KUNIT_EXPECT_EQ(test, src->count, _cc_dst->count); \ + KUNIT_EXPECT_EQ(test, _cc_dst->count, TEST_TARGET); \ + for (i = 0; i < _cc_dst->count - 1; i++) { \ + /* 'A' is 0x41, and here repeated in a u32. */ \ + KUNIT_EXPECT_EQ(test, _cc_dst->flex[i], 0x41414141); \ + } \ + /* Last item should be different. */ \ + KUNIT_EXPECT_EQ(test, _cc_dst->flex[_cc_dst->count - 1], 0x14141414); \ +} while (0) + +/* Test copying from one flexible array struct into another. 
*/ +static void flex_cpy_test(struct kunit *test) +{ +#define TEST_BOUNDS 13 +#define TEST_TARGET 12 +#define TEST_SMALL 10 + struct flex_cpy_obj *src, *dst; + unsigned long padding; + int i, rc; + + /* Prepare open-coded source. */ + src = kzalloc(struct_size(src, flex, TEST_BOUNDS), GFP_KERNEL); + src->count = TEST_BOUNDS; + memset(src->flex, 'A', flex_array_size(src, flex, TEST_BOUNDS)); + src->flex[src->count - 2] = 0x14141414; + src->flex[src->count - 1] = 0x24242424; + + /* Prepare open-coded destination, alloc only. */ + dst = kzalloc(struct_size(src, flex, TEST_BOUNDS), GFP_KERNEL); + /* Pre-fill with 0xFE marker. */ + memset(dst, 0xFE, struct_size(src, flex, TEST_BOUNDS)); + /* Pretend we're 1 element smaller. */ + dst->count = TEST_TARGET; + + /* Pretend to match the target destination size. */ + src->count = TEST_TARGET; + + rc = flex_cpy(dst, src); + KUNIT_EXPECT_EQ(test, rc, 0); + CHECK_COPY(dst); + /* Item past last copied item is unchanged from initial memset. */ + KUNIT_EXPECT_EQ(test, dst->flex[dst->count], 0xFEFEFEFE); + + /* Now trip overflow, and verify we didn't clobber beyond end. */ + src->count = TEST_BOUNDS; + rc = flex_cpy(dst, src); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Item past last copied item is unchanged from initial memset. */ + KUNIT_EXPECT_EQ(test, dst->flex[dst->count], 0xFEFEFEFE); + + /* Reset destination contents. */ + memset(dst, 0xFD, struct_size(src, flex, TEST_BOUNDS)); + dst->count = TEST_TARGET; + + /* Copy less than max. */ + src->count = TEST_SMALL; + rc = flex_cpy(dst, src); + KUNIT_EXPECT_EQ(test, rc, 0); + /* Verify count was adjusted. */ + KUNIT_EXPECT_EQ(test, dst->count, TEST_SMALL); + /* Verify element beyond src size was wiped. */ + KUNIT_EXPECT_EQ(test, dst->flex[TEST_SMALL], 0); + /* Verify element beyond original dst size was untouched. 
*/ + KUNIT_EXPECT_EQ(test, dst->flex[TEST_TARGET], 0xFDFDFDFD); + + kfree(dst); + kfree(src); +#undef TEST_BOUNDS +#undef TEST_TARGET +#undef TEST_SMALL +} + +static void flex_dup_test(struct kunit *test) +{ +#define TEST_TARGET 12 + struct flex_cpy_obj *src, *dst = NULL, **null = NULL; + struct flex_dup_obj *encap = NULL; + unsigned long padding; + int i, rc; + + /* Prepare open-coded source. */ + src = kzalloc(struct_size(src, flex, TEST_TARGET), GFP_KERNEL); + src->count = TEST_TARGET; + memset(src->flex, 'A', flex_array_size(src, flex, TEST_TARGET)); + src->flex[src->count - 1] = 0x14141414; + + /* Reject NULL @alloc. */ + rc = flex_dup(null, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + + /* Check good copy. */ + rc = flex_dup(&dst, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_ASSERT_TRUE(test, dst != NULL); + CHECK_COPY(dst); + + /* Reject non-NULL *@alloc. */ + rc = flex_dup(&dst, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + + kfree(dst); + + /* Check good encap copy. */ + rc = __flex_dup(&encap, .fas, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_ASSERT_TRUE(test, dst != NULL); + CHECK_COPY(&encap->fas); + /* Check that items external to "fas" are zero. */ + KUNIT_EXPECT_EQ(test, encap->flags, 0); + KUNIT_EXPECT_EQ(test, encap->junk, 0); + kfree(encap); +#undef MAGIC_WORD +#undef TEST_TARGET +} + +static void mem_to_flex_test(struct kunit *test) +{ +#define TEST_TARGET 9 +#define TEST_MAX U8_MAX +#define MAGIC_WORD 0x03030303 + u8 magic_byte = MAGIC_WORD & 0xff; + struct flex_cpy_obj *dst; + size_t big = (size_t)INT_MAX + 1; + char small[] = "Hello"; + char *src; + u32 src_len; + int rc; + + /* Open coded allocations, 1 larger than actually used. */ + src_len = flex_array_size(dst, flex, TEST_MAX + 1); + src = kzalloc(src_len, GFP_KERNEL); + dst = kzalloc(struct_size(dst, flex, TEST_MAX + 1), GFP_KERNEL); + dst->count = TEST_TARGET; + + /* Fill source. 
*/ + memset(src, magic_byte, src_len); + + /* Short copy is fine. */ + KUNIT_EXPECT_EQ(test, dst->flex[0], 0); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + rc = mem_to_flex(dst, src, 1); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_EXPECT_EQ(test, dst->count, 1); + KUNIT_EXPECT_EQ(test, dst->after_padding, 0); + KUNIT_EXPECT_EQ(test, dst->flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + dst->count = TEST_TARGET; + + /* Reject negative elements count. */ + rc = mem_to_flex(dst, small, -1); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure dst is unchanged. */ + KUNIT_EXPECT_EQ(test, dst->flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + + /* Reject compile-time read overflow. */ + rc = mem_to_flex(dst, small, 20); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure dst is unchanged. */ + KUNIT_EXPECT_EQ(test, dst->flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + + /* Reject giant buffer source. */ + rc = mem_to_flex(dst, small, big); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure dst is unchanged. */ + KUNIT_EXPECT_EQ(test, dst->flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + + /* Copy beyond storage size is rejected. */ + dst->count = TEST_MAX; + KUNIT_EXPECT_EQ(test, dst->flex[TEST_MAX - 1], 0); + KUNIT_EXPECT_EQ(test, dst->flex[TEST_MAX], 0); + rc = mem_to_flex(dst, src, TEST_MAX + 1); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure dst is unchanged. 
*/ + KUNIT_EXPECT_EQ(test, dst->flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + + kfree(dst); + kfree(src); +#undef MAGIC_WORD +#undef TEST_MAX +#undef TEST_TARGET +} + +static void mem_to_flex_dup_test(struct kunit *test) +{ +#define ELEMENTS_COUNT 259 +#define MAGIC_WORD 0xABABABAB + u8 magic_byte = MAGIC_WORD & 0xff; + struct flex_dup_obj *obj = NULL; + struct tiny_flex *tiny = NULL, **null = NULL; + size_t src_len, count, big = (size_t)INT_MAX + 1; + char small[] = "Hello"; + u8 *src; + int rc; + + src_len = struct_size(tiny, byte_array, ELEMENTS_COUNT); + src = kzalloc(src_len, GFP_KERNEL); + KUNIT_ASSERT_TRUE(test, src != NULL); + /* Fill with bytes. */ + memset(src, magic_byte, src_len); + KUNIT_EXPECT_EQ(test, src[0], magic_byte); + KUNIT_EXPECT_EQ(test, src[src_len / 2], magic_byte); + KUNIT_EXPECT_EQ(test, src[src_len - 1], magic_byte); + + /* Reject storage exceeding elements_count type. */ + count = ELEMENTS_COUNT; + rc = mem_to_flex_dup(&tiny, src, count, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + KUNIT_EXPECT_TRUE(test, tiny == NULL); + + /* Reject negative elements count. */ + rc = mem_to_flex_dup(&tiny, src, -1, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + KUNIT_EXPECT_TRUE(test, tiny == NULL); + + /* Reject compile-time read overflow. */ + rc = mem_to_flex_dup(&tiny, small, 20, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + KUNIT_EXPECT_TRUE(test, tiny == NULL); + + /* Reject giant buffer source. */ + rc = mem_to_flex_dup(&tiny, small, big, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + KUNIT_EXPECT_TRUE(test, tiny == NULL); + + /* Reject NULL @alloc. */ + rc = mem_to_flex_dup(null, src, count, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + + /* Allow reasonable count.*/ + count = ELEMENTS_COUNT / 2; + rc = mem_to_flex_dup(&tiny, src, count, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_ASSERT_TRUE(test, tiny != NULL); + /* Spot check the copy happened. 
*/ + KUNIT_EXPECT_EQ(test, tiny->count, count); + KUNIT_EXPECT_EQ(test, tiny->byte_array[0], magic_byte); + KUNIT_EXPECT_EQ(test, tiny->byte_array[count / 2], magic_byte); + KUNIT_EXPECT_EQ(test, tiny->byte_array[count - 1], magic_byte); + + /* Reject non-NULL *@alloc. */ + rc = mem_to_flex_dup(&tiny, src, count, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + kfree(tiny); + + /* Works with encapsulation too. */ + count = ELEMENTS_COUNT / 10; + rc = __mem_to_flex_dup(&obj, .fas, src, count, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_ASSERT_TRUE(test, obj != NULL); + /* Spot check the copy happened. */ + KUNIT_EXPECT_EQ(test, obj->fas.count, count); + KUNIT_EXPECT_EQ(test, obj->fas.after_padding, 0); + KUNIT_EXPECT_EQ(test, obj->fas.flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, obj->fas.flex[count / 2], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, obj->fas.flex[count - 1], MAGIC_WORD); + /* Check members before flexible array struct are zero. */ + KUNIT_EXPECT_EQ(test, obj->flags, 0); + KUNIT_EXPECT_EQ(test, obj->junk, 0); + kfree(obj); +#undef MAGIC_WORD +#undef ELEMENTS_COUNT +} + +static void flex_to_mem_test(struct kunit *test) +{ +#define ELEMENTS_COUNT 200 +#define MAGIC_WORD 0xF1F2F3F4 + struct flex_cpy_obj *src; + typeof(*src->flex) *cast; + size_t src_len = struct_size(src, flex, ELEMENTS_COUNT); + size_t copy_len = flex_array_size(src, flex, ELEMENTS_COUNT); + int i, rc; + size_t bytes = 0; + u8 too_small; + u8 *dst; + + /* Create a filled flexible array struct. */ + src = kzalloc(src_len, GFP_KERNEL); + KUNIT_ASSERT_TRUE(test, src != NULL); + src->count = ELEMENTS_COUNT; + src->after_padding = 13; + for (i = 0; i < ELEMENTS_COUNT; i++) + src->flex[i] = MAGIC_WORD; + + /* Over-allocate space to do past-src_len checking. */ + dst = kzalloc(src_len * 2, GFP_KERNEL); + KUNIT_ASSERT_TRUE(test, dst != NULL); + cast = (void *)dst; + + /* Fail if dst is too small. 
*/ + rc = flex_to_mem(dst, copy_len - 1, src, &bytes); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure nothing was copied. */ + KUNIT_EXPECT_EQ(test, bytes, 0); + KUNIT_EXPECT_EQ(test, cast[0], 0); + + /* Fail if type too small to hold size of copy. */ + KUNIT_EXPECT_GT(test, copy_len, type_max(typeof(too_small))); + rc = flex_to_mem(dst, copy_len, src, &too_small); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure nothing was copied. */ + KUNIT_EXPECT_EQ(test, bytes, 0); + KUNIT_EXPECT_EQ(test, cast[0], 0); + + /* Check good copy. */ + rc = flex_to_mem(dst, copy_len, src, &bytes); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_EXPECT_EQ(test, bytes, copy_len); + /* Spot check the copy */ + KUNIT_EXPECT_EQ(test, cast[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, cast[ELEMENTS_COUNT / 2], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, cast[ELEMENTS_COUNT - 1], MAGIC_WORD); + /* Make sure nothing was written after last element. */ + KUNIT_EXPECT_EQ(test, cast[ELEMENTS_COUNT], 0); + + kfree(dst); + kfree(src); +#undef MAGIC_WORD +#undef ELEMENTS_COUNT +} + +static void flex_to_mem_dup_test(struct kunit *test) +{ +#define ELEMENTS_COUNT 210 +#define MAGIC_WORD 0xF0F1F2F3 + struct flex_dup_obj *obj, **null = NULL; + struct flex_cpy_obj *src; + typeof(*src->flex) *cast; + size_t obj_len = struct_size(obj, fas.flex, ELEMENTS_COUNT); + size_t src_len = struct_size(src, flex, ELEMENTS_COUNT); + size_t copy_len = flex_array_size(src, flex, ELEMENTS_COUNT); + int i, rc; + size_t bytes = 0; + u8 too_small = 0; + u8 *dst = NULL; + + /* Create a filled flexible array struct. */ + obj = kzalloc(obj_len, GFP_KERNEL); + KUNIT_ASSERT_TRUE(test, obj != NULL); + obj->fas.count = ELEMENTS_COUNT; + obj->fas.after_padding = 13; + for (i = 0; i < ELEMENTS_COUNT; i++) + obj->fas.flex[i] = MAGIC_WORD; + src = &obj->fas; + + /* Fail if type too small to hold size of copy. 
*/ + KUNIT_EXPECT_GT(test, src_len, type_max(typeof(too_small))); + rc = flex_to_mem_dup(&dst, &too_small, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + KUNIT_EXPECT_TRUE(test, dst == NULL); + KUNIT_EXPECT_EQ(test, too_small, 0); + + /* Fail if @alloc_size is NULL. */ + KUNIT_EXPECT_TRUE(test, dst == NULL); + rc = flex_to_mem_dup(&dst, dst, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + KUNIT_EXPECT_TRUE(test, dst == NULL); + + /* Fail if @alloc is NULL. */ + rc = flex_to_mem_dup(null, &bytes, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + KUNIT_EXPECT_TRUE(test, dst == NULL); + KUNIT_EXPECT_EQ(test, bytes, 0); + + /* Check good copy. */ + rc = flex_to_mem_dup(&dst, &bytes, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_EXPECT_TRUE(test, dst != NULL); + KUNIT_EXPECT_EQ(test, bytes, copy_len); + cast = (void *)dst; + /* Spot check the copy */ + KUNIT_EXPECT_EQ(test, cast[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, cast[ELEMENTS_COUNT / 2], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, cast[ELEMENTS_COUNT - 1], MAGIC_WORD); + + /* Fail if *@alloc is non-NULL. 
*/ + bytes = 0; + rc = flex_to_mem_dup(&dst, &bytes, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + KUNIT_EXPECT_EQ(test, bytes, 0); + + kfree(dst); + kfree(obj); +#undef MAGIC_WORD +#undef ELEMENTS_COUNT +} + +static struct kunit_case flex_array_test_cases[] = { + KUNIT_CASE(struct_test), + KUNIT_CASE(flex_cpy_test), + KUNIT_CASE(flex_dup_test), + KUNIT_CASE(mem_to_flex_test), + KUNIT_CASE(mem_to_flex_dup_test), + KUNIT_CASE(flex_to_mem_test), + KUNIT_CASE(flex_to_mem_dup_test), + {} +}; + +static struct kunit_suite flex_array_test_suite = { + .name = "flex_array", + .test_cases = flex_array_test_cases, +}; + +kunit_test_suite(flex_array_test_suite); + +MODULE_LICENSE("GPL"); From patchwork Wed May 4 01:44:13 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836817 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 89A8FC433EF for ; Wed, 4 May 2022 01:47:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245518AbiEDBva (ORCPT ); Tue, 3 May 2022 21:51:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55168 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245279AbiEDBvR (ORCPT ); Tue, 3 May 2022 21:51:17 -0400 Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 799B02F002 for ; Tue, 3 May 2022 18:47:37 -0700 (PDT) Received: by mail-pj1-x1031.google.com with SMTP id t11-20020a17090ad50b00b001d95bf21996so3935922pju.2 for ; Tue, 03 May 2022 18:47:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; 
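Review bot: mem_to_flex_dup_test() never frees src. It is kzalloc()ed near the top of the function, but the function ends with only kfree(tiny) and kfree(obj), so every run of the suite leaks struct_size(tiny, byte_array, ELEMENTS_COUNT) bytes; add kfree(src) before the #undef lines. Separately, flex_to_mem_test() declares "u8 too_small;" without an initializer and, after the -E2BIG call that passes &too_small, re-checks bytes rather than too_small, so that case never proves the caller's size variable was left untouched; initialize it to 0 and expect 0 afterwards, as flex_to_mem_dup_test() does.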
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, Nathan Chancellor, Nick Desaulniers, Tom Rix, linux-hardening@vger.kernel.org, llvm@lists.linux.dev, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, "David S. Miller", Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Dumazet, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot, Jakub Kicinski, "James E.J. Bottomley", James Morris, Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K.
Petersen", Max Filippov, Mimi Zohar, Muchun Song, netdev@vger.kernel.org, Nuno Sá, Paolo Abeni, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 04/32] fortify: Add run-time WARN for cross-field memcpy()
Date: Tue, 3 May 2022 18:44:13 -0700
Message-Id: <20220504014440.3697851-5-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
X-Mailing-List: linux-scsi@vger.kernel.org

Enable run-time checking of dynamic memcpy() and memmove() lengths,
issuing a WARN when a write would exceed the size of the target struct
member, when built with CONFIG_FORTIFY_SOURCE=y. This would have
caught all of the memcpy()-based buffer overflows from 2018 through 2020,
specifically covering all the cases where the destination buffer size
is known at compile time.

This change ONLY adds a run-time warning. As false positives are currently
still expected, this will not block the overflow. The new warnings will
look like this:

  memcpy: detected field-spanning write (size N) of single field "var->dest" (size M)
  WARNING: CPU: n PID: pppp at source/file/path.c:nr function+0xXX/0xXX [module]

The false positives are most likely where intentional field-spanning
writes are happening. These need to be addressed similarly to how the
compile-time cases were addressed: add a struct_group(), split the
memcpy(), use a flex_array.h helper, or some other refactoring.

In order to make identifying/investigating instances of added runtime
checks easier, each instance includes the destination variable name as a
WARN argument, prefixed with 'field "'. Therefore, on any given build,
it is trivial to inspect the artifacts to find instances. For example
on an x86_64 defconfig build, there are 78 new run-time memcpy() bounds
checks added:

  $ for i in vmlinux $(find . -name '*.ko'); do \
      strings "$i" | grep '^field "'; done | wc -l
  78

Currently, the common case where a destination buffer is known to be a
dynamic size (i.e. has a trailing flexible array) does not generate a
WARN. For example:

    struct normal_flex_array {
        void *a;
        int b;
        size_t array_size;
        u32 c;
        u8 flex_array[];
    };

    struct normal_flex_array *instance;
    ...
    /* These cases will be ignored for run-time bounds checking. */
    memcpy(instance, src, len);
    memcpy(instance->flex_array, src, len);

This code pattern will need to be addressed separately, likely by
migrating to one of the flex_array.h family of helpers.

Note that one of the dynamic-sized destination cases is irritatingly
unable to be detected by the compiler: when using memcpy() to target
a composite struct member which contains a trailing flexible array
struct. For example:

    struct wrapper {
        int foo;
        char bar;
        struct normal_flex_array embedded;
    };

    struct wrapper *instance;
    ...
    /* This will incorrectly WARN when len > sizeof(instance->embedded) */
    memcpy(&instance->embedded, src, len);

These cases end up appearing to the compiler to be sized as if the
flexible array had 0 elements. :( For more details see:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832
https://godbolt.org/z/vW6x8vh4P

Regardless, all cases of copying to/from flexible array structures
should be migrated to using the new flex*()-family of helpers to gain
their added safety checking, but priority will need to be given to the
"composite flexible array structure destination" cases noted above.

As mentioned, none of these bounds checks block any overflows
currently. For users that have tested their workloads, do not encounter
any warnings, and wish to make these checks stop any overflows, they
can use a big hammer and set the sysctl panic_on_warn=1.

Cc: Nathan Chancellor
Cc: Nick Desaulniers
Cc: Tom Rix
Cc: linux-hardening@vger.kernel.org
Cc: llvm@lists.linux.dev
Signed-off-by: Kees Cook
---
 include/linux/fortify-string.h | 70 ++++++++++++++++++++++++++++++++--
 1 file changed, 67 insertions(+), 3 deletions(-)

diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index 295637a66c46..9f65527fff40 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h
@@ -3,6 +3,7 @@ #define _LINUX_FORTIFY_STRING_H_ #include +#include #define __FORTIFY_INLINE extern __always_inline __gnu_inline __overloadable #define __RENAME(x) __asm__(#x) @@ -303,7 +304,7 @@ __FORTIFY_INLINE void fortify_memset_chk(__kernel_size_t size, * V = vulnerable to run-time overflow (will need refactoring to solve) * */ -__FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size, +__FORTIFY_INLINE bool fortify_memcpy_chk(__kernel_size_t size, const size_t p_size, const size_t q_size, const size_t p_size_field, 
@@ -352,16 +353,79 @@ __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size, if ((p_size != (size_t)(-1) && p_size < size) || (q_size != (size_t)(-1) && q_size < size)) fortify_panic(func); + + /* + * Warn when writing beyond destination field size. + * + * We must ignore p_size_field == 0 and -1 for existing + * 0-element and flexible arrays, until they are all converted + * to flexible arrays and use the flex()-family of helpers. + * + * The implementation of __builtin_object_size() behaves + * like sizeof() when not directly referencing a flexible + * array member, which means there will be many bounds checks + * that will appear at run-time, without a way for them to be + * detected at compile-time (as can be done when the destination + * is specifically the flexible array member). + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832 + */ + if (p_size_field != 0 && p_size_field != (size_t)(-1) && + p_size != p_size_field && p_size_field < size) + return true; + + return false; } #define __fortify_memcpy_chk(p, q, size, p_size, q_size, \ p_size_field, q_size_field, op) ({ \ size_t __fortify_size = (size_t)(size); \ - fortify_memcpy_chk(__fortify_size, p_size, q_size, \ - p_size_field, q_size_field, #op); \ + WARN_ONCE(fortify_memcpy_chk(__fortify_size, p_size, q_size, \ + p_size_field, q_size_field, #op), \ + #op ": detected field-spanning write (size %zu) of single %s (size %zu)\n", \ + __fortify_size, \ + "field \"" #p "\" at " __FILE__ ":" __stringify(__LINE__), \ + p_size_field); \ __underlying_##op(p, q, __fortify_size); \ }) +/* + * Notes about compile-time buffer size detection: + * + * With these types... + * + * struct middle { + * u16 a; + * u8 middle_buf[16]; + * int b; + * }; + * struct end { + * u16 a; + * u8 end_buf[16]; + * }; + * struct flex { + * int a; + * u8 flex_buf[]; + * }; + * + * void func(TYPE *ptr) { ... 
} + * + * Cases where destination size cannot be currently detected: + * - the size of ptr's object (seemingly by design, gcc & clang fail): + * __builtin_object_size(ptr, 1) == -1 + * - the size of flexible arrays in ptr's obj (by design, dynamic size): + * __builtin_object_size(ptr->flex_buf, 1) == -1 + * - the size of ANY array at the end of ptr's obj (gcc and clang bug): + * __builtin_object_size(ptr->end_buf, 1) == -1 + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836 + * + * Cases where destination size is currently detected: + * - the size of non-array members within ptr's object: + * __builtin_object_size(ptr->a, 1) == 2 + * - the size of non-flexible-array in the middle of ptr's obj: + * __builtin_object_size(ptr->middle_buf, 1) == 16 + * + */ + /* * __builtin_object_size() must be captured here to avoid evaluating argument * side-effects further into the macro layers. From patchwork Wed May 4 01:44:14 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836819 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AD07AC3527C for ; Wed, 4 May 2022 01:49:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343525AbiEDBwe (ORCPT ); Tue, 3 May 2022 21:52:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56770 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245575AbiEDBw1 (ORCPT ); Tue, 3 May 2022 21:52:27 -0400 Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C9F41403DA for ; Tue, 3 May 2022 18:47:39 -0700 (PDT) Received: by mail-pl1-x629.google.com with SMTP id s14so154430plk.8 for ; Tue, 03 
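Review bot: in the check added at the end of fortify_memcpy_chk(), the "p_size != p_size_field" term has no explanation; the comment covers why p_size_field values of 0 and (size_t)(-1) are skipped, but not why a destination whose whole-object size equals its field size is exempt. Add a sentence for that term so later readers do not treat it as redundant and drop it. In the new "Notes about compile-time buffer size detection" comment, "__builtin_object_size(ptr->a, 1) == 2" passes the u16 value rather than its address; "&ptr->a" is presumably meant. The string built in __fortify_memcpy_chk() also appends " at " __FILE__ ":" __stringify(__LINE__) to the field name, which the sample output in the commit message does not show.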
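The commit message for [PATCH 04/32] suggests setting panic_on_warn=1 only after workloads have run without warnings, which means collecting and reviewing the new WARN lines first. The following is an added example, not code from the patch or the kernel tree: it parses the message produced by the format string in __fortify_memcpy_chk() (including the " at file:line" suffix the macro appends) and groups hits per call site. The log lines, paths and function names are constructed, and the regexes assume exactly the format shown in this patch.

```python
import re

# Built from the format string in the patch's __fortify_memcpy_chk() macro:
#   #op ": detected field-spanning write (size %zu) of single %s (size %zu)\n"
# where %s expands to:  field "<dest expression>" at <__FILE__>:<__LINE__>
MSG_RE = re.compile(
    r'(?P<op>memcpy|memmove): detected field-spanning write '
    r'\(size (?P<size>\d+)\) of single field "(?P<field>.+)" '
    r'at (?P<file>\S+):(?P<line>\d+) \(size (?P<field_size>\d+)\)'
)
# The WARNING line, in the shape shown in the commit message.
WARNING_RE = re.compile(
    r'WARNING: CPU: \d+ PID: \d+ at \S+:\d+ '
    r'(?P<func>[^\s+]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<module>[^\]]+)\])?'
)

# Constructed sample: two boots' worth of dmesg output concatenated.
# Paths, functions and module names are made up for the example.
SAMPLE_LOG = """\
[   12.345670] ------------[ cut here ]------------
[   12.345680] memcpy: detected field-spanning write (size 24) of single field "&instance->embedded" at drivers/example/wrap.c:88 (size 16)
[   12.345690] WARNING: CPU: 1 PID: 412 at drivers/example/wrap.c:88 wrap_fill+0x4a/0x90 [example_wrap]
[   98.000100] memmove: detected field-spanning write (size 40) of single field "hdr->name" at net/example/proto.c:210 (size 32)
[   98.000110] WARNING: CPU: 0 PID: 77 at net/example/proto.c:210 proto_rx+0x1c/0x200
[  120.500000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[    9.100000] memcpy: detected field-spanning write (size 64) of single field "&instance->embedded" at drivers/example/wrap.c:88 (size 16)
[    9.100020] random: crng init done
"""


def parse_warns(lines):
    """Return one dict per field-spanning-write message found in `lines`.

    The WARNING line is attached only when it is the very next line, so an
    unrelated WARNING later in a truncated log is not misattributed.
    """
    events = []
    pending = None
    for raw in lines:
        m = MSG_RE.search(raw)
        if m:
            pending = {
                "op": m.group("op"),
                "size": int(m.group("size")),
                "field": m.group("field"),
                "file": m.group("file"),
                "line": int(m.group("line")),
                "field_size": int(m.group("field_size")),
                "func": None,
                "module": None,
            }
            events.append(pending)
            continue
        if pending is not None:
            w = WARNING_RE.search(raw)
            if w:
                pending["func"] = w.group("func")
                pending["module"] = w.group("module")
            pending = None
    return events


def summarize(events):
    """Group events by call site (file:line) and keep the worst overrun.

    WARN_ONCE fires once per call site per boot, so the hit count is mostly
    a count of boots/hosts; the largest overrun is what guides the fix.
    """
    sites = {}
    for ev in events:
        key = f'{ev["file"]}:{ev["line"]}'
        site = sites.setdefault(key, {
            "op": ev["op"], "field": ev["field"],
            "field_size": ev["field_size"],
            "hits": 0, "max_overrun": 0, "func": None, "module": None,
        })
        site["hits"] += 1
        site["max_overrun"] = max(site["max_overrun"],
                                  ev["size"] - ev["field_size"])
        site["func"] = site["func"] or ev["func"]
        site["module"] = site["module"] or ev["module"]
    return sites


if __name__ == "__main__":
    for where, info in summarize(parse_warns(SAMPLE_LOG.splitlines())).items():
        print(f'{where} {info["op"]} field "{info["field"]}" '
              f'({info["field_size"]} bytes): {info["hits"]} hit(s), '
              f'worst overrun {info["max_overrun"]} bytes, '
              f'in {info["func"]} [{info["module"] or "built-in"}]')
```

Sites whose field expression is a composite member such as "&instance->embedded" are the ones the commit message flags as likely false positives and as the priority for conversion to the flex*() helpers.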
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, Arend van Spriel, Franky Lin, Hante Meuleman, Kalle Valo, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com, SHA-cyfmac-dev-list@infineon.com, netdev@vger.kernel.org, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Gross, Andy Lavr, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Herbert Xu, Hulk Robot, "James E.J. Bottomley", James Morris, Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, Johannes Berg, John Keeping, Juergen Gross, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K.
Petersen", Max Filippov, Mimi Zohar, Muchun Song, Nathan Chancellor, Nick Desaulniers, Nuno Sá, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn", Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 05/32] brcmfmac: Use mem_to_flex_dup() with struct brcmf_fweh_queue_item
Date: Tue, 3 May 2022 18:44:14 -0700
Message-Id: <20220504014440.3697851-6-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
X-Mailing-List:
linux-scsi@vger.kernel.org

As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.

Cc: Arend van Spriel
Cc: Franky Lin
Cc: Hante Meuleman
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: linux-wireless@vger.kernel.org
Cc: brcm80211-dev-list.pdl@broadcom.com
Cc: SHA-cyfmac-dev-list@infineon.com
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 .../net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c index bc3f4e4edcdf..bea798ca6466 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c @@ -32,8 +32,8 @@ struct brcmf_fweh_queue_item { u8 ifidx; u8 ifaddr[ETH_ALEN]; struct brcmf_event_msg_be emsg; - u32 datalen; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, datalen); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; /* @@ -395,7 +395,7 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, { enum brcmf_fweh_event_code code; struct brcmf_fweh_info *fweh = &drvr->fweh; - struct brcmf_fweh_queue_item *event; + struct brcmf_fweh_queue_item *event = NULL; void *data; u32 datalen; @@ -414,8 +414,7 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, datalen + sizeof(*event_packet) > packet_len) return; - event = kzalloc(sizeof(*event) + datalen, gfp); - if (!event) + if (mem_to_flex_dup(&event, data, datalen, gfp)) return; event->code = code; 
@@ -423,8 +422,6 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, /* use memcpy to get aligned event message */ memcpy(&event->emsg, &event_packet->msg, sizeof(event->emsg)); - memcpy(event->data, data, datalen); - event->datalen = datalen; memcpy(event->ifaddr, event_packet->eth.h_dest, ETH_ALEN); brcmf_fweh_queue_event(fweh, event); From patchwork Wed May 4 01:44:15 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836825 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1CFB0C433FE for ; Wed, 4 May 2022 01:50:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343551AbiEDBxd (ORCPT ); Tue, 3 May 2022 21:53:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56944 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245738AbiEDBwa (ORCPT ); Tue, 3 May 2022 21:52:30 -0400 Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6EFFD434A9 for ; Tue, 3 May 2022 18:48:01 -0700 (PDT) Received: by mail-pj1-x1029.google.com with SMTP id iq2-20020a17090afb4200b001d93cf33ae9so3905988pjb.5 for ; Tue, 03 May 2022 18:48:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=/zjSzrQhFPsEVokcSsrv18uPDt/e1w8KitHmUEp+EKs=; b=mT+0HB76IN8PFmOQ4RQ3Shsn/xpSWIw4uZtDzm+qPL1ltT6DXjm7Tp880YLv6NTlX2 jzlnck4Hcy2b22tjZHTFIsFigeOwa/p0jwatnoLYw/6ZPZFoRjVJYcegxFjMo85nErfR VdOWk3eGpgUIVPQ45lqiYFZPzg8bYlpkvYlx8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; 
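Review bot: in the @@ -414,8 hunk of brcmf_fweh_process_event(), "if (mem_to_flex_dup(&event, data, datalen, gfp)) return;" throws away the helper's return code, so a bounds rejection is now handled exactly like an allocation failure and leaves no trace. The helper can fail for more reasons than the kzalloc() it replaces (the KUnit test in this series expects -E2BIG and -EINVAL from it); keep the value in a local and emit a debug-level message for the non-allocation errors, since a firmware event with an out-of-range datalen is worth knowing about.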
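Review bot: the "= NULL" initializer added to "struct brcmf_fweh_queue_item *event" in the @@ -395,7 hunk is required, not cosmetic, and nothing in the code says so. The series' own test shows mem_to_flex_dup() returning -EINVAL when *alloc is non-NULL, so removing the initializer as an apparent dead store would make every event silently dropped or depend on stack contents; add a short comment next to the declaration or mention the requirement in the commit message.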
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, Luca Coelho, "David S. Miller", Jakub Kicinski, Lee Jones, Johannes Berg, Gregory Greenman, Kalle Valo, Eric Dumazet, Paolo Abeni, Andy Lavr, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Gross, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot, "James E.J. Bottomley", James Morris, Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, John Keeping, Juergen Gross, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K.
Petersen", Max Filippov, Mimi Zohar, Muchun Song, Nathan Chancellor, Nick Desaulniers, Nuno Sá, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 06/32] iwlwifi: calib: Prepare to use mem_to_flex_dup()
Date: Tue, 3 May 2022 18:44:15 -0700
Message-Id: <20220504014440.3697851-7-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
X-Mailing-List:
linux-scsi@vger.kernel.org In preparation for replacing an open-coded memcpy() of a dynamically sized buffer, rearrange the structures to pass enough information into the calling function to examine the bounds of the struct. Rearrange the argument passing to use "cmd", rather than "hdr", since "res" expects to operate on the "data" flex array in "cmd" (that follows "hdr"). Cc: Luca Coelho Cc: "David S. Miller" Cc: Jakub Kicinski Cc: Lee Jones Cc: Johannes Berg Cc: Gregory Greenman Cc: Kalle Valo Cc: Eric Dumazet Cc: Paolo Abeni Cc: Andy Lavr Cc: linux-wireless@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/wireless/intel/iwlwifi/dvm/agn.h | 2 +- drivers/net/wireless/intel/iwlwifi/dvm/calib.c | 10 +++++----- drivers/net/wireless/intel/iwlwifi/dvm/ucode.c | 8 ++++---- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/agn.h b/drivers/net/wireless/intel/iwlwifi/dvm/agn.h index abb8696ba294..744e111d2ea3 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/agn.h +++ b/drivers/net/wireless/intel/iwlwifi/dvm/agn.h @@ -112,7 +112,7 @@ int iwl_load_ucode_wait_alive(struct iwl_priv *priv, enum iwl_ucode_type ucode_type); int iwl_send_calib_results(struct iwl_priv *priv); int iwl_calib_set(struct iwl_priv *priv, - const struct iwl_calib_hdr *cmd, int len); + const struct iwl_calib_cmd *cmd, int len); void iwl_calib_free_results(struct iwl_priv *priv); int iwl_dump_nic_event_log(struct iwl_priv *priv, bool full_log, char **buf); diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c index a11884fa254b..ae1f0cf560e2 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c +++ b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c @@ -19,7 +19,7 @@ struct iwl_calib_result { struct list_head list; size_t cmd_len; - struct iwl_calib_hdr hdr; + struct iwl_calib_cmd cmd; /* data follows */ };
@@ -43,12 +43,12 @@ int iwl_send_calib_results(struct iwl_priv *priv) int ret; hcmd.len[0] = res->cmd_len; - hcmd.data[0] = &res->hdr; + hcmd.data[0] = &res->cmd; hcmd.dataflags[0] = IWL_HCMD_DFL_NOCOPY; ret = iwl_dvm_send_cmd(priv, &hcmd); if (ret) { IWL_ERR(priv, "Error %d on calib cmd %d\n", - ret, res->hdr.op_code); + ret, res->cmd.hdr.op_code); return ret; } } @@ -57,7 +57,7 @@ int iwl_send_calib_results(struct iwl_priv *priv) } int iwl_calib_set(struct iwl_priv *priv, - const struct iwl_calib_hdr *cmd, int len) + const struct iwl_calib_cmd *cmd, int len) { struct iwl_calib_result *res, *tmp; @@ -69,7 +69,7 @@ int iwl_calib_set(struct iwl_priv *priv, res->cmd_len = len; list_for_each_entry(tmp, &priv->calib_results, list) { - if (tmp->hdr.op_code == res->hdr.op_code) { + if (tmp->cmd.hdr.op_code == res->cmd.hdr.op_code) { list_replace(&tmp->list, &res->list); kfree(tmp); return 0; diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c b/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c index 4b27a53d0bb4..bb13ca5d666c 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c +++ b/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c 
@@ -356,18 +356,18 @@ static bool iwlagn_wait_calib(struct iwl_notif_wait_data *notif_wait, struct iwl_rx_packet *pkt, void *data) { struct iwl_priv *priv = data; - struct iwl_calib_hdr *hdr; + struct iwl_calib_cmd *cmd; if (pkt->hdr.cmd != CALIBRATION_RES_NOTIFICATION) { WARN_ON(pkt->hdr.cmd != CALIBRATION_COMPLETE_NOTIFICATION); return true; } - hdr = (struct iwl_calib_hdr *)pkt->data; + cmd = (struct iwl_calib_cmd *)pkt->data; - if (iwl_calib_set(priv, hdr, iwl_rx_packet_payload_len(pkt))) + if (iwl_calib_set(priv, cmd, iwl_rx_packet_payload_len(pkt))) IWL_ERR(priv, "Failed to record calibration data %d\n", - hdr->op_code); + cmd->hdr.op_code); return false; } From patchwork Wed May 4 01:44:16 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836826
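Review bot: in the dvm/calib.c hunks of [PATCH 06/32], struct iwl_calib_result loses its hdr member in favour of cmd, but no hunk updates the memcpy(&res->hdr, cmd, len) call in iwl_calib_set(), which the next patch in the series still shows as a removed line. With only this patch applied, res->hdr names a member that no longer exists, so the tree would not build at this commit and bisection breaks. Switch that call to copy into &res->cmd in this patch, or fold this preparation into the patch that removes the memcpy().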
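Review bot: in the dvm/ucode.c hunk of [PATCH 06/32], iwlagn_wait_calib() casts pkt->data to struct iwl_calib_cmd * and its error path prints cmd->hdr.op_code, but nothing in the hunk checks that iwl_rx_packet_payload_len(pkt) is at least sizeof(cmd->hdr) before that read. Since the stated aim is to let the callee examine the bounds of the struct, validate the payload length here before the cast, or leave op_code out of the message when the length is what failed, so a short notification is never read past its end.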
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , Andy Lavr , Luca Coelho , Kalle Valo , "David S. Miller" , Jakub Kicinski , Paolo Abeni , Gregory Greenman , Eric Dumazet , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , Christian Göttsche , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K.
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , Nick Desaulniers , Nuno Sá , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang Subject: [PATCH 07/32] iwlwifi: calib: Use mem_to_flex_dup() with struct iwl_calib_result Date: Tue, 3 May 2022 18:44:16 -0700 Message-Id: <20220504014440.3697851-8-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk
List-ID: X-Mailing-List: linux-scsi@vger.kernel.org As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Avoids future false-positive warning when strict run-time memcpy() bounds checking is enabled: memcpy: detected field-spanning write (size 8) of single field "&res->hdr" (size 4) Adds an additional size check since the minimum isn't 0. Reported-by: Andy Lavr Cc: Luca Coelho Cc: Kalle Valo Cc: "David S. Miller" Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Gregory Greenman Cc: Eric Dumazet Cc: linux-wireless@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/wireless/intel/iwlwifi/dvm/calib.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c index ae1f0cf560e2..7480c19d7af0 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c +++ b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c @@ -18,8 +18,11 @@ /* Opaque calibration results */ struct iwl_calib_result { struct list_head list; - size_t cmd_len; - struct iwl_calib_cmd cmd; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, cmd_len); + union { + struct iwl_calib_cmd cmd; + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); + }; /* data follows */ };
@@ -59,14 +62,10 @@ int iwl_send_calib_results(struct iwl_priv *priv) int iwl_calib_set(struct iwl_priv *priv, const struct iwl_calib_cmd *cmd, int len) { - struct iwl_calib_result *res, *tmp; + struct iwl_calib_result *res = NULL, *tmp; - res = kmalloc(sizeof(*res) + len - sizeof(struct iwl_calib_hdr), - GFP_ATOMIC); - if (!res) + if (len < sizeof(*cmd) || mem_to_flex_dup(&res, cmd, len, GFP_ATOMIC)) return -ENOMEM; - memcpy(&res->hdr, cmd, len); - res->cmd_len = len; list_for_each_entry(tmp, &priv->calib_results, list) { if (tmp->cmd.hdr.op_code == res->cmd.hdr.op_code) { From patchwork Wed May 4 01:44:17 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836823
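Review bot: in the struct iwl_calib_result hunk of [PATCH 07/32], the new anonymous union places the data flex array at the same offset as cmd, yet the hunk keeps the old "/* data follows */" comment and says nothing about the aliasing. Replace the comment with one stating that data overlays cmd, header included, and what cmd_len counts, because hcmd.len[0] = res->cmd_len and hcmd.data[0] = &res->cmd in iwl_send_calib_results() depend on cmd_len still being the full command length that the removed res->cmd_len = len; recorded.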
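Review bot: in the iwl_calib_set() hunk of [PATCH 07/32], len is an int, so in len < sizeof(*cmd) it is converted to an unsigned type and a negative value compares as very large and passes the new minimum-size check. Make len a size_t, or reject len < 0 explicitly, before handing it to mem_to_flex_dup(). The same branch returns -ENOMEM for a too-short payload; -EINVAL would keep malformed input distinguishable from allocation failure.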
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , Luca Coelho , Kalle Valo , "David S. Miller" , Jakub Kicinski , Paolo Abeni , Johannes Berg , Gregory Greenman , Eric Dumazet , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , Christian Göttsche , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , John Keeping , Juergen Gross , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K.
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , Nick Desaulniers , Nuno Sá , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang Subject: [PATCH 08/32] iwlwifi: mvm: Use mem_to_flex_dup() with struct ieee80211_key_conf Date: Tue, 3 May 2022 18:44:17 -0700 Message-Id: <20220504014440.3697851-9-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk
List-ID: X-Mailing-List: linux-scsi@vger.kernel.org As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Luca Coelho Cc: Kalle Valo Cc: "David S. Miller" Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Johannes Berg Cc: Gregory Greenman Cc: Eric Dumazet Cc: linux-wireless@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 8 ++------ include/net/mac80211.h | 4 ++-- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c index 406f0a50a5bf..23cade528dcf 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c @@ -4108,7 +4108,7 @@ int iwl_mvm_add_pasn_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif, int ret; u16 queue; struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); - struct ieee80211_key_conf *keyconf; + struct ieee80211_key_conf *keyconf = NULL; ret = iwl_mvm_allocate_int_sta(mvm, sta, 0, NL80211_IFTYPE_UNSPECIFIED, @@ -4122,15 +4122,11 @@ int iwl_mvm_add_pasn_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif, if (ret) goto out; - keyconf = kzalloc(sizeof(*keyconf) + key_len, GFP_KERNEL); - if (!keyconf) { + if (mem_to_flex_dup(&keyconf, key, key_len, GFP_KERNEL)) { ret = -ENOBUFS; goto out; } - keyconf->cipher = cipher; - memcpy(keyconf->key, key, key_len); - keyconf->keylen = key_len; ret = iwl_mvm_send_sta_key(mvm, sta->sta_id, keyconf, false, 0, NULL, 0, 0, true); diff --git a/include/net/mac80211.h b/include/net/mac80211.h index 75880fc70700..4abe52963a96 100644 --- a/include/net/mac80211.h +++ b/include/net/mac80211.h
@@ -1890,8 +1890,8 @@ struct ieee80211_key_conf { u8 hw_key_idx; s8 keyidx; u16 flags; - u8 keylen; - u8 key[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u8, keylen); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, key); }; #define IEEE80211_MAX_PN_LEN 16 From patchwork Wed May 4 01:44:18 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836946
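Review bot: the second mvm/sta.c hunk of [PATCH 08/32] removes keyconf->cipher = cipher; together with the memcpy() and the keylen assignment, and cipher is not passed to mem_to_flex_dup(), so keyconf reaches iwl_mvm_send_sta_key() with cipher never set. Keep the cipher assignment after the helper call. The old allocation was kzalloc(), so also confirm that the helper zeroes the non-array members (hw_key_idx, keyidx, flags) or say in the commit message that it does.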
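Review bot: in the include/net/mac80211.h hunk of [PATCH 08/32], the element count keylen stays a u8, while the removed keyconf->keylen = key_len; stored the caller's length into it with no range check. The commit message should state what mem_to_flex_dup() does when key_len does not fit in keylen, since iwl_mvm_add_pasn_sta() maps any helper failure to -ENOBUFS. The hunk also changes a shared mac80211 structure from inside a driver patch, which is worth calling out in the subject or splitting into its own patch.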
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , Christian Lamparter , Kalle Valo , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , Christian Göttsche , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K.
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , Nick Desaulniers , Nuno Sá , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang Subject: [PATCH 09/32] p54: Use mem_to_flex_dup() with struct p54_cal_database Date: Tue, 3 May 2022 18:44:18 -0700 Message-Id: <20220504014440.3697851-10-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID:
X-Mailing-List: linux-scsi@vger.kernel.org As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Christian Lamparter Cc: Kalle Valo Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: linux-wireless@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/wireless/intersil/p54/eeprom.c | 8 ++------ drivers/net/wireless/intersil/p54/p54.h | 4 ++-- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/intersil/p54/eeprom.c b/drivers/net/wireless/intersil/p54/eeprom.c index 5bd35c147e19..bd9b3ea327b9 100644 --- a/drivers/net/wireless/intersil/p54/eeprom.c +++ b/drivers/net/wireless/intersil/p54/eeprom.c @@ -702,7 +702,7 @@ static int p54_convert_output_limits(struct ieee80211_hw *dev, static struct p54_cal_database *p54_convert_db(struct pda_custom_wrapper *src, size_t total_len) { - struct p54_cal_database *dst; + struct p54_cal_database *dst = NULL; size_t payload_len, entries, entry_size, offset; payload_len = le16_to_cpu(src->len); @@ -713,16 +713,12 @@ static struct p54_cal_database *p54_convert_db(struct pda_custom_wrapper *src, (payload_len + sizeof(*src) != total_len)) return NULL; - dst = kmalloc(sizeof(*dst) + payload_len, GFP_KERNEL); - if (!dst) + if (mem_to_flex_dup(&dst, src->data, payload_len, GFP_KERNEL)) return NULL; dst->entries = entries; dst->entry_size = entry_size; dst->offset = offset; - dst->len = payload_len; - - memcpy(dst->data, src->data, payload_len); return dst; } diff --git a/drivers/net/wireless/intersil/p54/p54.h b/drivers/net/wireless/intersil/p54/p54.h index 3356ea708d81..22bbb6d28245 100644 --- a/drivers/net/wireless/intersil/p54/p54.h +++ b/drivers/net/wireless/intersil/p54/p54.h
@@ -125,8 +125,8 @@ struct p54_cal_database { size_t entries; size_t entry_size; size_t offset; - size_t len; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; #define EEPROM_READBACK_LEN 0x3fc From patchwork Wed May 4 01:44:19 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836820
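Review bot: in the p54_convert_db() hunk of [PATCH 09/32], the removed dst->len = payload_len; made it explicit that len is populated, while the new code leaves that to mem_to_flex_dup() with nothing in the hunk or the commit message saying so, and dst now has to start as NULL without explanation. Add a short comment at the call, or a sentence in the commit message, stating that the helper is what sets dst->len and why the destination must be NULL on entry, so the remaining dst->entries, dst->entry_size and dst->offset assignments read as the only fields still filled by hand.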
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 10/32] wcn36xx: Use mem_to_flex_dup() with struct wcn36xx_hal_ind_msg
Date: Tue, 3 May 2022 18:44:19 -0700
Message-Id: <20220504014440.3697851-11-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Loic Poulain
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: wcn36xx@lists.infradead.org
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/net/wireless/ath/wcn36xx/smd.c | 8 ++------
 drivers/net/wireless/ath/wcn36xx/smd.h | 4 ++--
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c index dc3805609284..106af0a2ffc4 100644 --- a/drivers/net/wireless/ath/wcn36xx/smd.c +++ b/drivers/net/wireless/ath/wcn36xx/smd.c @@ -3343,7 +3343,7 @@ int wcn36xx_smd_rsp_process(struct rpmsg_device *rpdev, const struct wcn36xx_hal_msg_header *msg_header = buf; struct ieee80211_hw *hw = priv; struct wcn36xx *wcn = hw->priv; - struct wcn36xx_hal_ind_msg *msg_ind; + struct wcn36xx_hal_ind_msg *msg_ind = NULL; wcn36xx_dbg_dump(WCN36XX_DBG_SMD_DUMP, "SMD <<< ", buf, len); switch (msg_header->msg_type) { @@ -3407,16 +3407,12 @@ int wcn36xx_smd_rsp_process(struct rpmsg_device *rpdev, case WCN36XX_HAL_DELETE_STA_CONTEXT_IND: case WCN36XX_HAL_PRINT_REG_INFO_IND: case WCN36XX_HAL_SCAN_OFFLOAD_IND: - msg_ind = kmalloc(struct_size(msg_ind, msg, len), GFP_ATOMIC); - if (!msg_ind) { + if (mem_to_flex_dup(&msg_ind, buf, len, GFP_ATOMIC)) { wcn36xx_err("Run out of memory while handling SMD_EVENT (%d)\n", msg_header->msg_type); return -ENOMEM; } - msg_ind->msg_len = len; - memcpy(msg_ind->msg, buf, len); - spin_lock(&wcn->hal_ind_lock); list_add_tail(&msg_ind->list, &wcn->hal_ind_queue); queue_work(wcn->hal_ind_wq, &wcn->hal_ind_work);
diff --git a/drivers/net/wireless/ath/wcn36xx/smd.h b/drivers/net/wireless/ath/wcn36xx/smd.h index 3fd598ac2a27..76ecac46f36b 100644 --- a/drivers/net/wireless/ath/wcn36xx/smd.h +++ b/drivers/net/wireless/ath/wcn36xx/smd.h 
@@ -46,8 +46,8 @@ struct wcn36xx_fw_msg_status_rsp { struct wcn36xx_hal_ind_msg { struct list_head list; - size_t msg_len; - u8 msg[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, msg_len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, msg); }; struct wcn36xx;
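Review bot: In the second smd.c hunk (@@ -3407) of the wcn36xx patch, every nonzero return from mem_to_flex_dup() is logged as "Run out of memory" and turned into -ENOMEM, although the commit message says the helper also performs bounds checking, so a rejected length would be reported as an allocation failure. Suggest keeping the helper's return value in a local, returning it unchanged, and wording the wcn36xx_err() message so it covers both causes. The nl80211 patch in this series already propagates the return code through err, so this would also make the converted callers consistent.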
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 11/32] nl80211: Use mem_to_flex_dup() with struct cfg80211_cqm_config
Date: Tue, 3 May 2022 18:44:20 -0700
Message-Id: <20220504014440.3697851-12-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Johannes Berg
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: Eric Dumazet
Signed-off-by: Kees Cook
---
 net/wireless/core.h | 4 ++--
 net/wireless/nl80211.c | 15 ++++-----------
 2 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/net/wireless/core.h b/net/wireless/core.h index 3a7dbd63d8c6..899d111993c6 100644 --- a/net/wireless/core.h +++ b/net/wireless/core.h @@ -295,8 +295,8 @@ struct cfg80211_beacon_registration { struct cfg80211_cqm_config { u32 rssi_hyst; s32 last_rssi_event_value; - int n_rssi_thresholds; - s32 rssi_thresholds[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, n_rssi_thresholds); + DECLARE_FLEX_ARRAY_ELEMENTS(s32, rssi_thresholds); }; void cfg80211_destroy_ifaces(struct cfg80211_registered_device *rdev); diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 945ed87d12e0..70df7132cce8 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c
@@ -12096,21 +12096,14 @@ static int nl80211_set_cqm_rssi(struct genl_info *info, wdev_lock(wdev); if (n_thresholds) { - struct cfg80211_cqm_config *cqm_config; + struct cfg80211_cqm_config *cqm_config = NULL; - cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds, - n_thresholds), - GFP_KERNEL); - if (!cqm_config) { - err = -ENOMEM; + err = mem_to_flex_dup(&cqm_config, thresholds, n_thresholds, + GFP_KERNEL); + if (err) goto unlock; - } cqm_config->rssi_hyst = hysteresis; - cqm_config->n_rssi_thresholds = n_thresholds; - memcpy(cqm_config->rssi_thresholds, thresholds, - flex_array_size(cqm_config, rssi_thresholds, - n_thresholds)); wdev->cqm_config = cqm_config; }
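Review bot: In the nl80211.c hunk of the cfg80211_cqm_config patch, the third argument to mem_to_flex_dup() is n_thresholds, a count of s32 elements, while the removed memcpy() copied flex_array_size(cqm_config, rssi_thresholds, n_thresholds) bytes and the commit message speaks of deserializing "bytes". The neighbouring wcn36xx and cfg80211_bss_ies conversions use u8 arrays, where an element count and a byte length are the same number, so this is the caller where the unit matters. Please state in the commit message, or in a comment at the call, that the count is in elements, so a reader can confirm the helper copies n_thresholds * sizeof(s32) bytes and not n_thresholds bytes. The removed kzalloc() also left last_rssi_event_value zeroed, so it is worth confirming that the helper zero-fills the members it does not set.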
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 12/32] cfg80211: Use mem_to_flex_dup() with struct cfg80211_bss_ies
Date: Tue, 3 May 2022 18:44:21 -0700
Message-Id: <20220504014440.3697851-13-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Johannes Berg
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Eric Dumazet
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 include/net/cfg80211.h | 4 ++--
 net/wireless/scan.c | 21 ++++++---------------
 2 files changed, 8 insertions(+), 17 deletions(-)

diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h index 68713388b617..fa236015f6ef 100644 --- a/include/net/cfg80211.h +++ b/include/net/cfg80211.h @@ -2600,9 +2600,9 @@ struct cfg80211_inform_bss { struct cfg80211_bss_ies { u64 tsf; struct rcu_head rcu_head; - int len; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); bool from_beacon; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; /** diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 4a6d86432910..9f53d05c6aaa 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1932,7 +1932,7 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy, gfp_t gfp) { struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); - struct cfg80211_bss_ies *ies; + struct cfg80211_bss_ies *ies = NULL; struct ieee80211_channel *channel; struct cfg80211_internal_bss tmp = {}, *res; int bss_type; @@ -1978,13 +1978,10 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy, * override the IEs pointer should we have received an earlier * indication of Probe Response data. */ - ies = kzalloc(sizeof(*ies) + ielen, gfp); - if (!ies) + if (mem_to_flex_dup(&ies, ie, ielen, gfp)) return NULL; - ies->len = ielen; ies->tsf = tsf; ies->from_beacon = false; - memcpy(ies->data, ie, ielen); switch (ftype) { case CFG80211_BSS_FTYPE_BEACON:
@@ -2277,7 +2274,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, size_t ielen = len - offsetof(struct ieee80211_mgmt, u.probe_resp.variable); size_t new_ie_len; - struct cfg80211_bss_ies *new_ies; + struct cfg80211_bss_ies *new_ies = NULL; const struct cfg80211_bss_ies *old; u8 cpy_len; @@ -2314,8 +2311,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, if (!new_ie) return; - new_ies = kzalloc(sizeof(*new_ies) + new_ie_len, GFP_ATOMIC); - if (!new_ies) + if (mem_to_flex_dup(&new_ies, new_ie, new_ie_len, GFP_ATOMIC)) goto out_free; pos = new_ie; @@ -2333,10 +2329,8 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, memcpy(pos, mbssid + cpy_len, ((ie + ielen) - (mbssid + cpy_len))); /* update ie */ - new_ies->len = new_ie_len; new_ies->tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp); new_ies->from_beacon = ieee80211_is_beacon(mgmt->frame_control); - memcpy(new_ies->data, new_ie, new_ie_len); if (ieee80211_is_probe_resp(mgmt->frame_control)) { old = rcu_access_pointer(nontrans_bss->proberesp_ies); rcu_assign_pointer(nontrans_bss->proberesp_ies, new_ies); @@ -2363,7 +2357,7 @@ cfg80211_inform_single_bss_frame_data(struct wiphy *wiphy, gfp_t gfp) { struct cfg80211_internal_bss tmp = {}, *res; - struct cfg80211_bss_ies *ies; + struct cfg80211_bss_ies *ies = NULL; struct ieee80211_channel *channel; bool signal_valid; struct ieee80211_ext *ext = NULL; 
@@ -2442,14 +2436,11 @@ cfg80211_inform_single_bss_frame_data(struct wiphy *wiphy, capability = le16_to_cpu(mgmt->u.probe_resp.capab_info); } - ies = kzalloc(sizeof(*ies) + ielen, gfp); - if (!ies) + if (mem_to_flex_dup(&ies, variable, ielen, gfp)) return NULL; - ies->len = ielen; ies->tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp); ies->from_beacon = ieee80211_is_beacon(mgmt->frame_control) || ieee80211_is_s1g_beacon(mgmt->frame_control); - memcpy(ies->data, variable, ielen); if (ieee80211_is_probe_resp(mgmt->frame_control)) rcu_assign_pointer(tmp.pub.proberesp_ies, ies);
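Review bot: In cfg80211_update_notlisted_nontrans() (scan.c hunks @@ -2314 and @@ -2333 of the cfg80211_bss_ies patch), the copy into new_ies now happens before new_ie has been filled in. The removed code allocated new_ies first, then built the element buffer ("pos = new_ie;" followed by the memcpy() calls into pos), and only after the "update ie" comment ran "memcpy(new_ies->data, new_ie, new_ie_len);". With mem_to_flex_dup(&new_ies, new_ie, new_ie_len, GFP_ATOMIC) placed at the old allocation site, new_ies->data receives whatever new_ie holds before it is populated, and the assembled elements never reach new_ies. Suggest moving the mem_to_flex_dup() call down to where the removed memcpy() was, once the buffer is complete, with its failure still going to out_free.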
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , Johannes Berg , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , Nick Desaulniers , =?utf-8?q?Nuno_S=C3=A1?= , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang Subject: [PATCH 13/32] mac80211: Use mem_to_flex_dup() with several structs Date: Tue, 3 May 2022 18:44:22 -0700 Message-Id: <20220504014440.3697851-14-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=4296; h=from:subject; bh=pufTBCpv1+FASDh6fZcOJeIhSO8YXc6ZD3a299NrZm4=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBicdqDYrX5tu9Go+cvYwIXEOTpZneB8YhW9dUC3sac ck3ML8KJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYnHagwAKCRCJcvTf3G3AJq+JD/ 0X3AbEhtjv68HS2Qdhx7xmo3K/uONkt1yj8h+vION6AHfDmeZPu5bBaCsLzt2TEAHsBPpBRc/uejYa E5pfehOGAmVM9Fmpr+oP9ly2RkyPTwtNTxFzb4xd27IkVD6UCFORNFDveBYD2VZmO04Vlo9STZ2Bva Ya86oVZEXAhbCZ0AKH2Z49cpjz9VZgyDJ90DrfDKvzm96gavfrOqU0IVXkfUaaZ2QIO1JKI1ll5mvN bjuyTdXnOlMf6CsLwcLHMMb3wDPPpFe8MXv8dayu3NC1pfidvNqoPkozVAiGWacsIqIp8awptGqHH3 yZM3uXcRJhmG01Xnag1yX2F7KLQmdLxTX6Hbi08mVFLjqUHf68oJ6AVzIx7EMO+10VCaS/VKc3pV3a pK6YmhDCo4DAFS2qS/uEZXisfMRLsJ/cNqfILKDs5PJ0Es4D+au1dZbccNyNOsuJKBeugjRZ5yxcT7 MJKOMLVY1PqPEf5qN8rvFBbg71fUmT5dpnBhj5KXWGXisWBxjiXBivh+CA2Ejt0B6LRCEsIE3FDe5W KUS1oA4CkivV4K+FG1LXa3Rjg0Q3XEjfoJZfQnEJWIevZxzJmOPWarLDNgPdL+D9ql+ZHO2xZ2SL6R x2yZO7FnhS+Q3p1vFXul6o0tnRCpX7VXjQMb8yEVgGi33g8kkzRVmWX114lw== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: 

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying:

struct probe_resp
struct fils_discovery_data
struct unsol_bcast_probe_resp_data

Cc: Johannes Berg
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
net/mac80211/cfg.c | 22 ++++++----------------
net/mac80211/ieee80211_i.h | 12 ++++++------
2 files changed, 12 insertions(+), 22 deletions(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index f1d211e61e49..355edbf41707 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -867,20 +867,16 @@ ieee80211_set_probe_resp(struct ieee80211_sub_if_data *sdata, const struct ieee80211_csa_settings *csa, const struct ieee80211_color_change_settings *cca) { - struct probe_resp *new, *old; + struct probe_resp *new = NULL, *old; if (!resp || !resp_len) return 1; old = sdata_dereference(sdata->u.ap.probe_resp, sdata); - new = kzalloc(sizeof(struct probe_resp) + resp_len, GFP_KERNEL); - if (!new) + if (mem_to_flex_dup(&new, resp, resp_len, GFP_KERNEL)) return -ENOMEM; - new->len = resp_len; - memcpy(new->data, resp, resp_len); - if (csa) memcpy(new->cntdwn_counter_offsets, csa->counter_offsets_presp, csa->n_counter_offsets_presp * @@ -898,7 +894,7 @@ ieee80211_set_probe_resp(struct ieee80211_sub_if_data *sdata, static int ieee80211_set_fils_discovery(struct ieee80211_sub_if_data *sdata, struct cfg80211_fils_discovery *params) { - struct fils_discovery_data *new, *old = NULL; + struct fils_discovery_data *new = NULL, *old = NULL; struct ieee80211_fils_discovery *fd; if (!params->tmpl || !params->tmpl_len) 
@@ -909,11 +905,8 @@ static int ieee80211_set_fils_discovery(struct ieee80211_sub_if_data *sdata, fd->max_interval = params->max_interval; old = sdata_dereference(sdata->u.ap.fils_discovery, sdata); - new = kzalloc(sizeof(*new) + params->tmpl_len, GFP_KERNEL); - if (!new) + if (mem_to_flex_dup(&new, params->tmpl, params->tmpl_len, GFP_KERNEL)) return -ENOMEM; - new->len = params->tmpl_len; - memcpy(new->data, params->tmpl, params->tmpl_len); rcu_assign_pointer(sdata->u.ap.fils_discovery, new); if (old) @@ -926,17 +919,14 @@ static int ieee80211_set_unsol_bcast_probe_resp(struct ieee80211_sub_if_data *sdata, struct cfg80211_unsol_bcast_probe_resp *params) { - struct unsol_bcast_probe_resp_data *new, *old = NULL; + struct unsol_bcast_probe_resp_data *new = NULL, *old = NULL; if (!params->tmpl || !params->tmpl_len) return -EINVAL; old = sdata_dereference(sdata->u.ap.unsol_bcast_probe_resp, sdata); - new = kzalloc(sizeof(*new) + params->tmpl_len, GFP_KERNEL); - if (!new) + if (mem_to_flex_dup(&new, params->tmpl, params->tmpl_len, GFP_KERNEL)) return -ENOMEM; - new->len = params->tmpl_len; - memcpy(new->data, params->tmpl, params->tmpl_len); rcu_assign_pointer(sdata->u.ap.unsol_bcast_probe_resp, new); if (old) diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index d4a7ba4a8202..2e9bbfb12c0d 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h 
@@ -263,21 +263,21 @@ struct beacon_data { struct probe_resp { struct rcu_head rcu_head; - int len; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); u16 cntdwn_counter_offsets[IEEE80211_MAX_CNTDWN_COUNTERS_NUM]; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; struct fils_discovery_data { struct rcu_head rcu_head; - int len; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; struct unsol_bcast_probe_resp_data { struct rcu_head rcu_head; - int len; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; struct ps_data {
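
Review bot: In ieee80211_set_probe_resp() the removed allocation was kzalloc(), and the visible context shows cntdwn_counter_offsets being written only under `if (csa)`, so the old code relied on zeroed memory for that array when no CSA settings are passed. Nothing in the hunk or the commit message says that mem_to_flex_dup() returns a zeroed object. Either state that guarantee in the commit message or clear cntdwn_counter_offsets explicitly after the call, otherwise readers of the offsets may see uninitialised heap contents.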
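
Review bot: In ieee80211_set_fils_discovery() and ieee80211_set_unsol_bcast_probe_resp() the result of mem_to_flex_dup() is only tested for non-zero and then replaced by -ENOMEM. The commit message says the helper also performs bounds checking, so a tmpl_len that does not fit the `int len` counter would be reported to the caller as an allocation failure. Keep the helper's return value in a local and return it unchanged, e.g. `err = mem_to_flex_dup(&new, params->tmpl, params->tmpl_len, GFP_KERNEL); if (err) return err;` (err being a new local), so a rejected length is distinguishable from memory pressure.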
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Kuniyuki Iwashima , Alexei Starovoitov , Cong Wang , Al Viro , netdev@vger.kernel.org, alsa-devel@alsa-project.org, Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , Nick Desaulniers , =?utf-8?q?Nuno_S=C3=A1?= , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang
Subject: [PATCH 14/32] af_unix: Use mem_to_flex_dup() with struct unix_address
Date: Tue, 3 May 2022 18:44:23 -0700
Message-Id: <20220504014440.3697851-15-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Kuniyuki Iwashima
Cc: Alexei Starovoitov
Cc: Cong Wang
Cc: Al Viro
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
include/net/af_unix.h | 14 ++++++++++++--
net/unix/af_unix.c | 7 ++-----
2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/include/net/af_unix.h b/include/net/af_unix.h index a7ef624ed726..422535b71295 100644 --- a/include/net/af_unix.h +++ b/include/net/af_unix.h @@ -25,8 +25,18 @@ extern struct hlist_head unix_socket_table[2 * UNIX_HASH_SIZE]; struct unix_address { refcount_t refcnt; - int len; - struct sockaddr_un name[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); + union { + DECLARE_FLEX_ARRAY(struct sockaddr_un, name); + /* + * While a struct is used to access the flexible + * array, it may only be partially populated, and + * "len" above is actually tracking bytes, not a + * count of struct sockaddr_un elements, so also + * include a byte-size flexible array. + */ + DECLARE_FLEX_ARRAY_ELEMENTS(u8, bytes); + }; }; struct unix_skb_parms { diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index e1dd9e9c8452..8410cbc82ded 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c 
@@ -244,15 +244,12 @@ EXPORT_SYMBOL_GPL(unix_peer_get); static struct unix_address *unix_create_addr(struct sockaddr_un *sunaddr, int addr_len) { - struct unix_address *addr; + struct unix_address *addr = NULL; - addr = kmalloc(sizeof(*addr) + addr_len, GFP_KERNEL); - if (!addr) + if (mem_to_flex_dup(&addr, sunaddr, addr_len, GFP_KERNEL)) return NULL; refcount_set(&addr->refcnt, 1); - addr->len = addr_len; - memcpy(addr->name, sunaddr, addr_len); return addr; }
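
Review bot: In struct unix_address the new comment explains why the u8 bytes[] member exists, but it does not say which member of the union the flex_array.h helpers pair with the len counter; name[] is declared with plain DECLARE_FLEX_ARRAY while bytes[] uses DECLARE_FLEX_ARRAY_ELEMENTS, and a reader meeting the union cold cannot tell that the distinction matters. Add one sentence to the comment naming the member that allocation and copying go through and saying that name[] is kept for typed access by existing users.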
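
Review bot: In unix_create_addr() the `int addr_len` parameter is passed straight to mem_to_flex_dup() as the count, and the counter it lands in is also declared as int. The hunk does not show what the helper does with a negative count, and the removed kmalloc(sizeof(*addr) + addr_len) plus memcpy() gave no protection there either. Say in the commit message whether callers have already range-checked addr_len or whether the helper rejects negative values, so the bounds-checking claim can be verified from this patch alone.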
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Hulk Robot , Yang Yingliang , netdev@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , Nick Desaulniers , =?utf-8?q?Nuno_S=C3=A1?= , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng
Subject: [PATCH 15/32] 802/garp: Use mem_to_flex_dup() with struct garp_attr
Date: Tue, 3 May 2022 18:44:24 -0700
Message-Id: <20220504014440.3697851-16-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Hulk Robot
Cc: Yang Yingliang
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
include/net/garp.h | 4 ++--
net/802/garp.c | 9 +++------
2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/include/net/garp.h b/include/net/garp.h index 4d9a0c6a2e5f..ec087ae534e7 100644 --- a/include/net/garp.h +++ b/include/net/garp.h @@ -80,8 +80,8 @@ struct garp_attr { struct rb_node node; enum garp_applicant_state state; u8 type; - u8 dlen; - unsigned char data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u8, dlen); + DECLARE_FLEX_ARRAY_ELEMENTS(unsigned char, data); }; enum garp_applications { diff --git a/net/802/garp.c b/net/802/garp.c index f6012f8e59f0..72743ed00a54 100644 --- a/net/802/garp.c +++ b/net/802/garp.c @@ -168,7 +168,7 @@ static struct garp_attr *garp_attr_create(struct garp_applicant *app, const void *data, u8 len, u8 type) { struct rb_node *parent = NULL, **p = &app->gid.rb_node; - struct garp_attr *attr; + struct garp_attr *attr = NULL; int d; while (*p) { 
@@ -184,13 +184,10 @@ static struct garp_attr *garp_attr_create(struct garp_applicant *app, return attr; } } - attr = kmalloc(sizeof(*attr) + len, GFP_ATOMIC); - if (!attr) - return attr; + if (mem_to_flex_dup(&attr, data, len, GFP_ATOMIC)) + return NULL; attr->state = GARP_APPLICANT_VO; attr->type = type; - attr->dlen = len; - memcpy(attr->data, data, len); rb_link_node(&attr->node, parent, p); rb_insert_color(&attr->node, &app->gid);
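
Review bot: In garp_attr_create() attr is the same variable used by the `while (*p)` walk (the loop's `return attr;` is visible as context at the top of the second hunk), so when the walk ends without a match attr can still point at the last node visited rather than NULL. The `= NULL` initialiser added in the first hunk suggests mem_to_flex_dup() expects an empty destination pointer; if it does, the call fails for every non-empty tree and no second attribute can be created. Reset attr to NULL after the loop, or allocate into a separate local and leave the cursor variable alone.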
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Yang Yingliang , netdev@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , Nick Desaulniers , =?utf-8?q?Nuno_S=C3=A1?= , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng
Subject: [PATCH 16/32] 802/mrp: Use mem_to_flex_dup() with struct mrp_attr
Date: Tue, 3 May 2022 18:44:25 -0700
Message-Id: <20220504014440.3697851-17-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Yang Yingliang
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
include/net/mrp.h | 4 ++--
net/802/mrp.c | 9 +++------
2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/include/net/mrp.h b/include/net/mrp.h index 1c308c034e1a..211670bb46f2 100644 --- a/include/net/mrp.h +++ b/include/net/mrp.h @@ -91,8 +91,8 @@ struct mrp_attr { struct rb_node node; enum mrp_applicant_state state; u8 type; - u8 len; - unsigned char value[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u8, len); + DECLARE_FLEX_ARRAY_ELEMENTS(unsigned char, value); }; enum mrp_applications { diff --git a/net/802/mrp.c b/net/802/mrp.c index 35e04cc5390c..8b9b2e685a42 100644 --- a/net/802/mrp.c +++ b/net/802/mrp.c @@ -257,7 +257,7 @@ static struct mrp_attr *mrp_attr_create(struct mrp_applicant *app, const void *value, u8 len, u8 type) { struct rb_node *parent = NULL, **p = &app->mad.rb_node; - struct mrp_attr *attr; + struct mrp_attr *attr = NULL; int d; while (*p) { 
@@ -273,13 +273,10 @@ static struct mrp_attr *mrp_attr_create(struct mrp_applicant *app, return attr; } } - attr = kmalloc(sizeof(*attr) + len, GFP_ATOMIC); - if (!attr) - return attr; + if (mem_to_flex_dup(&attr, value, len, GFP_ATOMIC)) + return NULL; attr->state = MRP_APPLICANT_VO; attr->type = type; - attr->len = len; - memcpy(attr->value, value, len); rb_link_node(&attr->node, parent, p); rb_insert_color(&attr->node, &app->mad);
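
Review bot: In mrp_attr_create() the destination passed to mem_to_flex_dup(&attr, value, len, GFP_ATOMIC) is the cursor variable of the preceding `while (*p)` lookup, which returns attr on a match (context line at the top of the second hunk). Initialising attr to NULL at its declaration does not cover the path where the lookup visited nodes and found no match, so attr may be non-NULL at the call. If the helper requires a NULL destination, set attr = NULL immediately before the call or use a dedicated variable for the new object.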
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Baowen Zheng , Eli Cohen , Louis Peens , Simon Horman , netdev@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , Nick Desaulniers , =?utf-8?q?Nuno_S=C3=A1?= , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang
Subject: [PATCH 17/32] net/flow_offload: Use mem_to_flex_dup() with struct flow_action_cookie
Date: Tue, 3 May 2022 18:44:26 -0700
Message-Id: <20220504014440.3697851-18-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
MIME-Version: 1.0
Precedence: bulk List-ID:
X-Mailing-List: linux-scsi@vger.kernel.org As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded a deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Baowen Zheng Cc: Eli Cohen Cc: Louis Peens Cc: Simon Horman Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook --- include/net/flow_offload.h | 4 ++-- net/core/flow_offload.c | 7 ++----- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h index 021778a7e1af..ca5db457a0bc 100644 --- a/include/net/flow_offload.h +++ b/include/net/flow_offload.h @@ -190,8 +190,8 @@ enum flow_action_hw_stats { typedef void (*action_destr)(void *priv); struct flow_action_cookie { - u32 cookie_len; - u8 cookie[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, cookie_len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, cookie); }; struct flow_action_cookie *flow_action_cookie_create(void *data, diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c index 73f68d4625f3..e23c8d05b828 100644 --- a/net/core/flow_offload.c +++ b/net/core/flow_offload.c 
@@ -199,13 +199,10 @@ struct flow_action_cookie *flow_action_cookie_create(void *data, unsigned int len, gfp_t gfp) { - struct flow_action_cookie *cookie; + struct flow_action_cookie *cookie = NULL; - cookie = kmalloc(sizeof(*cookie) + len, gfp); - if (!cookie) + if (mem_to_flex_dup(&cookie, data, len, gfp)) return NULL; - cookie->cookie_len = len; - memcpy(cookie->cookie, data, len); return cookie; } EXPORT_SYMBOL(flow_action_cookie_create); From patchwork Wed May 4 01:44:27 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836945 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E0F5DC433FE for ; Wed, 4 May 2022 01:56:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343806AbiEDB6y (ORCPT ); Tue, 3 May 2022 21:58:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39336 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343764AbiEDB6q (ORCPT ); Tue, 3 May 2022 21:58:46 -0400 Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 80B0149C87 for ; Tue, 3 May 2022 18:52:52 -0700 (PDT) Received: by mail-pj1-x1030.google.com with SMTP id gj17-20020a17090b109100b001d8b390f77bso3946471pjb.1 for ; Tue, 03 May 2022 18:52:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=c1Rtb5BPD8+4OzMMFAYya8AfbyIngu3+nEeMZt3y0UI=; b=PPT74quvAq5PeXKx/MiU6TPQu9k3CNU13XJUuKL0EyoDADIEUu/0flA/RnFvgA1c7X mBDEtN+hqIFmsdnm+Z9MnOUhAzMjdHFmhT3p34uRueOVQQXniPBqP+mbSA7EtL7aqOIy 
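Review bot: the include/net/flow_offload.h hunk starts using DECLARE_FLEX_ARRAY_ELEMENTS_COUNT() and DECLARE_FLEX_ARRAY_ELEMENTS() without adding an #include for the header that defines them. The diffstat shows only 4 changed lines in flow_offload.h, all of them in the struct body, so the struct now compiles only if the definition arrives through some other include. Add the include here so the header stays self-contained, and consider a one-line comment that cookie_len is the element count of cookie[], since the macros hide both member declarations from anyone searching for them.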
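Review bot: in flow_action_cookie_create() every non-zero return of mem_to_flex_dup() is collapsed to NULL, so a caller can no longer tell an allocation failure from a length the helper's bounds check refused. Before this change NULL only ever meant that kmalloc() failed. Either document on the function that NULL now covers both cases, or confirm that no caller reports it unconditionally as out of memory.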
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , Stefan Richter , linux1394-devel@lists.sourceforge.net, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , "David S. Miller" , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Dumazet , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , netdev@vger.kernel.org, Nick Desaulniers , =?utf-8?q?Nuno_S=C3=A1?= , Paolo Abeni , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang
Subject: [PATCH 18/32] firewire: Use __mem_to_flex_dup() with struct iso_interrupt_event
Date: Tue, 3 May 2022 18:44:27 -0700
Message-Id: <20220504014440.3697851-19-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
MIME-Version: 1.0
Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded a deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Stefan Richter Cc: linux1394-devel@lists.sourceforge.net Signed-off-by: Kees Cook --- drivers/firewire/core-cdev.c | 7 ++----- include/uapi/linux/firewire-cdev.h | 4 ++-- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c index c9fe5903725a..7e884c61e12e 100644 --- a/drivers/firewire/core-cdev.c +++ b/drivers/firewire/core-cdev.c @@ -913,17 +913,14 @@ static void iso_callback(struct fw_iso_context *context, u32 cycle, size_t header_length, void *header, void *data) { struct client *client = data; - struct iso_interrupt_event *e; + struct iso_interrupt_event *e = NULL; - e = kmalloc(sizeof(*e) + header_length, GFP_ATOMIC); - if (e == NULL) + if (__mem_to_flex_dup(&e, .interrupt, header, header_length, GFP_ATOMIC)) return; e->interrupt.type = FW_CDEV_EVENT_ISO_INTERRUPT; e->interrupt.closure = client->iso_closure; e->interrupt.cycle = cycle; - e->interrupt.header_length = header_length; - memcpy(e->interrupt.header, header, header_length); queue_event(client, &e->event, &e->interrupt, sizeof(e->interrupt) + header_length, NULL, 0); } diff --git a/include/uapi/linux/firewire-cdev.h b/include/uapi/linux/firewire-cdev.h index 5effa9832802..22c5f59e9dfa 100644 --- a/include/uapi/linux/firewire-cdev.h +++ b/include/uapi/linux/firewire-cdev.h 
@@ -264,8 +264,8 @@ struct fw_cdev_event_iso_interrupt { __u64 closure; __u32 type; __u32 cycle; - __u32 header_length; - __u32 header[0]; + __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u32, header_length); + __DECLARE_FLEX_ARRAY_ELEMENTS(__u32, header); }; /** From patchwork Wed May 4 01:44:28 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836833 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C27E0C4167E for ; Wed, 4 May 2022 01:52:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343660AbiEDBzw (ORCPT ); Tue, 3 May 2022 21:55:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56758 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343717AbiEDBxF (ORCPT ); Tue, 3 May 2022 21:53:05 -0400 Received: from mail-pl1-x633.google.com (mail-pl1-x633.google.com [IPv6:2607:f8b0:4864:20::633]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B0B6D45780 for ; Tue, 3 May 2022 18:48:35 -0700 (PDT) Received: by mail-pl1-x633.google.com with SMTP id k1so167794pll.4 for ; Tue, 03 May 2022 18:48:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=ifZyQ0FGREg3J5AlhSr1XwF8hVhKkYa2p2S/5EeDNQo=; b=oI9BqoXIzDP9CoImflntgKhs0kNacYAtoqQVKtiTaZQIfSzE3upaJIyWSMVlJB9jX5 Uzgry9KW4Gc+1VYbvAKoSW8Y7tDSPleB46+D+uoXs4vfR0muKw9a9urjnLYWGuq+yUxW TpztkzpLBXFj1c/3e7LzufWdk2zzK47xh6GHU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to 
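Review bot: iso_callback() in drivers/firewire/core-cdev.c passes header_length, which the surrounding code treats as a byte count, as the count for an array whose elements are __u32. The removed lines allocated sizeof(*e) + header_length and copied header_length bytes, and the unchanged queue_event() call still sizes the event as sizeof(e->interrupt) + header_length, while the UAPI struct now declares the array with __DECLARE_FLEX_ARRAY_ELEMENTS(__u32, header). If __mem_to_flex_dup() scales the count by the element size, it will allocate and copy four times header_length bytes and read past the end of the source header buffer. Please state which unit the helper expects and make the count and the element type agree before this conversion goes in.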
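Review bot: the include/uapi/linux/firewire-cdev.h hunk replaces two plain members of struct fw_cdev_event_iso_interrupt with __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT() and __DECLARE_FLEX_ARRAY_ELEMENTS() and, per the diffstat (4 changed lines in this file), adds no #include for them. This header is compiled by userspace, so the macros have to come from an exported UAPI header that firewire-cdev.h includes itself, and they have to expand to the same "__u32 header_length;" member followed by a trailing __u32 array so that the layout does not change. The move away from "header[0]" is also an ABI-visible spelling change that deserves a sentence in the commit message.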
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , David Howells , Marc Dionne , linux-afs@lists.infradead.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , "David S. Miller" , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Dumazet , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , netdev@vger.kernel.org, Nick Desaulniers , =?utf-8?q?Nuno_S=C3=A1?= , Paolo Abeni , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang
Subject: [PATCH 19/32] afs: Use mem_to_flex_dup() with struct afs_acl
Date: Tue, 3 May 2022 18:44:28 -0700
Message-Id: <20220504014440.3697851-20-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
MIME-Version: 1.0
Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded a deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: David Howells Cc: Marc Dionne Cc: linux-afs@lists.infradead.org Signed-off-by: Kees Cook --- fs/afs/internal.h | 4 ++-- fs/afs/xattr.c | 7 ++----- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/fs/afs/internal.h b/fs/afs/internal.h index 7a72e9c60423..83014d20b6b3 100644 --- a/fs/afs/internal.h +++ b/fs/afs/internal.h @@ -1125,8 +1125,8 @@ extern bool afs_fs_get_capabilities(struct afs_net *, struct afs_server *, extern void afs_fs_inline_bulk_status(struct afs_operation *); struct afs_acl { - u32 size; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, size); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; extern void afs_fs_fetch_acl(struct afs_operation *); diff --git a/fs/afs/xattr.c b/fs/afs/xattr.c index 7751b0b3f81d..77b3af283d49 100644 --- a/fs/afs/xattr.c +++ b/fs/afs/xattr.c 
@@ -73,16 +73,13 @@ static int afs_xattr_get_acl(const struct xattr_handler *handler, static bool afs_make_acl(struct afs_operation *op, const void *buffer, size_t size) { - struct afs_acl *acl; + struct afs_acl *acl = NULL; - acl = kmalloc(sizeof(*acl) + size, GFP_KERNEL); - if (!acl) { + if (mem_to_flex_dup(&acl, buffer, size, GFP_KERNEL)) { afs_op_nomem(op); return false; } - acl->size = size; - memcpy(acl->data, buffer, size); op->acl = acl; return true; } From patchwork Wed May 4 01:44:29 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836944 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 734EBC43217 for ; Wed, 4 May 2022 01:55:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343666AbiEDB6w (ORCPT ); Tue, 3 May 2022 21:58:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39190 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343679AbiEDB6o (ORCPT ); Tue, 3 May 2022 21:58:44 -0400 Received: from mail-pf1-x434.google.com (mail-pf1-x434.google.com [IPv6:2607:f8b0:4864:20::434]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7F2AC49922 for ; Tue, 3 May 2022 18:52:47 -0700 (PDT) Received: by mail-pf1-x434.google.com with SMTP id p12so43884pfn.0 for ; Tue, 03 May 2022 18:52:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=tkQJNMDRPVcNM81JGzyx6JZrZP+sXh6Sgsv2ZLlrcME=; b=TYzsMmP+/eI9TqO4+QAx6yxqi3QYWePclkTlbFjhG/HlibMiAybufg/zrz+rLu5OQM GYSNJAX6L87NNLI9qdgxro62vFxqE/fqrqJQw8CwHhp/9rH1kcR4jgxtvHzWUzWEYP1/ 
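Review bot: afs_make_acl() in fs/afs/xattr.c calls afs_op_nomem(op) for every non-zero return of mem_to_flex_dup(), including a bounds-check failure. size is a size_t while the count member is declared as u32 in struct afs_acl, and the removed "acl->size = size;" store narrowed it silently; if the helper now refuses a size that does not fit the count, the operation is still flagged as out of memory. Check the helper's error code and set a distinct error for the oversize case, or note in the commit message why that case cannot be reached from the xattr path.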
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , Lars-Peter Clausen , =?utf-8?q?Nuno_S=C3=A1?= , Liam Girdwood , Mark Brown , Jaroslav Kysela , Takashi Iwai , alsa-devel@alsa-project.org, Alexei Starovoitov , Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , "David S. Miller" , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Dumazet , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lee Jones , Leon Romanovsky , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , netdev@vger.kernel.org, Nick Desaulniers , Paolo Abeni , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang
Subject: [PATCH 20/32] ASoC: sigmadsp: Use mem_to_flex_dup() with struct sigmadsp_data
Date: Tue, 3 May 2022 18:44:29 -0700
Message-Id: <20220504014440.3697851-21-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
MIME-Version: 1.0
Precedence: bulk List-ID:
X-Mailing-List: linux-scsi@vger.kernel.org As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded a deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Lars-Peter Clausen Cc: "Nuno Sá" Cc: Liam Girdwood Cc: Mark Brown Cc: Jaroslav Kysela Cc: Takashi Iwai Cc: alsa-devel@alsa-project.org Signed-off-by: Kees Cook Acked-by: Mark Brown --- sound/soc/codecs/sigmadsp.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/sound/soc/codecs/sigmadsp.c b/sound/soc/codecs/sigmadsp.c index b992216aee55..648bdc73c5d9 100644 --- a/sound/soc/codecs/sigmadsp.c +++ b/sound/soc/codecs/sigmadsp.c @@ -42,8 +42,8 @@ struct sigmadsp_data { struct list_head head; uint32_t samplerates; unsigned int addr; - unsigned int length; - uint8_t data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned int, length); + DECLARE_FLEX_ARRAY_ELEMENTS(uint8_t, data); }; struct sigma_fw_chunk { @@ -263,7 +263,7 @@ static int sigma_fw_load_data(struct sigmadsp *sigmadsp, const struct sigma_fw_chunk *chunk, unsigned int length) { const struct sigma_fw_chunk_data *data_chunk; - struct sigmadsp_data *data; + struct sigmadsp_data *data = NULL; if (length <= sizeof(*data_chunk)) return -EINVAL; 
@@ -272,14 +272,11 @@ static int sigma_fw_load_data(struct sigmadsp *sigmadsp, length -= sizeof(*data_chunk); - data = kzalloc(sizeof(*data) + length, GFP_KERNEL); - if (!data) + if (mem_to_flex_dup(&data, data_chunk->data, length, GFP_KERNEL)) return -ENOMEM; data->addr = le16_to_cpu(data_chunk->addr); - data->length = length; data->samplerates = le32_to_cpu(chunk->samplerates); - memcpy(data->data, data_chunk->data, length); list_add_tail(&data->head, &sigmadsp->data_list); return 0; From patchwork Wed May 4 01:44:30 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836830 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0BAB6C433FE for ; Wed, 4 May 2022 01:51:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245568AbiEDBzO (ORCPT ); Tue, 3 May 2022 21:55:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56944 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343820AbiEDByQ (ORCPT ); Tue, 3 May 2022 21:54:16 -0400 Received: from mail-pf1-x42d.google.com (mail-pf1-x42d.google.com [IPv6:2607:f8b0:4864:20::42d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A14B0326E2 for ; Tue, 3 May 2022 18:48:56 -0700 (PDT) Received: by mail-pf1-x42d.google.com with SMTP id d25so3306512pfo.10 for ; Tue, 03 May 2022 18:48:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=tt+uE/qYWOs3CEanZOjmvMoORa5i/xMNqAO3DwAd5m4=; b=YmT1lNTRttmLRyn/WOgpT0DAFWD3BvjkOIsApwxFa4B3Com0bh2yQqIJO66Wiak8Tt rwU+QSbZtL4swuVhrV8kkivMWLyJT9AqfxXpJ4Lm9ZibQLMBbHjNrpcN7FDNu1QRPCS+ 
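Review bot: sigma_fw_load_data() previously allocated with kzalloc(), and nothing in this hunk shows that the mem_to_flex_dup() replacement still returns zeroed memory. The members visible here are all written afterwards (addr and samplerates explicitly, head by list_add_tail(), length and data presumably by the helper), so the conversion looks safe for the struct as it stands, but the commit message should say whether the helper zero-initialises so that a member added to struct sigmadsp_data later does not start out uninitialised. The error path also returns -ENOMEM for any helper failure, which is no longer accurate if the bounds check is what failed.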
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 21/32] soc: qcom: apr: Use mem_to_flex_dup() with struct apr_rx_buf
Date: Tue, 3 May 2022 18:44:30 -0700
Message-Id: <20220504014440.3697851-22-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
X-Developer-Key: i=keescook@chromium.org; a=openpgp;
fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Andy Gross
Cc: Bjorn Andersson
Cc: linux-arm-msm@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/soc/qcom/apr.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/drivers/soc/qcom/apr.c b/drivers/soc/qcom/apr.c index 3caabd873322..6cf6f6df276e 100644 --- a/drivers/soc/qcom/apr.c +++ b/drivers/soc/qcom/apr.c @@ -40,8 +40,8 @@ struct packet_router { struct apr_rx_buf { struct list_head node; - int len; - uint8_t buf[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); + DECLARE_FLEX_ARRAY_ELEMENTS(uint8_t, buf); }; /** @@ -162,7 +162,7 @@ static int apr_callback(struct rpmsg_device *rpdev, void *buf, int len, void *priv, u32 addr) { struct packet_router *apr = dev_get_drvdata(&rpdev->dev); - struct apr_rx_buf *abuf; + struct apr_rx_buf *abuf = NULL; unsigned long flags; if (len <= APR_HDR_SIZE) {
@@ -171,13 +171,9 @@ static int apr_callback(struct rpmsg_device *rpdev, void *buf, return -EINVAL; } - abuf = kzalloc(sizeof(*abuf) + len, GFP_ATOMIC); - if (!abuf) + if (mem_to_flex_dup(&abuf, buf, len, GFP_ATOMIC)) return -ENOMEM; - abuf->len = len; - memcpy(abuf->buf, buf, len); - spin_lock_irqsave(&apr->rx_lock, flags); list_add_tail(&abuf->node, &apr->rx_list); spin_unlock_irqrestore(&apr->rx_lock, flags);
From patchwork Wed May 4 01:44:31 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837035
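Review bot: in struct apr_rx_buf (drivers/soc/qcom/apr.c, first hunk) the count member stays signed, `DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len);`, and apr_callback() passes its `int len` argument straight to mem_to_flex_dup(). If the helper's bounds check is derived from the declared count type, an unsigned type such as unsigned int or size_t would keep negative lengths unrepresentable; if `int` has to stay, the commit message should say how the helper treats a negative count. The `len <= APR_HDR_SIZE` test above the call is the only guard visible in these hunks.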
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 22/32] atags_proc: Use mem_to_flex_dup() with struct buffer
Date: Tue, 3 May 2022 18:44:31 -0700
Message-Id: <20220504014440.3697851-23-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Precedence: bulk
X-Mailing-List: linux-scsi@vger.kernel.org

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Russell King
Cc: Christian Brauner
Cc: Andrew Morton
Cc: Muchun Song
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Kees Cook
--- arch/arm/kernel/atags_proc.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/arch/arm/kernel/atags_proc.c b/arch/arm/kernel/atags_proc.c index 3ec2afe78423..638bbb616daa 100644 --- a/arch/arm/kernel/atags_proc.c +++ b/arch/arm/kernel/atags_proc.c @@ -6,8 +6,8 @@ #include struct buffer { - size_t size; - char data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, size); + DECLARE_FLEX_ARRAY_ELEMENTS(char, data); }; static ssize_t atags_read(struct file *file, char __user *buf, @@ -38,7 +38,7 @@ static int __init init_atags_procfs(void) */ struct proc_dir_entry *tags_entry; struct tag *tag = (struct tag *)atags_copy; - struct buffer *b; + struct buffer *b = NULL; size_t size; if (tag->hdr.tag != ATAG_CORE) {
@@ -54,13 +54,9 @@ static int __init init_atags_procfs(void) WARN_ON(tag->hdr.tag != ATAG_NONE); - b = kmalloc(sizeof(*b) + size, GFP_KERNEL); - if (!b) + if (mem_to_flex_dup(&b, atags_copy, size, GFP_KERNEL)) goto nomem; - b->size = size; - memcpy(b->data, atags_copy, size); - tags_entry = proc_create_data("atags", 0400, NULL, &atags_proc_ops, b); if (!tags_entry) goto nomem;
From patchwork Wed May 4 01:44:32 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836829
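Review bot: the second hunk of arch/arm/kernel/atags_proc.c adds `struct buffer *b = NULL;` but the commit message does not say why the initializer is needed. If mem_to_flex_dup() requires the destination pointer to be NULL on entry, state that in the commit message so the requirement is visible when each converted caller is reviewed. The replaced allocation here was kmalloc(), not kzalloc() as in the other conversions, so it would also help to note whether the helper zeroes the new object.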
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 23/32] Bluetooth: Use mem_to_flex_dup() with struct hci_op_configure_data_path
Date: Tue, 3 May 2022 18:44:32 -0700
Message-Id: <20220504014440.3697851-24-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Precedence: bulk
List-ID: X-Mailing-List: linux-scsi@vger.kernel.org

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Marcel Holtmann
Cc: Johan Hedberg
Cc: Luiz Augusto von Dentz
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: linux-bluetooth@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- include/net/bluetooth/hci.h | 4 ++-- net/bluetooth/hci_request.c | 9 ++------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h index 62a9bb022aed..7b398ef0b46d 100644 --- a/include/net/bluetooth/hci.h +++ b/include/net/bluetooth/hci.h @@ -1321,8 +1321,8 @@ struct hci_rp_read_local_oob_ext_data { struct hci_op_configure_data_path { __u8 direction; __u8 data_path_id; - __u8 vnd_len; - __u8 vnd_data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u8, vnd_len); + DECLARE_FLEX_ARRAY_ELEMENTS(__u8, vnd_data); } __packed; #define HCI_OP_READ_LOCAL_VERSION 0x1001 diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c index f4afe482e300..e29be3810b93 100644 --- a/net/bluetooth/hci_request.c +++ b/net/bluetooth/hci_request.c
@@ -2435,19 +2435,14 @@ int hci_req_configure_datapath(struct hci_dev *hdev, struct bt_codec *codec) if (err < 0) goto error; - cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL); - if (!cmd) { - err = -ENOMEM; + err = mem_to_flex_dup(&cmd, vnd_data, vnd_len, GFP_KERNEL); + if (err < 0) goto error; - } err = hdev->get_data_path_id(hdev, &cmd->data_path_id); if (err < 0) goto error; - cmd->vnd_len = vnd_len; - memcpy(cmd->vnd_data, vnd_data, vnd_len); - cmd->direction = 0x00; hci_req_add(&req, HCI_CONFIGURE_DATA_PATH, sizeof(*cmd) + vnd_len, cmd);
From patchwork Wed May 4 01:44:33 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837037
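Review bot: net/bluetooth/hci_request.c has no hunk that initializes `cmd`, while the other conversions shown here all change the destination declaration to `= NULL` before calling mem_to_flex_dup(). Please confirm `cmd` is already NULL where hci_req_configure_datapath() declares it, or add the initializer in this patch. Two smaller points: the failure test is `err < 0` where the other callers treat any non-zero return as failure, and hci_req_add() still computes `sizeof(*cmd) + vnd_len` by hand. Since struct hci_op_configure_data_path is `__packed` and is passed to hci_req_add(), also confirm that the DECLARE_FLEX_ARRAY_* macros leave its size and member offsets unchanged.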
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 24/32] IB/hfi1: Use mem_to_flex_dup() for struct tid_rb_node
Date: Tue, 3 May 2022 18:44:33 -0700
Message-Id: <20220504014440.3697851-25-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
X-Developer-Key: i=keescook@chromium.org; a=openpgp;
fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Dennis Dalessandro
Cc: Jason Gunthorpe
Cc: Leon Romanovsky
Cc: linux-rdma@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/infiniband/hw/hfi1/user_exp_rcv.c | 7 ++----- drivers/infiniband/hw/hfi1/user_exp_rcv.h | 4 ++-- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c index 186d30291260..f14846662ac9 100644 --- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c +++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c @@ -683,7 +683,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd, { int ret; struct hfi1_ctxtdata *uctxt = fd->uctxt; - struct tid_rb_node *node; + struct tid_rb_node *node = NULL; struct hfi1_devdata *dd = uctxt->dd; dma_addr_t phys; struct page **pages = tbuf->pages + pageidx; @@ -692,8 +692,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd, * Allocate the node first so we can handle a potential * failure before we've programmed anything. */ - node = kzalloc(struct_size(node, pages, npages), GFP_KERNEL); - if (!node) + if (mem_to_flex_dup(&node, pages, npages, GFP_KERNEL)) return -ENOMEM; phys = dma_map_single(&dd->pcidev->dev, __va(page_to_phys(pages[0])), @@ -707,12 +706,10 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd, node->fdata = fd; node->phys = page_to_phys(pages[0]); - node->npages = npages; node->rcventry = rcventry; node->dma_addr = phys; node->grp = grp; node->freed = false; - memcpy(node->pages, pages, flex_array_size(node, pages, npages)); if (fd->use_mn) { ret = mmu_interval_notifier_insert(
diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.h b/drivers/infiniband/hw/hfi1/user_exp_rcv.h index 8c53e416bf84..4be3446c4d25 100644 --- a/drivers/infiniband/hw/hfi1/user_exp_rcv.h +++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.h 
@@ -32,8 +32,8 @@ struct tid_rb_node { u32 rcventry; dma_addr_t dma_addr; bool freed; - unsigned int npages; - struct page *pages[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned int, npages); + DECLARE_FLEX_ARRAY_ELEMENTS(struct page *, pages); }; static inline int num_user_pages(unsigned long addr,
From patchwork Wed May 4 01:44:34 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836827
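Review bot: in [PATCH 24/32], the set_rcvarray_entry() hunk at -692 passes npages to mem_to_flex_dup() unchanged, while the memcpy() removed in the -707 hunk copied flex_array_size(node, pages, npages) bytes; pages[] holds struct page * elements, so the changelog or a comment at the call should say that the helper's third argument is an element count, not a byte length. The changelog describes the helper as a "deserialization of bytes", which fits the byte-array conversions elsewhere in the series but leaves this pointer-array case ambiguous to a reader of this patch alone. The call also turns every helper failure into -ENOMEM; if the helper's bounds check can fail independently of allocation, returning its own error code would keep the two apart.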
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , "K. Y. Srinivasan" , Haiyang Zhang , Stephen Hemminger , Wei Liu , Dexuan Cui , linux-hyperv@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , "David S. Miller" , Dennis Dalessandro , devicetree@vger.kernel.org, Dmitry Kasatkin , Eli Cohen , Eric Dumazet , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Hante Meuleman , Herbert Xu , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , netdev@vger.kernel.org, Nick Desaulniers , =?utf-8?q?Nuno_S=C3=A1?= , Paolo Abeni , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang Subject: [PATCH 25/32] Drivers: hv: utils: Use mem_to_flex_dup() with struct cn_msg Date: Tue, 3 May 2022 18:44:34 -0700 Message-Id: <20220504014440.3697851-26-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk
List-ID: X-Mailing-List: linux-scsi@vger.kernel.org

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: "K. Y. Srinivasan"
Cc: Haiyang Zhang
Cc: Stephen Hemminger
Cc: Wei Liu
Cc: Dexuan Cui
Cc: linux-hyperv@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/hv/hv_utils_transport.c | 7 ++-----
include/uapi/linux/connector.h | 4 ++--
2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/drivers/hv/hv_utils_transport.c b/drivers/hv/hv_utils_transport.c index 832885198643..43b4f8893cc0 100644 --- a/drivers/hv/hv_utils_transport.c +++ b/drivers/hv/hv_utils_transport.c @@ -217,20 +217,17 @@ static void hvt_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp) int hvutil_transport_send(struct hvutil_transport *hvt, void *msg, int len, void (*on_read_cb)(void)) { - struct cn_msg *cn_msg; + struct cn_msg *cn_msg = NULL; int ret = 0; if (hvt->mode == HVUTIL_TRANSPORT_INIT || hvt->mode == HVUTIL_TRANSPORT_DESTROY) { return -EINVAL; } else if (hvt->mode == HVUTIL_TRANSPORT_NETLINK) { - cn_msg = kzalloc(sizeof(*cn_msg) + len, GFP_ATOMIC); - if (!cn_msg) + if (mem_to_flex_dup(&cn_msg, msg, len, GFP_ATOMIC)) return -ENOMEM; cn_msg->id.idx = hvt->cn_id.idx; cn_msg->id.val = hvt->cn_id.val; - cn_msg->len = len; - memcpy(cn_msg->data, msg, len); ret = cn_netlink_send(cn_msg, 0, 0, GFP_ATOMIC); kfree(cn_msg); /* diff --git a/include/uapi/linux/connector.h b/include/uapi/linux/connector.h index 3738936149a2..b85bbe753dae 100644 --- a/include/uapi/linux/connector.h +++ b/include/uapi/linux/connector.h 
@@ -73,9 +73,9 @@ struct cn_msg { __u32 seq; __u32 ack; - __u16 len; /* Length of the following data */ + __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u16, len); __u16 flags; - __u8 data[0]; + __DECLARE_FLEX_ARRAY_ELEMENTS(__u8, data); }; #endif /* _UAPI__CONNECTOR_H */
From patchwork Wed May 4 01:44:35 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836828
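Review bot: in [PATCH 25/32], hvutil_transport_send() used to get a zeroed message from kzalloc(), and after this hunk only id.idx and id.val are assigned before cn_netlink_send(), so seq, ack and flags go out with whatever mem_to_flex_dup() leaves in them. Please confirm the helper zeroes the allocation, or pass __GFP_ZERO alongside GFP_ATOMIC, since this buffer leaves the kernel over netlink. Separately, len is an int while the counter is a __u16: the old code truncated silently on assignment, and a bounds-check failure in the new call is reported as -ENOMEM, where -EINVAL or the helper's own return value would describe an oversized or negative len more accurately.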
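Review bot: in [PATCH 25/32], the include/uapi/linux/connector.h hunk replaces __u8 data[0] with __DECLARE_FLEX_ARRAY_ELEMENTS(__u8, data) in a header that userspace compiles, and the expansion of that macro is not shown in this patch. The changelog should state that sizeof(struct cn_msg) and the member offsets are unchanged and that the macro is defined in a header exported alongside this one, so that existing userspace including linux/connector.h still builds. The hunk also drops the "Length of the following data" comment on len; it should stay next to the new declaration.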
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , Mimi Zohar , Dmitry Kasatkin , James Morris , "Serge E. Hallyn" , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , "David S. Miller" , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Eli Cohen , Eric Dumazet , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Muchun Song , Nathan Chancellor , netdev@vger.kernel.org, Nick Desaulniers , =?utf-8?q?Nuno_S=C3=A1?= , Paolo Abeni , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang Subject: [PATCH 26/32] ima: Use mem_to_flex_dup() with struct modsig Date: Tue, 3 May 2022 18:44:35 -0700 Message-Id: <20220504014440.3697851-27-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID:
X-Mailing-List: linux-scsi@vger.kernel.org

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Mimi Zohar
Cc: Dmitry Kasatkin
Cc: James Morris
Cc: "Serge E. Hallyn"
Cc: linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook
---
security/integrity/ima/ima_modsig.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c index fb25723c65bc..200c080d36de 100644 --- a/security/integrity/ima/ima_modsig.c +++ b/security/integrity/ima/ima_modsig.c @@ -28,8 +28,8 @@ struct modsig { * This is what will go to the measurement list if the template requires * storing the signature. */ - int raw_pkcs7_len; - u8 raw_pkcs7[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, raw_pkcs7_len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, raw_pkcs7); }; /* @@ -42,7 +42,7 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, { const size_t marker_len = strlen(MODULE_SIG_STRING); const struct module_signature *sig; - struct modsig *hdr; + struct modsig *hdr = NULL; size_t sig_len; const void *p; int rc; @@ -65,8 +65,7 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, buf_len -= sig_len + sizeof(*sig); /* Allocate sig_len additional bytes to hold the raw PKCS#7 data. */ - hdr = kzalloc(sizeof(*hdr) + sig_len, GFP_KERNEL); - if (!hdr) + if (mem_to_flex_dup(&hdr, buf + buf_len, sig_len, GFP_KERNEL)) return -ENOMEM; hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len); 
@@ -76,9 +75,6 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, return rc; } - memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len); - hdr->raw_pkcs7_len = sig_len; - /* We don't know the hash algorithm yet. */ hdr->hash_algo = HASH_ALGO__LAST;
From patchwork Wed May 4 01:44:36 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837038
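Review bot: in [PATCH 26/32], the ima_read_modsig() hunk at -65 keeps the comment "Allocate sig_len additional bytes to hold the raw PKCS#7 data." above a call that now also copies buf + buf_len into raw_pkcs7 and sets raw_pkcs7_len, so the comment should be updated to say that the copy happens here. sig_len is a size_t while the counter is declared as DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, raw_pkcs7_len), and a length that does not fit is now returned as -ENOMEM, which reports a malformed signature length as memory exhaustion. Checking sig_len against the counter's range before the call, or returning the helper's own error code, would keep the two cases distinguishable for callers.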
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , David Howells , Jarkko Sakkinen , James Morris , "Serge E. Hallyn" , keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , "David S. Miller" , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Dumazet , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , netdev@vger.kernel.org, Nick Desaulniers , =?utf-8?q?Nuno_S=C3=A1?= , Paolo Abeni , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang Subject: [PATCH 27/32] KEYS: Use mem_to_flex_dup() with struct user_key_payload Date: Tue, 3 May 2022 18:44:36 -0700 Message-Id: <20220504014440.3697851-28-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence:
bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: David Howells
Cc: Jarkko Sakkinen
Cc: James Morris
Cc: "Serge E. Hallyn"
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook
---
include/keys/user-type.h | 4 ++--
security/keys/user_defined.c | 7 ++-----
2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/include/keys/user-type.h b/include/keys/user-type.h index 386c31432789..4e67ff902a32 100644 --- a/include/keys/user-type.h +++ b/include/keys/user-type.h @@ -26,8 +26,8 @@ */ struct user_key_payload { struct rcu_head rcu; /* RCU destructor */ - unsigned short datalen; /* length of this data */ - char data[] __aligned(__alignof__(u64)); /* actual data */ + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned short, datalen); + DECLARE_FLEX_ARRAY_ELEMENTS(char, data) __aligned(__alignof__(u64)); }; extern struct key_type key_type_user; diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c index 749e2a4dcb13..2fb84894cdaa 100644 --- a/security/keys/user_defined.c +++ b/security/keys/user_defined.c 
@@ -58,21 +58,18 @@ EXPORT_SYMBOL_GPL(key_type_logon); */ int user_preparse(struct key_preparsed_payload *prep) { - struct user_key_payload *upayload; + struct user_key_payload *upayload = NULL; size_t datalen = prep->datalen; if (datalen <= 0 || datalen > 32767 || !prep->data) return -EINVAL; - upayload = kmalloc(sizeof(*upayload) + datalen, GFP_KERNEL); - if (!upayload) + if (mem_to_flex_dup(&upayload, prep->data, datalen, GFP_KERNEL)) return -ENOMEM; /* attach the data */ prep->quotalen = datalen; prep->payload.data[0] = upayload; - upayload->datalen = datalen; - memcpy(upayload->data, prep->data, datalen); return 0; } EXPORT_SYMBOL_GPL(user_preparse);
From patchwork Wed May 4 01:44:37 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837034
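Review bot: in [PATCH 27/32], the include/keys/user-type.h hunk writes DECLARE_FLEX_ARRAY_ELEMENTS(char, data) __aligned(__alignof__(u64)); which keeps data[] aligned for u64 only if the macro expands to a bare member declarator that the trailing attribute can attach to, and that expansion is not visible in this patch. A static assertion next to the struct that offsetof(struct user_key_payload, data) is a multiple of __alignof__(u64) would make the layout guarantee explicit instead of depending on how the macro is written. The hunk also drops the "length of this data" and "actual data" member comments, which should be kept.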
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , Steffen Klassert , Herbert Xu , "David S. Miller" , Paul Moore , Stephen Smalley , Eric Paris , Nick Desaulniers , Xiu Jianfeng , =?utf-8?q?Christian_G=C3=B6ttsche?= , netdev@vger.kernel.org, selinux@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Dumazet , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , =?utf-8?q?Nuno_S=C3=A1?= , Paolo Abeni , Rich Felker , Rob Herring , Russell King , "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Stephen Hemminger , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Yang Yingliang Subject: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab Date: Tue, 3 May 2022 18:44:37 -0700 Message-Id: <20220504014440.3697851-29-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org As part of the work to perform bounds checking on all memcpy()
uses, replace the open-coded a deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying: struct xfrm_sec_ctx struct sidtab_str_cache Cc: Steffen Klassert Cc: Herbert Xu Cc: "David S. Miller" Cc: Paul Moore Cc: Stephen Smalley Cc: Eric Paris Cc: Nick Desaulniers Cc: Xiu Jianfeng Cc: "Christian Göttsche" Cc: netdev@vger.kernel.org Cc: selinux@vger.kernel.org Signed-off-by: Kees Cook --- include/uapi/linux/xfrm.h | 4 ++-- security/selinux/ss/sidtab.c | 9 +++------ security/selinux/xfrm.c | 7 ++----- 3 files changed, 7 insertions(+), 13 deletions(-) diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h index 65e13a099b1a..4a6fa2beff6a 100644 --- a/include/uapi/linux/xfrm.h +++ b/include/uapi/linux/xfrm.h @@ -31,9 +31,9 @@ struct xfrm_id { struct xfrm_sec_ctx { __u8 ctx_doi; __u8 ctx_alg; - __u16 ctx_len; + __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u16, ctx_len); __u32 ctx_sid; - char ctx_str[0]; + __DECLARE_FLEX_ARRAY_ELEMENTS(char, ctx_str); }; /* Security Context Domains of Interpretation */ diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c index a54b8652bfb5..a9d434e8cff7 100644 --- a/security/selinux/ss/sidtab.c +++ b/security/selinux/ss/sidtab.c @@ -23,8 +23,8 @@ struct sidtab_str_cache { struct rcu_head rcu_member; struct list_head lru_member; struct sidtab_entry *parent; - u32 len; - char str[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, len); + DECLARE_FLEX_ARRAY_ELEMENTS(char, str); }; #define index_to_sid(index) ((index) + SECINITSID_NUM + 1) @@ -570,8 +570,7 @@ void sidtab_sid2str_put(struct sidtab *s, struct sidtab_entry *entry, goto out_unlock; } - cache = kmalloc(struct_size(cache, str, str_len), GFP_ATOMIC); - if (!cache) + if (mem_to_flex_dup(&cache, str, str_len, GFP_ATOMIC)) goto out_unlock; if (s->cache_free_slots == 0) { 
@@ -584,8 +583,6 @@ void sidtab_sid2str_put(struct sidtab *s, struct sidtab_entry *entry, s->cache_free_slots--; } cache->parent = entry; - cache->len = str_len; - memcpy(cache->str, str, str_len); list_add(&cache->lru_member, &s->cache_lru_list); rcu_assign_pointer(entry->cache, cache); diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index c576832febc6..bc7a54bf8f0d 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -345,7 +345,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, struct xfrm_sec_ctx *polsec, u32 secid) { int rc; - struct xfrm_sec_ctx *ctx; + struct xfrm_sec_ctx *ctx = NULL; char *ctx_str = NULL; u32 str_len; @@ -360,8 +360,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, if (rc) return rc; - ctx = kmalloc(struct_size(ctx, ctx_str, str_len), GFP_ATOMIC); - if (!ctx) { + if (mem_to_flex_dup(&ctx, ctx_str, str_len, GFP_ATOMIC)) { rc = -ENOMEM; goto out; } 
@@ -369,8 +368,6 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, ctx->ctx_doi = XFRM_SC_DOI_LSM; ctx->ctx_alg = XFRM_SC_ALG_SELINUX; ctx->ctx_sid = secid; - ctx->ctx_len = str_len; - memcpy(ctx->ctx_str, ctx_str, str_len); x->security = ctx; atomic_inc(&selinux_xfrm_refcount);
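Review bot: in the include/uapi/linux/xfrm.h hunk, struct xfrm_sec_ctx is a userspace-visible layout, and the change both replaces `char ctx_str[0]` with a macro-declared flexible array and makes a UAPI header depend on `__DECLARE_FLEX_ARRAY_ELEMENTS_COUNT()` and `__DECLARE_FLEX_ARRAY_ELEMENTS()`. Nothing in this patch shows where those macros are defined for userspace builds or that sizeof(struct xfrm_sec_ctx) and the member offsets are unchanged; the commit message should state both.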
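Review bot: in the sidtab_sid2str_put() hunk at line 570, `cache` is passed by address to mem_to_flex_dup(), but no hunk gives it an initial value, whereas the xfrm.c conversion in this same patch adds `struct xfrm_sec_ctx *ctx = NULL;`. If the helper expects the destination pointer to start out NULL, as that change suggests, the declaration of `cache` needs the same initializer, or the commit message should say why it is not needed here.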
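Review bot: in the selinux_xfrm_state_alloc_acquire() hunk at line 360, every failure of mem_to_flex_dup() is reported as -ENOMEM, yet the commit message says the helper also performs bounds checking, and ctx_len is a __u16 while str_len is a u32. The removed `ctx->ctx_len = str_len;` narrowed silently; if an over-long context is now rejected, that is a behaviour change worth a line in the commit message, and `rc = mem_to_flex_dup(...); if (rc) goto out;` would let the caller tell a size rejection from an allocation failure.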
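The count narrowing that the paired count/array declaration in this patch is meant to catch, as an added userspace example (not code from the patch or from the kernel). `struct sec_ctx` mirrors `struct xfrm_sec_ctx` from the hunk above; `checked_flex_dup()`, its NULL-destination rule and its error codes are assumptions standing in for the behaviour the commit message describes, not the flex_array.h implementation.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace mirror of struct xfrm_sec_ctx: a 16-bit count ahead of the bytes. */
struct sec_ctx {
	uint8_t  ctx_doi;
	uint8_t  ctx_alg;
	uint16_t ctx_len;	/* number of bytes in ctx_str[] */
	uint32_t ctx_sid;
	char     ctx_str[];	/* trailing flexible array */
};

/*
 * Open-coded pattern the patch removes: allocation and copy use the full
 * 32-bit length, but the stored count is narrowed to 16 bits.
 */
static struct sec_ctx *open_coded_dup(const char *src, uint32_t len)
{
	struct sec_ctx *ctx = malloc(sizeof(*ctx) + len);

	if (!ctx)
		return NULL;
	ctx->ctx_len = (uint16_t)len;	/* silent truncation for len > 65535 */
	memcpy(ctx->ctx_str, src, len);
	return ctx;
}

/*
 * Hypothetical checked helper (assumed semantics): the destination must
 * start out NULL, the length must fit the count field, and the count is
 * stored by the helper so it cannot disagree with the allocation.
 */
static int checked_flex_dup(struct sec_ctx **out, const void *src, size_t len)
{
	struct sec_ctx *ctx;

	if (!out || *out)
		return -EINVAL;
	if (len > UINT16_MAX)
		return -E2BIG;
	ctx = calloc(1, sizeof(*ctx) + len);	/* cannot overflow: len <= 65535 */
	if (!ctx)
		return -ENOMEM;
	ctx->ctx_len = (uint16_t)len;
	if (len)
		memcpy(ctx->ctx_str, src, len);
	*out = ctx;
	return 0;
}

/* Count recorded by the open-coded path for a len-byte input, or -1. */
static long open_coded_recorded_len(uint32_t len)
{
	char *src = calloc(1, len ? len : 1);	/* constructed sample input */
	struct sec_ctx *ctx;
	long recorded;

	if (!src)
		return -1;
	ctx = open_coded_dup(src, len);
	recorded = ctx ? (long)ctx->ctx_len : -1;
	free(ctx);
	free(src);
	return recorded;
}

/* Status of the checked path for a len-byte input. */
static int checked_status(size_t len)
{
	char *src = calloc(1, len ? len : 1);	/* constructed sample input */
	struct sec_ctx *ctx = NULL;
	int rc;

	if (!src)
		return -ENOMEM;
	rc = checked_flex_dup(&ctx, src, len);
	if (rc == 0 && ctx->ctx_len != len)
		rc = -EIO;	/* count and payload disagree */
	free(ctx);
	free(src);
	return rc;
}

/* A destination that already points somewhere is refused. */
static int checked_status_reused_pointer(void)
{
	struct sec_ctx stale = {0};
	struct sec_ctx *ctx = &stale;

	return checked_flex_dup(&ctx, "x", 1);
}

int main(void)
{
	printf("open-coded, 65544 bytes: ctx_len=%ld\n", open_coded_recorded_len(65544));
	printf("checked,    65544 bytes: rc=%d\n", checked_status(65544));
	printf("checked,       12 bytes: rc=%d\n", checked_status(12));
	printf("checked, reused pointer: rc=%d\n", checked_status_reused_pointer());
	return 0;
}
```

With a 65544-byte input the open-coded path stores a count of 8 while holding 65544 bytes, which is the mismatch a later reader of `ctx_len` would act on.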

From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 29/32] xtensa: Use mem_to_flex_dup() with struct property
Date: Tue, 3 May 2022 18:44:38 -0700
Message-Id: <20220504014440.3697851-30-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
X-Mailing-List: linux-scsi@vger.kernel.org

As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.

Cc: Chris Zankel
Cc: Max Filippov
Cc: Rob Herring
Cc: Frank Rowand
Cc: Guenter Roeck
Cc: linux-xtensa@linux-xtensa.org
Cc: devicetree@vger.kernel.org
Signed-off-by: Kees Cook
---
 arch/xtensa/platforms/xtfpga/setup.c | 9 +++------
 include/linux/of.h | 3 ++-
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/arch/xtensa/platforms/xtfpga/setup.c b/arch/xtensa/platforms/xtfpga/setup.c index 538e6748e85a..31c1fa4ba4ec 100644 --- a/arch/xtensa/platforms/xtfpga/setup.c +++ b/arch/xtensa/platforms/xtfpga/setup.c @@ -102,7 +102,7 @@ CLK_OF_DECLARE(xtfpga_clk, "cdns,xtfpga-clock", xtfpga_clk_setup); #define MAC_LEN 6 static void __init update_local_mac(struct device_node *node) { - struct property *newmac; + struct property *newmac = NULL; const u8* macaddr; int prop_len; @@ -110,19 +110,16 @@ static void __init update_local_mac(struct device_node *node) if (macaddr == NULL || prop_len != MAC_LEN) return; - newmac = kzalloc(sizeof(*newmac) + MAC_LEN, GFP_KERNEL); - if (newmac == NULL) + if (mem_to_flex_dup(&newmac, macaddr, MAC_LEN, GFP_KERNEL)) return; - newmac->value = newmac + 1; - newmac->length = MAC_LEN; + newmac->value = newmac->contents; newmac->name = kstrdup("local-mac-address", GFP_KERNEL); if (newmac->name == NULL) { kfree(newmac); return; } - memcpy(newmac->value, macaddr, MAC_LEN); ((u8*)newmac->value)[5] = (*(u32*)DIP_SWITCHES_VADDR) & 0x3f; of_update_property(node, newmac); } diff --git a/include/linux/of.h b/include/linux/of.h index 17741eee0ca4..efb0f419fd1f 100644 --- a/include/linux/of.h +++ b/include/linux/of.h
@@ -30,7 +30,7 @@ typedef u32 ihandle; struct property { char *name; - int length; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, length); void *value; struct property *next; #if defined(CONFIG_OF_DYNAMIC) || defined(CONFIG_SPARC) 
@@ -42,6 +42,7 @@ struct property { #if defined(CONFIG_OF_KOBJ) struct bin_attribute attr; #endif + DECLARE_FLEX_ARRAY_ELEMENTS(u8, contents); }; #if defined(CONFIG_SPARC)
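Review bot: in the update_local_mac() hunk at line 110, the removed allocation was kzalloc(), so `next` and the other members of struct property were zero before of_update_property() saw them, and nothing visible here says mem_to_flex_dup() zeroes the non-array members. Please confirm that in the commit message, or set the remaining fields explicitly after the call.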
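Review bot: the include/linux/of.h hunk at line 42 appends `contents[]` to every struct property and the hunk at line 30 ties `length` to it, but update_local_mac() still has to assign `newmac->value = newmac->contents` by hand, which shows `value` is a separate pointer. For a property whose data is not stored inline, `length` then describes `value` and not `contents`; a comment on the struct saying when `contents` is valid would help, along with a word on whether a signed `int` is acceptable as the element count.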

From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 30/32] usb: gadget: f_fs: Use mem_to_flex_dup() with struct ffs_buffer
Date: Tue, 3 May 2022 18:44:39 -0700
Message-Id: <20220504014440.3697851-31-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
X-Mailing-List: linux-scsi@vger.kernel.org

As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.

Cc: Felipe Balbi
Cc: Greg Kroah-Hartman
Cc: Eugeniu Rosca
Cc: John Keeping
Cc: Jens Axboe
Cc: Udipto Goswami
Cc: Andrew Gabbasov
Cc: linux-usb@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/usb/gadget/function/f_fs.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 4585ee3a444a..bb0ff41dabd2 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -202,9 +202,9 @@ struct ffs_epfile { }; struct ffs_buffer { - size_t length; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, length); char *data; - char storage[]; + DECLARE_FLEX_ARRAY_ELEMENTS(char, storage); }; /* ffs_io_data structure ***************************************************/ @@ -905,7 +905,7 @@ static ssize_t __ffs_epfile_read_data(struct ffs_epfile *epfile, void *data, int data_len, struct iov_iter *iter) { - struct ffs_buffer *buf; + struct ffs_buffer *buf = NULL; ssize_t ret = copy_to_iter(data, data_len, iter); if (data_len == ret)
@@ -919,12 +919,9 @@ static ssize_t __ffs_epfile_read_data(struct ffs_epfile *epfile, data_len, ret); data_len -= ret; - buf = kmalloc(struct_size(buf, storage, data_len), GFP_KERNEL); - if (!buf) + if (mem_to_flex_dup(&buf, data + ret, data_len, GFP_KERNEL)) return -ENOMEM; - buf->length = data_len; buf->data = buf->storage; - memcpy(buf->storage, data + ret, flex_array_size(buf, storage, data_len)); /* * At this point read_buffer is NULL or READ_BUFFER_DROP (if
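Review bot: in the __ffs_epfile_read_data() hunk at line 919, `data_len` is a signed `int` (see the function signature in the previous hunk) and is now handed to mem_to_flex_dup() as the count for a `size_t length`. The removed code made the conversion visible through struct_size() and flex_array_size(); the commit message should say how the helper treats a signed count argument, or the call site should convert it explicitly, so the reader does not have to open flex_array.h to know a negative value cannot become a huge length.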

From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 31/32] xenbus: Use mem_to_flex_dup() with struct read_buffer
Date: Tue, 3 May 2022 18:44:40 -0700
Message-Id: <20220504014440.3697851-32-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
X-Mailing-List: linux-scsi@vger.kernel.org

As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.

Cc: Boris Ostrovsky
Cc: Juergen Gross
Cc: Stefano Stabellini
Cc: xen-devel@lists.xenproject.org
Signed-off-by: Kees Cook
---
 drivers/xen/xenbus/xenbus_dev_frontend.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c index 597af455a522..4267aaef33fb 100644 --- a/drivers/xen/xenbus/xenbus_dev_frontend.c +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c @@ -81,8 +81,8 @@ struct xenbus_transaction_holder { struct read_buffer { struct list_head list; unsigned int cons; - unsigned int len; - char msg[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned int, len); + DECLARE_FLEX_ARRAY_ELEMENTS(char, msg); }; struct xenbus_file_priv {
@@ -188,21 +188,17 @@ static ssize_t xenbus_file_read(struct file *filp, */ static int queue_reply(struct list_head *queue, const void *data, size_t len) { - struct read_buffer *rb; + struct read_buffer *rb = NULL; if (len == 0) return 0; if (len > XENSTORE_PAYLOAD_MAX) return -EINVAL; - rb = kmalloc(sizeof(*rb) + len, GFP_KERNEL); - if (rb == NULL) + if (mem_to_flex_dup(&rb, data, len, GFP_KERNEL)) return -ENOMEM; rb->cons = 0; - rb->len = len; - - memcpy(rb->msg, data, len); list_add_tail(&rb->list, queue); return 0;
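Review bot: in the queue_reply() hunk, mapping any mem_to_flex_dup() failure to -ENOMEM is only accurate because the `len > XENSTORE_PAYLOAD_MAX` check just above it already rejects lengths that would not fit the `unsigned int len` count. That dependency is not stated anywhere; either add a short comment next to the call or return the helper's own error code so the two checks cannot drift apart.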
P3x8PrWJUASQzTlrmV7uEWLEbManT0y+Zg+pt3XuYEBjyOBd/MkDra9+mVvndIuuMdNV ADaMqJRFecvzQ2p2BbgcShyTVJWmeZm5rse6o= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=rmxrp/UxOFb8piH92Vxf3rNJk8bX2cfzoG0Wa8qHsPs=; b=pqXCLWvoQM/iMEI2jUbFT2dhDnXQgVHBjcywyjJ77l14Xu3SsCOPlSrj16yhH0u7UD 3C9xILQt1GvhqO/+As9W8MvnRL54CPUEia4CPImA5URySg+k7tikqKExkeZW/A5wkqDh pb9tzCjbGJ0iDZUfJsRyOM76nO+wiUJEAdvbA+6GF6JwSYl7CWlGm1FoOQCZpdfTJthu 3H92HcRAt7RSbcP6xW6Z8dQZrVLlkKLr9BstRF/IcCnXOOga09cxaF8ue4hzfae1ShK/ anjcDkKqrfuS9Ena/0bApGiRMipUZXhTqggBEb3exu6rCx7ZCLfB9yTw8eSn5Tdbreek XTXg== X-Gm-Message-State: AOAM531O77+HfvBWyTbPfgOETB2fsxpKX/BoYmxcB6WngRwBw3PiO9tQ jerh1Hm+rCqSHzByy46xW6dHcQ== X-Google-Smtp-Source: ABdhPJw5UH+zE7V//6n7buLSwyzvbe4dXHNIfzHZYUp5Gsqm2kqmkk896GY+p9QRLPq6Ee7dPP32pg== X-Received: by 2002:a17:902:d1cd:b0:15d:1483:6ed6 with SMTP id g13-20020a170902d1cd00b0015d14836ed6mr20296811plb.58.1651629466374; Tue, 03 May 2022 18:57:46 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id q3-20020a17090311c300b0015e8d4eb2e9sm6671462plh.307.2022.05.03.18.57.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 May 2022 18:57:45 -0700 (PDT) 
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, Bradley Grove, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, "David S. Miller", Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Dumazet, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot, Jakub Kicinski, James Morris, Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, Max Filippov, Mimi Zohar, Muchun Song, Nathan Chancellor, netdev@vger.kernel.org, Nick Desaulniers, Nuno Sá, Paolo Abeni, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 32/32] esas2r: Use __mem_to_flex() with struct atto_ioctl
Date: Tue, 3 May 2022 18:44:41 -0700
Message-Id: <20220504014440.3697851-33-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
X-Mailing-List: linux-scsi@vger.kernel.org

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. This requires adding the flexible array explicitly.

Cc: Bradley Grove
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-scsi@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/scsi/esas2r/atioctl.h | 1 + drivers/scsi/esas2r/esas2r_ioctl.c | 11 +++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/scsi/esas2r/atioctl.h b/drivers/scsi/esas2r/atioctl.h index ff2ad9b38575..dd3437412ffc 100644 --- a/drivers/scsi/esas2r/atioctl.h +++ b/drivers/scsi/esas2r/atioctl.h @@ -831,6 +831,7 @@ struct __packed atto_hba_trace { u32 total_length; u32 trace_mask; u8 reserved2[48]; + u8 contents[]; }; #define ATTO_FUNC_SCSI_PASS_THRU 0x04 diff --git a/drivers/scsi/esas2r/esas2r_ioctl.c b/drivers/scsi/esas2r/esas2r_ioctl.c index 08f4e43c7d9e..9310b54b1575 100644 --- a/drivers/scsi/esas2r/esas2r_ioctl.c +++ b/drivers/scsi/esas2r/esas2r_ioctl.c
@@ -947,11 +947,14 @@ static int hba_ioctl_callback(struct esas2r_adapter *a, break; } - memcpy(trc + 1, - a->fw_coredump_buff + offset, - len); + if (__mem_to_flex(hi, data.trace.contents, + data_length, + a->fw_coredump_buff + offset, + len)) { + hi->status = ATTO_STS_INV_FUNC; + break; + } - hi->data_length = len; } else if (trc->trace_func == ATTO_TRC_TF_RESET) { memset(a->fw_coredump_buff, 0, ESAS2R_FWCOREDUMP_SZ);
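Review bot: In the atioctl.h hunk, the new `u8 contents[];` member of struct atto_hba_trace carries no comment saying which field bounds it. The struct already has `u32 total_length;`, yet the call site in esas2r_ioctl.c passes `data_length` from the enclosing ioctl structure as the counter, so the declaration alone does not tell a reader which length is authoritative. A one-line comment on the member naming its counter would help. Since the array is reached as `data.trace.contents`, the commit message should also confirm that nothing is laid out after this struct inside `data` that the flexible array could overlap.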
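Review bot: In the hba_ioctl_callback() hunk, the new error branch sets `hi->status = ATTO_STS_INV_FUNC;` and breaks without assigning hi->data_length, whereas the old path always finished with `hi->data_length = len;`. Please state in the commit message that `__mem_to_flex()` stores len into data_length on success (the explicit assignment is removed, so the hunk now depends on that), and what data_length holds when the helper fails, since the caller will see that value alongside the error status. An invalid-function status is also an odd report for a failed bounds check; a more specific status, or a short comment explaining the choice, would make the failure easier to diagnose. It is worth noting as well that the destination changed from `trc + 1` to `data.trace.contents`, and that the two name the same address.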