From patchwork Wed Feb 15 00:08:39 2023
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13141062
From: Kees Cook
To: Steve French
Cc: Kees Cook, Paulo Alcantara, Ronnie Sahlberg, Shyam Prasad N, Tom Talpey, linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH] cifs: Convert struct fealist away from 1-element array
Date: Tue, 14 Feb 2023 16:08:39 -0800
Message-Id: <20230215000832.never.591-kees@kernel.org>
X-Mailer: git-send-email 2.34.1
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
List-ID: X-Mailing-List: linux-hardening@vger.kernel.org

The kernel is globally removing the ambiguous 0-length and 1-element arrays in favor of flexible arrays, so that we can gain both compile-time and run-time array bounds checking[1]. While struct fealist is defined as a "fake" flexible array (via a 1-element array), it is only used for examination of the first array element.
Walking the list is performed separately, so there is no reason to treat the "list" member of struct fealist as anything other than a single entry. Adjust the struct and code to match.

Additionally, struct fea uses the "name" member either as a dynamic string, or is manually calculated from the start of the struct. Redefine the member as a flexible array.

No machine code output differences are produced after these changes.

[1] For lots of details, see both:
https://docs.kernel.org/process/deprecated.html#zero-length-and-one-element-arrays
https://people.kernel.org/kees/bounded-flexible-arrays-in-c

Cc: Steve French
Cc: Paulo Alcantara
Cc: Ronnie Sahlberg
Cc: Shyam Prasad N
Cc: Tom Talpey
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Signed-off-by: Kees Cook
---
 fs/cifs/cifspdu.h |  4 ++--
 fs/cifs/cifssmb.c | 16 ++++++++--------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/fs/cifs/cifspdu.h b/fs/cifs/cifspdu.h index 623caece2b10..add73be4902c 100644 --- a/fs/cifs/cifspdu.h +++ b/fs/cifs/cifspdu.h @@ -2583,7 +2583,7 @@ struct fea { unsigned char EA_flags; __u8 name_len; __le16 value_len; - char name[1]; + char name[]; /* optionally followed by value */ } __attribute__((packed)); /* flags for _FEA.fEA */ @@ -2591,7 +2591,7 @@ struct fea { struct fealist { __le32 list_len; - struct fea list[1]; + struct fea list; } __attribute__((packed)); /* used to hold an arbitrary blob of data */ diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c index 60dd4e37030a..7c587157d030 100644 --- a/fs/cifs/cifssmb.c +++ b/fs/cifs/cifssmb.c @@ -5787,7 +5787,7 @@ CIFSSMBQAllEAs(const unsigned int xid, struct cifs_tcon *tcon, /* account for ea list len */ list_len -= 4; - temp_fea = ea_response_data->list; + temp_fea = &ea_response_data->list; temp_ptr = (char *)temp_fea; while (list_len > 0) { unsigned int name_len;
@@ -5902,7 +5902,7 @@ CIFSSMBSetEA(const unsigned int xid, struct cifs_tcon *tcon, else name_len = strnlen(ea_name, 255); - count = sizeof(*parm_data) + ea_value_len + name_len; + count = sizeof(*parm_data) + 1 + ea_value_len + name_len; pSMB->MaxParameterCount = cpu_to_le16(2); /* BB find max SMB PDU from sess */ pSMB->MaxDataCount = cpu_to_le16(1000); @@ -5926,14 +5926,14 @@ CIFSSMBSetEA(const unsigned int xid, struct cifs_tcon *tcon, byte_count = 3 /* pad */ + params + count; pSMB->DataCount = cpu_to_le16(count); parm_data->list_len = cpu_to_le32(count); - parm_data->list[0].EA_flags = 0; + parm_data->list.EA_flags = 0; /* we checked above that name len is less than 255 */ - parm_data->list[0].name_len = (__u8)name_len; + parm_data->list.name_len = (__u8)name_len; /* EA names are always ASCII */ if (ea_name) - strncpy(parm_data->list[0].name, ea_name, name_len); - parm_data->list[0].name[name_len] = 0; - parm_data->list[0].value_len = cpu_to_le16(ea_value_len); + strncpy(parm_data->list.name, ea_name, name_len); + parm_data->list.name[name_len] = '\0'; + parm_data->list.value_len = cpu_to_le16(ea_value_len); /* caller ensures that ea_value_len is less than 64K but we need to ensure that it fits within the smb */ @@ -5941,7 +5941,7 @@ CIFSSMBSetEA(const unsigned int xid, struct cifs_tcon *tcon, negotiated SMB buffer size BB */ /* if (ea_value_len > buffer_size - 512 (enough for header)) */ if (ea_value_len) - memcpy(parm_data->list[0].name+name_len+1, + memcpy(parm_data->list.name + name_len + 1, ea_value, ea_value_len); pSMB->TotalDataCount = pSMB->DataCount;
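Review bot: the `char name[1]` to `char name[]` hunk in cifspdu.h shrinks sizeof(struct fea) (and therefore sizeof(struct fealist)) by one byte under `__attribute__((packed))`, which is why the CIFSSMBSetEA hunk has to add `+ 1` back into `count`; the commit message should say so explicitly, since "No machine code output differences" is only true as long as every sizeof-based length computation on these structs is compensated the same way, and a reader auditing the change needs to know to look for that.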
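Review bot: in the struct fealist hunk, `struct fea list;` now describes a single entry while keeping a name that suggests a whole list; a one-line comment like the one added to `name` (for example `/* first entry; further entries follow in the buffer */`) would make `&ea_response_data->list` in CIFSSMBQAllEAs read as what it is, the starting point of a separate walk driven by list_len rather than an array access.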
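Review bot: the `count = sizeof(*parm_data) + 1 + ea_value_len + name_len;` hunk leaves the `1` unexplained; suggest writing it as a commented term, e.g. `+ 1 /* NUL after name */`, so that nobody later "simplifies" it away. It is the byte the old name[1] used to contribute, and dropping it would under-size the data count by one while the later `name[name_len] = '\0'` and `name + name_len + 1` writes still assume it.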
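Review bot: in the name-copy hunk, `strncpy(parm_data->list.name, ea_name, name_len);` followed by an explicit `name[name_len] = '\0'` could simply be `memcpy(parm_data->list.name, ea_name, name_len);`, since name_len comes from `strnlen(ea_name, 255)` in the hunk above and the terminator is written separately anyway; that also avoids the strncpy pattern the deprecated.html document cited as [1] discourages. The `0` to `'\0'` change in the same hunk is cosmetic and deserves a mention in the commit message so it is not mistaken for a behavioural change.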
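Review bot: the memcpy hunk keeps the pre-existing `/* if (ea_value_len > buffer_size - 512 (enough for header)) */` check commented out above it, so the copy into `parm_data->list.name + name_len + 1` is still bounded only by the caller's 64K promise mentioned in the comment, not by the SMB buffer; that is out of scope here, but worth a follow-up, because the flexible array gives the compile-time and run-time bounds checkers nothing to check against until the enclosing allocation size is known at this point.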
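To make the size arithmetic behind the patch concrete, here is an added example (not code from the patch or from fs/cifs): the pre-patch and post-patch layouts of struct fea / struct fealist side by side, the byte count computed both ways, a builder that fills one entry the way CIFSSMBSetEA does, and a bounds-checked walk of the kind CIFSSMBQAllEAs performs separately from the struct. The `_old`/`_new` suffixes, `count_old()`, `count_new()`, `build_fealist()` and `walk_fealist()` are names chosen here, and the kernel's `__le16`/`__le32` are replaced by host-order fixed-width types.

```c
/* Added example, not part of the patch: compares the 1-element-array and
 * flexible-array layouts of struct fea / struct fealist. Names ending in
 * _old/_new and the helper functions are chosen here, not kernel names. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct fea_old {                 /* layout before the patch */
	unsigned char EA_flags;
	uint8_t name_len;
	uint16_t value_len;
	char name[1];                /* "fake" flexible array */
} __attribute__((packed));

struct fealist_old {
	uint32_t list_len;
	struct fea_old list[1];
} __attribute__((packed));

struct fea_new {                 /* layout after the patch */
	unsigned char EA_flags;
	uint8_t name_len;
	uint16_t value_len;
	char name[];                 /* NUL-terminated name, then the value */
} __attribute__((packed));

struct fealist_new {
	uint32_t list_len;
	struct fea_new list;         /* first entry; later ones follow in memory */
} __attribute__((packed));

/* Count as CIFSSMBSetEA computed it before the patch: sizeof(*parm_data)
 * already included the one byte of name[1]. */
size_t count_old(size_t name_len, size_t value_len)
{
	return sizeof(struct fealist_old) + value_len + name_len;
}

/* Count after the patch: sizeof() shrank by one byte, so the NUL after the
 * name is added back explicitly. Both functions return the same value. */
size_t count_new(size_t name_len, size_t value_len)
{
	return sizeof(struct fealist_new) + 1 + value_len + name_len;
}

/* Serialise one EA into buf as CIFSSMBSetEA does. Returns bytes written,
 * or 0 if the entry would not fit in buf_len. */
size_t build_fealist(unsigned char *buf, size_t buf_len, const char *ea_name,
		     const void *ea_value, size_t ea_value_len)
{
	struct fealist_new *parm_data = (struct fealist_new *)buf;
	size_t name_len = 0, count;

	while (name_len < 255 && ea_name[name_len] != '\0') /* strnlen(, 255) */
		name_len++;
	count = count_new(name_len, ea_value_len);
	if (count > buf_len || ea_value_len > UINT16_MAX)
		return 0;

	parm_data->list_len = (uint32_t)count;       /* cpu_to_le32 in the kernel */
	parm_data->list.EA_flags = 0;
	parm_data->list.name_len = (uint8_t)name_len;
	memcpy(parm_data->list.name, ea_name, name_len);
	parm_data->list.name[name_len] = '\0';
	parm_data->list.value_len = (uint16_t)ea_value_len;
	if (ea_value_len)
		memcpy(parm_data->list.name + name_len + 1, ea_value, ea_value_len);
	return count;
}

/* Walk a received list entry by entry, checking each field against list_len
 * before reading it. Returns the entry count, or -1 for a malformed list. */
int walk_fealist(const unsigned char *buf, size_t buf_len)
{
	const struct fealist_new *fl = (const struct fealist_new *)buf;
	size_t list_len, off = sizeof(fl->list_len);
	int entries = 0;

	if (buf_len < sizeof(fl->list_len))
		return -1;
	list_len = fl->list_len;
	if (list_len > buf_len || list_len < off)
		return -1;
	while (off < list_len) {
		const struct fea_new *e = (const struct fea_new *)(buf + off);
		size_t need;

		if (list_len - off < sizeof(*e))
			return -1;
		need = sizeof(*e) + e->name_len + 1 + e->value_len;
		if (need > list_len - off || e->name[e->name_len] != '\0')
			return -1;
		off += need;
		entries++;
	}
	return entries;
}

int main(void)
{
	unsigned char buf[64];
	size_t n = build_fealist(buf, sizeof(buf), "user.foo", "abc", 3);

	printf("sizeof list old/new: %zu/%zu, count old/new: %zu/%zu\n",
	       sizeof(struct fealist_old), sizeof(struct fealist_new),
	       count_old(8, 3), count_new(8, 3));
	printf("built %zu bytes, walk found %d entry\n", n, walk_fealist(buf, n));
	return 0;
}
```

Compiled with gcc or clang, the two sizeof() values differ by exactly one byte while count_old() and count_new() agree for every name/value length, which is the property the `+ 1` in the CIFSSMBSetEA hunk preserves. The walker shows what the flexible array does not do on its own: list_len and each entry's name_len/value_len still have to be checked against the buffer before the next entry is touched.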