| Message ID | 20210324141635.22335-1-rrichter@amd.com |
|---|---|
| State | Accepted |
| Commit | 392be0bda730df3c71241b2a16bbecac78ee627d |
| Headers | show |
| Series | cxl/mem: Force array size of mem_commands[] to CXL_MEM_COMMAND_ID_MAX | expand |
On Wed, Mar 24, 2021 at 03:16:35PM +0100, Robert Richter wrote: > Typically the mem_commands[] array is in sync with 'enum { CXL_CMDS }'. > Current code works well. > > However, the array size of mem_commands[] may not strictly be the same > as CXL_MEM_COMMAND_ID_MAX. E.g. if a new CXL_CMD() is added that is > guarded by #ifdefs, the array could be shorter. This could lead then > further to an out-of-bounds array access in cxl_validate_cmd_from_user(). > > Fix this by forcing the array size to CXL_MEM_COMMAND_ID_MAX. This > also adds range checks for array items in mem_commands[] at compile > time. Can't we use ARRAY_SIZE? Ira > > Signed-off-by: Robert Richter <rrichter@amd.com> > --- > drivers/cxl/mem.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c > index 244cb7d89678..ecfc9ccdba8d 100644 > --- a/drivers/cxl/mem.c > +++ b/drivers/cxl/mem.c > @@ -169,7 +169,7 @@ struct cxl_mem_command { > * table will be validated against the user's input. For example, if size_in is > * 0, and the user passed in 1, it is an error. > */ > -static struct cxl_mem_command mem_commands[] = { > +static struct cxl_mem_command mem_commands[CXL_MEM_COMMAND_ID_MAX] = { > CXL_CMD(IDENTIFY, 0, 0x43, CXL_CMD_FLAG_FORCE_ENABLE), > #ifdef CONFIG_CXL_MEM_RAW_COMMANDS > CXL_CMD(RAW, ~0, ~0, 0), > -- > 2.29.2 >
On Wed, Mar 24, 2021 at 7:17 AM Robert Richter <rrichter@amd.com> wrote: > > Typically the mem_commands[] array is in sync with 'enum { CXL_CMDS }'. > Current code works well. > > However, the array size of mem_commands[] may not strictly be the same > as CXL_MEM_COMMAND_ID_MAX. E.g. if a new CXL_CMD() is added that is > guarded by #ifdefs, the array could be shorter. This could lead then > further to an out-of-bounds array access in cxl_validate_cmd_from_user(). Good catch. > > Fix this by forcing the array size to CXL_MEM_COMMAND_ID_MAX. This > also adds range checks for array items in mem_commands[] at compile > time. > > Signed-off-by: Robert Richter <rrichter@amd.com> Thanks, applied.
On Wed, Mar 24, 2021 at 11:43 AM Ira Weiny <ira.weiny@intel.com> wrote: > > On Wed, Mar 24, 2021 at 03:16:35PM +0100, Robert Richter wrote: > > Typically the mem_commands[] array is in sync with 'enum { CXL_CMDS }'. > > Current code works well. > > > > However, the array size of mem_commands[] may not strictly be the same > > as CXL_MEM_COMMAND_ID_MAX. E.g. if a new CXL_CMD() is added that is > > guarded by #ifdefs, the array could be shorter. This could lead then > > further to an out-of-bounds array access in cxl_validate_cmd_from_user(). > > > > Fix this by forcing the array size to CXL_MEM_COMMAND_ID_MAX. This > > also adds range checks for array items in mem_commands[] at compile > > time. > > Can't we use ARRAY_SIZE? An ARRAY_SIZE() check in cxl_validate_cmd_from_user() would work too, but it wouldn't give the compiler protection that Robert mentions for going the other way where mem_commands tries to add an entry that is out of bounds relative to CXL_CMDS.
On 24.03.21 12:08:20, Dan Williams wrote: > On Wed, Mar 24, 2021 at 11:43 AM Ira Weiny <ira.weiny@intel.com> wrote: > > Can't we use ARRAY_SIZE? > > An ARRAY_SIZE() check in cxl_validate_cmd_from_user() would work too, > but it wouldn't give the compiler protection that Robert mentions for > going the other way where mem_commands tries to add an entry that is > out of bounds relative to CXL_CMDS. I was considering that too. Another reason apart from above was to treat 'holes' in the array caused by #ifdefs the same regardless its position in the array. Thus, all should show up as being zeroed instead of cutting those at the end from the array. Thanks for applying, -Robert
diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c index 244cb7d89678..ecfc9ccdba8d 100644 --- a/drivers/cxl/mem.c +++ b/drivers/cxl/mem.c @@ -169,7 +169,7 @@ struct cxl_mem_command { * table will be validated against the user's input. For example, if size_in is * 0, and the user passed in 1, it is an error. */ -static struct cxl_mem_command mem_commands[] = { +static struct cxl_mem_command mem_commands[CXL_MEM_COMMAND_ID_MAX] = { CXL_CMD(IDENTIFY, 0, 0x43, CXL_CMD_FLAG_FORCE_ENABLE), #ifdef CONFIG_CXL_MEM_RAW_COMMANDS CXL_CMD(RAW, ~0, ~0, 0),
Typically the mem_commands[] array is in sync with 'enum { CXL_CMDS }'. Current code works well. However, the array size of mem_commands[] may not strictly be the same as CXL_MEM_COMMAND_ID_MAX. E.g. if a new CXL_CMD() is added that is guarded by #ifdefs, the array could be shorter. This could lead then further to an out-of-bounds array access in cxl_validate_cmd_from_user(). Fix this by forcing the array size to CXL_MEM_COMMAND_ID_MAX. This also adds range checks for array items in mem_commands[] at compile time. Signed-off-by: Robert Richter <rrichter@amd.com> --- drivers/cxl/mem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)