From patchwork Wed May 4 01:44:10 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12836668
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 01/32] netlink: Avoid memcpy() across flexible array boundary
Date: Tue, 3 May 2022 18:44:10 -0700
Message-Id: <20220504014440.3697851-2-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>

In
preparation for run-time memcpy() bounds checking, split the nlmsg copying
for error messages (which crosses a previous unspecified flexible array
boundary) in half. Avoids the future run-time warning:

  memcpy: detected field-spanning write (size 32) of single field "&errmsg->msg" (size 16)

Creates an explicit flexible array at the end of nlmsghdr for the payload,
named "nlmsg_payload". There is no impact on UAPI; the sizeof(struct
nlmsghdr) does not change, but now the compiler can better reason about
where things are being copied.

Fixed-by: Rasmus Villemoes
Link: https://lore.kernel.org/lkml/d7251d92-150b-5346-6237-52afc154bb00@rasmusvillemoes.dk
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Rich Felker
Cc: Eric Dumazet
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 include/uapi/linux/netlink.h | 1 +
 net/netlink/af_netlink.c | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h index 855dffb4c1c3..47f9342d51bc 100644 --- a/include/uapi/linux/netlink.h +++ b/include/uapi/linux/netlink.h @@ -47,6 +47,7 @@ struct nlmsghdr { __u16 nlmsg_flags; /* Additional flags */ __u32 nlmsg_seq; /* Sequence number */ __u32 nlmsg_pid; /* Sending process port ID */ + __u8 nlmsg_payload[];/* Contents of message */ }; /* Flags values */ diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 1b5a9c2e1c29..09346aee1022 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c 
@@ -2445,7 +2445,10 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err, NLMSG_ERROR, payload, flags); errmsg = nlmsg_data(rep); errmsg->error = err; - memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh)); + errmsg->msg = *nlh; + if (payload > sizeof(*errmsg)) + memcpy(errmsg->msg.nlmsg_payload, nlh->nlmsg_payload, + nlh->nlmsg_len - sizeof(*nlh)); if (nlk_has_extack && extack) { if (extack->_msg) {
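Review bot: The new "__u8 nlmsg_payload[];" member in the include/uapi/linux/netlink.h hunk makes struct nlmsghdr a struct that ends in a flexible array, and that is a UAPI change even though sizeof(struct nlmsghdr) stays the same. Userspace commonly embeds struct nlmsghdr as the first member of a larger request struct, where a struct with a trailing flexible array is no longer a plain fixed-size member and draws compiler diagnostics, and C++ users of this header have no standard flexible array members. Please either cover those users in the "no impact on UAPI" argument or keep the new member out of the userspace view of the struct.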
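Review bot: The length "nlh->nlmsg_len - sizeof(*nlh)" in the new memcpy() of the netlink_ack() hunk is an unsigned subtraction with no guard visible in the hunk: if nlmsg_len is ever smaller than sizeof(*nlh) it wraps to a very large size, whereas the removed line copied at most nlmsg_len bytes. Please add a comment naming what guarantees nlmsg_len >= sizeof(*nlh) on this path, or take the payload length from a checked value (nlmsg_len(nlh) already expresses "length minus header"). The "payload > sizeof(*errmsg)" condition is also only an indirect statement that the original payload is being echoed; a short comment saying so would make the split copy easier to audit.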
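The split copy described in the [PATCH 01/32] message, as an added userspace example that is not code from the patch or the kernel: the fixed header is copied by struct assignment and the payload by a separate memcpy() into the flexible array, with the request length validated before the subtraction. All demo_* names and the constructed 16-byte payload are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of struct nlmsghdr after the patch (16-byte header). */
struct demo_hdr {
	uint32_t len;		/* total length, header included (cf. nlmsg_len) */
	uint16_t type;
	uint16_t flags;
	uint32_t seq;
	uint32_t pid;
	uint8_t  payload[];	/* explicit flexible array (cf. nlmsg_payload) */
};

/* Hypothetical model of struct nlmsgerr: error code plus echoed message. */
struct demo_err {
	int32_t error;
	struct demo_hdr msg;	/* flex-array struct as last member (GNU C) */
};

/*
 * Build an error reply for @req, of which @req_avail bytes are known valid.
 * Returns 0 and sets *out / *out_len, or a negative errno.
 */
static int demo_build_ack(const struct demo_hdr *req, size_t req_avail,
			  int err, int echo_payload,
			  struct demo_err **out, size_t *out_len)
{
	size_t payload_len = 0, total;
	struct demo_err *rep;

	if (!req || !out || *out || !out_len)
		return -EINVAL;		/* no NULL deref, no leaked allocation */
	if (req_avail < sizeof(*req))
		return -EINVAL;		/* header itself must be readable */
	if (req->len < sizeof(*req) || req->len > req_avail)
		return -EINVAL;		/* no wrap in len - sizeof, no over-read */
	if (echo_payload)
		payload_len = req->len - sizeof(*req);
	if (__builtin_add_overflow(sizeof(*rep), payload_len, &total))
		return -E2BIG;
	rep = calloc(1, total);
	if (!rep)
		return -ENOMEM;

	rep->error = err;
	rep->msg = *req;		/* fixed 16-byte header only */
	if (payload_len)		/* payload goes into the flexible array */
		memcpy(rep->msg.payload, req->payload, payload_len);
	*out = rep;
	*out_len = total;
	return 0;
}

/*
 * Constructed test input: a 32-byte request (16-byte header + 16 payload
 * bytes of 0xAB) whose claimed length is @claimed_len. Callers must keep
 * @avail <= 32. Returns the reply size on success or a negative errno.
 */
static long demo_roundtrip(uint32_t claimed_len, size_t avail, int echo)
{
	enum { PAYLOAD = 16 };
	struct demo_hdr *req = calloc(1, sizeof(*req) + PAYLOAD);
	struct demo_err *rep = NULL;
	size_t rep_len = 0;
	long ret;

	if (!req)
		return -ENOMEM;
	req->len = claimed_len;
	req->seq = 7;
	memset(req->payload, 0xAB, PAYLOAD);

	ret = demo_build_ack(req, avail, -EPERM, echo, &rep, &rep_len);
	if (ret == 0) {
		size_t echoed = rep_len - sizeof(*rep);

		if (rep->error != -EPERM || rep->msg.seq != 7 ||
		    memcmp(rep->msg.payload, req->payload, echoed) != 0)
			ret = -EIO;
		else
			ret = (long)rep_len;
	}
	free(rep);
	free(req);
	return ret;
}

int main(void)
{
	printf("echo payload:   %ld\n", demo_roundtrip(32, 32, 1));
	printf("header only:    %ld\n", demo_roundtrip(32, 32, 0));
	printf("len too small:  %ld\n", demo_roundtrip(8, 32, 1));
	printf("len too large:  %ld\n", demo_roundtrip(64, 32, 1));
	return 0;
}
```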
From patchwork Wed May 4 01:44:11 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12836667
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 02/32] Introduce flexible array struct memcpy() helpers
Date: Tue, 3 May 2022 18:44:11 -0700
Message-Id: <20220504014440.3697851-3-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>

The compiler
is not able to automatically perform bounds checking on structures that
end in flexible arrays: __builtin_object_size() is compile-time only.
Any possible run-time checks are currently short-circuited because there
isn't an obvious common way to figure out the bounds of such a structure.
C has no way (yet[1]) to signify which struct member holds the number of
allocated flexible array elements (like exists in other languages).

As a result, the kernel (and C projects generally) need to manually check
the bounds, check the element size calculations, and perform sanity
checking on all the associated variable types in between (e.g. 260 cannot
be stored in a u8). This is extremely fragile.

However, even if we could do all this through a magic memcpy(), the API
itself doesn't provide meaningful feedback, which forces the kernel into
an "all or nothing" approach: either do the copy or panic the system. Any
failure conditions should be _detectable_, with API users able to
gracefully recover.

To deal with these needs, create a set of helper functions that do the
work of memcpy() but perform the needed bounds checking based on the
arguments given: flex_cpy(). The common pattern of "allocate and copy" is
also included: flex_dup(). However, one of the most common patterns is
deserialization: allocating and populating flexible array members from a
byte array: mem_to_flex_dup(). And if the elements are already allocated:
mem_to_flex().

The concept of a "flexible array structure" is introduced, which is a
struct that has both a trailing flexible array member _and_ an element
count member. If a struct lacks the element count member, it's just a
blob: there are no bounds associated with it.

The most common style of flexible array struct in the kernel is a "normal"
one, where both the flex-array and element-count are present:

    struct flex_array_struct_example {
        ...             /* arbitrary members */
        u16 part_count; /* count of elements stored in "parts" below. */
        ...             /* arbitrary members */
        u32 parts[];    /* flexible array with elements of type u32. */
    };

Next are "encapsulating flexible array structs", which is just a struct
that contains a flexible array struct as its final member:

    struct encapsulating_example {
        ...             /* arbitrary members */
        struct flex_array_struct_example fas;
    };

There are also "split" flex array structs, which have the element-count
member in a separate struct level than the flex-array member:

    struct split_example {
        ...             /* arbitrary members */
        u16 part_count; /* count of elements stored in "parts" below. */
        ...             /* arbitrary members */
        struct blob_example {
            ...         /* other blob members */
            u32 parts[];/* flexible array with elements of type u32. */
        } blob;
    };

To have the helpers deal with these arbitrary layouts, the names of the
flex-array and element-count members need to be specified with each use
(since C lacks the array-with-length syntax[1] so the compiler cannot
automatically determine them). However, for the "normal" (most common)
case, we can get close to "automatic" by explicitly declaring common
member aliases "__flex_array_elements", and "__flex_array_elements_count"
respectively. The regular helpers use these members, but extended helpers
exist to cover the other two code patterns.

For example, using the most complicated helper, mem_to_flex_dup():

    /* Flexible array struct with members identified. */
    struct something {
        int mode;
        DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, how_many);
        unsigned long flags;
        DECLARE_FLEX_ARRAY_ELEMENTS(u32, value);
    };
    ...
    struct something *instance = NULL;
    int rc;

    rc = mem_to_flex_dup(&instance, byte_array, count, GFP_KERNEL);
    if (rc)
        return rc;

This will:

- validate "instance" is non-NULL (no NULL dereference).
- validate "*instance" is NULL (no memory allocation resource leak).
- validate that "count" is:
  - non-negative (no arithmetic underflow).
  - has a value that can be stored in the "how_many" type (no value
    truncation).
- calculate the bytes needed to store "count"-many trailing u32 elements
  (no arithmetic overflow/underflow).
- calculate the bytes needed for a "struct something" with the above
  trailing elements (no arithmetic overflow/underflow).
- allocate the memory and check the result (no NULL dereference).
- initialize the non-flex-array portion of the struct to zero (no
  uninitialized memory usage).
- copy from "buf" into the flexible array elements.

If anything goes wrong, it returns a negative errno.

With these helpers the kernel can move away from many of the open-coded
patterns of using memcpy() with a dynamically-sized destination buffer.

[1] https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1990.htm

Cc: "Gustavo A. R. Silva"
Cc: Keith Packard
Cc: Francis Laniel
Cc: Daniel Axtens
Cc: Dan Williams
Cc: Vincenzo Frascino
Cc: Guenter Roeck
Cc: Daniel Vetter
Cc: Tadeusz Struk
Signed-off-by: Kees Cook
---
 include/linux/flex_array.h | 637 ++++++++++++++++++++++++++++++++++++
 include/linux/string.h | 1 +
 include/uapi/linux/stddef.h | 14 +
 3 files changed, 652 insertions(+)
 create mode 100644 include/linux/flex_array.h

diff --git a/include/linux/flex_array.h b/include/linux/flex_array.h new file mode 100644 index 000000000000..b2cf219f7b56 --- /dev/null +++ b/include/linux/flex_array.h 
@@ -0,0 +1,637 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _LINUX_FLEX_ARRAY_H_ +#define _LINUX_FLEX_ARRAY_H_ + +#include +/* + * A "flexible array structure" is a struct which ends with a flexible + * array _and_ contains a member that represents how many array elements + * are present in the flexible array structure: + * + * struct flex_array_struct_example { + * ... // arbitrary members + * u16 part_count; // count of elements stored in "parts" below. + * .. // arbitrary members + * u32 parts[]; // flexible array with elements of type u32. + * }; + * + * Without the "count of elements" member, a structure ending with a + * flexible array has no way to check its own size, and should be + * considered just a blob of memory that is length-checked through some + * other means. Kernel structures with flexible arrays should strive to + * always be true flexible array structures so that they can be operated + * on with the flex*()-family of helpers defined below. + * + * An "encapsulating flexible array structure" is a structure that contains + * a full "flexible array structure" as its final struct member. These are + * used frequently when needing to pass around a copy of a flexible array + * structure, and track other things about the data outside of the scope of + * the flexible array structure itself: + * + * struct encapsulating_example { + * ... // other members + * struct flex_array_struct_example fas; + * }; + * + * For bounds checking operations on a flexible array structure, member + * aliases must be created so the helpers can always locate the associated + * members. Marking up the examples above would look like this: + * + * struct flex_array_struct_example { + * ... // arbitrary members + * // count of elements stored in "parts" below. + * DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u16, part_count); + * .. // arbitrary members + * // flexible array with elements of type u32. 
+ * DECLARE_FLEX_ARRAY_ELEMENTS(u32, parts); + * }; + * + * The above creates the aliases for part_count as __flex_array_elements_count + * and parts as __flex_array_elements. + * + * For encapsulated flexible array structs, there are alternative helpers + * below where the flexible array struct member name can be explicitly + * included as an argument. (See the @dot_fas_member arguments below.) + * + * + * Examples: + * + * Using mem_to_flex(): + * + * struct single { + * u32 flags; + * u32 count; + * u8 data[]; + * }; + * struct single *ptr_single; + * + * struct encap { + * u16 info; + * struct single single; + * }; + * struct encap *ptr_encap; + * + * struct blob { + * u32 flags; + * u8 data[]; + * }; + * + * struct split { + * u32 count; + * struct blob blob; + * }; + * struct split *ptr_split; + * + * mem_to_flex(ptr_one, src, count); + * __mem_to_flex(ptr_encap, single.data, single.count, src, count); + * __mem_to_flex(ptr_split, count, blob.data, src, count); + * + */ + +/* These are wrappers around the UAPI macros. */ +#define DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(TYPE, NAME) \ + __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(TYPE, NAME) + +#define DECLARE_FLEX_ARRAY_ELEMENTS(TYPE, NAME) \ + __DECLARE_FLEX_ARRAY_ELEMENTS(TYPE, NAME) + +/* All the helpers return negative on failure, as must be checked. */ +static inline int __must_check __must_check_errno(int err) +{ + return err; +} + +/** + * __fas_elements_bytes - Calculate potential size of the flexible + * array elements of a given flexible array + * structure. + * + * @p: Pointer to flexible array structure. + * @flex_member: Member name of the flexible array elements. + * @count_member: Member name of the flexible array elements count. + * @elements_count: Count of proposed number of @p->__flex_array_elements + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * Returns: 0 on successful calculation, -ve on error. 
+ * + * This performs the same calculation as flex_array_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned. + */ +#define __fas_elements_bytes(p, flex_member, count_member, \ + elements_count, bytes) \ +__must_check_errno(({ \ + int __feb_err = -EINVAL; \ + size_t __feb_elements_count = (elements_count); \ + size_t __feb_elements_max = \ + type_max(typeof((p)->count_member)); \ + if (__feb_elements_count > __feb_elements_max || \ + check_mul_overflow(sizeof(*(p)->flex_member), \ + __feb_elements_count, bytes)) { \ + *(bytes) = 0; \ + __feb_err = -E2BIG; \ + } else { \ + __feb_err = 0; \ + } \ + __feb_err; \ +})) + +/** + * fas_elements_bytes - Calculate current size of the flexible array + * elements of a given flexible array structure. + * + * @p: Pointer to flexible array structure. + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * Returns: 0 on successful calculation, -ve on error. + * + * This performs the same calculation as flex_array_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned. + */ +#define fas_elements_bytes(p, bytes) \ + __fas_elements_bytes(p, __flex_array_elements, \ + __flex_array_elements_count, \ + (p)->__flex_array_elements_count, bytes) + +/** __fas_bytes - Calculate potential size of flexible array structure + * + * @p: Pointer to flexible array structure. + * @flex_member: Member name of the flexible array elements. + * @count_member: Member name of the flexible array elements count. + * @elements_count: Count of proposed number of @p->__flex_array_elements + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * Returns: 0 on successful calculation, -ve on error. + * + * This performs the same calculation as struct_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned. 
+ */ +#define __fas_bytes(p, flex_member, count_member, elements_count, bytes)\ +__must_check_errno(({ \ + int __fasb_err; \ + typeof(*bytes) __fasb_bytes; \ + \ + if (__fas_elements_bytes(p, flex_member, count_member, \ + elements_count, &__fasb_bytes) || \ + check_add_overflow(sizeof(*(p)), __fasb_bytes, bytes)) { \ + *(bytes) = 0; \ + __fasb_err = -E2BIG; \ + } else { \ + __fasb_err = 0; \ + } \ + __fasb_err; \ +})) + +/** fas_bytes - Calculate current size of flexible array structure + * + * @p: Pointer to flexible array structure. + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * This performs the same calculation as struct_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned, using the current size of the flexible array + * structure (via @p->__flexible_array_elements_count). + * + * Returns: 0 on successful calculation, -ve on error. + */ +#define fas_bytes(p, bytes) \ + __fas_bytes(p, __flex_array_elements, \ + __flex_array_elements_count, \ + (p)->__flex_array_elements_count, bytes) + +/** flex_cpy - Copy from one flexible array struct into another with count conversion + * + * @dst: Destination pointer + * @src: Source pointer + * + * The full structure of @src will be copied to @dst, including all trailing + * flexible array elements. @dst->__flex_array_elements_count must be large + * enough to hold @src->__flex_array_elements_count. Any elements left over + * in @dst will be zero-wiped. + * + * Returns: 0 on successful calculation, -ve on error. 
+ */ +#define flex_cpy(dst, src) __must_check_errno(({ \ + int __fc_err = -EINVAL; \ + typeof(*(dst)) *__fc_dst = (dst); \ + typeof(*(src)) *__fc_src = (src); \ + size_t __fc_dst_bytes, __fc_src_bytes; \ + \ + BUILD_BUG_ON(!__same_type(*(__fc_dst), *(__fc_src))); \ + \ + do { \ + if (fas_bytes(__fc_dst, &__fc_dst_bytes) || \ + fas_bytes(__fc_src, &__fc_src_bytes) || \ + __fc_dst_bytes < __fc_src_bytes) { \ + /* do we need to wipe dst here? */ \ + __fc_err = -E2BIG; \ + break; \ + } \ + __builtin_memcpy(__fc_dst, __fc_src, __fc_src_bytes); \ + /* __flex_array_elements_count is included in memcpy */ \ + /* Wipe any now-unused trailing elements in @dst: */ \ + __builtin_memset((u8 *)__fc_dst + __fc_src_bytes, 0, \ + __fc_dst_bytes - __fc_src_bytes); \ + __fc_err = 0; \ + } while (0); \ + __fc_err; \ +})) + +/** __flex_dup - Allocate and copy an arbitrarily encapsulated flexible + * array struct + * + * @alloc: Pointer to Pointer to hold to-be-allocated (optionally + * encapsulating) flexible array struct. + * @dot_fas_member: For encapsulating flexible arrays, the name of the + * flexible array struct member preceded with a literal + * dot (e.g. .foo.bar.flex_array_struct_name). For a + * regular flexible array struct, this macro arument is + * empty. + * @src: Pointer to source flexible array struct. + * @gfp: GFP allocation flags + * + * This copies the contents of one flexible array struct into another. + * The (**@alloc)@dot_fas_member and @src arguments must resolve to the + * same type. Everything prior to @dot_fas_member in *@alloc will be + * initialized to zero. + * + * Failure modes: + * - @alloc is NULL. + * - *@alloc is not NULL (something was already allocated). + * - Required allocation size is larger than size_t can hold. + * - No available memory to allocate @alloc. + * + * Returns: 0 on success, -ve on failure. 
+ */ +#define __flex_dup(alloc, dot_fas_member, src, gfp) \ +__must_check_errno(({ \ + int __fd_err = -EINVAL; \ + typeof(*(src)) *__fd_src = (src); \ + typeof(**(alloc)) *__fd_alloc; \ + typeof((*__fd_alloc)dot_fas_member) *__fd_dst; \ + size_t __fd_alloc_bytes, __fd_copy_bytes; \ + \ + BUILD_BUG_ON(!__same_type(*(__fd_dst), *(__fd_src))); \ + \ + do { \ + if ((uintptr_t)(alloc) < 1 || *(alloc)) { \ + __fd_err = -EINVAL; \ + break; \ + } \ + if (fas_bytes(__fd_src, &__fd_copy_bytes) || \ + check_add_overflow(__fd_copy_bytes, \ + sizeof(*__fd_alloc) - \ + sizeof(*__fd_dst), \ + &__fd_alloc_bytes)) { \ + __fd_err = -E2BIG; \ + break; \ + } \ + __fd_alloc = kmalloc(__fd_alloc_bytes, gfp); \ + if (!__fd_alloc) { \ + __fd_err = -ENOMEM; \ + break; \ + } \ + __fd_dst = &((*__fd_alloc)dot_fas_member); \ + /* Optimize away any unneeded memset. */ \ + if (sizeof(*__fd_alloc) != sizeof(*__fd_dst)) \ + __builtin_memset(__fd_alloc, 0, \ + __fd_alloc_bytes - \ + __fd_copy_bytes); \ + __builtin_memcpy(__fd_dst, src, __fd_copy_bytes); \ + /* __flex_array_elements_count is included in memcpy */ \ + *(alloc) = __fd_alloc; \ + __fd_err = 0; \ + } while (0); \ + __fd_err; \ +})) + +/** flex_dup - Allocate and copy a flexible array struct + * + * @alloc: Pointer to Pointer to hold to-be-allocated flexible array struct. + * @src: Pointer to source flexible array struct. + * @gfp: GFP allocation flags + * + * This copies the contents of one flexible array struct into another. + * The *@alloc and @src arguments must resolve to the same type. + * + * Failure modes: + * - @alloc is NULL. + * - *@alloc is not NULL (something was already allocated). + * - Required allocation size is larger than size_t can hold. + * - No available memory to allocate @alloc. + * + * Returns: 0 on success, -ve on failure. 
+ */ +#define flex_dup(alloc, src, gfp) \ + __flex_dup(alloc, /* alloc itself */, src, gfp) + +/** __mem_to_flex - Copy from memory buffer into a flexible array structure's + * flexible array elements. + * + * @ptr: Pointer to already allocated flexible array struct. + * @flex_member: Member name of the flexible array elements. + * @count_member: Member name of the flexible array elements count. + * @src: Source memory pointer. + * @elements_count: Number of @ptr's flexible array elements to copy from + * @src into @ptr. + * + * Copies @elements_count-many elements from memory buffer at @src into + * @ptr->@flex_member, wipes any remaining elements, and updates + * @ptr->@count_member. + * + * This is essentially a simple deserializer. + * + * TODO: It would be nice to automatically discover the max bounds of @src + * besides @elements_count. There is currently no universal way to ask + * "what is the size of a given pointer's allocation?" So for + * now just use __builtin_object_size(@src, 1) to validate known + * compile-time too-large conditions. Perhaps in the future if + * __mtf_copy_bytes above is > PAGE_SIZE, perform a dynamic lookup + * using something similar to __check_heap_object(). + * + * Failure conditions: + * - The value of @elements_count cannot fit in the @ptr's @count_member + * type (e.g. 260 in a u8). + * - @ptr's @count_member value is smaller than @elements_count (e.g. not + * enough space was previously allocated). + * - @elements_count yields a byte count greater than: + * - INT_MAX (as a simple "too big" sanity check) + * - the compile-time size of @src (when it can be determined) + * + * Returns: 0 on success, -ve on error. 
+ */ +#define __mem_to_flex(ptr, flex_member, count_member, src, \ + elements_count) \ +__must_check_errno(({ \ + int __mtf_err = -EINVAL; \ + typeof(*(ptr)) *__mtf_ptr = (ptr); \ + typeof(elements_count) __mtf_src_count = (elements_count); \ + size_t __mtf_copy_bytes, __mtf_dst_bytes; \ + u8 *__mtf_dst = (u8 *)__mtf_ptr->flex_member; \ + \ + do { \ + if (is_negative(__mtf_src_count) || \ + __fas_elements_bytes(__mtf_ptr, flex_member, \ + count_member, \ + __mtf_src_count, \ + &__mtf_copy_bytes) || \ + __mtf_copy_bytes > INT_MAX || \ + __mtf_copy_bytes > __builtin_object_size(src, 1) || \ + __fas_elements_bytes(__mtf_ptr, flex_member, \ + count_member, \ + __mtf_ptr->count_member, \ + &__mtf_dst_bytes) || \ + __mtf_dst_bytes < __mtf_copy_bytes) { \ + __mtf_err = -E2BIG; \ + break; \ + } \ + __builtin_memcpy(__mtf_dst, src, __mtf_copy_bytes); \ + /* Wipe any now-unused trailing elements in @dst: */ \ + __builtin_memset(__mtf_dst + __mtf_dst_bytes, 0, \ + __mtf_dst_bytes - __mtf_copy_bytes); \ + /* Make sure in-struct count of elements is updated: */ \ + __mtf_ptr->count_member = __mtf_src_count; \ + __mtf_err = 0; \ + } while (0); \ + __mtf_err; \ +})) + +#define mem_to_flex(ptr, src, elements_count) \ + __mem_to_flex(ptr, __flex_array_elements, \ + __flex_array_elements_count, src, elements_count) + +/** __mem_to_flex_dup - Allocate a flexible array structure and copy into + * its flexible array elements from a memory buffer. + * + * @alloc: Pointer to pointer to hold allocation for flexible array struct. + * @dot_fas_member: For encapsulating flexible array structs, the name of + * the flexible array struct member preceded with a + * literal dot (e.g. .foo.bar.flex_array_struct_name). + * For a regular flexible array struct, this macro arument + * is empty. + * @src: Source memory buffer pointer. + * @elements_count: Number of @alloc's flexible array elements to copy from + * @src into @ptr. 
+ * @gfp: GFP allocation flags + * + * This behaves like mem_to_flex(), but allocates the needed space for + * a new flexible array struct and its trailing elements. + * + * This is essentially a simple allocating deserializer. + * + * TODO: It would be nice to automatically discover the max bounds of @src + * besides @elements_count. There is currently no universal way to ask + * "what is the size of a given pointer's allocation?" So for now just + * use __builtin_object_size(@src, 1) to validate known compile-time + * too-large conditions. Perhaps in the future if __mtfd_copy_bytes + * above is > PAGE_SIZE, perform a dynamic lookup using something + * similar to __check_heap_object(). + * + * Failure conditions: + * - @alloc is NULL. + * - *@alloc is not NULL (something was already allocated). + * - The value of @elements_count cannot fit in the @alloc's + * __flex_array_elements_count member type (e.g. 260 in u8). + * - @elements_count yields a byte count greater than: + * - INT_MAX (as a simple "too big" sanity check) + * - the compile-time size of @src (when it can be determined) + * - @alloc could not be allocated. + * + * Returns: 0 on success, -ve on error. 
+ */ +#define __mem_to_flex_dup(alloc, dot_fas_member, src, elements_count, \ + gfp) \ +__must_check_errno(({ \ + int __mtfd_err = -EINVAL; \ + typeof(elements_count) __mtfd_src_count = (elements_count); \ + typeof(**(alloc)) *__mtfd_alloc; \ + typeof((*__mtfd_alloc)dot_fas_member) *__mtfd_fas; \ + u8 *__mtfd_dst; \ + size_t __mtfd_alloc_bytes, __mtfd_copy_bytes; \ + \ + do { \ + if ((uintptr_t)(alloc) < 1 || *(alloc)) { \ + __mtfd_err = -EINVAL; \ + break; \ + } \ + if (is_negative(__mtfd_src_count) || \ + __fas_elements_bytes(__mtfd_fas, \ + __flex_array_elements, \ + __flex_array_elements_count, \ + __mtfd_src_count, \ + &__mtfd_copy_bytes) || \ + __mtfd_copy_bytes > INT_MAX || \ + __mtfd_copy_bytes > __builtin_object_size(src, 1) ||\ + check_add_overflow(sizeof(*__mtfd_alloc), \ + __mtfd_copy_bytes, \ + &__mtfd_alloc_bytes)) { \ + __mtfd_err = -E2BIG; \ + break; \ + } \ + __mtfd_alloc = kmalloc(__mtfd_alloc_bytes, gfp); \ + if (!__mtfd_alloc) { \ + __mtfd_err = -ENOMEM; \ + break; \ + } \ + __mtfd_fas = &((*__mtfd_alloc)dot_fas_member); \ + __mtfd_dst = (u8 *)__mtfd_fas->__flex_array_elements; \ + __builtin_memset(__mtfd_alloc, 0, __mtfd_alloc_bytes - \ + __mtfd_copy_bytes); \ + __builtin_memcpy(__mtfd_dst, src, __mtfd_copy_bytes); \ + /* Make sure in-struct count of elements is updated: */ \ + __mtfd_fas->__flex_array_elements_count = \ + __mtfd_src_count; \ + *(alloc) = __mtfd_alloc; \ + __mtfd_err = 0; \ + } while (0); \ + __mtfd_err; \ +})) + +/** mem_to_flex_dup - Allocate a flexible array structure and copy + * into it from a memory buffer. + * + * @alloc: Pointer to pointer to hold allocation for flexible array struct. + * @src: Source memory pointer. + * @elements_count: Number of @alloc's flexible array elements to copy from + * @src into @alloc. + * @gfp: GFP allocation flags + * + * This behaves like mem_to_flex(), but allocates the needed space for + * a new flexible array struct and its trailing elements. 
+ * + * This is essentially a simple allocating deserializer. + * + * TODO: It would be nice to automatically discover the max bounds of @src + * besides @elements_count. There is currently no universal way to ask + * "what is the size of a given pointer's allocation?" So for + * now just use __builtin_object_size(@src, 1) to validate known + * compile-time too-large conditions. Perhaps in the future if + * __mtf_copy_bytes above is > PAGE_SIZE, perform a dynamic lookup + * using something similar to __check_heap_object(). + * + * Failure conditions: + * - @alloc is NULL. + * - *@alloc is not NULL (something was already allocated). + * - The value of @elements_count cannot fit in the @alloc's + * __flex_array_elements_count member type (e.g. 260 in u8). + * - @elements_count yields a byte count greater than: + * - INT_MAX (as a simple "too big" sanity check) + * - the compile-time size of @src (when it can be determined) + * - @alloc could not be allocated. + * + * Returns: 0 on success, -ve on error. + */ +#define mem_to_flex_dup(alloc, src, elements_count, gfp) \ + __mem_to_flex_dup(alloc, /* alloc itself */, src, elements_count, gfp) + +/** flex_to_mem - Copy all flexible array structure elements into memory + * buffer. + * + * @dst: Destination buffer pointer. + * @bytes_available: How many bytes are available in @dst. + * @ptr: Pointer to allocated flexible array struct. + * @bytes_written: Pointer to variable to store how many bytes were written + * (may be NULL). + * + * Copies all of @ptr's flexible array elements into @dst. + * + * This is essentially a simple serializer. + * + * Failure conditions: + * - @bytes_available in @dst is any of: + * - negative. + * - larger than INT_MAX. + * - not large enough to hold the resulting copy. + * - @bytes_written's type cannot hold the size of the copy (e.g. 260 in u8). + * + * Return: 0 on success, -ve on failure. 
+ * + */ +#define flex_to_mem(dst, bytes_available, ptr, bytes_written) \ +__must_check_errno(({ \ + int __ftm_err = -EINVAL; \ + typeof(*(ptr)) *__ftm_ptr = (ptr); \ + u8 *__ftm_src = (u8 *)__ftm_ptr->__flex_array_elements; \ + typeof(*(bytes_written)) *__ftm_written = (bytes_written); \ + size_t __ftm_written_max = type_max(typeof(*__ftm_written)); \ + typeof(bytes_available) __ftm_dst_bytes = (bytes_available); \ + size_t __ftm_copy_bytes; \ + \ + do { \ + if (is_negative(__ftm_dst_bytes) || \ + __ftm_dst_bytes > INT_MAX || \ + fas_elements_bytes(__ftm_ptr, &__ftm_copy_bytes) || \ + __ftm_dst_bytes < __ftm_copy_bytes || \ + (!__same_type(typeof(bytes_written), NULL) && \ + __ftm_copy_bytes > __ftm_written_max)) { \ + __ftm_err = -E2BIG; \ + break; \ + } \ + __builtin_memcpy(dst, __ftm_src, __ftm_copy_bytes); \ + if (__ftm_written) \ + *__ftm_written = __ftm_copy_bytes; \ + __ftm_err = 0; \ + } while (0); \ + __ftm_err; \ +})) + +/** flex_to_mem_dup - Copy entire flexible array structure into newly + * allocated memory buffer. + * + * @alloc: Pointer to pointer to newly allocated memory region to hold contents + * of the copy. + * @alloc_size: Pointer to variable to hold the size of the allocated memory. + * @ptr: Pointer to allocated flexible array struct. + * @gfp: GFP allocation flags + * + * Allocates @alloc and copies all of @ptr's flexible array elements. + * + * This is essentially a simple allocating serializer. + * + * Failure conditions: + * - @alloc is NULL. + * - *@alloc is not NULL (something was already allocated). + * - @alloc_size is NULL. + * - @alloc_size's type cannot hold the size of the copy (e.g. 260 in u8). + * - @alloc could not be allocated. + * + * Return: 0 on success, -ve on failure. 
+ */ +#define flex_to_mem_dup(alloc, alloc_size, ptr, gfp) \ +__must_check_errno(({ \ + int __ftmd_err = -EINVAL; \ + typeof(**(alloc)) *__ftmd_alloc; \ + typeof(*(alloc_size)) *__ftmd_alloc_size = (alloc_size); \ + typeof(*(ptr)) *__ftmd_ptr = (ptr); \ + u8 *__ftmd_src = (u8 *)__ftmd_ptr->__flex_array_elements; \ + size_t __ftmd_alloc_max = type_max(typeof(*__ftmd_alloc_size)); \ + size_t __ftmd_copy_bytes; \ + \ + do { \ + if ((uintptr_t)(alloc) < 1 || *(alloc) || \ + (uintptr_t)(alloc_size) < 1) { \ + __ftmd_err = -EINVAL; \ + break; \ + } \ + if (fas_elements_bytes(__ftmd_ptr, \ + &__ftmd_copy_bytes) || \ + __ftmd_copy_bytes > __ftmd_alloc_max) { \ + __ftmd_err = -E2BIG; \ + break; \ + } \ + __ftmd_alloc = kmemdup(__ftmd_src, __ftmd_copy_bytes, \ + gfp); \ + if (!__ftmd_alloc) { \ + __ftmd_err = -ENOMEM; \ + break; \ + } \ + *__ftmd_alloc_size = __ftmd_copy_bytes; \ + *(alloc) = __ftmd_alloc; \ + __ftmd_err = 0; \ + } while (0); \ + __ftmd_err; \ +})) + +#endif /* _LINUX_FLEX_ARRAY_H_ */ diff --git a/include/linux/string.h b/include/linux/string.h index b6572aeca2f5..c01b76f73e99 100644 --- a/include/linux/string.h +++ b/include/linux/string.h @@ -252,6 +252,7 @@ static inline const char *kbasename(const char *path) #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE) #include #endif +#include void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count, int pad); diff --git a/include/uapi/linux/stddef.h b/include/uapi/linux/stddef.h index 7837ba4fe728..04870274f33b 100644 --- a/include/uapi/linux/stddef.h +++ b/include/uapi/linux/stddef.h 
@@ -44,4 +44,18 @@ struct { } __empty_ ## NAME; \ TYPE NAME[]; \ } + +/* For use with flexible array structure helpers, in */ +#define __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(TYPE, NAME) \ + union { \ + TYPE __flex_array_elements_count; \ + TYPE NAME; \ + } + +#define __DECLARE_FLEX_ARRAY_ELEMENTS(TYPE, NAME) \ + union { \ + __DECLARE_FLEX_ARRAY(TYPE, __flex_array_elements); \ + __DECLARE_FLEX_ARRAY(TYPE, NAME); \ + } + #endif
From patchwork Wed May 4 01:44:12 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12836670
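Review bot: In __flex_dup() the copy reads from the raw macro argument, `__builtin_memcpy(__fd_dst, src, __fd_copy_bytes)`, although `src` was already captured in `__fd_src` and the byte count was computed from `__fd_src`. An argument with side effects is evaluated twice, and the pointer that is copied from can differ from the one that was measured; please use `__fd_src` here. The same pattern appears in __mem_to_flex() and __mem_to_flex_dup(), where `src` is expanded in both `__builtin_object_size(src, 1)` and the memcpy without a local, and `alloc` is expanded in the NULL check, in `*(alloc)` and in the final store.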
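Review bot: In __mem_to_flex() the trailing wipe starts at the wrong offset: `__builtin_memset(__mtf_dst + __mtf_dst_bytes, 0, __mtf_dst_bytes - __mtf_copy_bytes)` begins at the end of the destination's currently counted elements. It therefore writes `__mtf_dst_bytes - __mtf_copy_bytes` zero bytes beyond them (beyond the allocation when it was sized for exactly count_member elements) and leaves the stale elements between the end of the copy and the old end untouched, which is the opposite of what the comment and the kernel-doc ("wipes any remaining elements") promise. The start should be `__mtf_dst + __mtf_copy_bytes`. mem_to_flex_test() in 03/32 does not catch this because dst is kzalloc()ed larger than dst->count and is never pre-filled with a marker the way flex_cpy_test() does with 0xFE and 0xFD.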
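Review bot: In __mem_to_flex_dup() `__mtfd_fas` is declared without an initializer and passed to `__fas_elements_bytes(__mtfd_fas, ...)` before it is assigned from `&((*__mtfd_alloc)dot_fas_member)` after the kmalloc(). If that helper only uses its first argument for its type this is harmless at run time, but it reads as a use of an uninitialized pointer and may draw a compiler warning; initialize it to NULL or add a comment that only the type is consumed. In the kernel-doc above it, "arument" should be "argument", @elements_count says "from @src into @ptr" although this macro has no @ptr parameter, and the TODO in mem_to_flex_dup() refers to `__mtf_copy_bytes`, which is the variable of a different macro.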
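Review bot: The flex_to_mem() kernel-doc says @bytes_written "may be NULL", but I do not see how a literal NULL argument compiles: `typeof(*(bytes_written)) *__ftm_written` becomes a `void *`, and the body then contains `*__ftm_written = __ftm_copy_bytes`, an assignment through a void pointer, even though it sits behind `if (__ftm_written)`. The `__same_type(typeof(bytes_written), NULL)` test suggests the NULL case was intended to work, yet flex_to_mem_test() in 03/32 only ever passes `&bytes` and `&too_small`. Please either make the NULL case build (and add a test for it) or drop "may be NULL" from the documentation. Separately, the flex_to_mem_dup() summary line says it copies the "entire flexible array structure" while the body and the code copy only the flexible array elements.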
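Review bot: The two macros added to the UAPI stddef.h carry only a one-line comment. Each one injects a fixed member name (`__flex_array_elements_count`, `__flex_array_elements`) into the enclosing struct through an anonymous union, so a struct can use each macro at most once and must not already have a member with that name. Please document that constraint at the definitions, since this header is visible to userspace and the names become part of every struct that adopts the helpers.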
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 03/32] flex_array: Add Kunit tests
Date: Tue, 3 May 2022 18:44:12 -0700
Message-Id: <20220504014440.3697851-4-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

Add tests for the new flexible array structure helpers. These can be run
with:

  make ARCH=um mrproper
  ./tools/testing/kunit/kunit.py config
  ./tools/testing/kunit/kunit.py run flex_array

Cc: David Gow
Cc: kunit-dev@googlegroups.com
Signed-off-by: Kees Cook
Reviewed-by: David Gow
---
 lib/Kconfig.debug      |  12 +-
 lib/Makefile           |   1 +
 lib/flex_array_kunit.c | 523 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 531 insertions(+), 5 deletions(-)
 create mode 100644 lib/flex_array_kunit.c

diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index 9077bb38bc93..8bae6b169c50 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -2551,11 +2551,6 @@ config OVERFLOW_KUNIT_TEST Builds unit tests for the check_*_overflow(), size_*(), allocation, and related functions. - For more information on KUnit and unit tests in general please refer - to the KUnit documentation in Documentation/dev-tools/kunit/. - - If unsure, say N. - config STACKINIT_KUNIT_TEST tristate "Test level of stack variable initialization" if !KUNIT_ALL_TESTS depends on KUNIT @@ -2567,6 +2562,13 @@ config STACKINIT_KUNIT_TEST CONFIG_GCC_PLUGIN_STRUCTLEAK, CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF, or CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL. +config FLEX_ARRAY_KUNIT_TEST + tristate "Test flex_*() family of helper functions at runtime" if !KUNIT_ALL_TESTS + depends on KUNIT + default KUNIT_ALL_TESTS + help + Builds unit tests for flexible array copy helper functions. + config TEST_UDELAY tristate "udelay test driver" help diff --git a/lib/Makefile b/lib/Makefile index 6b9ffc1bd1ee..9884318db330 100644 --- a/lib/Makefile +++ b/lib/Makefile
@@ -366,6 +366,7 @@ obj-$(CONFIG_MEMCPY_KUNIT_TEST) += memcpy_kunit.o obj-$(CONFIG_OVERFLOW_KUNIT_TEST) += overflow_kunit.o CFLAGS_stackinit_kunit.o += $(call cc-disable-warning, switch-unreachable) obj-$(CONFIG_STACKINIT_KUNIT_TEST) += stackinit_kunit.o +obj-$(CONFIG_FLEX_ARRAY_KUNIT_TEST) += flex_array_kunit.o obj-$(CONFIG_GENERIC_LIB_DEVMEM_IS_ALLOWED) += devmem_is_allowed.o diff --git a/lib/flex_array_kunit.c b/lib/flex_array_kunit.c new file mode 100644 index 000000000000..48bee88945b4 --- /dev/null +++ b/lib/flex_array_kunit.c 
@@ -0,0 +1,523 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Test cases for flex_*() array manipulation helpers. + */ +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + +#include +#include +#include +#include +#include + +#define COMPARE_STRUCTS(STRUCT_A, STRUCT_B) do { \ + STRUCT_A *ptr_A; \ + STRUCT_B *ptr_B; \ + int rc; \ + size_t size_A, size_B; \ + \ + /* matching types for flex array elements and count */ \ + KUNIT_EXPECT_EQ(test, sizeof(*ptr_A), sizeof(*ptr_B)); \ + KUNIT_EXPECT_TRUE(test, __same_type(*ptr_A->data, \ + *ptr_B->__flex_array_elements)); \ + KUNIT_EXPECT_TRUE(test, __same_type(ptr_A->datalen, \ + ptr_B->__flex_array_elements_count)); \ + KUNIT_EXPECT_EQ(test, sizeof(*ptr_A->data), \ + sizeof(*ptr_B->__flex_array_elements)); \ + KUNIT_EXPECT_EQ(test, offsetof(typeof(*ptr_A), data), \ + offsetof(typeof(*ptr_B), \ + __flex_array_elements)); \ + KUNIT_EXPECT_EQ(test, offsetof(typeof(*ptr_A), datalen), \ + offsetof(typeof(*ptr_B), \ + __flex_array_elements_count)); \ + \ + /* struct_size() vs __fas_bytes() */ \ + size_A = struct_size(ptr_A, data, 13); \ + rc = __fas_bytes(ptr_B, __flex_array_elements, \ + __flex_array_elements_count, 13, &size_B); \ + KUNIT_EXPECT_EQ(test, rc, 0); \ + KUNIT_EXPECT_EQ(test, size_A, size_B); \ + \ + /* flex_array_size() vs __fas_elements_bytes() */ \ + size_A = flex_array_size(ptr_A, data, 13); \ + rc = __fas_elements_bytes(ptr_B, __flex_array_elements, \ + __flex_array_elements_count, 13, &size_B); \ + KUNIT_EXPECT_EQ(test, rc, 0); \ + KUNIT_EXPECT_EQ(test, size_A, size_B); \ + \ + KUNIT_EXPECT_EQ(test, sizeof(*ptr_A) + size_A, \ + offsetof(typeof(*ptr_A), data) + \ + (sizeof(*ptr_A->data) * 13)); \ + KUNIT_EXPECT_EQ(test, sizeof(*ptr_B) + size_B, \ + offsetof(typeof(*ptr_B), \ + __flex_array_elements) + \ + (sizeof(*ptr_B->__flex_array_elements) * \ + 13)); \ +} while (0) + +struct normal { + size_t datalen; + u32 data[]; +}; + +struct decl_normal { + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, datalen); + 
DECLARE_FLEX_ARRAY_ELEMENTS(u32, data); +}; + +struct aligned { + unsigned short datalen; + char data[] __aligned(__alignof__(u64)); +}; + +struct decl_aligned { + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned short, datalen); + DECLARE_FLEX_ARRAY_ELEMENTS(char, data) __aligned(__alignof__(u64)); +}; + +static void struct_test(struct kunit *test) +{ + COMPARE_STRUCTS(struct normal, struct decl_normal); + COMPARE_STRUCTS(struct aligned, struct decl_aligned); +} + +/* Flexible array structure with internal padding. */ +struct flex_cpy_obj { + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u8, count); + unsigned long empty; + char induce_padding; + /* padding ends up here */ + unsigned long after_padding; + DECLARE_FLEX_ARRAY_ELEMENTS(u32, flex); +}; + +/* Encapsulating flexible array structure. */ +struct flex_dup_obj { + unsigned long flags; + int junk; + struct flex_cpy_obj fas; +}; + +/* Flexible array struct of only bytes. */ +struct tiny_flex { + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u8, count); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, byte_array); +}; + +#define CHECK_COPY(ptr) do { \ + typeof(*(ptr)) *_cc_dst = (ptr); \ + KUNIT_EXPECT_EQ(test, _cc_dst->induce_padding, 0); \ + memcpy(&padding, &_cc_dst->induce_padding + sizeof(_cc_dst->induce_padding), \ + sizeof(padding)); \ + /* Padding should be zero too. */ \ + KUNIT_EXPECT_EQ(test, padding, 0); \ + KUNIT_EXPECT_EQ(test, src->count, _cc_dst->count); \ + KUNIT_EXPECT_EQ(test, _cc_dst->count, TEST_TARGET); \ + for (i = 0; i < _cc_dst->count - 1; i++) { \ + /* 'A' is 0x41, and here repeated in a u32. */ \ + KUNIT_EXPECT_EQ(test, _cc_dst->flex[i], 0x41414141); \ + } \ + /* Last item should be different. */ \ + KUNIT_EXPECT_EQ(test, _cc_dst->flex[_cc_dst->count - 1], 0x14141414); \ +} while (0) + +/* Test copying from one flexible array struct into another. 
*/ +static void flex_cpy_test(struct kunit *test) +{ +#define TEST_BOUNDS 13 +#define TEST_TARGET 12 +#define TEST_SMALL 10 + struct flex_cpy_obj *src, *dst; + unsigned long padding; + int i, rc; + + /* Prepare open-coded source. */ + src = kzalloc(struct_size(src, flex, TEST_BOUNDS), GFP_KERNEL); + src->count = TEST_BOUNDS; + memset(src->flex, 'A', flex_array_size(src, flex, TEST_BOUNDS)); + src->flex[src->count - 2] = 0x14141414; + src->flex[src->count - 1] = 0x24242424; + + /* Prepare open-coded destination, alloc only. */ + dst = kzalloc(struct_size(src, flex, TEST_BOUNDS), GFP_KERNEL); + /* Pre-fill with 0xFE marker. */ + memset(dst, 0xFE, struct_size(src, flex, TEST_BOUNDS)); + /* Pretend we're 1 element smaller. */ + dst->count = TEST_TARGET; + + /* Pretend to match the target destination size. */ + src->count = TEST_TARGET; + + rc = flex_cpy(dst, src); + KUNIT_EXPECT_EQ(test, rc, 0); + CHECK_COPY(dst); + /* Item past last copied item is unchanged from initial memset. */ + KUNIT_EXPECT_EQ(test, dst->flex[dst->count], 0xFEFEFEFE); + + /* Now trip overflow, and verify we didn't clobber beyond end. */ + src->count = TEST_BOUNDS; + rc = flex_cpy(dst, src); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Item past last copied item is unchanged from initial memset. */ + KUNIT_EXPECT_EQ(test, dst->flex[dst->count], 0xFEFEFEFE); + + /* Reset destination contents. */ + memset(dst, 0xFD, struct_size(src, flex, TEST_BOUNDS)); + dst->count = TEST_TARGET; + + /* Copy less than max. */ + src->count = TEST_SMALL; + rc = flex_cpy(dst, src); + KUNIT_EXPECT_EQ(test, rc, 0); + /* Verify count was adjusted. */ + KUNIT_EXPECT_EQ(test, dst->count, TEST_SMALL); + /* Verify element beyond src size was wiped. */ + KUNIT_EXPECT_EQ(test, dst->flex[TEST_SMALL], 0); + /* Verify element beyond original dst size was untouched. 
*/ + KUNIT_EXPECT_EQ(test, dst->flex[TEST_TARGET], 0xFDFDFDFD); + + kfree(dst); + kfree(src); +#undef TEST_BOUNDS +#undef TEST_TARGET +#undef TEST_SMALL +} + +static void flex_dup_test(struct kunit *test) +{ +#define TEST_TARGET 12 + struct flex_cpy_obj *src, *dst = NULL, **null = NULL; + struct flex_dup_obj *encap = NULL; + unsigned long padding; + int i, rc; + + /* Prepare open-coded source. */ + src = kzalloc(struct_size(src, flex, TEST_TARGET), GFP_KERNEL); + src->count = TEST_TARGET; + memset(src->flex, 'A', flex_array_size(src, flex, TEST_TARGET)); + src->flex[src->count - 1] = 0x14141414; + + /* Reject NULL @alloc. */ + rc = flex_dup(null, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + + /* Check good copy. */ + rc = flex_dup(&dst, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_ASSERT_TRUE(test, dst != NULL); + CHECK_COPY(dst); + + /* Reject non-NULL *@alloc. */ + rc = flex_dup(&dst, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + + kfree(dst); + + /* Check good encap copy. */ + rc = __flex_dup(&encap, .fas, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_ASSERT_TRUE(test, dst != NULL); + CHECK_COPY(&encap->fas); + /* Check that items external to "fas" are zero. */ + KUNIT_EXPECT_EQ(test, encap->flags, 0); + KUNIT_EXPECT_EQ(test, encap->junk, 0); + kfree(encap); +#undef MAGIC_WORD +#undef TEST_TARGET +} + +static void mem_to_flex_test(struct kunit *test) +{ +#define TEST_TARGET 9 +#define TEST_MAX U8_MAX +#define MAGIC_WORD 0x03030303 + u8 magic_byte = MAGIC_WORD & 0xff; + struct flex_cpy_obj *dst; + size_t big = (size_t)INT_MAX + 1; + char small[] = "Hello"; + char *src; + u32 src_len; + int rc; + + /* Open coded allocations, 1 larger than actually used. */ + src_len = flex_array_size(dst, flex, TEST_MAX + 1); + src = kzalloc(src_len, GFP_KERNEL); + dst = kzalloc(struct_size(dst, flex, TEST_MAX + 1), GFP_KERNEL); + dst->count = TEST_TARGET; + + /* Fill source. 
*/ + memset(src, magic_byte, src_len); + + /* Short copy is fine. */ + KUNIT_EXPECT_EQ(test, dst->flex[0], 0); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + rc = mem_to_flex(dst, src, 1); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_EXPECT_EQ(test, dst->count, 1); + KUNIT_EXPECT_EQ(test, dst->after_padding, 0); + KUNIT_EXPECT_EQ(test, dst->flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + dst->count = TEST_TARGET; + + /* Reject negative elements count. */ + rc = mem_to_flex(dst, small, -1); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure dst is unchanged. */ + KUNIT_EXPECT_EQ(test, dst->flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + + /* Reject compile-time read overflow. */ + rc = mem_to_flex(dst, small, 20); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure dst is unchanged. */ + KUNIT_EXPECT_EQ(test, dst->flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + + /* Reject giant buffer source. */ + rc = mem_to_flex(dst, small, big); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure dst is unchanged. */ + KUNIT_EXPECT_EQ(test, dst->flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + + /* Copy beyond storage size is rejected. */ + dst->count = TEST_MAX; + KUNIT_EXPECT_EQ(test, dst->flex[TEST_MAX - 1], 0); + KUNIT_EXPECT_EQ(test, dst->flex[TEST_MAX], 0); + rc = mem_to_flex(dst, src, TEST_MAX + 1); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure dst is unchanged. 
*/ + KUNIT_EXPECT_EQ(test, dst->flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + + kfree(dst); + kfree(src); +#undef MAGIC_WORD +#undef TEST_MAX +#undef TEST_TARGET +} + +static void mem_to_flex_dup_test(struct kunit *test) +{ +#define ELEMENTS_COUNT 259 +#define MAGIC_WORD 0xABABABAB + u8 magic_byte = MAGIC_WORD & 0xff; + struct flex_dup_obj *obj = NULL; + struct tiny_flex *tiny = NULL, **null = NULL; + size_t src_len, count, big = (size_t)INT_MAX + 1; + char small[] = "Hello"; + u8 *src; + int rc; + + src_len = struct_size(tiny, byte_array, ELEMENTS_COUNT); + src = kzalloc(src_len, GFP_KERNEL); + KUNIT_ASSERT_TRUE(test, src != NULL); + /* Fill with bytes. */ + memset(src, magic_byte, src_len); + KUNIT_EXPECT_EQ(test, src[0], magic_byte); + KUNIT_EXPECT_EQ(test, src[src_len / 2], magic_byte); + KUNIT_EXPECT_EQ(test, src[src_len - 1], magic_byte); + + /* Reject storage exceeding elements_count type. */ + count = ELEMENTS_COUNT; + rc = mem_to_flex_dup(&tiny, src, count, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + KUNIT_EXPECT_TRUE(test, tiny == NULL); + + /* Reject negative elements count. */ + rc = mem_to_flex_dup(&tiny, src, -1, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + KUNIT_EXPECT_TRUE(test, tiny == NULL); + + /* Reject compile-time read overflow. */ + rc = mem_to_flex_dup(&tiny, small, 20, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + KUNIT_EXPECT_TRUE(test, tiny == NULL); + + /* Reject giant buffer source. */ + rc = mem_to_flex_dup(&tiny, small, big, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + KUNIT_EXPECT_TRUE(test, tiny == NULL); + + /* Reject NULL @alloc. */ + rc = mem_to_flex_dup(null, src, count, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + + /* Allow reasonable count.*/ + count = ELEMENTS_COUNT / 2; + rc = mem_to_flex_dup(&tiny, src, count, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_ASSERT_TRUE(test, tiny != NULL); + /* Spot check the copy happened. 
*/ + KUNIT_EXPECT_EQ(test, tiny->count, count); + KUNIT_EXPECT_EQ(test, tiny->byte_array[0], magic_byte); + KUNIT_EXPECT_EQ(test, tiny->byte_array[count / 2], magic_byte); + KUNIT_EXPECT_EQ(test, tiny->byte_array[count - 1], magic_byte); + + /* Reject non-NULL *@alloc. */ + rc = mem_to_flex_dup(&tiny, src, count, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + kfree(tiny); + + /* Works with encapsulation too. */ + count = ELEMENTS_COUNT / 10; + rc = __mem_to_flex_dup(&obj, .fas, src, count, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_ASSERT_TRUE(test, obj != NULL); + /* Spot check the copy happened. */ + KUNIT_EXPECT_EQ(test, obj->fas.count, count); + KUNIT_EXPECT_EQ(test, obj->fas.after_padding, 0); + KUNIT_EXPECT_EQ(test, obj->fas.flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, obj->fas.flex[count / 2], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, obj->fas.flex[count - 1], MAGIC_WORD); + /* Check members before flexible array struct are zero. */ + KUNIT_EXPECT_EQ(test, obj->flags, 0); + KUNIT_EXPECT_EQ(test, obj->junk, 0); + kfree(obj); +#undef MAGIC_WORD +#undef ELEMENTS_COUNT +} + +static void flex_to_mem_test(struct kunit *test) +{ +#define ELEMENTS_COUNT 200 +#define MAGIC_WORD 0xF1F2F3F4 + struct flex_cpy_obj *src; + typeof(*src->flex) *cast; + size_t src_len = struct_size(src, flex, ELEMENTS_COUNT); + size_t copy_len = flex_array_size(src, flex, ELEMENTS_COUNT); + int i, rc; + size_t bytes = 0; + u8 too_small; + u8 *dst; + + /* Create a filled flexible array struct. */ + src = kzalloc(src_len, GFP_KERNEL); + KUNIT_ASSERT_TRUE(test, src != NULL); + src->count = ELEMENTS_COUNT; + src->after_padding = 13; + for (i = 0; i < ELEMENTS_COUNT; i++) + src->flex[i] = MAGIC_WORD; + + /* Over-allocate space to do past-src_len checking. */ + dst = kzalloc(src_len * 2, GFP_KERNEL); + KUNIT_ASSERT_TRUE(test, dst != NULL); + cast = (void *)dst; + + /* Fail if dst is too small. 
*/ + rc = flex_to_mem(dst, copy_len - 1, src, &bytes); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure nothing was copied. */ + KUNIT_EXPECT_EQ(test, bytes, 0); + KUNIT_EXPECT_EQ(test, cast[0], 0); + + /* Fail if type too small to hold size of copy. */ + KUNIT_EXPECT_GT(test, copy_len, type_max(typeof(too_small))); + rc = flex_to_mem(dst, copy_len, src, &too_small); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure nothing was copied. */ + KUNIT_EXPECT_EQ(test, bytes, 0); + KUNIT_EXPECT_EQ(test, cast[0], 0); + + /* Check good copy. */ + rc = flex_to_mem(dst, copy_len, src, &bytes); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_EXPECT_EQ(test, bytes, copy_len); + /* Spot check the copy */ + KUNIT_EXPECT_EQ(test, cast[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, cast[ELEMENTS_COUNT / 2], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, cast[ELEMENTS_COUNT - 1], MAGIC_WORD); + /* Make sure nothing was written after last element. */ + KUNIT_EXPECT_EQ(test, cast[ELEMENTS_COUNT], 0); + + kfree(dst); + kfree(src); +#undef MAGIC_WORD +#undef ELEMENTS_COUNT +} + +static void flex_to_mem_dup_test(struct kunit *test) +{ +#define ELEMENTS_COUNT 210 +#define MAGIC_WORD 0xF0F1F2F3 + struct flex_dup_obj *obj, **null = NULL; + struct flex_cpy_obj *src; + typeof(*src->flex) *cast; + size_t obj_len = struct_size(obj, fas.flex, ELEMENTS_COUNT); + size_t src_len = struct_size(src, flex, ELEMENTS_COUNT); + size_t copy_len = flex_array_size(src, flex, ELEMENTS_COUNT); + int i, rc; + size_t bytes = 0; + u8 too_small = 0; + u8 *dst = NULL; + + /* Create a filled flexible array struct. */ + obj = kzalloc(obj_len, GFP_KERNEL); + KUNIT_ASSERT_TRUE(test, obj != NULL); + obj->fas.count = ELEMENTS_COUNT; + obj->fas.after_padding = 13; + for (i = 0; i < ELEMENTS_COUNT; i++) + obj->fas.flex[i] = MAGIC_WORD; + src = &obj->fas; + + /* Fail if type too small to hold size of copy. 
*/ + KUNIT_EXPECT_GT(test, src_len, type_max(typeof(too_small))); + rc = flex_to_mem_dup(&dst, &too_small, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + KUNIT_EXPECT_TRUE(test, dst == NULL); + KUNIT_EXPECT_EQ(test, too_small, 0); + + /* Fail if @alloc_size is NULL. */ + KUNIT_EXPECT_TRUE(test, dst == NULL); + rc = flex_to_mem_dup(&dst, dst, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + KUNIT_EXPECT_TRUE(test, dst == NULL); + + /* Fail if @alloc is NULL. */ + rc = flex_to_mem_dup(null, &bytes, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + KUNIT_EXPECT_TRUE(test, dst == NULL); + KUNIT_EXPECT_EQ(test, bytes, 0); + + /* Check good copy. */ + rc = flex_to_mem_dup(&dst, &bytes, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_EXPECT_TRUE(test, dst != NULL); + KUNIT_EXPECT_EQ(test, bytes, copy_len); + cast = (void *)dst; + /* Spot check the copy */ + KUNIT_EXPECT_EQ(test, cast[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, cast[ELEMENTS_COUNT / 2], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, cast[ELEMENTS_COUNT - 1], MAGIC_WORD); + + /* Fail if *@alloc is non-NULL. 
*/ + bytes = 0; + rc = flex_to_mem_dup(&dst, &bytes, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + KUNIT_EXPECT_EQ(test, bytes, 0); + + kfree(dst); + kfree(obj); +#undef MAGIC_WORD +#undef ELEMENTS_COUNT +} + +static struct kunit_case flex_array_test_cases[] = { + KUNIT_CASE(struct_test), + KUNIT_CASE(flex_cpy_test), + KUNIT_CASE(flex_dup_test), + KUNIT_CASE(mem_to_flex_test), + KUNIT_CASE(mem_to_flex_dup_test), + KUNIT_CASE(flex_to_mem_test), + KUNIT_CASE(flex_to_mem_dup_test), + {} +}; + +static struct kunit_suite flex_array_test_suite = { + .name = "flex_array", + .test_cases = flex_array_test_cases, +}; + +kunit_test_suite(flex_array_test_suite); + +MODULE_LICENSE("GPL");
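Review bot: mem_to_flex_dup_test() never frees src: it is kzalloc()ed at the top of the function and the function ends with kfree(obj), so every run leaks src_len bytes; add kfree(src) next to the final kfree(obj). In flex_to_mem_test(), too_small is declared without an initializer, and the "type too small to hold size of copy" case re-checks bytes (already known to be 0 from the previous case) instead of too_small, unlike flex_to_mem_dup_test(), which initializes too_small to 0 and asserts it is unchanged; initialize it and assert on it here as well.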
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, Nathan Chancellor, Nick Desaulniers, Tom Rix,
 linux-hardening@vger.kernel.org, llvm@lists.linux.dev, Alexei Starovoitov,
 alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton,
 Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson,
 Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com,
 Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel,
 Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow,
 David Howells, "David S. Miller", Dennis Dalessandro,
 devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen,
 Eric Dumazet, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel,
 Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman,
 Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot,
 Jakub Kicinski, "James E.J. Bottomley", James Morris, Jarkko Sakkinen,
 Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg,
 Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard,
 keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima,
 "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky,
 Liam Girdwood, linux1394-devel@lists.sourceforge.net,
 linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org,
 linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org,
 linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org,
 linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org,
 linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org,
 linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, Loic Poulain,
 Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne,
 Marcel Holtmann, Mark Brown, "Martin K. Petersen", Max Filippov, Mimi Zohar,
 Muchun Song, netdev@vger.kernel.org, Nuno Sá, Paolo Abeni, Paul Moore,
 Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org,
 "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman,
 Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger,
 Stephen Smalley, Tadeusz Struk, Takashi Iwai, Udipto Goswami,
 Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu,
 xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 04/32] fortify: Add run-time WARN for cross-field memcpy()
Date: Tue, 3 May 2022 18:44:13 -0700
Message-Id: <20220504014440.3697851-5-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

Enable run-time checking of dynamic memcpy() and memmove() lengths,
issuing a WARN when a write would exceed the size of the target struct
member, when built with CONFIG_FORTIFY_SOURCE=y. This would have caught
all of the memcpy()-based buffer overflows from 2018 through 2020,
specifically covering all the cases where the destination buffer size is
known at compile time.

This change ONLY adds a run-time warning. As false positives are
currently still expected, this will not block the overflow. The new
warnings will look like this:

  memcpy: detected field-spanning write (size N) of single field "var->dest" (size M)
  WARNING: CPU: n PID: pppp at source/file/path.c:nr function+0xXX/0xXX [module]

The false positives are most likely where intentional field-spanning
writes are happening. These need to be addressed similarly to how the
compile-time cases were addressed: add a struct_group(), split the
memcpy(), use a flex_array.h helper, or some other refactoring.

In order to make identifying/investigating instances of added runtime
checks easier, each instance includes the destination variable name as a
WARN argument, prefixed with 'field "'. Therefore, on any given build, it
is trivial to inspect the artifacts to find instances. For example on an
x86_64 defconfig build, there are 78 new run-time memcpy() bounds checks
added:

  $ for i in vmlinux $(find . -name '*.ko'); do \
      strings "$i" | grep '^field "'; done | wc -l
  78

Currently, the common case where a destination buffer is known to be a
dynamic size (i.e. has a trailing flexible array) does not generate a
WARN. For example:

    struct normal_flex_array {
        void *a;
        int b;
        size_t array_size;
        u32 c;
        u8 flex_array[];
    };

    struct normal_flex_array *instance;
    ...
    /* These cases will be ignored for run-time bounds checking. */
    memcpy(instance, src, len);
    memcpy(instance->flex_array, src, len);

This code pattern will need to be addressed separately, likely by
migrating to one of the flex_array.h family of helpers.

Note that one of the dynamic-sized destination cases is irritatingly
unable to be detected by the compiler: when using memcpy() to target a
composite struct member which contains a trailing flexible array struct.
For example:

    struct wrapper {
        int foo;
        char bar;
        struct normal_flex_array embedded;
    };

    struct wrapper *instance;
    ...
    /* This will incorrectly WARN when len > sizeof(instance->embedded) */
    memcpy(&instance->embedded, src, len);

These cases end up appearing to the compiler to be sized as if the
flexible array had 0 elements. :( For more details see:

  https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832
  https://godbolt.org/z/vW6x8vh4P

Regardless, all cases of copying to/from flexible array structures should
be migrated to using the new flex*()-family of helpers to gain their
added safety checking, but priority will need to be given to the
"composite flexible array structure destination" cases noted above.

As mentioned, none of these bounds checks block any overflows currently.
For users that have tested their workloads, do not encounter any
warnings, and wish to make these checks stop any overflows, they can use
a big hammer and set the sysctl panic_on_warn=1.

Cc: Nathan Chancellor
Cc: Nick Desaulniers
Cc: Tom Rix
Cc: linux-hardening@vger.kernel.org
Cc: llvm@lists.linux.dev
Signed-off-by: Kees Cook
--- include/linux/fortify-string.h | 70 ++++++++++++++++++++++++++++++++-- 1 file changed, 67 insertions(+), 3 deletions(-) diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index 295637a66c46..9f65527fff40 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -3,6 +3,7 @@ #define _LINUX_FORTIFY_STRING_H_ #include +#include #define __FORTIFY_INLINE extern __always_inline __gnu_inline __overloadable #define __RENAME(x) __asm__(#x) 
@@ -303,7 +304,7 @@ __FORTIFY_INLINE void fortify_memset_chk(__kernel_size_t size, * V = vulnerable to run-time overflow (will need refactoring to solve) * */ -__FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size, +__FORTIFY_INLINE bool fortify_memcpy_chk(__kernel_size_t size, const size_t p_size, const size_t q_size, const size_t p_size_field, 
@@ -352,16 +353,79 @@ __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size, if ((p_size != (size_t)(-1) && p_size < size) || (q_size != (size_t)(-1) && q_size < size)) fortify_panic(func); + + /* + * Warn when writing beyond destination field size. + * + * We must ignore p_size_field == 0 and -1 for existing + * 0-element and flexible arrays, until they are all converted + * to flexible arrays and use the flex()-family of helpers. + * + * The implementation of __builtin_object_size() behaves + * like sizeof() when not directly referencing a flexible + * array member, which means there will be many bounds checks + * that will appear at run-time, without a way for them to be + * detected at compile-time (as can be done when the destination + * is specifically the flexible array member). + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832 + */ + if (p_size_field != 0 && p_size_field != (size_t)(-1) && + p_size != p_size_field && p_size_field < size) + return true; + + return false; } #define __fortify_memcpy_chk(p, q, size, p_size, q_size, \ p_size_field, q_size_field, op) ({ \ size_t __fortify_size = (size_t)(size); \ - fortify_memcpy_chk(__fortify_size, p_size, q_size, \ - p_size_field, q_size_field, #op); \ + WARN_ONCE(fortify_memcpy_chk(__fortify_size, p_size, q_size, \ + p_size_field, q_size_field, #op), \ + #op ": detected field-spanning write (size %zu) of single %s (size %zu)\n", \ + __fortify_size, \ + "field \"" #p "\" at " __FILE__ ":" __stringify(__LINE__), \ + p_size_field); \ __underlying_##op(p, q, __fortify_size); \ }) +/* + * Notes about compile-time buffer size detection: + * + * With these types... + * + * struct middle { + * u16 a; + * u8 middle_buf[16]; + * int b; + * }; + * struct end { + * u16 a; + * u8 end_buf[16]; + * }; + * struct flex { + * int a; + * u8 flex_buf[]; + * }; + * + * void func(TYPE *ptr) { ... 
} + * + * Cases where destination size cannot be currently detected: + * - the size of ptr's object (seemingly by design, gcc & clang fail): + * __builtin_object_size(ptr, 1) == -1 + * - the size of flexible arrays in ptr's obj (by design, dynamic size): + * __builtin_object_size(ptr->flex_buf, 1) == -1 + * - the size of ANY array at the end of ptr's obj (gcc and clang bug): + * __builtin_object_size(ptr->end_buf, 1) == -1 + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836 + * + * Cases where destination size is currently detected: + * - the size of non-array members within ptr's object: + * __builtin_object_size(ptr->a, 1) == 2 + * - the size of non-flexible-array in the middle of ptr's obj: + * __builtin_object_size(ptr->middle_buf, 1) == 16 + * + */ + /* * __builtin_object_size() must be captured here to avoid evaluating argument * side-effects further into the macro layers.
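Review bot: In the new field-size test at the end of fortify_memcpy_chk(), the "p_size != p_size_field" term is not explained by the comment above it and looks unreachable as a filter: when the two are equal and p_size_field < size, the p_size < size test just above has already called fortify_panic(). Either drop the term or say in the comment which case it is meant to exclude. In __fortify_memcpy_chk(), the WARN_ONCE() argument appends " at " __FILE__ ":" __stringify(__LINE__) after the field name, so the sample warning in the commit log does not match what will be printed. The new test also looks only at p_size_field; if field-spanning reads through q_size_field are intentionally out of scope, the comment should say so.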
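The destination-side decision described in the commit message above, modelled in user space as an added example (not code from the patch or from the kernel): sizeof()/offsetof() stand in for the __builtin_object_size() values the kernel macro captures, and classify_write(), STRUCT_GROUP(), FIELD_SIZE() and the frame/frame_grouped structs are hypothetical names. It shows a field-spanning copy drawing the warning, the same copy passing once the members sit in a struct_group()-style union, and the two flexible-array cases from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIZE_UNKNOWN ((size_t)-1)	/* __builtin_object_size() could not tell */
#define FIELD_SIZE(type, member) sizeof(((type *)0)->member)
enum verdict { WRITE_OK, WRITE_WARN, WRITE_PANIC };	/* printed as 0, 1, 2 */

/* Hypothetical model: p_size is the room left in the whole object,
 * p_size_field the room left in the addressed member. */
static enum verdict classify_write(size_t size, size_t p_size, size_t p_size_field)
{
	if (p_size != SIZE_UNKNOWN && p_size < size)
		return WRITE_PANIC;	/* would overflow the whole object */
	if (p_size_field != 0 && p_size_field != SIZE_UNKNOWN &&
	    p_size != p_size_field && p_size_field < size)
		return WRITE_WARN;	/* field-spanning write */
	return WRITE_OK;
}

/* Constructed sample: two adjacent address fields filled by a single copy. */
struct frame {
	uint16_t type;
	uint8_t src[6];
	uint8_t dst[6];
	uint32_t seq;
};

/* Simplified stand-in for struct_group(): members reachable directly and as "name". */
#define STRUCT_GROUP(name, ...) \
	union { struct { __VA_ARGS__ }; struct { __VA_ARGS__ } name; }

struct frame_grouped {
	uint16_t type;
	STRUCT_GROUP(addrs,
		uint8_t src[6];
		uint8_t dst[6];
	);
	uint32_t seq;
};

/* Layout from the commit message. */
struct normal_flex_array {
	void *a;
	int b;
	size_t array_size;
	uint32_t c;
	uint8_t flex_array[];
};

/* memcpy(f->src, wire, 12): the 6-byte member is exceeded, the object is not. */
static enum verdict copy_addrs_plain(void)
{
	size_t len = FIELD_SIZE(struct frame, src) + FIELD_SIZE(struct frame, dst);
	return classify_write(len, sizeof(struct frame) - offsetof(struct frame, src),
			      FIELD_SIZE(struct frame, src));
}

/* Same 12 bytes, but the destination is the group covering both members. */
static enum verdict copy_addrs_grouped(struct frame_grouped *g, const uint8_t *wire)
{
	size_t len = sizeof(g->addrs);
	enum verdict v = classify_write(len,
			sizeof(*g) - offsetof(struct frame_grouped, addrs), sizeof(g->addrs));
	if (v == WRITE_OK)
		memcpy(&g->addrs, wire, len);
	return v;
}

/* 1 when the grouped copy is accepted, fills src/dst and leaves seq untouched. */
static int grouped_copy_is_clean(void)
{
	static const uint8_t wire[12] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
	struct frame_grouped g = { .type = 1, .seq = 0xfeedface };
	return copy_addrs_grouped(&g, wire) == WRITE_OK &&
	       g.src[0] == 1 && g.dst[5] == 12 && g.seq == 0xfeedface;
}

/* memcpy(instance->flex_array, src, len): member size unknown, check skipped. */
static enum verdict copy_to_flex_member(size_t len)
{
	return classify_write(len, SIZE_UNKNOWN, SIZE_UNKNOWN);
}

/* memcpy(&instance->embedded, src, len): member sized as if it had 0 elements. */
static enum verdict copy_to_embedded(size_t payload)
{
	return classify_write(sizeof(struct normal_flex_array) + payload, SIZE_UNKNOWN,
			      sizeof(struct normal_flex_array));
}

int main(void)
{
	printf("plain=%d grouped_clean=%d flex=%d embedded=%d\n", copy_addrs_plain(),
	       grouped_copy_is_clean(), copy_to_flex_member(4096), copy_to_embedded(64));
	return 0;
}
```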
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, Arend van Spriel, Franky Lin, Hante Meuleman, Kalle Valo,
 "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni,
 linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com,
 SHA-cyfmac-dev-list@infineon.com, netdev@vger.kernel.org,
 Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov,
 Andrew Morton, Andy Gross, Andy Lavr, Baowen Zheng, Bjorn Andersson,
 Boris Ostrovsky, Bradley Grove, Christian Brauner, Christian Göttsche,
 Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter,
 Dan Williams, David Gow, David Howells, Dennis Dalessandro,
 devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen,
 Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand,
 Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang,
 Herbert Xu, Hulk Robot, "James E.J. Bottomley", James Morris,
 Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe,
 Johan Hedberg, Johannes Berg, Johannes Berg, John Keeping, Juergen Gross,
 Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com,
 Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones,
 Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net,
 linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org,
 linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org,
 linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org,
 linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org,
 linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org,
 linux-usb@vger.kernel.org, linux-xtensa@linux-xtensa.org,
 llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho,
 Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown,
 "Martin K. Petersen", Max Filippov, Mimi Zohar, Muchun Song,
 Nathan Chancellor, Nick Desaulniers, Nuno Sá, Paul Moore, Rich Felker,
 Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn",
 Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert,
 Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix,
 Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu,
 xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 05/32] brcmfmac: Use mem_to_flex_dup() with struct brcmf_fweh_queue_item
Date: Tue, 3 May 2022 18:44:14 -0700
Message-Id: <20220504014440.3697851-6-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.

Cc: Arend van Spriel
Cc: Franky Lin
Cc: Hante Meuleman
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: linux-wireless@vger.kernel.org
Cc: brcm80211-dev-list.pdl@broadcom.com
Cc: SHA-cyfmac-dev-list@infineon.com
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- .../net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c index bc3f4e4edcdf..bea798ca6466 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c @@ -32,8 +32,8 @@ struct brcmf_fweh_queue_item { u8 ifidx; u8 ifaddr[ETH_ALEN]; struct brcmf_event_msg_be emsg; - u32 datalen; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, datalen); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; /* @@ -395,7 +395,7 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, { enum brcmf_fweh_event_code code; struct brcmf_fweh_info *fweh = &drvr->fweh; - struct brcmf_fweh_queue_item *event; + struct brcmf_fweh_queue_item *event = NULL; void *data; u32 datalen; @@ -414,8 +414,7 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, datalen + sizeof(*event_packet) > packet_len) return; - event = kzalloc(sizeof(*event) + datalen, gfp); - if (!event) + if (mem_to_flex_dup(&event, data, datalen, gfp)) return; event->code = code; 
@@ -423,8 +422,6 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, /* use memcpy to get aligned event message */ memcpy(&event->emsg, &event_packet->msg, sizeof(event->emsg)); - memcpy(event->data, data, datalen); - event->datalen = datalen; memcpy(event->ifaddr, event_packet->eth.h_dest, ETH_ALEN); brcmf_fweh_queue_event(fweh, event);
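Review bot: In brcmf_fweh_process_event(), the bare "if (mem_to_flex_dup(&event, data, datalen, gfp)) return;" discards the error code, so a bounds rejection takes the same silent path the old kzalloc() failure did. The KUnit cases in this series show the helper returning -E2BIG and -EINVAL; capturing the return value and reporting those would keep a rejected firmware event from disappearing without a trace. The new "= NULL" initializer on event is required by the helper (the tests show -EINVAL for a non-NULL *alloc) and deserves a short comment so it is not later removed as a redundant initialization.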
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , Luca Coelho , "David S. Miller" , Jakub Kicinski , Lee Jones , Johannes Berg , Gregory Greenman , Kalle Valo , Eric Dumazet , Paolo Abeni , Andy Lavr , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , John Keeping , Juergen Gross , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , Nick Desaulniers , =?utf-8?q?Nuno_S=C3=A1?= , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang Subject: [PATCH 06/32] iwlwifi: calib: Prepare to use mem_to_flex_dup() Date: Tue, 3 May 2022 18:44:15 -0700 Message-Id: <20220504014440.3697851-7-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=4285; h=from:subject; bh=3rsHreun4MVxtWWXTu1WNAZSbES1/vQKrpGvwiRs9tU=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBicdqBVRPLVwI+Gac+Hu63Hjdxl/T8wFFeQtpYoExL lGTHr0KJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYnHagQAKCRCJcvTf3G3AJls/D/ 437IfHiRN/O/WyQZtpBUHVGUgP169cUmMhP62Pg0E7Hm7/o39zhQLTQ6d/zK2YTBo7GmHkrgW8+U89 K5ocyNlNeKiAOXNNyYjAKY0hINeYBOJbO+yP8Qb7dZ/ehdVAMXsZ5FjQQj2vRKXsiXBoCT4SNc7+7q 9k8nWm0scS/uHdUFonlvWzm3U/glq/QdTO6+M+RL75mqVm3Z2pZVYd2zeERbawqDVM7cuH2Zg17Avr WdhGyjfTAsPULi+qZBWVUvqc6X+iQ4DfUXZsJix/xvmINZyl3qG1d9TC92K8dHMKiRgdQpvnR+FE6Q WFBlvLGlrizcMolOVSXOkMFCRZ74YilAy+JISkDbLH5XPWP7v8ecKO+KApQCuxSqbyQ5G2zKND3+pY XoycBgIvvVGCy6VqLKW/gevPTpcBLR3Co4zh7nUKJffVspyQUE2M+5pLQBir/tmUVL54XdaUlMD4Tn pwD2p93A7KSHATImTFhq4PX2SS6jGi0V6Il1OHQS6pknXDGlaqxdwNO9EjP+edRb938jKgEGXypou9 S7mjGxWZ8I5Vu1E04fw2ClHZt4VH4Yas0mafjkRAPt2hiDdKF7TGiEg+awmLwQxN4tzHXDSsSGnmAv D9O1AcRWlYNF1HE1jUt/Y9dXMSZUe1atungkrYoabVpF4z5SrVEEglZiUKow== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: In preparation 
for replacing an open-coded memcpy() of a dynamically sized buffer, rearrange the structures to pass enough information into the calling function to examine the bounds of the struct. Rearrange the argument passing to use "cmd", rather than "hdr", since "res" expects to operate on the "data" flex array in "cmd" (that follows "hdr").

Cc: Luca Coelho
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Lee Jones
Cc: Johannes Berg
Cc: Gregory Greenman
Cc: Kalle Valo
Cc: Eric Dumazet
Cc: Paolo Abeni
Cc: Andy Lavr
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/net/wireless/intel/iwlwifi/dvm/agn.h | 2 +-
 drivers/net/wireless/intel/iwlwifi/dvm/calib.c | 10 +++++-----
 drivers/net/wireless/intel/iwlwifi/dvm/ucode.c | 8 ++++----
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/agn.h b/drivers/net/wireless/intel/iwlwifi/dvm/agn.h index abb8696ba294..744e111d2ea3 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/agn.h +++ b/drivers/net/wireless/intel/iwlwifi/dvm/agn.h @@ -112,7 +112,7 @@ int iwl_load_ucode_wait_alive(struct iwl_priv *priv, enum iwl_ucode_type ucode_type); int iwl_send_calib_results(struct iwl_priv *priv); int iwl_calib_set(struct iwl_priv *priv, - const struct iwl_calib_hdr *cmd, int len); + const struct iwl_calib_cmd *cmd, int len); void iwl_calib_free_results(struct iwl_priv *priv); int iwl_dump_nic_event_log(struct iwl_priv *priv, bool full_log, char **buf); diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c index a11884fa254b..ae1f0cf560e2 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c +++ b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c @@ -19,7 +19,7 @@ struct iwl_calib_result { struct list_head list; size_t cmd_len; - struct iwl_calib_hdr hdr; + struct iwl_calib_cmd cmd; /* data follows */ };
@@ -43,12 +43,12 @@ int iwl_send_calib_results(struct iwl_priv *priv) int ret; hcmd.len[0] = res->cmd_len; - hcmd.data[0] = &res->hdr; + hcmd.data[0] = &res->cmd; hcmd.dataflags[0] = IWL_HCMD_DFL_NOCOPY; ret = iwl_dvm_send_cmd(priv, &hcmd); if (ret) { IWL_ERR(priv, "Error %d on calib cmd %d\n", - ret, res->hdr.op_code); + ret, res->cmd.hdr.op_code); return ret; } } @@ -57,7 +57,7 @@ int iwl_send_calib_results(struct iwl_priv *priv) } int iwl_calib_set(struct iwl_priv *priv, - const struct iwl_calib_hdr *cmd, int len) + const struct iwl_calib_cmd *cmd, int len) { struct iwl_calib_result *res, *tmp; @@ -69,7 +69,7 @@ int iwl_calib_set(struct iwl_priv *priv, res->cmd_len = len; list_for_each_entry(tmp, &priv->calib_results, list) { - if (tmp->hdr.op_code == res->hdr.op_code) { + if (tmp->cmd.hdr.op_code == res->cmd.hdr.op_code) { list_replace(&tmp->list, &res->list); kfree(tmp); return 0; diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c b/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c index 4b27a53d0bb4..bb13ca5d666c 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c +++ b/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c 
@@ -356,18 +356,18 @@ static bool iwlagn_wait_calib(struct iwl_notif_wait_data *notif_wait, struct iwl_rx_packet *pkt, void *data) { struct iwl_priv *priv = data; - struct iwl_calib_hdr *hdr; + struct iwl_calib_cmd *cmd; if (pkt->hdr.cmd != CALIBRATION_RES_NOTIFICATION) { WARN_ON(pkt->hdr.cmd != CALIBRATION_COMPLETE_NOTIFICATION); return true; } - hdr = (struct iwl_calib_hdr *)pkt->data; + cmd = (struct iwl_calib_cmd *)pkt->data; - if (iwl_calib_set(priv, hdr, iwl_rx_packet_payload_len(pkt))) + if (iwl_calib_set(priv, cmd, iwl_rx_packet_payload_len(pkt))) IWL_ERR(priv, "Failed to record calibration data %d\n", - hdr->op_code); + cmd->hdr.op_code); return false; }
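
Review bot: In calib.c, the rename of the `hdr` member of struct iwl_calib_result to `cmd` is not carried through to the copy in iwl_calib_set(): none of the calib.c hunks here touches it, and patch 07 of this series still removes the line `memcpy(&res->hdr, cmd, len);`, so that line survives this patch and names a member that no longer exists. Unless it is converted here (for example to `&res->cmd`), calib.c does not build at this commit and bisection across the series breaks. Separately, in ucode.c iwlagn_wait_calib() casts `pkt->data` to `struct iwl_calib_cmd *` and reads `cmd->hdr.op_code` in the error path without comparing iwl_rx_packet_payload_len(pkt) against the header size first; a length check before the cast, or a sentence in the commit message on why the read is safe, would close that question.
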
From patchwork Wed May 4 01:44:16 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12836677
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 07/32] iwlwifi: calib: Use mem_to_flex_dup() with struct iwl_calib_result
Date: Tue, 3 May 2022 18:44:16 -0700
Message-Id: <20220504014440.3697851-8-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Avoids future false-positive warning when strict run-time memcpy() bounds checking is enabled:

  memcpy: detected field-spanning write (size 8) of single field "&res->hdr" (size 4)

Adds an additional size check since the minimum isn't 0.

Reported-by: Andy Lavr
Cc: Luca Coelho
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Gregory Greenman
Cc: Eric Dumazet
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/net/wireless/intel/iwlwifi/dvm/calib.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c index ae1f0cf560e2..7480c19d7af0 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c +++ b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c @@ -18,8 +18,11 @@ /* Opaque calibration results */ struct iwl_calib_result { struct list_head list; - size_t cmd_len; - struct iwl_calib_cmd cmd; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, cmd_len); + union { + struct iwl_calib_cmd cmd; + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); + }; /* data follows */ };
@@ -59,14 +62,10 @@ int iwl_send_calib_results(struct iwl_priv *priv) int iwl_calib_set(struct iwl_priv *priv, const struct iwl_calib_cmd *cmd, int len) { - struct iwl_calib_result *res, *tmp; + struct iwl_calib_result *res = NULL, *tmp; - res = kmalloc(sizeof(*res) + len - sizeof(struct iwl_calib_hdr), - GFP_ATOMIC); - if (!res) + if (len < sizeof(*cmd) || mem_to_flex_dup(&res, cmd, len, GFP_ATOMIC)) return -ENOMEM; - memcpy(&res->hdr, cmd, len); - res->cmd_len = len; list_for_each_entry(tmp, &priv->calib_results, list) { if (tmp->cmd.hdr.op_code == res->cmd.hdr.op_code) {
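
Review bot: In iwl_calib_set(), `len` is still an `int`, so in the new test `len < sizeof(*cmd)` it is converted to size_t and a negative value compares as very large, passes the minimum-size check, and is handed to mem_to_flex_dup(). Make the parameter unsigned (size_t) or add an explicit `len < 0` test ahead of the comparison. The combined condition also returns -ENOMEM for a payload that is simply too short; splitting the two cases and returning -EINVAL for the short one would keep the "Failed to record calibration data" message in ucode.c from pointing at memory pressure. In the struct hunk, the `/* data follows */` comment is misleading now that `data` is a named member of the union and should be updated or dropped.
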
From patchwork Wed May 4 01:44:17 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12836674
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 08/32] iwlwifi: mvm: Use mem_to_flex_dup() with struct ieee80211_key_conf
Date: Tue, 3 May 2022 18:44:17 -0700
Message-Id: <20220504014440.3697851-9-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Luca Coelho
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Johannes Berg
Cc: Gregory Greenman
Cc: Eric Dumazet
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 8 ++------
 include/net/mac80211.h | 4 ++--
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c index 406f0a50a5bf..23cade528dcf 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c @@ -4108,7 +4108,7 @@ int iwl_mvm_add_pasn_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif, int ret; u16 queue; struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); - struct ieee80211_key_conf *keyconf; + struct ieee80211_key_conf *keyconf = NULL; ret = iwl_mvm_allocate_int_sta(mvm, sta, 0, NL80211_IFTYPE_UNSPECIFIED, @@ -4122,15 +4122,11 @@ int iwl_mvm_add_pasn_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif, if (ret) goto out; - keyconf = kzalloc(sizeof(*keyconf) + key_len, GFP_KERNEL); - if (!keyconf) { + if (mem_to_flex_dup(&keyconf, key, key_len, GFP_KERNEL)) { ret = -ENOBUFS; goto out; } - keyconf->cipher = cipher; - memcpy(keyconf->key, key, key_len); - keyconf->keylen = key_len; ret = iwl_mvm_send_sta_key(mvm, sta->sta_id, keyconf, false, 0, NULL, 0, 0, true); diff --git a/include/net/mac80211.h b/include/net/mac80211.h index 75880fc70700..4abe52963a96 100644 --- a/include/net/mac80211.h +++ b/include/net/mac80211.h
@@ -1890,8 +1890,8 @@ struct ieee80211_key_conf { u8 hw_key_idx; s8 keyidx; u16 flags; - u8 keylen; - u8 key[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u8, keylen); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, key); }; #define IEEE80211_MAX_PN_LEN 16
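
Review bot: In iwl_mvm_add_pasn_sta(), the second sta.c hunk deletes `keyconf->cipher = cipher;` together with the memcpy() and the `keylen` assignment, and nothing in the added lines restores it, so iwl_mvm_send_sta_key() is called with `cipher` never assigned. Put the assignment back after the mem_to_flex_dup() call. The old allocation was kzalloc(), so `hw_key_idx`, `keyidx` and `flags` started out as zero; the commit message should say whether the helper zeroes the allocation as well. In mac80211.h the counter `keylen` is a u8, so it is also worth stating what the helper returns when `key_len` does not fit in it, since the only error reported here is -ENOBUFS.
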
From patchwork Wed May 4 01:44:18 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12836962
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 09/32] p54: Use mem_to_flex_dup() with struct p54_cal_database
Date: Tue, 3 May 2022 18:44:18 -0700
Message-Id: <20220504014440.3697851-10-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part
of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Christian Lamparter
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/net/wireless/intersil/p54/eeprom.c | 8 ++------
 drivers/net/wireless/intersil/p54/p54.h | 4 ++--
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/intersil/p54/eeprom.c b/drivers/net/wireless/intersil/p54/eeprom.c index 5bd35c147e19..bd9b3ea327b9 100644 --- a/drivers/net/wireless/intersil/p54/eeprom.c +++ b/drivers/net/wireless/intersil/p54/eeprom.c @@ -702,7 +702,7 @@ static int p54_convert_output_limits(struct ieee80211_hw *dev, static struct p54_cal_database *p54_convert_db(struct pda_custom_wrapper *src, size_t total_len) { - struct p54_cal_database *dst; + struct p54_cal_database *dst = NULL; size_t payload_len, entries, entry_size, offset; payload_len = le16_to_cpu(src->len); @@ -713,16 +713,12 @@ static struct p54_cal_database *p54_convert_db(struct pda_custom_wrapper *src, (payload_len + sizeof(*src) != total_len)) return NULL; - dst = kmalloc(sizeof(*dst) + payload_len, GFP_KERNEL); - if (!dst) + if (mem_to_flex_dup(&dst, src->data, payload_len, GFP_KERNEL)) return NULL; dst->entries = entries; dst->entry_size = entry_size; dst->offset = offset; - dst->len = payload_len; - - memcpy(dst->data, src->data, payload_len); return dst; } diff --git a/drivers/net/wireless/intersil/p54/p54.h b/drivers/net/wireless/intersil/p54/p54.h index 3356ea708d81..22bbb6d28245 100644 --- a/drivers/net/wireless/intersil/p54/p54.h +++ b/drivers/net/wireless/intersil/p54/p54.h
@@ -125,8 +125,8 @@ struct p54_cal_database { size_t entries; size_t entry_size; size_t offset; - size_t len; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; #define EEPROM_READBACK_LEN 0x3fc
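
Review bot: In p54_convert_db(), `dst->len = payload_len;` is removed and nothing visible at the call site assigns `len` any more; it is now expected to be written by mem_to_flex_dup() through the DECLARE_FLEX_ARRAY_ELEMENTS_COUNT() annotation in p54.h, which is easy to miss next to the three explicit assignments to `entries`, `entry_size` and `offset` that remain. A one-line comment at the call site saying that the helper fills in `len` and `data` would document that. The new `= NULL` initializer on `dst` is added the same way in every conversion in this series, which suggests the helper depends on it; the commit message or a comment should say so, so that a later cleanup does not drop it as redundant.
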
bh=OUtFJC5/TKCmTq7i/wF9dXPYB7F9m5Fe+Glt57epyug=; b=rtj9v7TJQHr4Zj/anJDjn61WZi+51m4/o63rtWB26iSBRCvX0xTTO57Fb6tIvCtkqr dm8xywT5f82ueYEIEU6dqMv/QlblxEdI8h5AQDn0G1l8bAGBU3p8JvhLGE4+bw5t9WTJ F/Do3m/Z8iVehtMdb5Wo2Eksbq87RetNgXAuR59P+iABqqKa/fggDY+piQg/cW9B9cJR Mspl1YGNYeRh6SUm89z7saz5ucaCbDPxKTNfjVf7trYA8dPNUXdb6Mx0BkSppE2tquZn m6dlBxws99/nPOP/dfvheN9A/1FmsxSxAWaDsJlh3fSkzWPIY/0p0b6qsSaK/QaW+CJn bTUg== X-Gm-Message-State: AOAM530IonpaLzTiIcSCqpkdCJLQcIzzo16xC/usRizrDIb0OtWwIAn1 cBTJm3RFy6Axam2twDig441bXA== X-Google-Smtp-Source: ABdhPJwT+HpwroAcLEOh/whz+04BMlDA8QRyKASs96Yn7JFIogcBzSznpVM6BSo5Oye2dEgT1IAP3A== X-Received: by 2002:a63:de12:0:b0:3ab:7c33:2894 with SMTP id f18-20020a63de12000000b003ab7c332894mr15993343pgg.187.1651628861170; Tue, 03 May 2022 18:47:41 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id d14-20020aa7868e000000b0050dc76281a3sm6929562pfo.125.2022.05.03.18.47.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 May 2022 18:47:39 -0700 (PDT) 
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook, Loic Poulain, Kalle Valo, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, wcn36xx@lists.infradead.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot, "James E.J. Bottomley", James Morris, Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, Johannes Berg, John Keeping, Juergen Gross, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K. 
Petersen", Max Filippov, Mimi Zohar, Muchun Song, Nathan Chancellor, Nick Desaulniers, Nuno Sá, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 10/32] wcn36xx: Use mem_to_flex_dup() with struct wcn36xx_hal_ind_msg Date: Tue, 3 May 2022 18:44:19 -0700 Message-Id: <20220504014440.3697851-11-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0
As part of the work to perform
bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.
Cc: Loic Poulain
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: wcn36xx@lists.infradead.org
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/net/wireless/ath/wcn36xx/smd.c | 8 ++------ drivers/net/wireless/ath/wcn36xx/smd.h | 4 ++-- 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c index dc3805609284..106af0a2ffc4 100644 --- a/drivers/net/wireless/ath/wcn36xx/smd.c +++ b/drivers/net/wireless/ath/wcn36xx/smd.c @@ -3343,7 +3343,7 @@ int wcn36xx_smd_rsp_process(struct rpmsg_device *rpdev, const struct wcn36xx_hal_msg_header *msg_header = buf; struct ieee80211_hw *hw = priv; struct wcn36xx *wcn = hw->priv; - struct wcn36xx_hal_ind_msg *msg_ind; + struct wcn36xx_hal_ind_msg *msg_ind = NULL; wcn36xx_dbg_dump(WCN36XX_DBG_SMD_DUMP, "SMD <<< ", buf, len); switch (msg_header->msg_type) { @@ -3407,16 +3407,12 @@ int wcn36xx_smd_rsp_process(struct rpmsg_device *rpdev, case WCN36XX_HAL_DELETE_STA_CONTEXT_IND: case WCN36XX_HAL_PRINT_REG_INFO_IND: case WCN36XX_HAL_SCAN_OFFLOAD_IND: - msg_ind = kmalloc(struct_size(msg_ind, msg, len), GFP_ATOMIC); - if (!msg_ind) { + if (mem_to_flex_dup(&msg_ind, buf, len, GFP_ATOMIC)) { wcn36xx_err("Run out of memory while handling SMD_EVENT (%d)\n", msg_header->msg_type); return -ENOMEM; } - msg_ind->msg_len = len; - memcpy(msg_ind->msg, buf, len); - spin_lock(&wcn->hal_ind_lock); list_add_tail(&msg_ind->list, &wcn->hal_ind_queue); queue_work(wcn->hal_ind_wq, &wcn->hal_ind_work); diff --git a/drivers/net/wireless/ath/wcn36xx/smd.h b/drivers/net/wireless/ath/wcn36xx/smd.h index 3fd598ac2a27..76ecac46f36b 100644 
--- a/drivers/net/wireless/ath/wcn36xx/smd.h +++ b/drivers/net/wireless/ath/wcn36xx/smd.h 
@@ -46,8 +46,8 @@ struct wcn36xx_fw_msg_status_rsp { struct wcn36xx_hal_ind_msg { struct list_head list; - size_t msg_len; - u8 msg[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, msg_len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, msg); }; struct wcn36xx;
From patchwork Wed May 4 01:44:20 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836872
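Review bot: in [PATCH 10/32], the second smd.c hunk (wcn36xx_smd_rsp_process(), the *_IND cases) treats every non-zero return from mem_to_flex_dup() as an allocation failure: it logs "Run out of memory while handling SMD_EVENT" and returns -ENOMEM. The commit message says the helper also performs the bounds checking, so a length the helper refuses would be reported as OOM. Keep the helper's return value, for example `ret = mem_to_flex_dup(&msg_ind, buf, len, GFP_ATOMIC); if (ret) { ...; return ret; }`, and make the log text neutral so that a rejected length can be told apart from memory pressure.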
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook, Johannes Berg, "David S. Miller", Jakub Kicinski, Paolo Abeni, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, Eric Dumazet, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot, "James E.J. Bottomley", James Morris, Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K. 
Petersen", Max Filippov, Mimi Zohar, Muchun Song, Nathan Chancellor, Nick Desaulniers, Nuno Sá, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 11/32] nl80211: Use mem_to_flex_dup() with struct cfg80211_cqm_config Date: Tue, 3 May 2022 18:44:20 -0700 Message-Id: <20220504014440.3697851-12-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0
As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.
Cc: Johannes Berg
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: Eric Dumazet
Signed-off-by: Kees Cook
--- net/wireless/core.h | 4 ++-- net/wireless/nl80211.c | 15 ++++----------- 2 files changed, 6 insertions(+), 13 deletions(-)
diff --git a/net/wireless/core.h b/net/wireless/core.h index 3a7dbd63d8c6..899d111993c6 100644 --- a/net/wireless/core.h +++ b/net/wireless/core.h @@ -295,8 +295,8 @@ struct cfg80211_beacon_registration { struct cfg80211_cqm_config { u32 rssi_hyst; s32 last_rssi_event_value; - int n_rssi_thresholds; - s32 rssi_thresholds[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, n_rssi_thresholds); + DECLARE_FLEX_ARRAY_ELEMENTS(s32, rssi_thresholds); }; void cfg80211_destroy_ifaces(struct cfg80211_registered_device *rdev); diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 945ed87d12e0..70df7132cce8 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c 
@@ -12096,21 +12096,14 @@ static int nl80211_set_cqm_rssi(struct genl_info *info, wdev_lock(wdev); if (n_thresholds) { - struct cfg80211_cqm_config *cqm_config; + struct cfg80211_cqm_config *cqm_config = NULL; - cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds, - n_thresholds), - GFP_KERNEL); - if (!cqm_config) { - err = -ENOMEM; + err = mem_to_flex_dup(&cqm_config, thresholds, n_thresholds, + GFP_KERNEL); + if (err) goto unlock; - } cqm_config->rssi_hyst = hysteresis; - cqm_config->n_rssi_thresholds = n_thresholds; - memcpy(cqm_config->rssi_thresholds, thresholds, - flex_array_size(cqm_config, rssi_thresholds, - n_thresholds)); wdev->cqm_config = cqm_config; }
From patchwork Wed May 4 01:44:21 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836675
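Review bot: in [PATCH 11/32], the nl80211_set_cqm_rssi() hunk is the one conversion here whose flexible array is not u8, so the unit of the third mem_to_flex_dup() argument matters and is not stated. rssi_thresholds is s32, and the removed code sized both the allocation and the memcpy() in elements through struct_size() and flex_array_size(); the new call passes n_thresholds unchanged, which is only correct if the helper takes an element count rather than a byte length. Please say so in the helper's kernel-doc and in this commit message. Separately, kzalloc() used to leave last_rssi_event_value zeroed and the hunk only assigns rssi_hyst afterwards, so either confirm that the helper zero-fills the non-array members or set that field explicitly.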
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook, Johannes Berg, "David S. Miller", Jakub Kicinski, Paolo Abeni, Eric Dumazet, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot, "James E.J. Bottomley", James Morris, Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K. 
Petersen", Max Filippov, Mimi Zohar, Muchun Song, Nathan Chancellor, Nick Desaulniers, Nuno Sá, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 12/32] cfg80211: Use mem_to_flex_dup() with struct cfg80211_bss_ies Date: Tue, 3 May 2022 18:44:21 -0700 Message-Id: <20220504014440.3697851-13-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0
As
part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.
Cc: Johannes Berg
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Eric Dumazet
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- include/net/cfg80211.h | 4 ++-- net/wireless/scan.c | 21 ++++++--------------- 2 files changed, 8 insertions(+), 17 deletions(-)
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h index 68713388b617..fa236015f6ef 100644 --- a/include/net/cfg80211.h +++ b/include/net/cfg80211.h @@ -2600,9 +2600,9 @@ struct cfg80211_inform_bss { struct cfg80211_bss_ies { u64 tsf; struct rcu_head rcu_head; - int len; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); bool from_beacon; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; /** diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 4a6d86432910..9f53d05c6aaa 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1932,7 +1932,7 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy, gfp_t gfp) { struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); - struct cfg80211_bss_ies *ies; + struct cfg80211_bss_ies *ies = NULL; struct ieee80211_channel *channel; struct cfg80211_internal_bss tmp = {}, *res; int bss_type; @@ -1978,13 +1978,10 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy, * override the IEs pointer should we have received an earlier * indication of Probe Response data. */ - ies = kzalloc(sizeof(*ies) + ielen, gfp); - if (!ies) + if (mem_to_flex_dup(&ies, ie, ielen, gfp)) return NULL; - ies->len = ielen; ies->tsf = tsf; ies->from_beacon = false; - memcpy(ies->data, ie, ielen); switch (ftype) { case CFG80211_BSS_FTYPE_BEACON: 
@@ -2277,7 +2274,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, size_t ielen = len - offsetof(struct ieee80211_mgmt, u.probe_resp.variable); size_t new_ie_len; - struct cfg80211_bss_ies *new_ies; + struct cfg80211_bss_ies *new_ies = NULL; const struct cfg80211_bss_ies *old; u8 cpy_len; @@ -2314,8 +2311,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, if (!new_ie) return; - new_ies = kzalloc(sizeof(*new_ies) + new_ie_len, GFP_ATOMIC); - if (!new_ies) + if (mem_to_flex_dup(&new_ies, new_ie, new_ie_len, GFP_ATOMIC)) goto out_free; pos = new_ie; @@ -2333,10 +2329,8 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, memcpy(pos, mbssid + cpy_len, ((ie + ielen) - (mbssid + cpy_len))); /* update ie */ - new_ies->len = new_ie_len; new_ies->tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp); new_ies->from_beacon = ieee80211_is_beacon(mgmt->frame_control); - memcpy(new_ies->data, new_ie, new_ie_len); if (ieee80211_is_probe_resp(mgmt->frame_control)) { old = rcu_access_pointer(nontrans_bss->proberesp_ies); rcu_assign_pointer(nontrans_bss->proberesp_ies, new_ies); @@ -2363,7 +2357,7 @@ cfg80211_inform_single_bss_frame_data(struct wiphy *wiphy, gfp_t gfp) { struct cfg80211_internal_bss tmp = {}, *res; - struct cfg80211_bss_ies *ies; + struct cfg80211_bss_ies *ies = NULL; struct ieee80211_channel *channel; bool signal_valid; struct ieee80211_ext *ext = NULL; 
@@ -2442,14 +2436,11 @@ cfg80211_inform_single_bss_frame_data(struct wiphy *wiphy, capability = le16_to_cpu(mgmt->u.probe_resp.capab_info); } - ies = kzalloc(sizeof(*ies) + ielen, gfp); - if (!ies) + if (mem_to_flex_dup(&ies, variable, ielen, gfp)) return NULL; - ies->len = ielen; ies->tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp); ies->from_beacon = ieee80211_is_beacon(mgmt->frame_control) || ieee80211_is_s1g_beacon(mgmt->frame_control); - memcpy(ies->data, variable, ielen); if (ieee80211_is_probe_resp(mgmt->frame_control)) rcu_assign_pointer(tmp.pub.proberesp_ies, ies);
From patchwork Wed May 4 01:44:22 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836963
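Review bot: in [PATCH 12/32], the two cfg80211_update_notlisted_nontrans() hunks move the copy ahead of the data it is supposed to copy. mem_to_flex_dup(&new_ies, new_ie, new_ie_len, GFP_ATOMIC) now runs where the kzalloc() was, right after the `if (!new_ie) return;` check and before `pos = new_ie;` and the memcpy() calls that assemble the IEs into new_ie, while the later `memcpy(new_ies->data, new_ie, new_ie_len);` under "/* update ie */" is deleted. As written, new_ies->data receives whatever new_ie held before it was filled. The mem_to_flex_dup() call should sit where the removed memcpy() was, with the out_free error path kept. The cfg80211_inform_single_bss_data() and cfg80211_inform_single_bss_frame_data() hunks are not affected, because ie and variable are complete at the call. For the header hunk, len stays an int while new_ie_len is a size_t, so the helper's check has to reject lengths above INT_MAX rather than truncate them.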
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook, Johannes Berg, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot, "James E.J. Bottomley", James Morris, Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K. 
Petersen", Max Filippov, Mimi Zohar, Muchun Song, Nathan Chancellor, Nick Desaulniers, Nuno Sá, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 13/32] mac80211: Use mem_to_flex_dup() with several structs Date: Tue, 3 May 2022 18:44:22 -0700 Message-Id: <20220504014440.3697851-14-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0
As part of
the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying:
struct probe_resp
struct fils_discovery_data
struct unsol_bcast_probe_resp_data
Cc: Johannes Berg
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- net/mac80211/cfg.c | 22 ++++++---------------- net/mac80211/ieee80211_i.h | 12 ++++++------ 2 files changed, 12 insertions(+), 22 deletions(-)
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index f1d211e61e49..355edbf41707 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -867,20 +867,16 @@ ieee80211_set_probe_resp(struct ieee80211_sub_if_data *sdata, const struct ieee80211_csa_settings *csa, const struct ieee80211_color_change_settings *cca) { - struct probe_resp *new, *old; + struct probe_resp *new = NULL, *old; if (!resp || !resp_len) return 1; old = sdata_dereference(sdata->u.ap.probe_resp, sdata); - new = kzalloc(sizeof(struct probe_resp) + resp_len, GFP_KERNEL); - if (!new) + if (mem_to_flex_dup(&new, resp, resp_len, GFP_KERNEL)) return -ENOMEM; - new->len = resp_len; - memcpy(new->data, resp, resp_len); - if (csa) memcpy(new->cntdwn_counter_offsets, csa->counter_offsets_presp, csa->n_counter_offsets_presp * @@ -898,7 +894,7 @@ ieee80211_set_probe_resp(struct ieee80211_sub_if_data *sdata, static int ieee80211_set_fils_discovery(struct ieee80211_sub_if_data *sdata, struct cfg80211_fils_discovery *params) { - struct fils_discovery_data *new, *old = NULL; + struct fils_discovery_data *new = NULL, *old = NULL; struct ieee80211_fils_discovery *fd; if (!params->tmpl || !params->tmpl_len) 
@@ -909,11 +905,8 @@ static int ieee80211_set_fils_discovery(struct ieee80211_sub_if_data *sdata, fd->max_interval = params->max_interval; old = sdata_dereference(sdata->u.ap.fils_discovery, sdata); - new = kzalloc(sizeof(*new) + params->tmpl_len, GFP_KERNEL); - if (!new) + if (mem_to_flex_dup(&new, params->tmpl, params->tmpl_len, GFP_KERNEL)) return -ENOMEM; - new->len = params->tmpl_len; - memcpy(new->data, params->tmpl, params->tmpl_len); rcu_assign_pointer(sdata->u.ap.fils_discovery, new); if (old) @@ -926,17 +919,14 @@ static int ieee80211_set_unsol_bcast_probe_resp(struct ieee80211_sub_if_data *sdata, struct cfg80211_unsol_bcast_probe_resp *params) { - struct unsol_bcast_probe_resp_data *new, *old = NULL; + struct unsol_bcast_probe_resp_data *new = NULL, *old = NULL; if (!params->tmpl || !params->tmpl_len) return -EINVAL; old = sdata_dereference(sdata->u.ap.unsol_bcast_probe_resp, sdata); - new = kzalloc(sizeof(*new) + params->tmpl_len, GFP_KERNEL); - if (!new) + if (mem_to_flex_dup(&new, params->tmpl, params->tmpl_len, GFP_KERNEL)) return -ENOMEM; - new->len = params->tmpl_len; - memcpy(new->data, params->tmpl, params->tmpl_len); rcu_assign_pointer(sdata->u.ap.unsol_bcast_probe_resp, new); if (old) diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index d4a7ba4a8202..2e9bbfb12c0d 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h 
@@ -263,21 +263,21 @@ struct beacon_data { struct probe_resp { struct rcu_head rcu_head; - int len; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); u16 cntdwn_counter_offsets[IEEE80211_MAX_CNTDWN_COUNTERS_NUM]; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; struct fils_discovery_data { struct rcu_head rcu_head; - int len; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; struct unsol_bcast_probe_resp_data { struct rcu_head rcu_head; - int len; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; struct ps_data {
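Review bot: in ieee80211_set_probe_resp() the removed allocation was kzalloc(), and the only visible write to new->cntdwn_counter_offsets sits under `if (csa)`, so unless mem_to_flex_dup() zeroes the whole object this conversion can leave that array uninitialised when no csa is passed. Please say in the commit message, or in a comment at the call, that the helper returns zeroed memory, or clear the array explicitly after the call. Separately, all three converted call sites in cfg.c map any non-zero return to -ENOMEM, although the helper is described as doing bounds checking as well as allocation; returning the helper's own error code would keep a rejected length distinguishable from an allocation failure.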
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 14/32] af_unix: Use mem_to_flex_dup() with struct unix_address
Date: Tue, 3 May 2022 18:44:23 -0700
Message-Id: <20220504014440.3697851-15-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.

Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Kuniyuki Iwashima
Cc: Alexei Starovoitov
Cc: Cong Wang
Cc: Al Viro
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 include/net/af_unix.h | 14 ++++++++++++--
 net/unix/af_unix.c    |  7 ++-----
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/include/net/af_unix.h b/include/net/af_unix.h index a7ef624ed726..422535b71295 100644 --- a/include/net/af_unix.h +++ b/include/net/af_unix.h @@ -25,8 +25,18 @@ extern struct hlist_head unix_socket_table[2 * UNIX_HASH_SIZE]; struct unix_address { refcount_t refcnt; - int len; - struct sockaddr_un name[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); + union { + DECLARE_FLEX_ARRAY(struct sockaddr_un, name); + /* + * While a struct is used to access the flexible + * array, it may only be partially populated, and + * "len" above is actually tracking bytes, not a + * count of struct sockaddr_un elements, so also + * include a byte-size flexible array. + */ + DECLARE_FLEX_ARRAY_ELEMENTS(u8, bytes); + }; }; struct unix_skb_parms { diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index e1dd9e9c8452..8410cbc82ded 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c
@@ -244,15 +244,12 @@ EXPORT_SYMBOL_GPL(unix_peer_get); static struct unix_address *unix_create_addr(struct sockaddr_un *sunaddr, int addr_len) { - struct unix_address *addr; + struct unix_address *addr = NULL; - addr = kmalloc(sizeof(*addr) + addr_len, GFP_KERNEL); - if (!addr) + if (mem_to_flex_dup(&addr, sunaddr, addr_len, GFP_KERNEL)) return NULL; refcount_set(&addr->refcnt, 1); - addr->len = addr_len; - memcpy(addr->name, sunaddr, addr_len); return addr; }
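Review bot: in unix_create_addr() nothing at the call site now shows that addr_len is a byte count stored in addr->len, or that the copy lands in the new `bytes` member rather than `name`; that only follows from which union member carries DECLARE_FLEX_ARRAY_ELEMENTS in af_unix.h. A one-line comment above the mem_to_flex_dup() call saying that it sets addr->len and fills addr->bytes (which aliases addr->name) would keep the function readable without the header open. addr_len is a signed int and the counter is declared as int, so the commit message should also say how the helper treats a negative length, since the removed `sizeof(*addr) + addr_len` did no check of its own.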
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 15/32] 802/garp: Use mem_to_flex_dup() with struct garp_attr
Date: Tue, 3 May 2022 18:44:24 -0700
Message-Id: <20220504014440.3697851-16-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.

Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Hulk Robot
Cc: Yang Yingliang
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 include/net/garp.h | 4 ++--
 net/802/garp.c     | 9 +++------
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/include/net/garp.h b/include/net/garp.h index 4d9a0c6a2e5f..ec087ae534e7 100644 --- a/include/net/garp.h +++ b/include/net/garp.h @@ -80,8 +80,8 @@ struct garp_attr { struct rb_node node; enum garp_applicant_state state; u8 type; - u8 dlen; - unsigned char data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u8, dlen); + DECLARE_FLEX_ARRAY_ELEMENTS(unsigned char, data); }; enum garp_applications { diff --git a/net/802/garp.c b/net/802/garp.c index f6012f8e59f0..72743ed00a54 100644 --- a/net/802/garp.c +++ b/net/802/garp.c @@ -168,7 +168,7 @@ static struct garp_attr *garp_attr_create(struct garp_applicant *app, const void *data, u8 len, u8 type) { struct rb_node *parent = NULL, **p = &app->gid.rb_node; - struct garp_attr *attr; + struct garp_attr *attr = NULL; int d; while (*p) {
@@ -184,13 +184,10 @@ static struct garp_attr *garp_attr_create(struct garp_applicant *app, return attr; } } - attr = kmalloc(sizeof(*attr) + len, GFP_ATOMIC); - if (!attr) - return attr; + if (mem_to_flex_dup(&attr, data, len, GFP_ATOMIC)) + return NULL; attr->state = GARP_APPLICANT_VO; attr->type = type; - attr->dlen = len; - memcpy(attr->data, data, len); rb_link_node(&attr->node, parent, p); rb_insert_color(&attr->node, &app->gid);
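Review bot: in garp_attr_create() the new `= NULL` initialiser does not guarantee that attr is NULL when mem_to_flex_dup(&attr, ...) runs, because attr is also the cursor of the `while (*p)` lookup loop directly above; the loop's `return attr;` on a match shows it is assigned there, so once the tree holds any entry attr still points at the last node compared. Every conversion shown in this series adds a NULL initialiser for the destination, which suggests the helper expects an empty pointer; if so, this call does not behave as intended on a non-empty tree. Set `attr = NULL;` immediately before the call, or allocate into a separate local, and mention that requirement in the commit message.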
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 16/32] 802/mrp: Use mem_to_flex_dup() with struct mrp_attr
Date: Tue, 3 May 2022 18:44:25 -0700
Message-Id: <20220504014440.3697851-17-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.

Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Yang Yingliang
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 include/net/mrp.h | 4 ++--
 net/802/mrp.c     | 9 +++------
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/include/net/mrp.h b/include/net/mrp.h index 1c308c034e1a..211670bb46f2 100644 --- a/include/net/mrp.h +++ b/include/net/mrp.h @@ -91,8 +91,8 @@ struct mrp_attr { struct rb_node node; enum mrp_applicant_state state; u8 type; - u8 len; - unsigned char value[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u8, len); + DECLARE_FLEX_ARRAY_ELEMENTS(unsigned char, value); }; enum mrp_applications { diff --git a/net/802/mrp.c b/net/802/mrp.c index 35e04cc5390c..8b9b2e685a42 100644 --- a/net/802/mrp.c +++ b/net/802/mrp.c @@ -257,7 +257,7 @@ static struct mrp_attr *mrp_attr_create(struct mrp_applicant *app, const void *value, u8 len, u8 type) { struct rb_node *parent = NULL, **p = &app->mad.rb_node; - struct mrp_attr *attr; + struct mrp_attr *attr = NULL; int d; while (*p) {
@@ -273,13 +273,10 @@ static struct mrp_attr *mrp_attr_create(struct mrp_applicant *app, return attr; } } - attr = kmalloc(sizeof(*attr) + len, GFP_ATOMIC); - if (!attr) - return attr; + if (mem_to_flex_dup(&attr, value, len, GFP_ATOMIC)) + return NULL; attr->state = MRP_APPLICANT_VO; attr->type = type; - attr->len = len; - memcpy(attr->value, value, len); rb_link_node(&attr->node, parent, p); rb_insert_color(&attr->node, &app->mad);
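Review bot: mrp_attr_create() passes &attr to mem_to_flex_dup() after attr has been used to walk the rb-tree in the `while (*p)` loop above (the loop returns attr on an exact match), so the `struct mrp_attr *attr = NULL;` initialiser at the top no longer holds by the time the helper sees the pointer, except on an empty tree. If the helper requires a NULL destination, as the added initialisers imply, add `attr = NULL;` right before the call or use a dedicated variable for the new allocation. Separately, the `len` argument and the `len` counter are both u8, so the length can never exceed what the counter holds; a short remark to that effect in the commit message would explain why only allocation failure is expected on this path.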
xdp24lDnEh6QoNKPI3Ft2lTJ+h48bMoBlTL80= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=vEhg+UN+nvvIRlNnvIoleDYLxzWI/4j+AXJ2OBahvyQ=; b=vyajAfJNSea7ID7/PlkQShkFVJ4iLOSfBdguKqE5UQ6TejZ2tWkxaKmfXw2eJdcTYJ d7Wy9HFsMEMXbA455/WOnrxSScNqt2c6/WttN13h7OnMhCE6mCwX/ZgrSXiNJ4b7EaLb t93BHY5RWcYawWnZr0yn2tq+lU6lH4Wz7tMZNZdihyVMM6FTUMgM0pP4YoIC5gVhDr1c 2okpYA7B8gw55WljGLSYuqivQAS6HXP3zZDAd/uugrG/MqkcKfYBLKTZge8CwVEhqlzS BfLXKLtgPaKUIPp156wPGNeJuOUQt2MigQ2UY47Jvs9JNNH6KbD2yojSGsVclNJWBs6Y UmjQ== X-Gm-Message-State: AOAM533ms7FEhzE564orzqqX21r0mieFzuoCsOamCmL4NgxTDXvcdVxK 5Br3Ky7sr7EfiBQ+Xucg5mQqIA== X-Google-Smtp-Source: ABdhPJzI4IiRrxPSXkixkcvlB8cGm8brcWRiM4L1KUnKofXLRSVRJRXFkv6QdN0IforxNoZJSUOL5w== X-Received: by 2002:a17:903:2d1:b0:156:7ceb:b56f with SMTP id s17-20020a17090302d100b001567cebb56fmr19656689plk.11.1651629165975; Tue, 03 May 2022 18:52:45 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id o1-20020a170902778100b0015e8d4eb2cbsm7014958pll.277.2022.05.03.18.52.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 May 2022 18:52:45 -0700 (PDT) 
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 17/32] net/flow_offload: Use mem_to_flex_dup() with struct flow_action_cookie
Date: Tue, 3 May 2022 18:44:26 -0700
Message-Id: <20220504014440.3697851-18-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Baowen Zheng
Cc: Eli Cohen
Cc: Louis Peens
Cc: Simon Horman
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- include/net/flow_offload.h | 4 ++-- net/core/flow_offload.c | 7 ++----- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h index 021778a7e1af..ca5db457a0bc 100644 --- a/include/net/flow_offload.h +++ b/include/net/flow_offload.h @@ -190,8 +190,8 @@ enum flow_action_hw_stats { typedef void (*action_destr)(void *priv); struct flow_action_cookie { - u32 cookie_len; - u8 cookie[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, cookie_len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, cookie); }; struct flow_action_cookie *flow_action_cookie_create(void *data, diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c index 73f68d4625f3..e23c8d05b828 100644 --- a/net/core/flow_offload.c +++ b/net/core/flow_offload.c 
@@ -199,13 +199,10 @@ struct flow_action_cookie *flow_action_cookie_create(void *data, unsigned int len, gfp_t gfp) { - struct flow_action_cookie *cookie; + struct flow_action_cookie *cookie = NULL; - cookie = kmalloc(sizeof(*cookie) + len, gfp); - if (!cookie) + if (mem_to_flex_dup(&cookie, data, len, gfp)) return NULL; - cookie->cookie_len = len; - memcpy(cookie->cookie, data, len); return cookie; } EXPORT_SYMBOL(flow_action_cookie_create);
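Review bot: in flow_action_cookie_create(), every non-zero return from mem_to_flex_dup() is folded into "return NULL", so a caller can no longer tell an allocation failure from a length the helper refused; in the removed lines NULL could only mean that kmalloc() failed. The commit message should state which bound the helper enforces for the u32 cookie_len count and whether any existing caller can pass a len that would now fail. If the new "= NULL" initializer on cookie is something the helper depends on (it is added at every converted call site visible in this series), say so in the commit message or a comment, because it looks redundant and is easy to drop in a later cleanup.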
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 18/32] firewire: Use __mem_to_flex_dup() with struct iso_interrupt_event
Date: Tue, 3 May 2022 18:44:27 -0700
Message-Id: <20220504014440.3697851-19-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Stefan Richter
Cc: linux1394-devel@lists.sourceforge.net
Signed-off-by: Kees Cook
--- drivers/firewire/core-cdev.c | 7 ++----- include/uapi/linux/firewire-cdev.h | 4 ++-- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c index c9fe5903725a..7e884c61e12e 100644 --- a/drivers/firewire/core-cdev.c +++ b/drivers/firewire/core-cdev.c @@ -913,17 +913,14 @@ static void iso_callback(struct fw_iso_context *context, u32 cycle, size_t header_length, void *header, void *data) { struct client *client = data; - struct iso_interrupt_event *e; + struct iso_interrupt_event *e = NULL; - e = kmalloc(sizeof(*e) + header_length, GFP_ATOMIC); - if (e == NULL) + if (__mem_to_flex_dup(&e, .interrupt, header, header_length, GFP_ATOMIC)) return; e->interrupt.type = FW_CDEV_EVENT_ISO_INTERRUPT; e->interrupt.closure = client->iso_closure; e->interrupt.cycle = cycle; - e->interrupt.header_length = header_length; - memcpy(e->interrupt.header, header, header_length); queue_event(client, &e->event, &e->interrupt, sizeof(e->interrupt) + header_length, NULL, 0); } diff --git a/include/uapi/linux/firewire-cdev.h b/include/uapi/linux/firewire-cdev.h index 5effa9832802..22c5f59e9dfa 100644 --- a/include/uapi/linux/firewire-cdev.h +++ b/include/uapi/linux/firewire-cdev.h 
@@ -264,8 +264,8 @@ struct fw_cdev_event_iso_interrupt { __u64 closure; __u32 type; __u32 cycle; - __u32 header_length; - __u32 header[0]; + __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u32, header_length); + __DECLARE_FLEX_ARRAY_ELEMENTS(__u32, header); }; /**
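Review bot: header_length is a byte count in the removed lines of iso_callback() (kmalloc(sizeof(*e) + header_length, GFP_ATOMIC) and memcpy(e->interrupt.header, header, header_length)) and in the unchanged queue_event() call, but the uapi hunk now declares it as the element count of a __u32 array. Please confirm that __mem_to_flex_dup() sizes both the allocation and the copy in bytes for this struct; if it multiplies the count by sizeof(__u32), the copy would read past the end of the source header buffer. Because include/uapi/linux/firewire-cdev.h is visible to userspace, the commit message should also state that the layout of struct fw_cdev_event_iso_interrupt is unchanged and that the __DECLARE_FLEX_ARRAY_* macros are usable from userspace builds.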
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 19/32] afs: Use mem_to_flex_dup() with struct afs_acl
Date: Tue, 3 May 2022 18:44:28 -0700
Message-Id: <20220504014440.3697851-20-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: David Howells
Cc: Marc Dionne
Cc: linux-afs@lists.infradead.org
Signed-off-by: Kees Cook
--- fs/afs/internal.h | 4 ++-- fs/afs/xattr.c | 7 ++----- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/fs/afs/internal.h b/fs/afs/internal.h index 7a72e9c60423..83014d20b6b3 100644 --- a/fs/afs/internal.h +++ b/fs/afs/internal.h @@ -1125,8 +1125,8 @@ extern bool afs_fs_get_capabilities(struct afs_net *, struct afs_server *, extern void afs_fs_inline_bulk_status(struct afs_operation *); struct afs_acl { - u32 size; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, size); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; extern void afs_fs_fetch_acl(struct afs_operation *); diff --git a/fs/afs/xattr.c b/fs/afs/xattr.c index 7751b0b3f81d..77b3af283d49 100644 --- a/fs/afs/xattr.c +++ b/fs/afs/xattr.c 
@@ -73,16 +73,13 @@ static int afs_xattr_get_acl(const struct xattr_handler *handler, static bool afs_make_acl(struct afs_operation *op, const void *buffer, size_t size) { - struct afs_acl *acl; + struct afs_acl *acl = NULL; - acl = kmalloc(sizeof(*acl) + size, GFP_KERNEL); - if (!acl) { + if (mem_to_flex_dup(&acl, buffer, size, GFP_KERNEL)) { afs_op_nomem(op); return false; } - acl->size = size; - memcpy(acl->data, buffer, size); op->acl = acl; return true; }
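Review bot: in afs_make_acl(), any failure from mem_to_flex_dup() is reported through afs_op_nomem(op), including a size the helper refuses, which is not an out-of-memory condition. size is a size_t while the count member is declared u32, and the removed "acl->size = size" would have truncated silently while memcpy() copied the full size, so if the helper now rejects sizes that do not fit the count, that is a behaviour change worth a line in the commit message. Consider checking the helper's return value and recording a distinct error for the oversized case instead of treating every failure as ENOMEM.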
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 20/32] ASoC: sigmadsp: Use mem_to_flex_dup() with struct sigmadsp_data
Date: Tue, 3 May 2022 18:44:29 -0700
Message-Id: <20220504014440.3697851-21-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Lars-Peter Clausen
Cc: "Nuno Sá"
Cc: Liam Girdwood
Cc: Mark Brown
Cc: Jaroslav Kysela
Cc: Takashi Iwai
Cc: alsa-devel@alsa-project.org
Signed-off-by: Kees Cook
Acked-by: Mark Brown
--- sound/soc/codecs/sigmadsp.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/sound/soc/codecs/sigmadsp.c b/sound/soc/codecs/sigmadsp.c index b992216aee55..648bdc73c5d9 100644 --- a/sound/soc/codecs/sigmadsp.c +++ b/sound/soc/codecs/sigmadsp.c @@ -42,8 +42,8 @@ struct sigmadsp_data { struct list_head head; uint32_t samplerates; unsigned int addr; - unsigned int length; - uint8_t data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned int, length); + DECLARE_FLEX_ARRAY_ELEMENTS(uint8_t, data); }; struct sigma_fw_chunk { @@ -263,7 +263,7 @@ static int sigma_fw_load_data(struct sigmadsp *sigmadsp, const struct sigma_fw_chunk *chunk, unsigned int length) { const struct sigma_fw_chunk_data *data_chunk; - struct sigmadsp_data *data; + struct sigmadsp_data *data = NULL; if (length <= sizeof(*data_chunk)) return -EINVAL; 
@@ -272,14 +272,11 @@ static int sigma_fw_load_data(struct sigmadsp *sigmadsp, length -= sizeof(*data_chunk); - data = kzalloc(sizeof(*data) + length, GFP_KERNEL); - if (!data) + if (mem_to_flex_dup(&data, data_chunk->data, length, GFP_KERNEL)) return -ENOMEM; data->addr = le16_to_cpu(data_chunk->addr); - data->length = length; data->samplerates = le32_to_cpu(chunk->samplerates); - memcpy(data->data, data_chunk->data, length); list_add_tail(&data->head, &sigmadsp->data_list); return 0;
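Review bot: the allocation removed from sigma_fw_load_data() was kzalloc(), not the kmalloc() replaced in the other conversions, and the commit message does not say whether mem_to_flex_dup() zeroes the object. The fields visible in struct sigmadsp_data are all written before use (addr and samplerates by assignment, head by list_add_tail(), length and data by the helper), so this looks safe, but please state it in the commit message so that a field added to the struct later is not assumed to start at zero. The unchanged "return -ENOMEM" also now covers every helper failure; returning the helper's own error code would keep a bounds rejection distinguishable from an allocation failure.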
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , Andy Gross , Bjorn Andersson , linux-arm-msm@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Lavr , Arend van Spriel , Baowen Zheng , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , "David S. Miller" , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Dumazet , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , netdev@vger.kernel.org, Nick Desaulniers , Nuno Sá , Paolo Abeni , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang
Subject: [PATCH 21/32] soc: qcom: apr: Use mem_to_flex_dup() with struct apr_rx_buf
Date: Tue, 3 May 2022 18:44:30 -0700
Message-Id: <20220504014440.3697851-22-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
MIME-Version: 1.0

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Andy Gross
Cc: Bjorn Andersson
Cc: linux-arm-msm@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/soc/qcom/apr.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/drivers/soc/qcom/apr.c b/drivers/soc/qcom/apr.c index 3caabd873322..6cf6f6df276e 100644 --- a/drivers/soc/qcom/apr.c +++ b/drivers/soc/qcom/apr.c @@ -40,8 +40,8 @@ struct packet_router { struct apr_rx_buf { struct list_head node; - int len; - uint8_t buf[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); + DECLARE_FLEX_ARRAY_ELEMENTS(uint8_t, buf); }; /** @@ -162,7 +162,7 @@ static int apr_callback(struct rpmsg_device *rpdev, void *buf, int len, void *priv, u32 addr) { struct packet_router *apr = dev_get_drvdata(&rpdev->dev); - struct apr_rx_buf *abuf; + struct apr_rx_buf *abuf = NULL; unsigned long flags; if (len <= APR_HDR_SIZE) {
@@ -171,13 +171,9 @@ static int apr_callback(struct rpmsg_device *rpdev, void *buf, return -EINVAL; } - abuf = kzalloc(sizeof(*abuf) + len, GFP_ATOMIC); - if (!abuf) + if (mem_to_flex_dup(&abuf, buf, len, GFP_ATOMIC)) return -ENOMEM; - abuf->len = len; - memcpy(abuf->buf, buf, len); - spin_lock_irqsave(&apr->rx_lock, flags); list_add_tail(&abuf->node, &apr->rx_list); spin_unlock_irqrestore(&apr->rx_lock, flags);
From patchwork Wed May 4 01:44:31 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836967
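Review bot: In apr_callback() in drivers/soc/qcom/apr.c (the @@ -171,13 hunk), every non-zero return from mem_to_flex_dup() is reported as -ENOMEM, although the commit message says the helper also performs bounds checking, so a length rejected by that check becomes indistinguishable from an allocation failure. The Bluetooth conversion in this series stores the helper's result in err and propagates it; doing the same here (int ret = mem_to_flex_dup(&abuf, buf, len, GFP_ATOMIC); if (ret) return ret;) would keep the real cause visible. The count is also declared as DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len), so it stays signed and relies on the existing "len <= APR_HDR_SIZE" early return to keep bad lengths away from the helper; a sentence in the commit message about that dependency would help.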
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , Russell King , Christian Brauner , Andrew Morton , Muchun Song , linux-arm-kernel@lists.infradead.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , "David S. Miller" , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Dumazet , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Nathan Chancellor , netdev@vger.kernel.org, Nick Desaulniers , Nuno Sá , Paolo Abeni , Paul Moore , Rich Felker , Rob Herring , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang
Subject: [PATCH 22/32] atags_proc: Use mem_to_flex_dup() with struct buffer
Date: Tue, 3 May 2022 18:44:31 -0700
Message-Id: <20220504014440.3697851-23-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
MIME-Version: 1.0

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Russell King
Cc: Christian Brauner
Cc: Andrew Morton
Cc: Muchun Song
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Kees Cook
--- arch/arm/kernel/atags_proc.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/arch/arm/kernel/atags_proc.c b/arch/arm/kernel/atags_proc.c index 3ec2afe78423..638bbb616daa 100644 --- a/arch/arm/kernel/atags_proc.c +++ b/arch/arm/kernel/atags_proc.c @@ -6,8 +6,8 @@ #include struct buffer { - size_t size; - char data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, size); + DECLARE_FLEX_ARRAY_ELEMENTS(char, data); }; static ssize_t atags_read(struct file *file, char __user *buf, @@ -38,7 +38,7 @@ static int __init init_atags_procfs(void) */ struct proc_dir_entry *tags_entry; struct tag *tag = (struct tag *)atags_copy; - struct buffer *b; + struct buffer *b = NULL; size_t size; if (tag->hdr.tag != ATAG_CORE) {
@@ -54,13 +54,9 @@ static int __init init_atags_procfs(void) WARN_ON(tag->hdr.tag != ATAG_NONE); - b = kmalloc(sizeof(*b) + size, GFP_KERNEL); - if (!b) + if (mem_to_flex_dup(&b, atags_copy, size, GFP_KERNEL)) goto nomem; - b->size = size; - memcpy(b->data, atags_copy, size); - tags_entry = proc_create_data("atags", 0400, NULL, &atags_proc_ops, b); if (!tags_entry) goto nomem;
From patchwork Wed May 4 01:44:32 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836875
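Review bot: In init_atags_procfs() in arch/arm/kernel/atags_proc.c, the declaration becomes "struct buffer *b = NULL;" with no explanation, and the same initializer is added at the apr and hfi1 call sites, which suggests mem_to_flex_dup() requires the destination pointer to be NULL on entry. Please state that precondition in the commit message, or in a comment at the call, so that a later caller passing an uninitialized or already-allocated pointer is recognisably wrong. This site also replaces kmalloc() while the other conversions replace kzalloc(); the message should say whether the helper zeroes the allocation, since that decides whether this is a behaviour change here or at the other sites.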
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Marc Dionne , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , Nick Desaulniers , Nuno Sá , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang
Subject: [PATCH 23/32] Bluetooth: Use mem_to_flex_dup() with struct hci_op_configure_data_path
Date: Tue, 3 May 2022 18:44:32 -0700
Message-Id: <20220504014440.3697851-24-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
MIME-Version: 1.0

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Marcel Holtmann
Cc: Johan Hedberg
Cc: Luiz Augusto von Dentz
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: linux-bluetooth@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- include/net/bluetooth/hci.h | 4 ++-- net/bluetooth/hci_request.c | 9 ++------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h index 62a9bb022aed..7b398ef0b46d 100644 --- a/include/net/bluetooth/hci.h +++ b/include/net/bluetooth/hci.h @@ -1321,8 +1321,8 @@ struct hci_rp_read_local_oob_ext_data { struct hci_op_configure_data_path { __u8 direction; __u8 data_path_id; - __u8 vnd_len; - __u8 vnd_data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u8, vnd_len); + DECLARE_FLEX_ARRAY_ELEMENTS(__u8, vnd_data); } __packed; #define HCI_OP_READ_LOCAL_VERSION 0x1001 diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c index f4afe482e300..e29be3810b93 100644 --- a/net/bluetooth/hci_request.c +++ b/net/bluetooth/hci_request.c
@@ -2435,19 +2435,14 @@ int hci_req_configure_datapath(struct hci_dev *hdev, struct bt_codec *codec) if (err < 0) goto error; - cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL); - if (!cmd) { - err = -ENOMEM; + err = mem_to_flex_dup(&cmd, vnd_data, vnd_len, GFP_KERNEL); + if (err < 0) goto error; - } err = hdev->get_data_path_id(hdev, &cmd->data_path_id); if (err < 0) goto error; - cmd->vnd_len = vnd_len; - memcpy(cmd->vnd_data, vnd_data, vnd_len); - cmd->direction = 0x00; hci_req_add(&req, HCI_CONFIGURE_DATA_PATH, sizeof(*cmd) + vnd_len, cmd);
From patchwork Wed May 4 01:44:33 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836970
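Review bot: In hci_req_configure_datapath() in net/bluetooth/hci_request.c, the unchanged hci_req_add() call at the end of the hunk still open-codes the command length as "sizeof(*cmd) + vnd_len" from the local variable, while the stored count is now a __u8 declared through DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u8, vnd_len). Deriving the length from what the helper actually stored, for example struct_size(cmd, vnd_data, cmd->vnd_len), would tie the length passed to hci_req_add() to the bounds-checked count rather than to the local. The hunk also drops kzalloc(); direction and data_path_id are both assigned afterwards, but the commit message should still say whether mem_to_flex_dup() zeroes the fields it does not fill.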
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , Dennis Dalessandro , Jason Gunthorpe , Leon Romanovsky , linux-rdma@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , "David S. Miller" , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Dumazet , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , netdev@vger.kernel.org, Nick Desaulniers , Nuno Sá , Paolo Abeni , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang
Subject: [PATCH 24/32] IB/hfi1: Use mem_to_flex_dup() for struct tid_rb_node
Date: Tue, 3 May 2022 18:44:33 -0700
Message-Id: <20220504014440.3697851-25-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
MIME-Version: 1.0

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Dennis Dalessandro
Cc: Jason Gunthorpe
Cc: Leon Romanovsky
Cc: linux-rdma@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/infiniband/hw/hfi1/user_exp_rcv.c | 7 ++----- drivers/infiniband/hw/hfi1/user_exp_rcv.h | 4 ++-- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c index 186d30291260..f14846662ac9 100644 --- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c +++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c @@ -683,7 +683,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd, { int ret; struct hfi1_ctxtdata *uctxt = fd->uctxt; - struct tid_rb_node *node; + struct tid_rb_node *node = NULL; struct hfi1_devdata *dd = uctxt->dd; dma_addr_t phys; struct page **pages = tbuf->pages + pageidx; @@ -692,8 +692,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd, * Allocate the node first so we can handle a potential * failure before we've programmed anything. */ - node = kzalloc(struct_size(node, pages, npages), GFP_KERNEL); - if (!node) + if (mem_to_flex_dup(&node, pages, npages, GFP_KERNEL)) return -ENOMEM; phys = dma_map_single(&dd->pcidev->dev, __va(page_to_phys(pages[0])), @@ -707,12 +706,10 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd, node->fdata = fd; node->phys = page_to_phys(pages[0]); - node->npages = npages; node->rcventry = rcventry; node->dma_addr = phys; node->grp = grp; node->freed = false; - memcpy(node->pages, pages, flex_array_size(node, pages, npages)); if (fd->use_mn) { ret = mmu_interval_notifier_insert(
diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.h b/drivers/infiniband/hw/hfi1/user_exp_rcv.h index 8c53e416bf84..4be3446c4d25 100644 --- a/drivers/infiniband/hw/hfi1/user_exp_rcv.h +++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.h 
@@ -32,8 +32,8 @@ struct tid_rb_node { u32 rcventry; dma_addr_t dma_addr; bool freed; - unsigned int npages; - struct page *pages[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned int, npages); + DECLARE_FLEX_ARRAY_ELEMENTS(struct page *, pages); }; static inline int num_user_pages(unsigned long addr,
From patchwork Wed May 4 01:44:34 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836874
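Review bot: In set_rcvarray_entry() in drivers/infiniband/hw/hfi1/user_exp_rcv.c, the third argument to mem_to_flex_dup() is npages, an element count, whereas the removed memcpy() copied flex_array_size(node, pages, npages) bytes, that is npages * sizeof(struct page *). The commit message describes the helper as deserializing bytes, and the other conversions shown here (apr_rx_buf, buffer, hci_op_configure_data_path) use u8 or char arrays where bytes and elements coincide, so this is the call site where the unit matters: if the helper takes a byte count, only part of pages[] is copied and npages is stored with the wrong meaning. Please confirm that the helper scales by the element type given in DECLARE_FLEX_ARRAY_ELEMENTS(struct page *, pages) and state the unit in the commit message. As at the apr call site, all failures are also reported as -ENOMEM.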
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, "K. Y. Srinivasan", Haiyang Zhang, Stephen Hemminger, Wei Liu, Dexuan Cui, linux-hyperv@vger.kernel.org, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, "David S. Miller", Dennis Dalessandro, devicetree@vger.kernel.org, Dmitry Kasatkin, Eli Cohen, Eric Dumazet, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Hante Meuleman, Herbert Xu, Hulk Robot, Jakub Kicinski, "James E.J. Bottomley", James Morris, Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K. Petersen", Max Filippov, Mimi Zohar, Muchun Song, Nathan Chancellor, netdev@vger.kernel.org, Nick Desaulniers, Nuno Sá, Paolo Abeni, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 25/32] Drivers: hv: utils: Use mem_to_flex_dup() with struct cn_msg
Date: Tue, 3 May 2022 18:44:34 -0700
Message-Id: <20220504014440.3697851-26-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: "K. Y. Srinivasan"
Cc: Haiyang Zhang
Cc: Stephen Hemminger
Cc: Wei Liu
Cc: Dexuan Cui
Cc: linux-hyperv@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/hv/hv_utils_transport.c | 7 ++-----
 include/uapi/linux/connector.h | 4 ++--
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/drivers/hv/hv_utils_transport.c b/drivers/hv/hv_utils_transport.c index 832885198643..43b4f8893cc0 100644 --- a/drivers/hv/hv_utils_transport.c +++ b/drivers/hv/hv_utils_transport.c @@ -217,20 +217,17 @@ static void hvt_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp) int hvutil_transport_send(struct hvutil_transport *hvt, void *msg, int len, void (*on_read_cb)(void)) { - struct cn_msg *cn_msg; + struct cn_msg *cn_msg = NULL; int ret = 0; if (hvt->mode == HVUTIL_TRANSPORT_INIT || hvt->mode == HVUTIL_TRANSPORT_DESTROY) { return -EINVAL; } else if (hvt->mode == HVUTIL_TRANSPORT_NETLINK) { - cn_msg = kzalloc(sizeof(*cn_msg) + len, GFP_ATOMIC); - if (!cn_msg) + if (mem_to_flex_dup(&cn_msg, msg, len, GFP_ATOMIC)) return -ENOMEM; cn_msg->id.idx = hvt->cn_id.idx; cn_msg->id.val = hvt->cn_id.val; - cn_msg->len = len; - memcpy(cn_msg->data, msg, len); ret = cn_netlink_send(cn_msg, 0, 0, GFP_ATOMIC); kfree(cn_msg); /* diff --git a/include/uapi/linux/connector.h b/include/uapi/linux/connector.h index 3738936149a2..b85bbe753dae 100644 --- a/include/uapi/linux/connector.h +++ b/include/uapi/linux/connector.h
@@ -73,9 +73,9 @@ struct cn_msg { __u32 seq; __u32 ack; - __u16 len; /* Length of the following data */ + __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u16, len); __u16 flags; - __u8 data[0]; + __DECLARE_FLEX_ARRAY_ELEMENTS(__u8, data); }; #endif /* _UAPI__CONNECTOR_H */
From patchwork Wed May 4 01:44:35 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836873
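Review bot: In hvutil_transport_send() (drivers/hv/hv_utils_transport.c, [PATCH 25/32]), the removed kzalloc() zero-filled the whole struct cn_msg, and after this change only id.idx and id.val are assigned before cn_netlink_send(), so seq, ack and flags depend on the helper returning zeroed memory. Please confirm that mem_to_flex_dup() zero-fills the allocation or assign those fields explicitly, otherwise uninitialized heap bytes are sent over netlink. Also, len is an int while the count member is a __u16, and every helper failure is returned as -ENOMEM; since the commit message says the helper does bounds checking, a length that does not fit should surface as a distinct error.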
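Review bot: In the struct cn_msg hunk (include/uapi/linux/connector.h, [PATCH 25/32]), the comment "Length of the following data" on len is dropped and nothing replaces it, so this UAPI header loses the only description of the field. Keep the comment on the __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT line, and say in the commit message where the __DECLARE_FLEX_ARRAY_* macros are defined for userspace builds, since this header is compiled outside the kernel and data[0] becomes a macro expansion there too.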
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, Mimi Zohar, Dmitry Kasatkin, James Morris, "Serge E. Hallyn", linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, "David S. Miller", Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Eli Cohen, Eric Dumazet, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot, Jakub Kicinski, "James E.J. Bottomley", Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K. Petersen", Max Filippov, Muchun Song, Nathan Chancellor, netdev@vger.kernel.org, Nick Desaulniers, Nuno Sá, Paolo Abeni, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 26/32] ima: Use mem_to_flex_dup() with struct modsig
Date: Tue, 3 May 2022 18:44:35 -0700
Message-Id: <20220504014440.3697851-27-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Mimi Zohar
Cc: Dmitry Kasatkin
Cc: James Morris
Cc: "Serge E. Hallyn"
Cc: linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook
---
 security/integrity/ima/ima_modsig.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c index fb25723c65bc..200c080d36de 100644 --- a/security/integrity/ima/ima_modsig.c +++ b/security/integrity/ima/ima_modsig.c @@ -28,8 +28,8 @@ struct modsig { * This is what will go to the measurement list if the template requires * storing the signature. */ - int raw_pkcs7_len; - u8 raw_pkcs7[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, raw_pkcs7_len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, raw_pkcs7); }; /* @@ -42,7 +42,7 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, { const size_t marker_len = strlen(MODULE_SIG_STRING); const struct module_signature *sig; - struct modsig *hdr; + struct modsig *hdr = NULL; size_t sig_len; const void *p; int rc; @@ -65,8 +65,7 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, buf_len -= sig_len + sizeof(*sig); /* Allocate sig_len additional bytes to hold the raw PKCS#7 data. */ - hdr = kzalloc(sizeof(*hdr) + sig_len, GFP_KERNEL); - if (!hdr) + if (mem_to_flex_dup(&hdr, buf + buf_len, sig_len, GFP_KERNEL)) return -ENOMEM; hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len);
@@ -76,9 +75,6 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, return rc; } - memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len); - hdr->raw_pkcs7_len = sig_len; - /* We don't know the hash algorithm yet. */ hdr->hash_algo = HASH_ALGO__LAST;
From patchwork Wed May 4 01:44:36 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836971
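Review bot: In the struct modsig hunk (security/integrity/ima/ima_modsig.c, [PATCH 26/32]), the element count is declared with a signed type, DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, raw_pkcs7_len), while ima_read_modsig() passes a size_t sig_len. A negative count has no meaning for an array length, and the helper's bounds check has to reject anything above INT_MAX for this to be safe. Consider making raw_pkcs7_len unsigned in this patch, or state in the commit message that the signed type is kept deliberately.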
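Review bot: In ima_read_modsig(), the -65,8 hunk now copies the raw PKCS#7 bytes at allocation time, ahead of pkcs7_parse_message(), whereas the memcpy() removed in the -76,9 hunk ran only after parsing had succeeded; the comment "Allocate sig_len additional bytes to hold the raw PKCS#7 data." therefore no longer describes the line below it. Update the comment to say the data is duplicated here, and confirm the helper zero-fills the rest of struct modsig as kzalloc() did, since members not assigned in the visible lines were previously guaranteed to be zero.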
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, David Howells, Jarkko Sakkinen, James Morris, "Serge E. Hallyn", keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, "David S. Miller", Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Dumazet, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot, Jakub Kicinski, "James E.J. Bottomley", Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K. Petersen", Max Filippov, Mimi Zohar, Muchun Song, Nathan Chancellor, netdev@vger.kernel.org, Nick Desaulniers, Nuno Sá, Paolo Abeni, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 27/32] KEYS: Use mem_to_flex_dup() with struct user_key_payload
Date: Tue, 3 May 2022 18:44:36 -0700
Message-Id: <20220504014440.3697851-28-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: David Howells
Cc: Jarkko Sakkinen
Cc: James Morris
Cc: "Serge E. Hallyn"
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook
---
 include/keys/user-type.h | 4 ++--
 security/keys/user_defined.c | 7 ++-----
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/include/keys/user-type.h b/include/keys/user-type.h index 386c31432789..4e67ff902a32 100644 --- a/include/keys/user-type.h +++ b/include/keys/user-type.h @@ -26,8 +26,8 @@ */ struct user_key_payload { struct rcu_head rcu; /* RCU destructor */ - unsigned short datalen; /* length of this data */ - char data[] __aligned(__alignof__(u64)); /* actual data */ + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned short, datalen); + DECLARE_FLEX_ARRAY_ELEMENTS(char, data) __aligned(__alignof__(u64)); }; extern struct key_type key_type_user; diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c index 749e2a4dcb13..2fb84894cdaa 100644 --- a/security/keys/user_defined.c +++ b/security/keys/user_defined.c
@@ -58,21 +58,18 @@ EXPORT_SYMBOL_GPL(key_type_logon); */ int user_preparse(struct key_preparsed_payload *prep) { - struct user_key_payload *upayload; + struct user_key_payload *upayload = NULL; size_t datalen = prep->datalen; if (datalen <= 0 || datalen > 32767 || !prep->data) return -EINVAL; - upayload = kmalloc(sizeof(*upayload) + datalen, GFP_KERNEL); - if (!upayload) + if (mem_to_flex_dup(&upayload, prep->data, datalen, GFP_KERNEL)) return -ENOMEM; /* attach the data */ prep->quotalen = datalen; prep->payload.data[0] = upayload; - upayload->datalen = datalen; - memcpy(upayload->data, prep->data, datalen); return 0; } EXPORT_SYMBOL_GPL(user_preparse);
From patchwork Wed May 4 01:44:37 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12836968
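Review bot: In the struct user_key_payload hunk (include/keys/user-type.h, [PATCH 27/32]), the comments "length of this data" and "actual data" are removed together with the plain declarations; re-attach them to the two macro lines. The new line DECLARE_FLEX_ARRAY_ELEMENTS(char, data) __aligned(__alignof__(u64)); only keeps the u64 alignment if the macro expands to a bare member declarator with no trailing attribute or semicolon, so that requirement should be documented where the macro is defined.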
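Review bot: In user_preparse() (security/keys/user_defined.c), the explicit "datalen > 32767" check above the call is stricter than anything a helper can derive from the unsigned short count type, so it remains the real limit on key payload size. Add a short comment saying the range check is policy and must stay, so a later cleanup does not drop it on the assumption that mem_to_flex_dup() already bounds the length.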
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, Steffen Klassert, Herbert Xu, "David S. Miller", Paul Moore, Stephen Smalley, Eric Paris, Nick Desaulniers, Xiu Jianfeng, Christian Göttsche, netdev@vger.kernel.org, selinux@vger.kernel.org, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Dumazet, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Hulk Robot, Jakub Kicinski, "James E.J. Bottomley", James Morris, Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K. Petersen", Max Filippov, Mimi Zohar, Muchun Song, Nathan Chancellor, Nuno Sá, Paolo Abeni, Rich Felker, Rob Herring, Russell King, "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Stephen Hemminger, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Yang Yingliang
Subject: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab
Date: Tue, 3 May 2022 18:44:37 -0700
Message-Id: <20220504014440.3697851-29-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying:

    struct xfrm_sec_ctx
    struct sidtab_str_cache

Cc: Steffen Klassert
Cc: Herbert Xu
Cc: "David S. Miller"
Cc: Paul Moore
Cc: Stephen Smalley
Cc: Eric Paris
Cc: Nick Desaulniers
Cc: Xiu Jianfeng
Cc: "Christian Göttsche"
Cc: netdev@vger.kernel.org
Cc: selinux@vger.kernel.org
Signed-off-by: Kees Cook
---
 include/uapi/linux/xfrm.h | 4 ++--
 security/selinux/ss/sidtab.c | 9 +++------
 security/selinux/xfrm.c | 7 ++-----
 3 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h index 65e13a099b1a..4a6fa2beff6a 100644 --- a/include/uapi/linux/xfrm.h +++ b/include/uapi/linux/xfrm.h @@ -31,9 +31,9 @@ struct xfrm_id { struct xfrm_sec_ctx { __u8 ctx_doi; __u8 ctx_alg; - __u16 ctx_len; + __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u16, ctx_len); __u32 ctx_sid; - char ctx_str[0]; + __DECLARE_FLEX_ARRAY_ELEMENTS(char, ctx_str); }; /* Security Context Domains of Interpretation */ diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c index a54b8652bfb5..a9d434e8cff7 100644 --- a/security/selinux/ss/sidtab.c +++ b/security/selinux/ss/sidtab.c @@ -23,8 +23,8 @@ struct sidtab_str_cache { struct rcu_head rcu_member; struct list_head lru_member; struct sidtab_entry *parent; - u32 len; - char str[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, len); + DECLARE_FLEX_ARRAY_ELEMENTS(char, str); }; #define index_to_sid(index) ((index) + SECINITSID_NUM + 1) @@ -570,8 +570,7 @@ void sidtab_sid2str_put(struct sidtab *s, struct sidtab_entry *entry, goto out_unlock; } - cache = kmalloc(struct_size(cache, str, str_len), GFP_ATOMIC); - if (!cache) + if (mem_to_flex_dup(&cache, str, str_len, GFP_ATOMIC)) goto out_unlock; if (s->cache_free_slots == 0) {
@@ -584,8 +583,6 @@ void sidtab_sid2str_put(struct sidtab *s, struct sidtab_entry *entry, s->cache_free_slots--; } cache->parent = entry; - cache->len = str_len; - memcpy(cache->str, str, str_len); list_add(&cache->lru_member, &s->cache_lru_list); rcu_assign_pointer(entry->cache, cache); diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index c576832febc6..bc7a54bf8f0d 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -345,7 +345,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, struct xfrm_sec_ctx *polsec, u32 secid) { int rc; - struct xfrm_sec_ctx *ctx; + struct xfrm_sec_ctx *ctx = NULL; char *ctx_str = NULL; u32 str_len; @@ -360,8 +360,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, if (rc) return rc; - ctx = kmalloc(struct_size(ctx, ctx_str, str_len), GFP_ATOMIC); - if (!ctx) { + if (mem_to_flex_dup(&ctx, ctx_str, str_len, GFP_ATOMIC)) { rc = -ENOMEM; goto out; } 
@@ -369,8 +368,6 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, ctx->ctx_doi = XFRM_SC_DOI_LSM; ctx->ctx_alg = XFRM_SC_ALG_SELINUX; ctx->ctx_sid = secid; - ctx->ctx_len = str_len; - memcpy(ctx->ctx_str, ctx_str, str_len); x->security = ctx; atomic_inc(&selinux_xfrm_refcount);
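Review bot: include/uapi/linux/xfrm.h is a UAPI header, and the struct xfrm_sec_ctx hunk replaces the plain `__u16 ctx_len` and `char ctx_str[0]` members with `__DECLARE_FLEX_ARRAY_ELEMENTS_COUNT()` and `__DECLARE_FLEX_ARRAY_ELEMENTS()`, so userspace that includes this header now depends on those macros and on their expansion. The commit message does not mention the UAPI change; please state where the `__`-prefixed macros are defined for exported headers and that the size and member offsets of struct xfrm_sec_ctx are unchanged, including for code that embeds the struct with the old zero-length array.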
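Review bot: in sidtab_sid2str_put() the new `mem_to_flex_dup(&cache, str, str_len, GFP_ATOMIC)` call has no matching `= NULL` initialisation of `cache` in any sidtab.c hunk, whereas the xfrm.c part of this same patch adds `struct xfrm_sec_ctx *ctx = NULL;` ahead of its call. If the helper expects the destination pointer to start out NULL, `cache` needs the same initialiser; if it does not, the `= NULL` in xfrm.c is unneeded churn. Either way the two call sites should agree.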
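Review bot: selinux_xfrm_state_alloc_acquire() reports every mem_to_flex_dup() failure as -ENOMEM, but `str_len` is a u32 while the count member `ctx_len` is a `__u16`, so if the helper's bounds checking rejects a length that does not fit, that failure is not an allocation error. The removed lines stored `str_len` into `ctx_len` and still copied `str_len` bytes, so any rejection here is a behaviour change that deserves a sentence in the commit message, and propagating the helper's return value (`rc = mem_to_flex_dup(...); if (rc) goto out;`) would keep the two cases distinguishable.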
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 29/32] xtensa: Use mem_to_flex_dup() with struct property
Date: Tue, 3 May 2022 18:44:38 -0700
Message-Id: <20220504014440.3697851-30-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As
part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Chris Zankel Cc: Max Filippov Cc: Rob Herring Cc: Frank Rowand Cc: Guenter Roeck Cc: linux-xtensa@linux-xtensa.org Cc: devicetree@vger.kernel.org Signed-off-by: Kees Cook --- arch/xtensa/platforms/xtfpga/setup.c | 9 +++------ include/linux/of.h | 3 ++- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/arch/xtensa/platforms/xtfpga/setup.c b/arch/xtensa/platforms/xtfpga/setup.c index 538e6748e85a..31c1fa4ba4ec 100644 --- a/arch/xtensa/platforms/xtfpga/setup.c +++ b/arch/xtensa/platforms/xtfpga/setup.c @@ -102,7 +102,7 @@ CLK_OF_DECLARE(xtfpga_clk, "cdns,xtfpga-clock", xtfpga_clk_setup); #define MAC_LEN 6 static void __init update_local_mac(struct device_node *node) { - struct property *newmac; + struct property *newmac = NULL; const u8* macaddr; int prop_len; @@ -110,19 +110,16 @@ static void __init update_local_mac(struct device_node *node) if (macaddr == NULL || prop_len != MAC_LEN) return; - newmac = kzalloc(sizeof(*newmac) + MAC_LEN, GFP_KERNEL); - if (newmac == NULL) + if (mem_to_flex_dup(&newmac, macaddr, MAC_LEN, GFP_KERNEL)) return; - newmac->value = newmac + 1; - newmac->length = MAC_LEN; + newmac->value = newmac->contents; newmac->name = kstrdup("local-mac-address", GFP_KERNEL); if (newmac->name == NULL) { kfree(newmac); return; } - memcpy(newmac->value, macaddr, MAC_LEN); ((u8*)newmac->value)[5] = (*(u32*)DIP_SWITCHES_VADDR) & 0x3f; of_update_property(node, newmac); } diff --git a/include/linux/of.h b/include/linux/of.h index 17741eee0ca4..efb0f419fd1f 100644 --- a/include/linux/of.h +++ b/include/linux/of.h
@@ -30,7 +30,7 @@ typedef u32 ihandle; struct property { char *name; - int length; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, length); void *value; struct property *next; #if defined(CONFIG_OF_DYNAMIC) || defined(CONFIG_SPARC) 
@@ -42,6 +42,7 @@ struct property { #if defined(CONFIG_OF_KOBJ) struct bin_attribute attr; #endif + DECLARE_FLEX_ARRAY_ELEMENTS(u8, contents); }; #if defined(CONFIG_SPARC)
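Review bot: update_local_mac() used kzalloc(), so `next` and the other struct property members were zeroed before of_update_property(); after the switch to mem_to_flex_dup() only `value` and `name` are assigned in this function. Please confirm the helper returns zeroed memory or initialise the remaining members explicitly, and mention it in the commit message, since the sidtab, xfrm, f_fs and xenbus conversions in this series all start from kmalloc() and do not have this dependency.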
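Review bot: adding `DECLARE_FLEX_ARRAY_ELEMENTS(u8, contents)` to struct property in include/linux/of.h pairs `length` with `contents` for every user of the struct, yet the struct keeps `void *value` and update_local_mac() has to point `value` at `contents` by hand. Wherever `value` points at separately owned memory, `length` describes that memory and not the trailing array, so the count/array pairing only holds for allocations made this way. A comment on the new member saying so would help, along with a note on whether a signed `int` count is acceptable to the helper.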
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 30/32] usb: gadget: f_fs: Use mem_to_flex_dup() with struct ffs_buffer
Date: Tue, 3 May 2022 18:44:39 -0700
Message-Id: <20220504014440.3697851-31-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Felipe Balbi Cc: Greg Kroah-Hartman Cc: Eugeniu Rosca Cc: John Keeping Cc: Jens Axboe Cc: Udipto Goswami Cc: Andrew Gabbasov Cc: linux-usb@vger.kernel.org Signed-off-by: Kees Cook --- drivers/usb/gadget/function/f_fs.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 4585ee3a444a..bb0ff41dabd2 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -202,9 +202,9 @@ struct ffs_epfile { }; struct ffs_buffer { - size_t length; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, length); char *data; - char storage[]; + DECLARE_FLEX_ARRAY_ELEMENTS(char, storage); }; /* ffs_io_data structure ***************************************************/ @@ -905,7 +905,7 @@ static ssize_t __ffs_epfile_read_data(struct ffs_epfile *epfile, void *data, int data_len, struct iov_iter *iter) { - struct ffs_buffer *buf; + struct ffs_buffer *buf = NULL; ssize_t ret = copy_to_iter(data, data_len, iter); if (data_len == ret)
@@ -919,12 +919,9 @@ static ssize_t __ffs_epfile_read_data(struct ffs_epfile *epfile, data_len, ret); data_len -= ret; - buf = kmalloc(struct_size(buf, storage, data_len), GFP_KERNEL); - if (!buf) + if (mem_to_flex_dup(&buf, data + ret, data_len, GFP_KERNEL)) return -ENOMEM; - buf->length = data_len; buf->data = buf->storage; - memcpy(buf->storage, data + ret, flex_array_size(buf, storage, data_len)); /* * At this point read_buffer is NULL or READ_BUFFER_DROP (if
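Review bot: the `return -ENOMEM` after mem_to_flex_dup() in __ffs_epfile_read_data() now covers every way the helper can fail, not only allocation, and the count passed in is `data_len`, a signed int (`int data_len` in the signature) that has just been reduced by `ret`, while the count member is `size_t length`. Returning the helper's own error code, or a one-line comment that `data_len` is known to be positive at this point, would make the conversion easier to audit.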
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 31/32] xenbus: Use mem_to_flex_dup() with struct read_buffer
Date: Tue, 3 May 2022 18:44:40 -0700
Message-Id: <20220504014440.3697851-32-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to
perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Boris Ostrovsky Cc: Juergen Gross Cc: Stefano Stabellini Cc: xen-devel@lists.xenproject.org Signed-off-by: Kees Cook --- drivers/xen/xenbus/xenbus_dev_frontend.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c index 597af455a522..4267aaef33fb 100644 --- a/drivers/xen/xenbus/xenbus_dev_frontend.c +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c @@ -81,8 +81,8 @@ struct xenbus_transaction_holder { struct read_buffer { struct list_head list; unsigned int cons; - unsigned int len; - char msg[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned int, len); + DECLARE_FLEX_ARRAY_ELEMENTS(char, msg); }; struct xenbus_file_priv {
@@ -188,21 +188,17 @@ static ssize_t xenbus_file_read(struct file *filp, */ static int queue_reply(struct list_head *queue, const void *data, size_t len) { - struct read_buffer *rb; + struct read_buffer *rb = NULL; if (len == 0) return 0; if (len > XENSTORE_PAYLOAD_MAX) return -EINVAL; - rb = kmalloc(sizeof(*rb) + len, GFP_KERNEL); - if (rb == NULL) + if (mem_to_flex_dup(&rb, data, len, GFP_KERNEL)) return -ENOMEM; rb->cons = 0; - rb->len = len; - - memcpy(rb->msg, data, len); list_add_tail(&rb->list, queue); return 0;
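Review bot: `struct read_buffer *rb = NULL;` in queue_reply() appears to be there only because `&rb` is handed to mem_to_flex_dup(), and nothing at the call site says the helper depends on it (the xtensa and f_fs conversions add the same initialiser). A short comment, or a helper form that returns the new pointer, would stop a later cleanup from dropping the initialiser as redundant. The existing `len > XENSTORE_PAYLOAD_MAX` check stays ahead of the call, so the -EINVAL path is unchanged.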
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 32/32] esas2r: Use __mem_to_flex() with struct atto_ioctl
Date: Tue, 3 May 2022 18:44:41 -0700
Message-Id: <20220504014440.3697851-33-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. This requires adding the flexible array explicitly. Cc: Bradley Grove Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-scsi@vger.kernel.org Signed-off-by: Kees Cook --- drivers/scsi/esas2r/atioctl.h | 1 + drivers/scsi/esas2r/esas2r_ioctl.c | 11 +++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/scsi/esas2r/atioctl.h b/drivers/scsi/esas2r/atioctl.h index ff2ad9b38575..dd3437412ffc 100644 --- a/drivers/scsi/esas2r/atioctl.h +++ b/drivers/scsi/esas2r/atioctl.h @@ -831,6 +831,7 @@ struct __packed atto_hba_trace { u32 total_length; u32 trace_mask; u8 reserved2[48]; + u8 contents[]; }; #define ATTO_FUNC_SCSI_PASS_THRU 0x04 diff --git a/drivers/scsi/esas2r/esas2r_ioctl.c b/drivers/scsi/esas2r/esas2r_ioctl.c index 08f4e43c7d9e..9310b54b1575 100644 --- a/drivers/scsi/esas2r/esas2r_ioctl.c +++ b/drivers/scsi/esas2r/esas2r_ioctl.c
@@ -947,11 +947,14 @@ static int hba_ioctl_callback(struct esas2r_adapter *a, break; } - memcpy(trc + 1, - a->fw_coredump_buff + offset, - len); + if (__mem_to_flex(hi, data.trace.contents, + data_length, + a->fw_coredump_buff + offset, + len)) { + hi->status = ATTO_STS_INV_FUNC; + break; + } - hi->data_length = len; } else if (trc->trace_func == ATTO_TRC_TF_RESET) { memset(a->fw_coredump_buff, 0, ESAS2R_FWCOREDUMP_SZ);
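Review bot: `u8 contents[];` is appended to `struct __packed atto_hba_trace` in atioctl.h, but the second file reaches it as `data.trace.contents`, that is, as a member nested inside `hi->data`. The trailing bytes are only addressable through a nested flexible array if nothing follows `trace` in its container, so please confirm that layout and that `contents` starts at the same address the removed `trc + 1` did.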
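Review bot: a failed `__mem_to_flex()` in hba_ioctl_callback() is reported as `ATTO_STS_INV_FUNC`, a status whose name suggests an unsupported function rather than a length that did not fit; please check whether the driver has a status that fits a rejected length better. The hunk also drops `hi->data_length = len;` with no visible replacement, so the commit message should say that the helper stores `len` through the `data_length` argument, and state what the caller sees in `data_length` when the helper fails.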