From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 01/32] netlink: Avoid memcpy() across flexible array boundary
Date: Tue, 3 May 2022 18:44:10 -0700
Message-Id: <20220504014440.3697851-2-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>

In preparation for run-time memcpy()
bounds checking, split the nlmsg copying for error messages (which
crosses a previous unspecified flexible array boundary) in half.

Avoids the future run-time warning:

  memcpy: detected field-spanning write (size 32) of single field "&errmsg->msg" (size 16)

Creates an explicit flexible array at the end of nlmsghdr for the payload,
named "nlmsg_payload". There is no impact on UAPI; the sizeof(struct
nlmsghdr) does not change, but now the compiler can better reason about
where things are being copied.

Fixed-by: Rasmus Villemoes
Link: https://lore.kernel.org/lkml/d7251d92-150b-5346-6237-52afc154bb00@rasmusvillemoes.dk
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Rich Felker
Cc: Eric Dumazet
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- include/uapi/linux/netlink.h | 1 + net/netlink/af_netlink.c | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h index 855dffb4c1c3..47f9342d51bc 100644 --- a/include/uapi/linux/netlink.h +++ b/include/uapi/linux/netlink.h @@ -47,6 +47,7 @@ struct nlmsghdr { __u16 nlmsg_flags; /* Additional flags */ __u32 nlmsg_seq; /* Sequence number */ __u32 nlmsg_pid; /* Sending process port ID */ + __u8 nlmsg_payload[];/* Contents of message */ }; /* Flags values */ diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 1b5a9c2e1c29..09346aee1022 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c 
@@ -2445,7 +2445,10 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err, NLMSG_ERROR, payload, flags); errmsg = nlmsg_data(rep); errmsg->error = err; - memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh)); + errmsg->msg = *nlh; + if (payload > sizeof(*errmsg)) + memcpy(errmsg->msg.nlmsg_payload, nlh->nlmsg_payload, + nlh->nlmsg_len - sizeof(*nlh)); if (nlk_has_extack && extack) { if (extack->_msg) {
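
Review bot: In the include/uapi/linux/netlink.h hunk, the "no impact on UAPI" claim in the commit message rests only on sizeof(struct nlmsghdr) staying the same, but the new "__u8 nlmsg_payload[];" also turns struct nlmsghdr into a flexible-array struct for every user of the header. Any struct that embeds it as a member (the msg member of the error message written in the af_netlink.c hunk is one such embedding) now contains a flexible-array struct, which C compilers accept only as an extension and which standard C++ does not allow. Suggest stating this in the commit message and the header comment, or keeping the new member out of what user space sees (for example a kernel-only declaration) so existing user-space builds are unaffected.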
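
Review bot: In netlink_ack(), the new copy length "nlh->nlmsg_len - sizeof(*nlh)" is an unsigned subtraction that wraps to a very large value if nlmsg_len is ever smaller than the header, while the removed memcpy() copied at most nlh->nlmsg_len bytes in total; nothing in this hunk shows that lower bound being checked. Suggest a comment naming where nlmsg_len >= sizeof(*nlh) is guaranteed for every caller, or guarding the copy on it. A one-line comment that "payload > sizeof(*errmsg)" is the case where the whole original message is echoed would also help, now that the condition has moved out of the ternary into control flow.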
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 02/32] Introduce flexible array struct memcpy() helpers
Date: Tue, 3 May 2022 18:44:11 -0700
Message-Id: <20220504014440.3697851-3-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>

The compiler is not able to
automatically perform bounds checking on structures that end in flexible
arrays: __builtin_object_size() is compile-time only. Any possible run-time
checks are currently short-circuited because there isn't an obvious common
way to figure out the bounds of such a structure. C has no way (yet[1]) to
signify which struct member holds the number of allocated flexible array
elements (like exists in other languages).

As a result, the kernel (and C projects generally) need to manually check
the bounds, check the element size calculations, and perform sanity
checking on all the associated variable types in between (e.g. 260 cannot
be stored in a u8). This is extremely fragile.

However, even if we could do all this through a magic memcpy(), the API
itself doesn't provide meaningful feedback, which forces the kernel into an
"all or nothing" approach: either do the copy or panic the system. Any
failure conditions should be _detectable_, with API users able to
gracefully recover.

To deal with these needs, create a set of helper functions that do the work
of memcpy() but perform the needed bounds checking based on the arguments
given: flex_cpy(). The common pattern of "allocate and copy" is also
included: flex_dup(). However, one of the most common patterns is
deserialization: allocating and populating flexible array members from a
byte array: mem_to_flex_dup(). And if the elements are already allocated:
mem_to_flex().

The concept of a "flexible array structure" is introduced, which is a
struct that has both a trailing flexible array member _and_ an element
count member. If a struct lacks the element count member, it's just a blob:
there are no bounds associated with it.

The most common style of flexible array struct in the kernel is a "normal"
one, where both the flex-array and element-count are present:

    struct flex_array_struct_example {
        ...              /* arbitrary members */
        u16 part_count;  /* count of elements stored in "parts" below. */
        ...              /* arbitrary members */
        u32 parts[];     /* flexible array with elements of type u32. */
    };

Next are "encapsulating flexible array structs", which is just a struct
that contains a flexible array struct as its final member:

    struct encapsulating_example {
        ...              /* arbitrary members */
        struct flex_array_struct_example fas;
    };

There are also "split" flex array structs, which have the element-count
member in a separate struct level than the flex-array member:

    struct split_example {
        ...              /* arbitrary members */
        u16 part_count;  /* count of elements stored in "parts" below. */
        ...              /* arbitrary members */
        struct blob_example {
            ...          /* other blob members */
            u32 parts[]; /* flexible array with elements of type u32. */
        } blob;
    };

To have the helpers deal with these arbitrary layouts, the names of the
flex-array and element-count members need to be specified with each use
(since C lacks the array-with-length syntax[1] so the compiler cannot
automatically determine them). However, for the "normal" (most common)
case, we can get close to "automatic" by explicitly declaring common member
aliases "__flex_array_elements", and "__flex_array_elements_count"
respectively. The regular helpers use these members, but extended helpers
exist to cover the other two code patterns.

For example, using the most complicated helper, mem_to_flex_dup():

    /* Flexible array struct with members identified. */
    struct something {
        int mode;
        DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, how_many);
        unsigned long flags;
        DECLARE_FLEX_ARRAY_ELEMENTS(u32, value);
    };
    ...
    struct something *instance = NULL;
    int rc;

    rc = mem_to_flex_dup(&instance, byte_array, count, GFP_KERNEL);
    if (rc)
        return rc;

This will:

- validate "instance" is non-NULL (no NULL dereference).
- validate "*instance" is NULL (no memory allocation resource leak).
- validate that "count" is:
  - non-negative (no arithmetic underflow).
  - has a value that can be stored in the "how_many" type (no value
    truncation).
- calculate the bytes needed to store "count"-many trailing u32 elements
  (no arithmetic overflow/underflow).
- calculate the bytes needed for a "struct something" with the above
  trailing elements (no arithmetic overflow/underflow).
- allocate the memory and check the result (no NULL dereference).
- initialize the non-flex-array portion of the struct to zero (no
  uninitialized memory usage).
- copy from "buf" into the flexible array elements.

If anything goes wrong, it returns a negative errno.

With these helpers the kernel can move away from many of the open-coded
patterns of using memcpy() with a dynamically-sized destination buffer.

[1] https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1990.htm

Cc: "Gustavo A. R. Silva"
Cc: Keith Packard
Cc: Francis Laniel
Cc: Daniel Axtens
Cc: Dan Williams
Cc: Vincenzo Frascino
Cc: Guenter Roeck
Cc: Daniel Vetter
Cc: Tadeusz Struk
Signed-off-by: Kees Cook
--- include/linux/flex_array.h | 637 ++++++++++++++++++++++++++++++++++++ include/linux/string.h | 1 + include/uapi/linux/stddef.h | 14 + 3 files changed, 652 insertions(+) create mode 100644 include/linux/flex_array.h diff --git a/include/linux/flex_array.h b/include/linux/flex_array.h new file mode 100644 index 000000000000..b2cf219f7b56 --- /dev/null +++ b/include/linux/flex_array.h 
@@ -0,0 +1,637 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _LINUX_FLEX_ARRAY_H_ +#define _LINUX_FLEX_ARRAY_H_ + +#include +/* + * A "flexible array structure" is a struct which ends with a flexible + * array _and_ contains a member that represents how many array elements + * are present in the flexible array structure: + * + * struct flex_array_struct_example { + * ... // arbitrary members + * u16 part_count; // count of elements stored in "parts" below. + * .. // arbitrary members + * u32 parts[]; // flexible array with elements of type u32. + * }; + * + * Without the "count of elements" member, a structure ending with a + * flexible array has no way to check its own size, and should be + * considered just a blob of memory that is length-checked through some + * other means. Kernel structures with flexible arrays should strive to + * always be true flexible array structures so that they can be operated + * on with the flex*()-family of helpers defined below. + * + * An "encapsulating flexible array structure" is a structure that contains + * a full "flexible array structure" as its final struct member. These are + * used frequently when needing to pass around a copy of a flexible array + * structure, and track other things about the data outside of the scope of + * the flexible array structure itself: + * + * struct encapsulating_example { + * ... // other members + * struct flex_array_struct_example fas; + * }; + * + * For bounds checking operations on a flexible array structure, member + * aliases must be created so the helpers can always locate the associated + * members. Marking up the examples above would look like this: + * + * struct flex_array_struct_example { + * ... // arbitrary members + * // count of elements stored in "parts" below. + * DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u16, part_count); + * .. // arbitrary members + * // flexible array with elements of type u32. 
+ * DECLARE_FLEX_ARRAY_ELEMENTS(u32, parts); + * }; + * + * The above creates the aliases for part_count as __flex_array_elements_count + * and parts as __flex_array_elements. + * + * For encapsulated flexible array structs, there are alternative helpers + * below where the flexible array struct member name can be explicitly + * included as an argument. (See the @dot_fas_member arguments below.) + * + * + * Examples: + * + * Using mem_to_flex(): + * + * struct single { + * u32 flags; + * u32 count; + * u8 data[]; + * }; + * struct single *ptr_single; + * + * struct encap { + * u16 info; + * struct single single; + * }; + * struct encap *ptr_encap; + * + * struct blob { + * u32 flags; + * u8 data[]; + * }; + * + * struct split { + * u32 count; + * struct blob blob; + * }; + * struct split *ptr_split; + * + * mem_to_flex(ptr_one, src, count); + * __mem_to_flex(ptr_encap, single.data, single.count, src, count); + * __mem_to_flex(ptr_split, count, blob.data, src, count); + * + */ + +/* These are wrappers around the UAPI macros. */ +#define DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(TYPE, NAME) \ + __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(TYPE, NAME) + +#define DECLARE_FLEX_ARRAY_ELEMENTS(TYPE, NAME) \ + __DECLARE_FLEX_ARRAY_ELEMENTS(TYPE, NAME) + +/* All the helpers return negative on failure, as must be checked. */ +static inline int __must_check __must_check_errno(int err) +{ + return err; +} + +/** + * __fas_elements_bytes - Calculate potential size of the flexible + * array elements of a given flexible array + * structure. + * + * @p: Pointer to flexible array structure. + * @flex_member: Member name of the flexible array elements. + * @count_member: Member name of the flexible array elements count. + * @elements_count: Count of proposed number of @p->__flex_array_elements + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * Returns: 0 on successful calculation, -ve on error. 
+ * + * This performs the same calculation as flex_array_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned. + */ +#define __fas_elements_bytes(p, flex_member, count_member, \ + elements_count, bytes) \ +__must_check_errno(({ \ + int __feb_err = -EINVAL; \ + size_t __feb_elements_count = (elements_count); \ + size_t __feb_elements_max = \ + type_max(typeof((p)->count_member)); \ + if (__feb_elements_count > __feb_elements_max || \ + check_mul_overflow(sizeof(*(p)->flex_member), \ + __feb_elements_count, bytes)) { \ + *(bytes) = 0; \ + __feb_err = -E2BIG; \ + } else { \ + __feb_err = 0; \ + } \ + __feb_err; \ +})) + +/** + * fas_elements_bytes - Calculate current size of the flexible array + * elements of a given flexible array structure. + * + * @p: Pointer to flexible array structure. + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * Returns: 0 on successful calculation, -ve on error. + * + * This performs the same calculation as flex_array_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned. + */ +#define fas_elements_bytes(p, bytes) \ + __fas_elements_bytes(p, __flex_array_elements, \ + __flex_array_elements_count, \ + (p)->__flex_array_elements_count, bytes) + +/** __fas_bytes - Calculate potential size of flexible array structure + * + * @p: Pointer to flexible array structure. + * @flex_member: Member name of the flexible array elements. + * @count_member: Member name of the flexible array elements count. + * @elements_count: Count of proposed number of @p->__flex_array_elements + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * Returns: 0 on successful calculation, -ve on error. + * + * This performs the same calculation as struct_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned. 
+ */ +#define __fas_bytes(p, flex_member, count_member, elements_count, bytes)\ +__must_check_errno(({ \ + int __fasb_err; \ + typeof(*bytes) __fasb_bytes; \ + \ + if (__fas_elements_bytes(p, flex_member, count_member, \ + elements_count, &__fasb_bytes) || \ + check_add_overflow(sizeof(*(p)), __fasb_bytes, bytes)) { \ + *(bytes) = 0; \ + __fasb_err = -E2BIG; \ + } else { \ + __fasb_err = 0; \ + } \ + __fasb_err; \ +})) + +/** fas_bytes - Calculate current size of flexible array structure + * + * @p: Pointer to flexible array structure. + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * This performs the same calculation as struct_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned, using the current size of the flexible array + * structure (via @p->__flexible_array_elements_count). + * + * Returns: 0 on successful calculation, -ve on error. + */ +#define fas_bytes(p, bytes) \ + __fas_bytes(p, __flex_array_elements, \ + __flex_array_elements_count, \ + (p)->__flex_array_elements_count, bytes) + +/** flex_cpy - Copy from one flexible array struct into another with count conversion + * + * @dst: Destination pointer + * @src: Source pointer + * + * The full structure of @src will be copied to @dst, including all trailing + * flexible array elements. @dst->__flex_array_elements_count must be large + * enough to hold @src->__flex_array_elements_count. Any elements left over + * in @dst will be zero-wiped. + * + * Returns: 0 on successful calculation, -ve on error. 
+ */ +#define flex_cpy(dst, src) __must_check_errno(({ \ + int __fc_err = -EINVAL; \ + typeof(*(dst)) *__fc_dst = (dst); \ + typeof(*(src)) *__fc_src = (src); \ + size_t __fc_dst_bytes, __fc_src_bytes; \ + \ + BUILD_BUG_ON(!__same_type(*(__fc_dst), *(__fc_src))); \ + \ + do { \ + if (fas_bytes(__fc_dst, &__fc_dst_bytes) || \ + fas_bytes(__fc_src, &__fc_src_bytes) || \ + __fc_dst_bytes < __fc_src_bytes) { \ + /* do we need to wipe dst here? */ \ + __fc_err = -E2BIG; \ + break; \ + } \ + __builtin_memcpy(__fc_dst, __fc_src, __fc_src_bytes); \ + /* __flex_array_elements_count is included in memcpy */ \ + /* Wipe any now-unused trailing elements in @dst: */ \ + __builtin_memset((u8 *)__fc_dst + __fc_src_bytes, 0, \ + __fc_dst_bytes - __fc_src_bytes); \ + __fc_err = 0; \ + } while (0); \ + __fc_err; \ +})) + +/** __flex_dup - Allocate and copy an arbitrarily encapsulated flexible + * array struct + * + * @alloc: Pointer to Pointer to hold to-be-allocated (optionally + * encapsulating) flexible array struct. + * @dot_fas_member: For encapsulating flexible arrays, the name of the + * flexible array struct member preceded with a literal + * dot (e.g. .foo.bar.flex_array_struct_name). For a + * regular flexible array struct, this macro arument is + * empty. + * @src: Pointer to source flexible array struct. + * @gfp: GFP allocation flags + * + * This copies the contents of one flexible array struct into another. + * The (**@alloc)@dot_fas_member and @src arguments must resolve to the + * same type. Everything prior to @dot_fas_member in *@alloc will be + * initialized to zero. + * + * Failure modes: + * - @alloc is NULL. + * - *@alloc is not NULL (something was already allocated). + * - Required allocation size is larger than size_t can hold. + * - No available memory to allocate @alloc. + * + * Returns: 0 on success, -ve on failure. 
+ */ +#define __flex_dup(alloc, dot_fas_member, src, gfp) \ +__must_check_errno(({ \ + int __fd_err = -EINVAL; \ + typeof(*(src)) *__fd_src = (src); \ + typeof(**(alloc)) *__fd_alloc; \ + typeof((*__fd_alloc)dot_fas_member) *__fd_dst; \ + size_t __fd_alloc_bytes, __fd_copy_bytes; \ + \ + BUILD_BUG_ON(!__same_type(*(__fd_dst), *(__fd_src))); \ + \ + do { \ + if ((uintptr_t)(alloc) < 1 || *(alloc)) { \ + __fd_err = -EINVAL; \ + break; \ + } \ + if (fas_bytes(__fd_src, &__fd_copy_bytes) || \ + check_add_overflow(__fd_copy_bytes, \ + sizeof(*__fd_alloc) - \ + sizeof(*__fd_dst), \ + &__fd_alloc_bytes)) { \ + __fd_err = -E2BIG; \ + break; \ + } \ + __fd_alloc = kmalloc(__fd_alloc_bytes, gfp); \ + if (!__fd_alloc) { \ + __fd_err = -ENOMEM; \ + break; \ + } \ + __fd_dst = &((*__fd_alloc)dot_fas_member); \ + /* Optimize away any unneeded memset. */ \ + if (sizeof(*__fd_alloc) != sizeof(*__fd_dst)) \ + __builtin_memset(__fd_alloc, 0, \ + __fd_alloc_bytes - \ + __fd_copy_bytes); \ + __builtin_memcpy(__fd_dst, src, __fd_copy_bytes); \ + /* __flex_array_elements_count is included in memcpy */ \ + *(alloc) = __fd_alloc; \ + __fd_err = 0; \ + } while (0); \ + __fd_err; \ +})) + +/** flex_dup - Allocate and copy a flexible array struct + * + * @alloc: Pointer to Pointer to hold to-be-allocated flexible array struct. + * @src: Pointer to source flexible array struct. + * @gfp: GFP allocation flags + * + * This copies the contents of one flexible array struct into another. + * The *@alloc and @src arguments must resolve to the same type. + * + * Failure modes: + * - @alloc is NULL. + * - *@alloc is not NULL (something was already allocated). + * - Required allocation size is larger than size_t can hold. + * - No available memory to allocate @alloc. + * + * Returns: 0 on success, -ve on failure. 
+ */ +#define flex_dup(alloc, src, gfp) \ + __flex_dup(alloc, /* alloc itself */, src, gfp) + +/** __mem_to_flex - Copy from memory buffer into a flexible array structure's + * flexible array elements. + * + * @ptr: Pointer to already allocated flexible array struct. + * @flex_member: Member name of the flexible array elements. + * @count_member: Member name of the flexible array elements count. + * @src: Source memory pointer. + * @elements_count: Number of @ptr's flexible array elements to copy from + * @src into @ptr. + * + * Copies @elements_count-many elements from memory buffer at @src into + * @ptr->@flex_member, wipes any remaining elements, and updates + * @ptr->@count_member. + * + * This is essentially a simple deserializer. + * + * TODO: It would be nice to automatically discover the max bounds of @src + * besides @elements_count. There is currently no universal way to ask + * "what is the size of a given pointer's allocation?" So for + * now just use __builtin_object_size(@src, 1) to validate known + * compile-time too-large conditions. Perhaps in the future if + * __mtf_copy_bytes above is > PAGE_SIZE, perform a dynamic lookup + * using something similar to __check_heap_object(). + * + * Failure conditions: + * - The value of @elements_count cannot fit in the @ptr's @count_member + * type (e.g. 260 in a u8). + * - @ptr's @count_member value is smaller than @elements_count (e.g. not + * enough space was previously allocated). + * - @elements_count yields a byte count greater than: + * - INT_MAX (as a simple "too big" sanity check) + * - the compile-time size of @src (when it can be determined) + * + * Returns: 0 on success, -ve on error. 
+ */ +#define __mem_to_flex(ptr, flex_member, count_member, src, \ + elements_count) \ +__must_check_errno(({ \ + int __mtf_err = -EINVAL; \ + typeof(*(ptr)) *__mtf_ptr = (ptr); \ + typeof(elements_count) __mtf_src_count = (elements_count); \ + size_t __mtf_copy_bytes, __mtf_dst_bytes; \ + u8 *__mtf_dst = (u8 *)__mtf_ptr->flex_member; \ + \ + do { \ + if (is_negative(__mtf_src_count) || \ + __fas_elements_bytes(__mtf_ptr, flex_member, \ + count_member, \ + __mtf_src_count, \ + &__mtf_copy_bytes) || \ + __mtf_copy_bytes > INT_MAX || \ + __mtf_copy_bytes > __builtin_object_size(src, 1) || \ + __fas_elements_bytes(__mtf_ptr, flex_member, \ + count_member, \ + __mtf_ptr->count_member, \ + &__mtf_dst_bytes) || \ + __mtf_dst_bytes < __mtf_copy_bytes) { \ + __mtf_err = -E2BIG; \ + break; \ + } \ + __builtin_memcpy(__mtf_dst, src, __mtf_copy_bytes); \ + /* Wipe any now-unused trailing elements in @dst: */ \ + __builtin_memset(__mtf_dst + __mtf_dst_bytes, 0, \ + __mtf_dst_bytes - __mtf_copy_bytes); \ + /* Make sure in-struct count of elements is updated: */ \ + __mtf_ptr->count_member = __mtf_src_count; \ + __mtf_err = 0; \ + } while (0); \ + __mtf_err; \ +})) + +#define mem_to_flex(ptr, src, elements_count) \ + __mem_to_flex(ptr, __flex_array_elements, \ + __flex_array_elements_count, src, elements_count) + +/** __mem_to_flex_dup - Allocate a flexible array structure and copy into + * its flexible array elements from a memory buffer. + * + * @alloc: Pointer to pointer to hold allocation for flexible array struct. + * @dot_fas_member: For encapsulating flexible array structs, the name of + * the flexible array struct member preceded with a + * literal dot (e.g. .foo.bar.flex_array_struct_name). + * For a regular flexible array struct, this macro arument + * is empty. + * @src: Source memory buffer pointer. + * @elements_count: Number of @alloc's flexible array elements to copy from + * @src into @ptr. 
+ * @gfp: GFP allocation flags + * + * This behaves like mem_to_flex(), but allocates the needed space for + * a new flexible array struct and its trailing elements. + * + * This is essentially a simple allocating deserializer. + * + * TODO: It would be nice to automatically discover the max bounds of @src + * besides @elements_count. There is currently no universal way to ask + * "what is the size of a given pointer's allocation?" So for now just + * use __builtin_object_size(@src, 1) to validate known compile-time + * too-large conditions. Perhaps in the future if __mtfd_copy_bytes + * above is > PAGE_SIZE, perform a dynamic lookup using something + * similar to __check_heap_object(). + * + * Failure conditions: + * - @alloc is NULL. + * - *@alloc is not NULL (something was already allocated). + * - The value of @elements_count cannot fit in the @alloc's + * __flex_array_elements_count member type (e.g. 260 in u8). + * - @elements_count yields a byte count greater than: + * - INT_MAX (as a simple "too big" sanity check) + * - the compile-time size of @src (when it can be determined) + * - @alloc could not be allocated. + * + * Returns: 0 on success, -ve on error. 
+ */ +#define __mem_to_flex_dup(alloc, dot_fas_member, src, elements_count, \ + gfp) \ +__must_check_errno(({ \ + int __mtfd_err = -EINVAL; \ + typeof(elements_count) __mtfd_src_count = (elements_count); \ + typeof(**(alloc)) *__mtfd_alloc; \ + typeof((*__mtfd_alloc)dot_fas_member) *__mtfd_fas; \ + u8 *__mtfd_dst; \ + size_t __mtfd_alloc_bytes, __mtfd_copy_bytes; \ + \ + do { \ + if ((uintptr_t)(alloc) < 1 || *(alloc)) { \ + __mtfd_err = -EINVAL; \ + break; \ + } \ + if (is_negative(__mtfd_src_count) || \ + __fas_elements_bytes(__mtfd_fas, \ + __flex_array_elements, \ + __flex_array_elements_count, \ + __mtfd_src_count, \ + &__mtfd_copy_bytes) || \ + __mtfd_copy_bytes > INT_MAX || \ + __mtfd_copy_bytes > __builtin_object_size(src, 1) ||\ + check_add_overflow(sizeof(*__mtfd_alloc), \ + __mtfd_copy_bytes, \ + &__mtfd_alloc_bytes)) { \ + __mtfd_err = -E2BIG; \ + break; \ + } \ + __mtfd_alloc = kmalloc(__mtfd_alloc_bytes, gfp); \ + if (!__mtfd_alloc) { \ + __mtfd_err = -ENOMEM; \ + break; \ + } \ + __mtfd_fas = &((*__mtfd_alloc)dot_fas_member); \ + __mtfd_dst = (u8 *)__mtfd_fas->__flex_array_elements; \ + __builtin_memset(__mtfd_alloc, 0, __mtfd_alloc_bytes - \ + __mtfd_copy_bytes); \ + __builtin_memcpy(__mtfd_dst, src, __mtfd_copy_bytes); \ + /* Make sure in-struct count of elements is updated: */ \ + __mtfd_fas->__flex_array_elements_count = \ + __mtfd_src_count; \ + *(alloc) = __mtfd_alloc; \ + __mtfd_err = 0; \ + } while (0); \ + __mtfd_err; \ +})) + +/** mem_to_flex_dup - Allocate a flexible array structure and copy + * into it from a memory buffer. + * + * @alloc: Pointer to pointer to hold allocation for flexible array struct. + * @src: Source memory pointer. + * @elements_count: Number of @alloc's flexible array elements to copy from + * @src into @alloc. + * @gfp: GFP allocation flags + * + * This behaves like mem_to_flex(), but allocates the needed space for + * a new flexible array struct and its trailing elements. 
+ * + * This is essentially a simple allocating deserializer. + * + * TODO: It would be nice to automatically discover the max bounds of @src + * besides @elements_count. There is currently no universal way to ask + * "what is the size of a given pointer's allocation?" So for + * now just use __builtin_object_size(@src, 1) to validate known + * compile-time too-large conditions. Perhaps in the future if + * __mtf_copy_bytes above is > PAGE_SIZE, perform a dynamic lookup + * using something similar to __check_heap_object(). + * + * Failure conditions: + * - @alloc is NULL. + * - *@alloc is not NULL (something was already allocated). + * - The value of @elements_count cannot fit in the @alloc's + * __flex_array_elements_count member type (e.g. 260 in u8). + * - @elements_count yields a byte count greater than: + * - INT_MAX (as a simple "too big" sanity check) + * - the compile-time size of @src (when it can be determined) + * - @alloc could not be allocated. + * + * Returns: 0 on success, -ve on error. + */ +#define mem_to_flex_dup(alloc, src, elements_count, gfp) \ + __mem_to_flex_dup(alloc, /* alloc itself */, src, elements_count, gfp) + +/** flex_to_mem - Copy all flexible array structure elements into memory + * buffer. + * + * @dst: Destination buffer pointer. + * @bytes_available: How many bytes are available in @dst. + * @ptr: Pointer to allocated flexible array struct. + * @bytes_written: Pointer to variable to store how many bytes were written + * (may be NULL). + * + * Copies all of @ptr's flexible array elements into @dst. + * + * This is essentially a simple serializer. + * + * Failure conditions: + * - @bytes_available in @dst is any of: + * - negative. + * - larger than INT_MAX. + * - not large enough to hold the resulting copy. + * - @bytes_written's type cannot hold the size of the copy (e.g. 260 in u8). + * + * Return: 0 on success, -ve on failure. 
+ * + */ +#define flex_to_mem(dst, bytes_available, ptr, bytes_written) \ +__must_check_errno(({ \ + int __ftm_err = -EINVAL; \ + typeof(*(ptr)) *__ftm_ptr = (ptr); \ + u8 *__ftm_src = (u8 *)__ftm_ptr->__flex_array_elements; \ + typeof(*(bytes_written)) *__ftm_written = (bytes_written); \ + size_t __ftm_written_max = type_max(typeof(*__ftm_written)); \ + typeof(bytes_available) __ftm_dst_bytes = (bytes_available); \ + size_t __ftm_copy_bytes; \ + \ + do { \ + if (is_negative(__ftm_dst_bytes) || \ + __ftm_dst_bytes > INT_MAX || \ + fas_elements_bytes(__ftm_ptr, &__ftm_copy_bytes) || \ + __ftm_dst_bytes < __ftm_copy_bytes || \ + (!__same_type(typeof(bytes_written), NULL) && \ + __ftm_copy_bytes > __ftm_written_max)) { \ + __ftm_err = -E2BIG; \ + break; \ + } \ + __builtin_memcpy(dst, __ftm_src, __ftm_copy_bytes); \ + if (__ftm_written) \ + *__ftm_written = __ftm_copy_bytes; \ + __ftm_err = 0; \ + } while (0); \ + __ftm_err; \ +})) + +/** flex_to_mem_dup - Copy entire flexible array structure into newly + * allocated memory buffer. + * + * @alloc: Pointer to pointer to newly allocated memory region to hold contents + * of the copy. + * @alloc_size: Pointer to variable to hold the size of the allocated memory. + * @ptr: Pointer to allocated flexible array struct. + * @gfp: GFP allocation flags + * + * Allocates @alloc and copies all of @ptr's flexible array elements. + * + * This is essentially a simple allocating serializer. + * + * Failure conditions: + * - @alloc is NULL. + * - *@alloc is not NULL (something was already allocated). + * - @alloc_size is NULL. + * - @alloc_size's type cannot hold the size of the copy (e.g. 260 in u8). + * - @alloc could not be allocated. + * + * Return: 0 on success, -ve on failure. 
+ */ +#define flex_to_mem_dup(alloc, alloc_size, ptr, gfp) \ +__must_check_errno(({ \ + int __ftmd_err = -EINVAL; \ + typeof(**(alloc)) *__ftmd_alloc; \ + typeof(*(alloc_size)) *__ftmd_alloc_size = (alloc_size); \ + typeof(*(ptr)) *__ftmd_ptr = (ptr); \ + u8 *__ftmd_src = (u8 *)__ftmd_ptr->__flex_array_elements; \ + size_t __ftmd_alloc_max = type_max(typeof(*__ftmd_alloc_size)); \ + size_t __ftmd_copy_bytes; \ + \ + do { \ + if ((uintptr_t)(alloc) < 1 || *(alloc) || \ + (uintptr_t)(alloc_size) < 1) { \ + __ftmd_err = -EINVAL; \ + break; \ + } \ + if (fas_elements_bytes(__ftmd_ptr, \ + &__ftmd_copy_bytes) || \ + __ftmd_copy_bytes > __ftmd_alloc_max) { \ + __ftmd_err = -E2BIG; \ + break; \ + } \ + __ftmd_alloc = kmemdup(__ftmd_src, __ftmd_copy_bytes, \ + gfp); \ + if (!__ftmd_alloc) { \ + __ftmd_err = -ENOMEM; \ + break; \ + } \ + *__ftmd_alloc_size = __ftmd_copy_bytes; \ + *(alloc) = __ftmd_alloc; \ + __ftmd_err = 0; \ + } while (0); \ + __ftmd_err; \ +})) + +#endif /* _LINUX_FLEX_ARRAY_H_ */ diff --git a/include/linux/string.h b/include/linux/string.h index b6572aeca2f5..c01b76f73e99 100644 --- a/include/linux/string.h +++ b/include/linux/string.h @@ -252,6 +252,7 @@ static inline const char *kbasename(const char *path) #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE) #include #endif +#include void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count, int pad); diff --git a/include/uapi/linux/stddef.h b/include/uapi/linux/stddef.h index 7837ba4fe728..04870274f33b 100644 --- a/include/uapi/linux/stddef.h +++ b/include/uapi/linux/stddef.h 
@@ -44,4 +44,18 @@ struct { } __empty_ ## NAME; \ TYPE NAME[]; \ } + +/* For use with flexible array structure helpers, in */ +#define __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(TYPE, NAME) \ + union { \ + TYPE __flex_array_elements_count; \ + TYPE NAME; \ + } + +#define __DECLARE_FLEX_ARRAY_ELEMENTS(TYPE, NAME) \ + union { \ + __DECLARE_FLEX_ARRAY(TYPE, __flex_array_elements); \ + __DECLARE_FLEX_ARRAY(TYPE, NAME); \ + } + #endif From patchwork Wed May 4 01:44:12 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837118 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id EECC7C433F5 for ; Wed, 4 May 2022 05:16:30 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.320018.540610 (Exim 4.92) (envelope-from ) id 1nm7N4-0005px-6T; Wed, 04 May 2022 05:16:18 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 320018.540610; Wed, 04 May 2022 05:16:18 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm7N4-0005og-0R; Wed, 04 May 2022 05:16:18 +0000 Received: by outflank-mailman (input) for mailman id 320018; Wed, 04 May 2022 01:47:38 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm478-0007U4-7A for xen-devel@lists.xenproject.org; Wed, 04 May 2022 01:47:38 +0000 Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [2607:f8b0:4864:20::42e]) by se1-gles-flk1.inumbo.com 
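Review bot: In __mem_to_flex() in include/linux/flex_array.h, the wipe of unused trailing elements starts at the wrong offset. The call __builtin_memset(__mtf_dst + __mtf_dst_bytes, 0, __mtf_dst_bytes - __mtf_copy_bytes) begins at the end of the destination's flexible array, so it zeroes (__mtf_dst_bytes - __mtf_copy_bytes) bytes past the array and leaves the stale elements between __mtf_copy_bytes and __mtf_dst_bytes untouched. The start should be __mtf_dst + __mtf_copy_bytes, matching flex_cpy(), which wipes from (u8 *)__fc_dst + __fc_src_bytes. The mem_to_flex() KUnit test in patch 03 would not notice this: its destination is kzalloc()ed with room for TEST_MAX + 1 elements and is never pre-filled with a marker, so both the unwiped tail and the stray write read back as zero. Separately, __flex_dup() copies from the macro argument src instead of the local __fd_src, and __mem_to_flex() and __mem_to_flex_dup() pass src to both __builtin_object_size() and __builtin_memcpy() with no local copy, so an argument with side effects is evaluated more than once.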
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , David Gow , kunit-dev@googlegroups.com, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Howells , "David S. Miller" , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Dumazet , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , netdev@vger.kernel.org, Nick Desaulniers , =?utf-8?q?Nuno_S=C3=A1?= , Paolo Abeni , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang Subject: [PATCH 03/32] flex_array: Add Kunit tests Date: Tue, 3 May 2022 18:44:12 -0700 Message-Id: <20220504014440.3697851-4-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0 Add tests for the new
flexible array structure helpers. These can be run with: make ARCH=um mrproper ./tools/testing/kunit/kunit.py config ./tools/testing/kunit/kunit.py run flex_array Cc: David Gow Cc: kunit-dev@googlegroups.com Signed-off-by: Kees Cook Reviewed-by: David Gow --- lib/Kconfig.debug | 12 +- lib/Makefile | 1 + lib/flex_array_kunit.c | 523 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 531 insertions(+), 5 deletions(-) create mode 100644 lib/flex_array_kunit.c diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index 9077bb38bc93..8bae6b169c50 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -2551,11 +2551,6 @@ config OVERFLOW_KUNIT_TEST Builds unit tests for the check_*_overflow(), size_*(), allocation, and related functions. - For more information on KUnit and unit tests in general please refer - to the KUnit documentation in Documentation/dev-tools/kunit/. - - If unsure, say N. - config STACKINIT_KUNIT_TEST tristate "Test level of stack variable initialization" if !KUNIT_ALL_TESTS depends on KUNIT @@ -2567,6 +2562,13 @@ config STACKINIT_KUNIT_TEST CONFIG_GCC_PLUGIN_STRUCTLEAK, CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF, or CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL. +config FLEX_ARRAY_KUNIT_TEST + tristate "Test flex_*() family of helper functions at runtime" if !KUNIT_ALL_TESTS + depends on KUNIT + default KUNIT_ALL_TESTS + help + Builds unit tests for flexible array copy helper functions. + config TEST_UDELAY tristate "udelay test driver" help diff --git a/lib/Makefile b/lib/Makefile index 6b9ffc1bd1ee..9884318db330 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -366,6 +366,7 @@ obj-$(CONFIG_MEMCPY_KUNIT_TEST) += memcpy_kunit.o obj-$(CONFIG_OVERFLOW_KUNIT_TEST) += overflow_kunit.o CFLAGS_stackinit_kunit.o += $(call cc-disable-warning, switch-unreachable) obj-$(CONFIG_STACKINIT_KUNIT_TEST) += stackinit_kunit.o +obj-$(CONFIG_FLEX_ARRAY_KUNIT_TEST) += flex_array_kunit.o obj-$(CONFIG_GENERIC_LIB_DEVMEM_IS_ALLOWED) += devmem_is_allowed.o 
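Review bot: The first lib/Kconfig.debug hunk (@@ -2551,11 +2551,6) deletes the "For more information on KUnit and unit tests in general ..." and "If unsure, say N." lines from the OVERFLOW_KUNIT_TEST help text. That removal is unrelated to adding the flex_array tests and the commit message does not mention it. Either drop it from this patch or send it as its own change with a reason. If the intent was to keep that paragraph only once, note that the new FLEX_ARRAY_KUNIT_TEST entry's help is a single line and carries neither the pointer to Documentation/dev-tools/kunit/ nor an "If unsure, say N." line.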
diff --git a/lib/flex_array_kunit.c b/lib/flex_array_kunit.c new file mode 100644 index 000000000000..48bee88945b4 --- /dev/null +++ b/lib/flex_array_kunit.c 
@@ -0,0 +1,523 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Test cases for flex_*() array manipulation helpers. + */ +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + +#include +#include +#include +#include +#include + +#define COMPARE_STRUCTS(STRUCT_A, STRUCT_B) do { \ + STRUCT_A *ptr_A; \ + STRUCT_B *ptr_B; \ + int rc; \ + size_t size_A, size_B; \ + \ + /* matching types for flex array elements and count */ \ + KUNIT_EXPECT_EQ(test, sizeof(*ptr_A), sizeof(*ptr_B)); \ + KUNIT_EXPECT_TRUE(test, __same_type(*ptr_A->data, \ + *ptr_B->__flex_array_elements)); \ + KUNIT_EXPECT_TRUE(test, __same_type(ptr_A->datalen, \ + ptr_B->__flex_array_elements_count)); \ + KUNIT_EXPECT_EQ(test, sizeof(*ptr_A->data), \ + sizeof(*ptr_B->__flex_array_elements)); \ + KUNIT_EXPECT_EQ(test, offsetof(typeof(*ptr_A), data), \ + offsetof(typeof(*ptr_B), \ + __flex_array_elements)); \ + KUNIT_EXPECT_EQ(test, offsetof(typeof(*ptr_A), datalen), \ + offsetof(typeof(*ptr_B), \ + __flex_array_elements_count)); \ + \ + /* struct_size() vs __fas_bytes() */ \ + size_A = struct_size(ptr_A, data, 13); \ + rc = __fas_bytes(ptr_B, __flex_array_elements, \ + __flex_array_elements_count, 13, &size_B); \ + KUNIT_EXPECT_EQ(test, rc, 0); \ + KUNIT_EXPECT_EQ(test, size_A, size_B); \ + \ + /* flex_array_size() vs __fas_elements_bytes() */ \ + size_A = flex_array_size(ptr_A, data, 13); \ + rc = __fas_elements_bytes(ptr_B, __flex_array_elements, \ + __flex_array_elements_count, 13, &size_B); \ + KUNIT_EXPECT_EQ(test, rc, 0); \ + KUNIT_EXPECT_EQ(test, size_A, size_B); \ + \ + KUNIT_EXPECT_EQ(test, sizeof(*ptr_A) + size_A, \ + offsetof(typeof(*ptr_A), data) + \ + (sizeof(*ptr_A->data) * 13)); \ + KUNIT_EXPECT_EQ(test, sizeof(*ptr_B) + size_B, \ + offsetof(typeof(*ptr_B), \ + __flex_array_elements) + \ + (sizeof(*ptr_B->__flex_array_elements) * \ + 13)); \ +} while (0) + +struct normal { + size_t datalen; + u32 data[]; +}; + +struct decl_normal { + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, datalen); + 
DECLARE_FLEX_ARRAY_ELEMENTS(u32, data); +}; + +struct aligned { + unsigned short datalen; + char data[] __aligned(__alignof__(u64)); +}; + +struct decl_aligned { + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned short, datalen); + DECLARE_FLEX_ARRAY_ELEMENTS(char, data) __aligned(__alignof__(u64)); +}; + +static void struct_test(struct kunit *test) +{ + COMPARE_STRUCTS(struct normal, struct decl_normal); + COMPARE_STRUCTS(struct aligned, struct decl_aligned); +} + +/* Flexible array structure with internal padding. */ +struct flex_cpy_obj { + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u8, count); + unsigned long empty; + char induce_padding; + /* padding ends up here */ + unsigned long after_padding; + DECLARE_FLEX_ARRAY_ELEMENTS(u32, flex); +}; + +/* Encapsulating flexible array structure. */ +struct flex_dup_obj { + unsigned long flags; + int junk; + struct flex_cpy_obj fas; +}; + +/* Flexible array struct of only bytes. */ +struct tiny_flex { + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u8, count); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, byte_array); +}; + +#define CHECK_COPY(ptr) do { \ + typeof(*(ptr)) *_cc_dst = (ptr); \ + KUNIT_EXPECT_EQ(test, _cc_dst->induce_padding, 0); \ + memcpy(&padding, &_cc_dst->induce_padding + sizeof(_cc_dst->induce_padding), \ + sizeof(padding)); \ + /* Padding should be zero too. */ \ + KUNIT_EXPECT_EQ(test, padding, 0); \ + KUNIT_EXPECT_EQ(test, src->count, _cc_dst->count); \ + KUNIT_EXPECT_EQ(test, _cc_dst->count, TEST_TARGET); \ + for (i = 0; i < _cc_dst->count - 1; i++) { \ + /* 'A' is 0x41, and here repeated in a u32. */ \ + KUNIT_EXPECT_EQ(test, _cc_dst->flex[i], 0x41414141); \ + } \ + /* Last item should be different. */ \ + KUNIT_EXPECT_EQ(test, _cc_dst->flex[_cc_dst->count - 1], 0x14141414); \ +} while (0) + +/* Test copying from one flexible array struct into another. 
*/ +static void flex_cpy_test(struct kunit *test) +{ +#define TEST_BOUNDS 13 +#define TEST_TARGET 12 +#define TEST_SMALL 10 + struct flex_cpy_obj *src, *dst; + unsigned long padding; + int i, rc; + + /* Prepare open-coded source. */ + src = kzalloc(struct_size(src, flex, TEST_BOUNDS), GFP_KERNEL); + src->count = TEST_BOUNDS; + memset(src->flex, 'A', flex_array_size(src, flex, TEST_BOUNDS)); + src->flex[src->count - 2] = 0x14141414; + src->flex[src->count - 1] = 0x24242424; + + /* Prepare open-coded destination, alloc only. */ + dst = kzalloc(struct_size(src, flex, TEST_BOUNDS), GFP_KERNEL); + /* Pre-fill with 0xFE marker. */ + memset(dst, 0xFE, struct_size(src, flex, TEST_BOUNDS)); + /* Pretend we're 1 element smaller. */ + dst->count = TEST_TARGET; + + /* Pretend to match the target destination size. */ + src->count = TEST_TARGET; + + rc = flex_cpy(dst, src); + KUNIT_EXPECT_EQ(test, rc, 0); + CHECK_COPY(dst); + /* Item past last copied item is unchanged from initial memset. */ + KUNIT_EXPECT_EQ(test, dst->flex[dst->count], 0xFEFEFEFE); + + /* Now trip overflow, and verify we didn't clobber beyond end. */ + src->count = TEST_BOUNDS; + rc = flex_cpy(dst, src); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Item past last copied item is unchanged from initial memset. */ + KUNIT_EXPECT_EQ(test, dst->flex[dst->count], 0xFEFEFEFE); + + /* Reset destination contents. */ + memset(dst, 0xFD, struct_size(src, flex, TEST_BOUNDS)); + dst->count = TEST_TARGET; + + /* Copy less than max. */ + src->count = TEST_SMALL; + rc = flex_cpy(dst, src); + KUNIT_EXPECT_EQ(test, rc, 0); + /* Verify count was adjusted. */ + KUNIT_EXPECT_EQ(test, dst->count, TEST_SMALL); + /* Verify element beyond src size was wiped. */ + KUNIT_EXPECT_EQ(test, dst->flex[TEST_SMALL], 0); + /* Verify element beyond original dst size was untouched. 
*/ + KUNIT_EXPECT_EQ(test, dst->flex[TEST_TARGET], 0xFDFDFDFD); + + kfree(dst); + kfree(src); +#undef TEST_BOUNDS +#undef TEST_TARGET +#undef TEST_SMALL +} + +static void flex_dup_test(struct kunit *test) +{ +#define TEST_TARGET 12 + struct flex_cpy_obj *src, *dst = NULL, **null = NULL; + struct flex_dup_obj *encap = NULL; + unsigned long padding; + int i, rc; + + /* Prepare open-coded source. */ + src = kzalloc(struct_size(src, flex, TEST_TARGET), GFP_KERNEL); + src->count = TEST_TARGET; + memset(src->flex, 'A', flex_array_size(src, flex, TEST_TARGET)); + src->flex[src->count - 1] = 0x14141414; + + /* Reject NULL @alloc. */ + rc = flex_dup(null, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + + /* Check good copy. */ + rc = flex_dup(&dst, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_ASSERT_TRUE(test, dst != NULL); + CHECK_COPY(dst); + + /* Reject non-NULL *@alloc. */ + rc = flex_dup(&dst, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + + kfree(dst); + + /* Check good encap copy. */ + rc = __flex_dup(&encap, .fas, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_ASSERT_TRUE(test, dst != NULL); + CHECK_COPY(&encap->fas); + /* Check that items external to "fas" are zero. */ + KUNIT_EXPECT_EQ(test, encap->flags, 0); + KUNIT_EXPECT_EQ(test, encap->junk, 0); + kfree(encap); +#undef MAGIC_WORD +#undef TEST_TARGET +} + +static void mem_to_flex_test(struct kunit *test) +{ +#define TEST_TARGET 9 +#define TEST_MAX U8_MAX +#define MAGIC_WORD 0x03030303 + u8 magic_byte = MAGIC_WORD & 0xff; + struct flex_cpy_obj *dst; + size_t big = (size_t)INT_MAX + 1; + char small[] = "Hello"; + char *src; + u32 src_len; + int rc; + + /* Open coded allocations, 1 larger than actually used. */ + src_len = flex_array_size(dst, flex, TEST_MAX + 1); + src = kzalloc(src_len, GFP_KERNEL); + dst = kzalloc(struct_size(dst, flex, TEST_MAX + 1), GFP_KERNEL); + dst->count = TEST_TARGET; + + /* Fill source. 
*/ + memset(src, magic_byte, src_len); + + /* Short copy is fine. */ + KUNIT_EXPECT_EQ(test, dst->flex[0], 0); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + rc = mem_to_flex(dst, src, 1); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_EXPECT_EQ(test, dst->count, 1); + KUNIT_EXPECT_EQ(test, dst->after_padding, 0); + KUNIT_EXPECT_EQ(test, dst->flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + dst->count = TEST_TARGET; + + /* Reject negative elements count. */ + rc = mem_to_flex(dst, small, -1); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure dst is unchanged. */ + KUNIT_EXPECT_EQ(test, dst->flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + + /* Reject compile-time read overflow. */ + rc = mem_to_flex(dst, small, 20); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure dst is unchanged. */ + KUNIT_EXPECT_EQ(test, dst->flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + + /* Reject giant buffer source. */ + rc = mem_to_flex(dst, small, big); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure dst is unchanged. */ + KUNIT_EXPECT_EQ(test, dst->flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + + /* Copy beyond storage size is rejected. */ + dst->count = TEST_MAX; + KUNIT_EXPECT_EQ(test, dst->flex[TEST_MAX - 1], 0); + KUNIT_EXPECT_EQ(test, dst->flex[TEST_MAX], 0); + rc = mem_to_flex(dst, src, TEST_MAX + 1); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure dst is unchanged. 
*/ + KUNIT_EXPECT_EQ(test, dst->flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, dst->flex[1], 0); + + kfree(dst); + kfree(src); +#undef MAGIC_WORD +#undef TEST_MAX +#undef TEST_TARGET +} + +static void mem_to_flex_dup_test(struct kunit *test) +{ +#define ELEMENTS_COUNT 259 +#define MAGIC_WORD 0xABABABAB + u8 magic_byte = MAGIC_WORD & 0xff; + struct flex_dup_obj *obj = NULL; + struct tiny_flex *tiny = NULL, **null = NULL; + size_t src_len, count, big = (size_t)INT_MAX + 1; + char small[] = "Hello"; + u8 *src; + int rc; + + src_len = struct_size(tiny, byte_array, ELEMENTS_COUNT); + src = kzalloc(src_len, GFP_KERNEL); + KUNIT_ASSERT_TRUE(test, src != NULL); + /* Fill with bytes. */ + memset(src, magic_byte, src_len); + KUNIT_EXPECT_EQ(test, src[0], magic_byte); + KUNIT_EXPECT_EQ(test, src[src_len / 2], magic_byte); + KUNIT_EXPECT_EQ(test, src[src_len - 1], magic_byte); + + /* Reject storage exceeding elements_count type. */ + count = ELEMENTS_COUNT; + rc = mem_to_flex_dup(&tiny, src, count, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + KUNIT_EXPECT_TRUE(test, tiny == NULL); + + /* Reject negative elements count. */ + rc = mem_to_flex_dup(&tiny, src, -1, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + KUNIT_EXPECT_TRUE(test, tiny == NULL); + + /* Reject compile-time read overflow. */ + rc = mem_to_flex_dup(&tiny, small, 20, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + KUNIT_EXPECT_TRUE(test, tiny == NULL); + + /* Reject giant buffer source. */ + rc = mem_to_flex_dup(&tiny, small, big, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + KUNIT_EXPECT_TRUE(test, tiny == NULL); + + /* Reject NULL @alloc. */ + rc = mem_to_flex_dup(null, src, count, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + + /* Allow reasonable count.*/ + count = ELEMENTS_COUNT / 2; + rc = mem_to_flex_dup(&tiny, src, count, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_ASSERT_TRUE(test, tiny != NULL); + /* Spot check the copy happened. 
*/ + KUNIT_EXPECT_EQ(test, tiny->count, count); + KUNIT_EXPECT_EQ(test, tiny->byte_array[0], magic_byte); + KUNIT_EXPECT_EQ(test, tiny->byte_array[count / 2], magic_byte); + KUNIT_EXPECT_EQ(test, tiny->byte_array[count - 1], magic_byte); + + /* Reject non-NULL *@alloc. */ + rc = mem_to_flex_dup(&tiny, src, count, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + kfree(tiny); + + /* Works with encapsulation too. */ + count = ELEMENTS_COUNT / 10; + rc = __mem_to_flex_dup(&obj, .fas, src, count, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_ASSERT_TRUE(test, obj != NULL); + /* Spot check the copy happened. */ + KUNIT_EXPECT_EQ(test, obj->fas.count, count); + KUNIT_EXPECT_EQ(test, obj->fas.after_padding, 0); + KUNIT_EXPECT_EQ(test, obj->fas.flex[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, obj->fas.flex[count / 2], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, obj->fas.flex[count - 1], MAGIC_WORD); + /* Check members before flexible array struct are zero. */ + KUNIT_EXPECT_EQ(test, obj->flags, 0); + KUNIT_EXPECT_EQ(test, obj->junk, 0); + kfree(obj); +#undef MAGIC_WORD +#undef ELEMENTS_COUNT +} + +static void flex_to_mem_test(struct kunit *test) +{ +#define ELEMENTS_COUNT 200 +#define MAGIC_WORD 0xF1F2F3F4 + struct flex_cpy_obj *src; + typeof(*src->flex) *cast; + size_t src_len = struct_size(src, flex, ELEMENTS_COUNT); + size_t copy_len = flex_array_size(src, flex, ELEMENTS_COUNT); + int i, rc; + size_t bytes = 0; + u8 too_small; + u8 *dst; + + /* Create a filled flexible array struct. */ + src = kzalloc(src_len, GFP_KERNEL); + KUNIT_ASSERT_TRUE(test, src != NULL); + src->count = ELEMENTS_COUNT; + src->after_padding = 13; + for (i = 0; i < ELEMENTS_COUNT; i++) + src->flex[i] = MAGIC_WORD; + + /* Over-allocate space to do past-src_len checking. */ + dst = kzalloc(src_len * 2, GFP_KERNEL); + KUNIT_ASSERT_TRUE(test, dst != NULL); + cast = (void *)dst; + + /* Fail if dst is too small. 
*/ + rc = flex_to_mem(dst, copy_len - 1, src, &bytes); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure nothing was copied. */ + KUNIT_EXPECT_EQ(test, bytes, 0); + KUNIT_EXPECT_EQ(test, cast[0], 0); + + /* Fail if type too small to hold size of copy. */ + KUNIT_EXPECT_GT(test, copy_len, type_max(typeof(too_small))); + rc = flex_to_mem(dst, copy_len, src, &too_small); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + /* Make sure nothing was copied. */ + KUNIT_EXPECT_EQ(test, bytes, 0); + KUNIT_EXPECT_EQ(test, cast[0], 0); + + /* Check good copy. */ + rc = flex_to_mem(dst, copy_len, src, &bytes); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_EXPECT_EQ(test, bytes, copy_len); + /* Spot check the copy */ + KUNIT_EXPECT_EQ(test, cast[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, cast[ELEMENTS_COUNT / 2], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, cast[ELEMENTS_COUNT - 1], MAGIC_WORD); + /* Make sure nothing was written after last element. */ + KUNIT_EXPECT_EQ(test, cast[ELEMENTS_COUNT], 0); + + kfree(dst); + kfree(src); +#undef MAGIC_WORD +#undef ELEMENTS_COUNT +} + +static void flex_to_mem_dup_test(struct kunit *test) +{ +#define ELEMENTS_COUNT 210 +#define MAGIC_WORD 0xF0F1F2F3 + struct flex_dup_obj *obj, **null = NULL; + struct flex_cpy_obj *src; + typeof(*src->flex) *cast; + size_t obj_len = struct_size(obj, fas.flex, ELEMENTS_COUNT); + size_t src_len = struct_size(src, flex, ELEMENTS_COUNT); + size_t copy_len = flex_array_size(src, flex, ELEMENTS_COUNT); + int i, rc; + size_t bytes = 0; + u8 too_small = 0; + u8 *dst = NULL; + + /* Create a filled flexible array struct. */ + obj = kzalloc(obj_len, GFP_KERNEL); + KUNIT_ASSERT_TRUE(test, obj != NULL); + obj->fas.count = ELEMENTS_COUNT; + obj->fas.after_padding = 13; + for (i = 0; i < ELEMENTS_COUNT; i++) + obj->fas.flex[i] = MAGIC_WORD; + src = &obj->fas; + + /* Fail if type too small to hold size of copy. 
*/ + KUNIT_EXPECT_GT(test, src_len, type_max(typeof(too_small))); + rc = flex_to_mem_dup(&dst, &too_small, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -E2BIG); + KUNIT_EXPECT_TRUE(test, dst == NULL); + KUNIT_EXPECT_EQ(test, too_small, 0); + + /* Fail if @alloc_size is NULL. */ + KUNIT_EXPECT_TRUE(test, dst == NULL); + rc = flex_to_mem_dup(&dst, dst, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + KUNIT_EXPECT_TRUE(test, dst == NULL); + + /* Fail if @alloc is NULL. */ + rc = flex_to_mem_dup(null, &bytes, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + KUNIT_EXPECT_TRUE(test, dst == NULL); + KUNIT_EXPECT_EQ(test, bytes, 0); + + /* Check good copy. */ + rc = flex_to_mem_dup(&dst, &bytes, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, 0); + KUNIT_EXPECT_TRUE(test, dst != NULL); + KUNIT_EXPECT_EQ(test, bytes, copy_len); + cast = (void *)dst; + /* Spot check the copy */ + KUNIT_EXPECT_EQ(test, cast[0], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, cast[ELEMENTS_COUNT / 2], MAGIC_WORD); + KUNIT_EXPECT_EQ(test, cast[ELEMENTS_COUNT - 1], MAGIC_WORD); + + /* Fail if *@alloc is non-NULL. 
*/ + bytes = 0; + rc = flex_to_mem_dup(&dst, &bytes, src, GFP_KERNEL); + KUNIT_EXPECT_EQ(test, rc, -EINVAL); + KUNIT_EXPECT_EQ(test, bytes, 0); + + kfree(dst); + kfree(obj); +#undef MAGIC_WORD +#undef ELEMENTS_COUNT +} + +static struct kunit_case flex_array_test_cases[] = { + KUNIT_CASE(struct_test), + KUNIT_CASE(flex_cpy_test), + KUNIT_CASE(flex_dup_test), + KUNIT_CASE(mem_to_flex_test), + KUNIT_CASE(mem_to_flex_dup_test), + KUNIT_CASE(flex_to_mem_test), + KUNIT_CASE(flex_to_mem_dup_test), + {} +}; + +static struct kunit_suite flex_array_test_suite = { + .name = "flex_array", + .test_cases = flex_array_test_cases, +}; + +kunit_test_suite(flex_array_test_suite); + +MODULE_LICENSE("GPL");
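Review bot: In flex_to_mem_test(), too_small is declared without an initializer, and the "Fail if type too small to hold size of copy" case then asserts only on bytes and cast[0], so a helper that stored a truncated length through &too_small would still pass. Initialize it with u8 too_small = 0; and add KUNIT_EXPECT_EQ(test, too_small, 0); after the rejected call, as flex_to_mem_dup_test() already does.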
From patchwork Wed May 4 01:44:13 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12837122
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, Nathan Chancellor, Nick Desaulniers, Tom Rix,
 linux-hardening@vger.kernel.org, llvm@lists.linux.dev, Alexei Starovoitov,
 alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton,
 Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson,
 Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com,
 Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel,
 Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow,
 David Howells, "David S. Miller", Dennis Dalessandro,
 devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen,
 Eric Dumazet, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel,
 Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman,
 Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot,
 Jakub Kicinski, "James E.J. Bottomley", James Morris, Jarkko Sakkinen,
 Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg,
 Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard,
 keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima,
 "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky,
 Liam Girdwood, linux1394-devel@lists.sourceforge.net,
 linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org,
 linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org,
 linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org,
 linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org,
 linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org,
 linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org,
 Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz,
 Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K. Petersen",
 Max Filippov, Mimi Zohar, Muchun Song, netdev@vger.kernel.org, Nuno Sá,
 Paolo Abeni, Paul Moore, Rich Felker, Rob Herring, Russell King,
 selinux@vger.kernel.org, "Serge E. Hallyn",
 SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini,
 Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley,
 Tadeusz Struk, Takashi Iwai, Udipto Goswami, Vincenzo Frascino,
 wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org,
 Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 04/32] fortify: Add run-time WARN for cross-field memcpy()
Date: Tue, 3 May 2022 18:44:13 -0700
Message-Id: <20220504014440.3697851-5-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

Enable run-time checking of dynamic
memcpy() and memmove() lengths, issuing a WARN when a write would exceed
the size of the target struct member, when built with
CONFIG_FORTIFY_SOURCE=y. This would have caught all of the memcpy()-based
buffer overflows from 2018 through 2020, specifically covering all the
cases where the destination buffer size is known at compile time.

This change ONLY adds a run-time warning. As false positives are currently
still expected, this will not block the overflow. The new warnings will
look like this:

  memcpy: detected field-spanning write (size N) of single field "var->dest" (size M)
  WARNING: CPU: n PID: pppp at source/file/path.c:nr function+0xXX/0xXX [module]

The false positives are most likely where intentional field-spanning
writes are happening. These need to be addressed similarly to how the
compile-time cases were addressed: add a struct_group(), split the
memcpy(), use a flex_array.h helper, or some other refactoring.

In order to make identifying/investigating instances of added runtime
checks easier, each instance includes the destination variable name as a
WARN argument, prefixed with 'field "'. Therefore, on any given build, it
is trivial to inspect the artifacts to find instances. For example on an
x86_64 defconfig build, there are 78 new run-time memcpy() bounds checks
added:

  $ for i in vmlinux $(find . -name '*.ko'); do \
      strings "$i" | grep '^field "'; done | wc -l
  78

Currently, the common case where a destination buffer is known to be a
dynamic size (i.e. has a trailing flexible array) does not generate a
WARN. For example:

    struct normal_flex_array {
        void *a;
        int b;
        size_t array_size;
        u32 c;
        u8 flex_array[];
    };

    struct normal_flex_array *instance;
    ...
    /* These cases will be ignored for run-time bounds checking. */
    memcpy(instance, src, len);
    memcpy(instance->flex_array, src, len);

This code pattern will need to be addressed separately, likely by
migrating to one of the flex_array.h family of helpers.

Note that one of the dynamic-sized destination cases is irritatingly
unable to be detected by the compiler: when using memcpy() to target a
composite struct member which contains a trailing flexible array struct.
For example:

    struct wrapper {
        int foo;
        char bar;
        struct normal_flex_array embedded;
    };

    struct wrapper *instance;
    ...
    /* This will incorrectly WARN when len > sizeof(instance->embedded) */
    memcpy(&instance->embedded, src, len);

These cases end up appearing to the compiler to be sized as if the
flexible array had 0 elements. :( For more details see:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832
https://godbolt.org/z/vW6x8vh4P

Regardless, all cases of copying to/from flexible array structures should
be migrated to using the new flex*()-family of helpers to gain their added
safety checking, but priority will need to be given to the "composite
flexible array structure destination" cases noted above.

As mentioned, none of these bounds checks block any overflows currently.
For users that have tested their workloads, do not encounter any warnings,
and wish to make these checks stop any overflows, they can use a big
hammer and set the sysctl panic_on_warn=1.

Cc: Nathan Chancellor
Cc: Nick Desaulniers
Cc: Tom Rix
Cc: linux-hardening@vger.kernel.org
Cc: llvm@lists.linux.dev
Signed-off-by: Kees Cook
---
 include/linux/fortify-string.h | 70 ++++++++++++++++++++++++++++++++--
 1 file changed, 67 insertions(+), 3 deletions(-)

diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h index 295637a66c46..9f65527fff40 100644 --- a/include/linux/fortify-string.h +++ b/include/linux/fortify-string.h @@ -3,6 +3,7 @@ #define _LINUX_FORTIFY_STRING_H_ #include +#include #define __FORTIFY_INLINE extern __always_inline __gnu_inline __overloadable #define __RENAME(x) __asm__(#x)
@@ -303,7 +304,7 @@ __FORTIFY_INLINE void fortify_memset_chk(__kernel_size_t size, * V = vulnerable to run-time overflow (will need refactoring to solve) * */ -__FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size, +__FORTIFY_INLINE bool fortify_memcpy_chk(__kernel_size_t size, const size_t p_size, const size_t q_size, const size_t p_size_field, 
@@ -352,16 +353,79 @@ __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size, if ((p_size != (size_t)(-1) && p_size < size) || (q_size != (size_t)(-1) && q_size < size)) fortify_panic(func); + + /* + * Warn when writing beyond destination field size. + * + * We must ignore p_size_field == 0 and -1 for existing + * 0-element and flexible arrays, until they are all converted + * to flexible arrays and use the flex()-family of helpers. + * + * The implementation of __builtin_object_size() behaves + * like sizeof() when not directly referencing a flexible + * array member, which means there will be many bounds checks + * that will appear at run-time, without a way for them to be + * detected at compile-time (as can be done when the destination + * is specifically the flexible array member). + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832 + */ + if (p_size_field != 0 && p_size_field != (size_t)(-1) && + p_size != p_size_field && p_size_field < size) + return true; + + return false; } #define __fortify_memcpy_chk(p, q, size, p_size, q_size, \ p_size_field, q_size_field, op) ({ \ size_t __fortify_size = (size_t)(size); \ - fortify_memcpy_chk(__fortify_size, p_size, q_size, \ - p_size_field, q_size_field, #op); \ + WARN_ONCE(fortify_memcpy_chk(__fortify_size, p_size, q_size, \ + p_size_field, q_size_field, #op), \ + #op ": detected field-spanning write (size %zu) of single %s (size %zu)\n", \ + __fortify_size, \ + "field \"" #p "\" at " __FILE__ ":" __stringify(__LINE__), \ + p_size_field); \ __underlying_##op(p, q, __fortify_size); \ }) +/* + * Notes about compile-time buffer size detection: + * + * With these types... + * + * struct middle { + * u16 a; + * u8 middle_buf[16]; + * int b; + * }; + * struct end { + * u16 a; + * u8 end_buf[16]; + * }; + * struct flex { + * int a; + * u8 flex_buf[]; + * }; + * + * void func(TYPE *ptr) { ... 
} + * + * Cases where destination size cannot be currently detected: + * - the size of ptr's object (seemingly by design, gcc & clang fail): + * __builtin_object_size(ptr, 1) == -1 + * - the size of flexible arrays in ptr's obj (by design, dynamic size): + * __builtin_object_size(ptr->flex_buf, 1) == -1 + * - the size of ANY array at the end of ptr's obj (gcc and clang bug): + * __builtin_object_size(ptr->end_buf, 1) == -1 + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836 + * + * Cases where destination size is currently detected: + * - the size of non-array members within ptr's object: + * __builtin_object_size(ptr->a, 1) == 2 + * - the size of non-flexible-array in the middle of ptr's obj: + * __builtin_object_size(ptr->middle_buf, 1) == 16 + * + */ + /* * __builtin_object_size() must be captured here to avoid evaluating argument * side-effects further into the macro layers.
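Review bot: The WARN_ONCE() format added to __fortify_memcpy_chk() does not print the line shown in the commit message: the %s argument is "field \"" #p "\" at " __FILE__ ":" __stringify(__LINE__), so the output reads field "var->dest" at file.c:NN (size M), while the WARNING: line in the same example already carries the file and line. Either drop the " at FILE:LINE" suffix or update the example in the commit message to match. In the notes comment, __builtin_object_size(ptr->a, 1) passes a u16 value where the builtin takes a pointer, so it should read &ptr->a, and "== 2" holds only for struct middle and struct end, since struct flex declares a as int.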
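The destination-side decision described in this commit message, modelled as a userspace C program. This is an added example, not the kernel's code: the sizes the kernel obtains from __builtin_object_size() are supplied through sizeof/offsetof, the source-side (q_size) checks are left out, and `classify_write`, `enum verdict` and the helper names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What __builtin_object_size() yields when the size cannot be determined. */
#define SIZE_UNKNOWN ((size_t)-1)

enum verdict { COPY_OK, COPY_WARN_FIELD_SPAN, COPY_PANIC_OBJECT_OVERFLOW };

/* Layouts from the commit message and the patch's notes comment (u8/u16/u32 via stdint). */
struct middle {
	uint16_t a;
	uint8_t middle_buf[16];
	int b;
};

struct normal_flex_array {
	void *a;
	int b;
	size_t array_size;
	uint32_t c;
	uint8_t flex_array[];
};

/* Bytes from the start of a member to the end of its enclosing object. */
#define REST_OF_OBJECT(type, member) (sizeof(type) - offsetof(type, member))
/* Bytes in the member itself. */
#define FIELD_SIZE(type, member) (sizeof(((type *)0)->member))

/*
 * Hypothetical model of the destination checks in the patched
 * fortify_memcpy_chk(): p_size is the remaining size of the enclosing
 * object, p_size_field the size of the member being written.
 */
static enum verdict classify_write(size_t size, size_t p_size, size_t p_size_field)
{
	/* Existing behaviour: a write past the whole object is fatal. */
	if (p_size != SIZE_UNKNOWN && p_size < size)
		return COPY_PANIC_OBJECT_OVERFLOW;
	/* Added by this patch: inside the object but past the member is a WARN. */
	if (p_size_field != 0 && p_size_field != SIZE_UNKNOWN &&
	    p_size != p_size_field && p_size_field < size)
		return COPY_WARN_FIELD_SPAN;
	return COPY_OK;
}

/* memcpy(ptr->middle_buf, src, len) where the size of ptr's object is known. */
static enum verdict middle_buf_write(size_t len)
{
	return classify_write(len, REST_OF_OBJECT(struct middle, middle_buf),
			      FIELD_SIZE(struct middle, middle_buf));
}

/* memcpy(instance->flex_array, src, len): both sizes unknown, so never flagged. */
static enum verdict flex_array_write(size_t len)
{
	return classify_write(len, SIZE_UNKNOWN, SIZE_UNKNOWN);
}

/*
 * memcpy(&instance->embedded, src, len) for the commit message's
 * struct wrapper: the member is sized as if flex_array had 0 elements and
 * the heap object's own size is unknown, hence the false positive.
 */
static enum verdict embedded_write(size_t len)
{
	return classify_write(len, SIZE_UNKNOWN, sizeof(struct normal_flex_array));
}

static const char *verdict_name(enum verdict v)
{
	switch (v) {
	case COPY_OK: return "ok";
	case COPY_WARN_FIELD_SPAN: return "WARN: field-spanning write";
	default: return "panic: write past object";
	}
}

int main(void)
{
	size_t rest = REST_OF_OBJECT(struct middle, middle_buf);
	size_t emb = sizeof(struct normal_flex_array);

	printf("middle_buf len 16:  %s\n", verdict_name(middle_buf_write(16)));
	printf("middle_buf len 17:  %s\n", verdict_name(middle_buf_write(17)));
	printf("middle_buf len %zu:  %s\n", rest + 1, verdict_name(middle_buf_write(rest + 1)));
	printf("flex_array len 4096:  %s\n", verdict_name(flex_array_write(4096)));
	printf("embedded len %zu:  %s\n", emb, verdict_name(embedded_write(emb)));
	printf("embedded len %zu:  %s\n", emb + 64, verdict_name(embedded_write(emb + 64)));
	return 0;
}
```

The last line of output is the "composite flexible array structure destination" false positive: a legitimate copy into the embedded struct plus 64 bytes of trailing array is reported as field-spanning.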
From patchwork Wed May 4 01:44:14 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12837136
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, Arend van Spriel, Franky Lin, Hante Meuleman, Kalle Valo,
 "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni,
 linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com,
 SHA-cyfmac-dev-list@infineon.com, netdev@vger.kernel.org,
 Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov,
 Andrew Morton, Andy Gross, Andy Lavr, Baowen Zheng, Bjorn Andersson,
 Boris Ostrovsky, Bradley Grove, Christian Brauner, Christian Göttsche,
 Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter,
 Dan Williams, David Gow, David Howells, Dennis Dalessandro,
 devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen,
 Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand,
 Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang,
 Herbert Xu, Hulk Robot, "James E.J. Bottomley", James Morris,
 Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe,
 Johan Hedberg, Johannes Berg, Johannes Berg, John Keeping, Juergen Gross,
 Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com,
 Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones,
 Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net,
 linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org,
 linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org,
 linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org,
 linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org,
 linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org,
 linux-usb@vger.kernel.org, linux-xtensa@linux-xtensa.org,
 llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho,
 Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown,
 "Martin K. Petersen", Max Filippov, Mimi Zohar, Muchun Song,
 Nathan Chancellor, Nick Desaulniers, Nuno Sá, Paul Moore, Rich Felker,
 Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn",
 Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert,
 Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix,
 Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu,
 xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 05/32] brcmfmac: Use mem_to_flex_dup() with struct brcmf_fweh_queue_item
Date: Tue, 3 May 2022 18:44:14 -0700
Message-Id: <20220504014440.3697851-6-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all
memcpy() uses, replace the open-coded deserialization of bytes out of
memory into a trailing flexible array by using a flex_array.h helper to
perform the allocation, bounds checking, and copying.

Cc: Arend van Spriel
Cc: Franky Lin
Cc: Hante Meuleman
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: linux-wireless@vger.kernel.org
Cc: brcm80211-dev-list.pdl@broadcom.com
Cc: SHA-cyfmac-dev-list@infineon.com
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 .../net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c index bc3f4e4edcdf..bea798ca6466 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c @@ -32,8 +32,8 @@ struct brcmf_fweh_queue_item { u8 ifidx; u8 ifaddr[ETH_ALEN]; struct brcmf_event_msg_be emsg; - u32 datalen; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, datalen); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; /* @@ -395,7 +395,7 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, { enum brcmf_fweh_event_code code; struct brcmf_fweh_info *fweh = &drvr->fweh; - struct brcmf_fweh_queue_item *event; + struct brcmf_fweh_queue_item *event = NULL; void *data; u32 datalen; @@ -414,8 +414,7 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, datalen + sizeof(*event_packet) > packet_len) return; - event = kzalloc(sizeof(*event) + datalen, gfp); - if (!event) + if (mem_to_flex_dup(&event, data, datalen, gfp)) return; event->code = code;
@@ -423,8 +422,6 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, /* use memcpy to get aligned event message */ memcpy(&event->emsg, &event_packet->msg, sizeof(event->emsg)); - memcpy(event->data, data, datalen); - event->datalen = datalen; memcpy(event->ifaddr, event_packet->eth.h_dest, ETH_ALEN); brcmf_fweh_queue_event(fweh, event);
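Review bot: In the @@ -414,8 +414,7 @@ hunk, if (mem_to_flex_dup(&event, data, datalen, gfp)) return; throws away the helper's return code, so a failed allocation and a rejected argument or count (the KUnit tests in this series show -EINVAL and -E2BIG) are indistinguishable when a firmware event is silently dropped. Keep the value in a local and log it at debug level before returning. The = NULL initializer added in the @@ -395,7 +395,7 @@ hunk is also load-bearing, since the tests show the helper rejecting a non-NULL *@alloc with -EINVAL; a one-line comment at the declaration would stop a later cleanup from removing it.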
From patchwork Wed May 4 01:44:15 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12837119

From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 06/32] iwlwifi: calib: Prepare to use mem_to_flex_dup()
Date: Tue, 3 May 2022 18:44:15 -0700
Message-Id: <20220504014440.3697851-7-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>

In preparation for replacing an open-coded
memcpy() of a dynamically sized buffer, rearrange the structures to pass enough information into the calling function to examine the bounds of the struct.

Rearrange the argument passing to use "cmd", rather than "hdr", since "res" expects to operate on the "data" flex array in "cmd" (that follows "hdr").

Cc: Luca Coelho
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Lee Jones
Cc: Johannes Berg
Cc: Gregory Greenman
Cc: Kalle Valo
Cc: Eric Dumazet
Cc: Paolo Abeni
Cc: Andy Lavr
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/net/wireless/intel/iwlwifi/dvm/agn.h | 2 +-
 drivers/net/wireless/intel/iwlwifi/dvm/calib.c | 10 +++++-----
 drivers/net/wireless/intel/iwlwifi/dvm/ucode.c | 8 ++++----
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/agn.h b/drivers/net/wireless/intel/iwlwifi/dvm/agn.h index abb8696ba294..744e111d2ea3 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/agn.h +++ b/drivers/net/wireless/intel/iwlwifi/dvm/agn.h @@ -112,7 +112,7 @@ int iwl_load_ucode_wait_alive(struct iwl_priv *priv, enum iwl_ucode_type ucode_type); int iwl_send_calib_results(struct iwl_priv *priv); int iwl_calib_set(struct iwl_priv *priv, - const struct iwl_calib_hdr *cmd, int len); + const struct iwl_calib_cmd *cmd, int len); void iwl_calib_free_results(struct iwl_priv *priv); int iwl_dump_nic_event_log(struct iwl_priv *priv, bool full_log, char **buf); diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c index a11884fa254b..ae1f0cf560e2 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c +++ b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c @@ -19,7 +19,7 @@ struct iwl_calib_result { struct list_head list; size_t cmd_len; - struct iwl_calib_hdr hdr; + struct iwl_calib_cmd cmd; /* data follows */ }; 
@@ -43,12 +43,12 @@ int iwl_send_calib_results(struct iwl_priv *priv) int ret; hcmd.len[0] = res->cmd_len; - hcmd.data[0] = &res->hdr; + hcmd.data[0] = &res->cmd; hcmd.dataflags[0] = IWL_HCMD_DFL_NOCOPY; ret = iwl_dvm_send_cmd(priv, &hcmd); if (ret) { IWL_ERR(priv, "Error %d on calib cmd %d\n", - ret, res->hdr.op_code); + ret, res->cmd.hdr.op_code); return ret; } } @@ -57,7 +57,7 @@ int iwl_send_calib_results(struct iwl_priv *priv) } int iwl_calib_set(struct iwl_priv *priv, - const struct iwl_calib_hdr *cmd, int len) + const struct iwl_calib_cmd *cmd, int len) { struct iwl_calib_result *res, *tmp; @@ -69,7 +69,7 @@ int iwl_calib_set(struct iwl_priv *priv, res->cmd_len = len; list_for_each_entry(tmp, &priv->calib_results, list) { - if (tmp->hdr.op_code == res->hdr.op_code) { + if (tmp->cmd.hdr.op_code == res->cmd.hdr.op_code) { list_replace(&tmp->list, &res->list); kfree(tmp); return 0; diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c b/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c index 4b27a53d0bb4..bb13ca5d666c 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c +++ b/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c 
@@ -356,18 +356,18 @@ static bool iwlagn_wait_calib(struct iwl_notif_wait_data *notif_wait, struct iwl_rx_packet *pkt, void *data) { struct iwl_priv *priv = data; - struct iwl_calib_hdr *hdr; + struct iwl_calib_cmd *cmd; if (pkt->hdr.cmd != CALIBRATION_RES_NOTIFICATION) { WARN_ON(pkt->hdr.cmd != CALIBRATION_COMPLETE_NOTIFICATION); return true; } - hdr = (struct iwl_calib_hdr *)pkt->data; + cmd = (struct iwl_calib_cmd *)pkt->data; - if (iwl_calib_set(priv, hdr, iwl_rx_packet_payload_len(pkt))) + if (iwl_calib_set(priv, cmd, iwl_rx_packet_payload_len(pkt))) IWL_ERR(priv, "Failed to record calibration data %d\n", - hdr->op_code); + cmd->hdr.op_code); return false; }
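Review bot: the struct iwl_calib_result hunk in calib.c renames the member hdr to cmd, but none of the calib.c hunks in 06/32 touches the memcpy(&res->hdr, cmd, len) in iwl_calib_set() that 07/32 still shows as a removed line, so the tree at this commit would not build. Change that line to use &res->cmd in this patch, or fold the member rename into 07/32, so the series stays bisectable.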
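Review bot: in the iwlagn_wait_calib() hunk in ucode.c, pkt->data is cast to struct iwl_calib_cmd * and cmd->hdr.op_code is read in the IWL_ERR() path with no check at this call site that iwl_rx_packet_payload_len(pkt) covers the header. Once 07/32 makes iwl_calib_set() fail on a too-short length, that error path is where a truncated payload ends up, so check the length before the cast or log the length instead of op_code.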

From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 07/32] iwlwifi: calib: Use mem_to_flex_dup() with struct iwl_calib_result
Date: Tue, 3 May 2022 18:44:16 -0700
Message-Id: <20220504014440.3697851-8-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to
perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Avoids future false-positive warning when strict run-time memcpy() bounds checking is enabled:

memcpy: detected field-spanning write (size 8) of single field "&res->hdr" (size 4)

Adds an additional size check since the minimum isn't 0.

Reported-by: Andy Lavr
Cc: Luca Coelho
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Gregory Greenman
Cc: Eric Dumazet
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/net/wireless/intel/iwlwifi/dvm/calib.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c index ae1f0cf560e2..7480c19d7af0 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c +++ b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c @@ -18,8 +18,11 @@ /* Opaque calibration results */ struct iwl_calib_result { struct list_head list; - size_t cmd_len; - struct iwl_calib_cmd cmd; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, cmd_len); + union { + struct iwl_calib_cmd cmd; + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); + }; /* data follows */ }; 
@@ -59,14 +62,10 @@ int iwl_send_calib_results(struct iwl_priv *priv) int iwl_calib_set(struct iwl_priv *priv, const struct iwl_calib_cmd *cmd, int len) { - struct iwl_calib_result *res, *tmp; + struct iwl_calib_result *res = NULL, *tmp; - res = kmalloc(sizeof(*res) + len - sizeof(struct iwl_calib_hdr), - GFP_ATOMIC); - if (!res) + if (len < sizeof(*cmd) || mem_to_flex_dup(&res, cmd, len, GFP_ATOMIC)) return -ENOMEM; - memcpy(&res->hdr, cmd, len); - res->cmd_len = len; list_for_each_entry(tmp, &priv->calib_results, list) { if (tmp->cmd.hdr.op_code == res->cmd.hdr.op_code) {
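Review bot: in the struct iwl_calib_result hunk the trailing "/* data follows */" comment is left in place although the payload is now the named data[] member overlaid on cmd inside the union. Replace it with a comment stating that cmd_len counts every byte of data[], header included, since that is what makes the minimum-length check in iwl_calib_set() necessary.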
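Review bot: in the iwl_calib_set() hunk, len is an int compared against sizeof(*cmd), so a negative len is converted to a large unsigned value, passes the new minimum-size check and is handed on to mem_to_flex_dup(). Reject len < 0 explicitly (or take a size_t), and return -EINVAL for the too-short case rather than -ENOMEM, because the single condition now reports a validation failure and an allocation failure with the same code; propagating the helper's own return value would keep them apart.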

From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 08/32] iwlwifi: mvm: Use mem_to_flex_dup() with struct ieee80211_key_conf
Date: Tue, 3 May 2022 18:44:17 -0700
Message-Id: <20220504014440.3697851-9-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to
perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Luca Coelho
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Johannes Berg
Cc: Gregory Greenman
Cc: Eric Dumazet
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 8 ++------
 include/net/mac80211.h | 4 ++--
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c index 406f0a50a5bf..23cade528dcf 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c @@ -4108,7 +4108,7 @@ int iwl_mvm_add_pasn_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif, int ret; u16 queue; struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); - struct ieee80211_key_conf *keyconf; + struct ieee80211_key_conf *keyconf = NULL; ret = iwl_mvm_allocate_int_sta(mvm, sta, 0, NL80211_IFTYPE_UNSPECIFIED, @@ -4122,15 +4122,11 @@ int iwl_mvm_add_pasn_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif, if (ret) goto out; - keyconf = kzalloc(sizeof(*keyconf) + key_len, GFP_KERNEL); - if (!keyconf) { + if (mem_to_flex_dup(&keyconf, key, key_len, GFP_KERNEL)) { ret = -ENOBUFS; goto out; } - keyconf->cipher = cipher; - memcpy(keyconf->key, key, key_len); - keyconf->keylen = key_len; ret = iwl_mvm_send_sta_key(mvm, sta->sta_id, keyconf, false, 0, NULL, 0, 0, true); diff --git a/include/net/mac80211.h b/include/net/mac80211.h index 75880fc70700..4abe52963a96 100644 --- a/include/net/mac80211.h +++ b/include/net/mac80211.h 
@@ -1890,8 +1890,8 @@ struct ieee80211_key_conf { u8 hw_key_idx; s8 keyidx; u16 flags; - u8 keylen; - u8 key[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u8, keylen); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, key); }; #define IEEE80211_MAX_PN_LEN 16
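Review bot: the second iwl_mvm_add_pasn_sta() hunk (@@ -4122) removes keyconf->cipher = cipher; together with the memcpy(), and nothing in the added lines sets cipher again before iwl_mvm_send_sta_key() is called. Keep the cipher assignment after the mem_to_flex_dup() call, and confirm the helper zero-fills the object as kzalloc() did, because hw_key_idx, keyidx and flags (visible in the mac80211.h hunk) are not assigned here either.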
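A user-space model of the "allocation, bounds checking, and copying" that the 07/32 and 08/32 commit messages hand to a helper, added here as an illustration; it is not the kernel's mem_to_flex_dup() and not code from this series. The structs, flex_dup(), calib_result_dup(), key_conf_dup(), the demo functions, the cipher value and the sample bytes are all constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space stand-ins for the structures in the patches. */
struct calib_hdr { uint8_t op_code, first_group, groups_num, data_valid; };
struct calib_result {
	size_t cmd_len;   /* counter: bytes held in data[] */
	uint8_t data[];   /* a calib_hdr followed by its payload */
};
struct key_conf {
	uint32_t cipher;
	uint8_t keylen;   /* u8 counter: at most UINT8_MAX key bytes */
	uint8_t key[];
};

/*
 * Hypothetical helper (not the kernel API): allocate a zeroed object with room
 * for `count` trailing bytes at flex_off and copy them in, after the checks an
 * open-coded alloc + memcpy() leaves to every caller.
 */
static int flex_dup(void **out, size_t struct_size, size_t flex_off,
		    size_t count_min, size_t count_max,
		    const void *src, size_t count)
{
	void *obj;

	if (*out || !src)
		return -EINVAL;		/* refuse to overwrite a live pointer */
	if (count < count_min)
		return -EINVAL;		/* shorter than the fixed header */
	if (count > count_max)
		return -E2BIG;		/* would be truncated in the counter */
	if (count > SIZE_MAX - struct_size)
		return -EOVERFLOW;	/* allocation size would wrap */
	obj = calloc(1, struct_size + count);	/* may over-allocate by tail padding */
	if (!obj)
		return -ENOMEM;
	memcpy((uint8_t *)obj + flex_off, src, count);
	*out = obj;
	return 0;
}

/* len is signed, as in iwl_calib_set(): reject negatives before any size_t use. */
static int calib_result_dup(struct calib_result **res, const void *cmd, long len)
{
	void *obj = NULL;
	int ret;

	if (len < 0)
		return -EINVAL;
	ret = flex_dup(&obj, sizeof(**res), offsetof(struct calib_result, data),
		       sizeof(struct calib_hdr), SIZE_MAX, cmd, (size_t)len);
	if (ret)
		return ret;
	*res = obj;
	(*res)->cmd_len = (size_t)len;
	return 0;
}

static int key_conf_dup(struct key_conf **kc, uint32_t cipher, const void *key, size_t n)
{
	void *obj = NULL;
	int ret = flex_dup(&obj, sizeof(**kc), offsetof(struct key_conf, key),
			   0, UINT8_MAX, key, n);
	if (ret)
		return ret;
	*kc = obj;
	(*kc)->keylen = (uint8_t)n;
	(*kc)->cipher = cipher;	/* fixed fields are not part of the copied bytes */
	return 0;
}

/* Constructed input: 4-byte header (op_code 0x0b), 4 payload bytes, zero fill. */
static const uint8_t SAMPLE[512] = { 0x0b, 0, 1, 1, 0xde, 0xad, 0xbe, 0xef };

/* Each demo returns the stored count on success, a negative errno otherwise. */
long calib_demo(long len)
{
	struct calib_result *res = NULL;
	int ret = len > (long)sizeof(SAMPLE) ? -EINVAL
					     : calib_result_dup(&res, SAMPLE, len);
	long n = ret ? ret : (long)res->cmd_len;
	free(res);
	return n;
}

int key_demo(size_t key_len)
{
	struct key_conf *kc = NULL;
	int ret = key_conf_dup(&kc, 0x000fac04u, SAMPLE, key_len);
	int n = ret ? ret : (kc->cipher == 0x000fac04u ? kc->keylen : -EIO);
	free(kc);
	return n;
}

int main(void)
{
	printf("%ld %ld %d %d\n", calib_demo(8), calib_demo(3), key_demo(16), key_demo(256));
	return 0;
}
```

The three rejected cases are the ones the open-coded versions leave unchecked: a length below the header size, a negative length, and a length that does not fit the u8 counter.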

From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 09/32] p54: Use mem_to_flex_dup() with struct p54_cal_database
Date: Tue, 3 May 2022 18:44:18 -0700
Message-Id: <20220504014440.3697851-10-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform
bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Christian Lamparter
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/net/wireless/intersil/p54/eeprom.c | 8 ++------
 drivers/net/wireless/intersil/p54/p54.h | 4 ++--
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/intersil/p54/eeprom.c b/drivers/net/wireless/intersil/p54/eeprom.c index 5bd35c147e19..bd9b3ea327b9 100644 --- a/drivers/net/wireless/intersil/p54/eeprom.c +++ b/drivers/net/wireless/intersil/p54/eeprom.c @@ -702,7 +702,7 @@ static int p54_convert_output_limits(struct ieee80211_hw *dev, static struct p54_cal_database *p54_convert_db(struct pda_custom_wrapper *src, size_t total_len) { - struct p54_cal_database *dst; + struct p54_cal_database *dst = NULL; size_t payload_len, entries, entry_size, offset; payload_len = le16_to_cpu(src->len); @@ -713,16 +713,12 @@ static struct p54_cal_database *p54_convert_db(struct pda_custom_wrapper *src, (payload_len + sizeof(*src) != total_len)) return NULL; - dst = kmalloc(sizeof(*dst) + payload_len, GFP_KERNEL); - if (!dst) + if (mem_to_flex_dup(&dst, src->data, payload_len, GFP_KERNEL)) return NULL; dst->entries = entries; dst->entry_size = entry_size; dst->offset = offset; - dst->len = payload_len; - - memcpy(dst->data, src->data, payload_len); return dst; } diff --git a/drivers/net/wireless/intersil/p54/p54.h b/drivers/net/wireless/intersil/p54/p54.h index 3356ea708d81..22bbb6d28245 100644 --- a/drivers/net/wireless/intersil/p54/p54.h +++ b/drivers/net/wireless/intersil/p54/p54.h
@@ -125,8 +125,8 @@ struct p54_cal_database { size_t entries; size_t entry_size; size_t offset; - size_t len; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; #define EEPROM_READBACK_LEN 0x3fc
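
Review bot: the new `= NULL` on `dst` at the top of p54_convert_db() reads as a redundant initializer, because `dst` is only ever written by the mem_to_flex_dup() call a few lines below; if the helper requires the destination pointer to be NULL on entry, say so in the commit message or a one-line comment so that a later cleanup does not drop it. The same applies to the length: with `dst->len = payload_len;` removed, nothing in this function shows where `len` is set, so the commit message should state that mem_to_flex_dup() stores the count into the member declared with `DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, len)`.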

From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 10/32] wcn36xx: Use mem_to_flex_dup() with struct wcn36xx_hal_ind_msg
Date: Tue, 3 May 2022 18:44:19 -0700
Message-Id: <20220504014440.3697851-11-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all
memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Loic Poulain
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: wcn36xx@lists.infradead.org
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/net/wireless/ath/wcn36xx/smd.c | 8 ++------
 drivers/net/wireless/ath/wcn36xx/smd.h | 4 ++--
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c index dc3805609284..106af0a2ffc4 100644 --- a/drivers/net/wireless/ath/wcn36xx/smd.c +++ b/drivers/net/wireless/ath/wcn36xx/smd.c @@ -3343,7 +3343,7 @@ int wcn36xx_smd_rsp_process(struct rpmsg_device *rpdev, const struct wcn36xx_hal_msg_header *msg_header = buf; struct ieee80211_hw *hw = priv; struct wcn36xx *wcn = hw->priv; - struct wcn36xx_hal_ind_msg *msg_ind; + struct wcn36xx_hal_ind_msg *msg_ind = NULL; wcn36xx_dbg_dump(WCN36XX_DBG_SMD_DUMP, "SMD <<< ", buf, len); switch (msg_header->msg_type) { @@ -3407,16 +3407,12 @@ int wcn36xx_smd_rsp_process(struct rpmsg_device *rpdev, case WCN36XX_HAL_DELETE_STA_CONTEXT_IND: case WCN36XX_HAL_PRINT_REG_INFO_IND: case WCN36XX_HAL_SCAN_OFFLOAD_IND: - msg_ind = kmalloc(struct_size(msg_ind, msg, len), GFP_ATOMIC); - if (!msg_ind) { + if (mem_to_flex_dup(&msg_ind, buf, len, GFP_ATOMIC)) { wcn36xx_err("Run out of memory while handling SMD_EVENT (%d)\n", msg_header->msg_type); return -ENOMEM; } - msg_ind->msg_len = len; - memcpy(msg_ind->msg, buf, len); - spin_lock(&wcn->hal_ind_lock); list_add_tail(&msg_ind->list, &wcn->hal_ind_queue); queue_work(wcn->hal_ind_wq, &wcn->hal_ind_work); diff --git a/drivers/net/wireless/ath/wcn36xx/smd.h b/drivers/net/wireless/ath/wcn36xx/smd.h index 3fd598ac2a27..76ecac46f36b 100644 --- a/drivers/net/wireless/ath/wcn36xx/smd.h
+++ b/drivers/net/wireless/ath/wcn36xx/smd.h 
@@ -46,8 +46,8 @@ struct wcn36xx_fw_msg_status_rsp { struct wcn36xx_hal_ind_msg { struct list_head list; - size_t msg_len; - u8 msg[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, msg_len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, msg); }; struct wcn36xx;
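
Review bot: in the `@@ -3407` hunk of smd.c the failure branch still logs "Run out of memory while handling SMD_EVENT" and returns a hard-coded `-ENOMEM`, but the helper now also does the bounds checking, so a failure that is not an allocation failure would be reported as out-of-memory. Capture the return value, as the nl80211 conversion in this series does with `err = mem_to_flex_dup(...)`, then log and return that value instead of assuming `-ENOMEM`.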

From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 11/32] nl80211: Use mem_to_flex_dup() with struct cfg80211_cqm_config
Date: Tue, 3 May 2022 18:44:20 -0700
Message-Id: <20220504014440.3697851-12-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to
perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Johannes Berg
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: Eric Dumazet
Signed-off-by: Kees Cook
---
 net/wireless/core.h | 4 ++--
 net/wireless/nl80211.c | 15 ++++-----------
 2 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/net/wireless/core.h b/net/wireless/core.h index 3a7dbd63d8c6..899d111993c6 100644 --- a/net/wireless/core.h +++ b/net/wireless/core.h @@ -295,8 +295,8 @@ struct cfg80211_beacon_registration { struct cfg80211_cqm_config { u32 rssi_hyst; s32 last_rssi_event_value; - int n_rssi_thresholds; - s32 rssi_thresholds[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, n_rssi_thresholds); + DECLARE_FLEX_ARRAY_ELEMENTS(s32, rssi_thresholds); }; void cfg80211_destroy_ifaces(struct cfg80211_registered_device *rdev); diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 945ed87d12e0..70df7132cce8 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c
@@ -12096,21 +12096,14 @@ static int nl80211_set_cqm_rssi(struct genl_info *info, wdev_lock(wdev); if (n_thresholds) { - struct cfg80211_cqm_config *cqm_config; + struct cfg80211_cqm_config *cqm_config = NULL; - cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds, - n_thresholds), - GFP_KERNEL); - if (!cqm_config) { - err = -ENOMEM; + err = mem_to_flex_dup(&cqm_config, thresholds, n_thresholds, + GFP_KERNEL); + if (err) goto unlock; - } cqm_config->rssi_hyst = hysteresis; - cqm_config->n_rssi_thresholds = n_thresholds; - memcpy(cqm_config->rssi_thresholds, thresholds, - flex_array_size(cqm_config, rssi_thresholds, - n_thresholds)); wdev->cqm_config = cqm_config; }
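
Review bot: the allocation removed from nl80211_set_cqm_rssi() was `kzalloc()`, and after this change only `rssi_hyst` is assigned, so `last_rssi_event_value` starts at zero only if mem_to_flex_dup() zero-fills the new object, which nothing in this patch states. Say so in the commit message or add an explicit `cqm_config->last_rssi_event_value = 0;`. Unlike the `u8` arrays in the neighbouring patches, the elements here are `s32`: the old memcpy() length was `flex_array_size(cqm_config, rssi_thresholds, n_thresholds)` while the new call passes `n_thresholds`, so please confirm that the third argument is an element count and not a byte count.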

From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 12/32] cfg80211: Use mem_to_flex_dup() with struct cfg80211_bss_ies
Date: Tue, 3 May 2022 18:44:21 -0700
Message-Id: <20220504014440.3697851-13-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to
perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Johannes Berg
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Eric Dumazet
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 include/net/cfg80211.h | 4 ++--
 net/wireless/scan.c | 21 ++++++---------------
 2 files changed, 8 insertions(+), 17 deletions(-)

diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h index 68713388b617..fa236015f6ef 100644 --- a/include/net/cfg80211.h +++ b/include/net/cfg80211.h @@ -2600,9 +2600,9 @@ struct cfg80211_inform_bss { struct cfg80211_bss_ies { u64 tsf; struct rcu_head rcu_head; - int len; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); bool from_beacon; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; /** diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 4a6d86432910..9f53d05c6aaa 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1932,7 +1932,7 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy, gfp_t gfp) { struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); - struct cfg80211_bss_ies *ies; + struct cfg80211_bss_ies *ies = NULL; struct ieee80211_channel *channel; struct cfg80211_internal_bss tmp = {}, *res; int bss_type; @@ -1978,13 +1978,10 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy, * override the IEs pointer should we have received an earlier * indication of Probe Response data. */ - ies = kzalloc(sizeof(*ies) + ielen, gfp); - if (!ies) + if (mem_to_flex_dup(&ies, ie, ielen, gfp)) return NULL; - ies->len = ielen; ies->tsf = tsf; ies->from_beacon = false; - memcpy(ies->data, ie, ielen); switch (ftype) { case CFG80211_BSS_FTYPE_BEACON:
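
Review bot: the counter for `data[]` stays a signed `int` (`DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len)` in the cfg80211.h hunk), and with `ies->len = ielen;` removed in cfg80211_inform_single_bss_data() the conversion of the caller's length into that `int` now happens out of sight inside mem_to_flex_dup(). State in the commit message what the helper returns when the count is negative or does not fit the counter's type, since the only visible reaction here is `return NULL`, and consider making `len` unsigned while the member is being redeclared anyway.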
@@ -2277,7 +2274,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, size_t ielen = len - offsetof(struct ieee80211_mgmt, u.probe_resp.variable); size_t new_ie_len; - struct cfg80211_bss_ies *new_ies; + struct cfg80211_bss_ies *new_ies = NULL; const struct cfg80211_bss_ies *old; u8 cpy_len; @@ -2314,8 +2311,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, if (!new_ie) return; - new_ies = kzalloc(sizeof(*new_ies) + new_ie_len, GFP_ATOMIC); - if (!new_ies) + if (mem_to_flex_dup(&new_ies, new_ie, new_ie_len, GFP_ATOMIC)) goto out_free; pos = new_ie; @@ -2333,10 +2329,8 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, memcpy(pos, mbssid + cpy_len, ((ie + ielen) - (mbssid + cpy_len))); /* update ie */ - new_ies->len = new_ie_len; new_ies->tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp); new_ies->from_beacon = ieee80211_is_beacon(mgmt->frame_control); - memcpy(new_ies->data, new_ie, new_ie_len); if (ieee80211_is_probe_resp(mgmt->frame_control)) { old = rcu_access_pointer(nontrans_bss->proberesp_ies); rcu_assign_pointer(nontrans_bss->proberesp_ies, new_ies); @@ -2363,7 +2357,7 @@ cfg80211_inform_single_bss_frame_data(struct wiphy *wiphy, gfp_t gfp) { struct cfg80211_internal_bss tmp = {}, *res; - struct cfg80211_bss_ies *ies; + struct cfg80211_bss_ies *ies = NULL; struct ieee80211_channel *channel; bool signal_valid; struct ieee80211_ext *ext = NULL; 
@@ -2442,14 +2436,11 @@ cfg80211_inform_single_bss_frame_data(struct wiphy *wiphy, capability = le16_to_cpu(mgmt->u.probe_resp.capab_info); } - ies = kzalloc(sizeof(*ies) + ielen, gfp); - if (!ies) + if (mem_to_flex_dup(&ies, variable, ielen, gfp)) return NULL; - ies->len = ielen; ies->tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp); ies->from_beacon = ieee80211_is_beacon(mgmt->frame_control) || ieee80211_is_s1g_beacon(mgmt->frame_control); - memcpy(ies->data, variable, ielen); if (ieee80211_is_probe_resp(mgmt->frame_control)) rcu_assign_pointer(tmp.pub.proberesp_ies, ies);
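Review bot: In cfg80211_update_notlisted_nontrans() the copy into new_ies now happens before new_ie has been filled in. mem_to_flex_dup(&new_ies, new_ie, new_ie_len, GFP_ATOMIC) sits where the kzalloc() was, directly after the `if (!new_ie) return;` check, but the context lines that follow (`pos = new_ie;` and the memcpy(pos, ...) calls that end just above `/* update ie */`) are what build the contents of new_ie, and the removed `memcpy(new_ies->data, new_ie, new_ie_len);` ran only after them. As posted, new_ies->data captures the buffer before it is populated. Move the mem_to_flex_dup() call down to the `/* update ie */` block where the old memcpy() was, keeping the `goto out_free` error path.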
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, Johannes Berg, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot, "James E.J. Bottomley", James Morris, Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K. Petersen", Max Filippov, Mimi Zohar, Muchun Song, Nathan Chancellor, Nick Desaulniers, Nuno Sá, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 13/32] mac80211: Use mem_to_flex_dup() with several structs
Date: Tue, 3 May 2022 18:44:22 -0700
Message-Id: <20220504014440.3697851-14-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds
checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying:

struct probe_resp
struct fils_discovery_data
struct unsol_bcast_probe_resp_data

Cc: Johannes Berg
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- net/mac80211/cfg.c | 22 ++++++---------------- net/mac80211/ieee80211_i.h | 12 ++++++------ 2 files changed, 12 insertions(+), 22 deletions(-) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index f1d211e61e49..355edbf41707 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -867,20 +867,16 @@ ieee80211_set_probe_resp(struct ieee80211_sub_if_data *sdata, const struct ieee80211_csa_settings *csa, const struct ieee80211_color_change_settings *cca) { - struct probe_resp *new, *old; + struct probe_resp *new = NULL, *old; if (!resp || !resp_len) return 1; old = sdata_dereference(sdata->u.ap.probe_resp, sdata); - new = kzalloc(sizeof(struct probe_resp) + resp_len, GFP_KERNEL); - if (!new) + if (mem_to_flex_dup(&new, resp, resp_len, GFP_KERNEL)) return -ENOMEM; - new->len = resp_len; - memcpy(new->data, resp, resp_len); - if (csa) memcpy(new->cntdwn_counter_offsets, csa->counter_offsets_presp, csa->n_counter_offsets_presp * @@ -898,7 +894,7 @@ ieee80211_set_probe_resp(struct ieee80211_sub_if_data *sdata, static int ieee80211_set_fils_discovery(struct ieee80211_sub_if_data *sdata, struct cfg80211_fils_discovery *params) { - struct fils_discovery_data *new, *old = NULL; + struct fils_discovery_data *new = NULL, *old = NULL; struct ieee80211_fils_discovery *fd; if (!params->tmpl || !params->tmpl_len)
@@ -909,11 +905,8 @@ static int ieee80211_set_fils_discovery(struct ieee80211_sub_if_data *sdata, fd->max_interval = params->max_interval; old = sdata_dereference(sdata->u.ap.fils_discovery, sdata); - new = kzalloc(sizeof(*new) + params->tmpl_len, GFP_KERNEL); - if (!new) + if (mem_to_flex_dup(&new, params->tmpl, params->tmpl_len, GFP_KERNEL)) return -ENOMEM; - new->len = params->tmpl_len; - memcpy(new->data, params->tmpl, params->tmpl_len); rcu_assign_pointer(sdata->u.ap.fils_discovery, new); if (old) @@ -926,17 +919,14 @@ static int ieee80211_set_unsol_bcast_probe_resp(struct ieee80211_sub_if_data *sdata, struct cfg80211_unsol_bcast_probe_resp *params) { - struct unsol_bcast_probe_resp_data *new, *old = NULL; + struct unsol_bcast_probe_resp_data *new = NULL, *old = NULL; if (!params->tmpl || !params->tmpl_len) return -EINVAL; old = sdata_dereference(sdata->u.ap.unsol_bcast_probe_resp, sdata); - new = kzalloc(sizeof(*new) + params->tmpl_len, GFP_KERNEL); - if (!new) + if (mem_to_flex_dup(&new, params->tmpl, params->tmpl_len, GFP_KERNEL)) return -ENOMEM; - new->len = params->tmpl_len; - memcpy(new->data, params->tmpl, params->tmpl_len); rcu_assign_pointer(sdata->u.ap.unsol_bcast_probe_resp, new); if (old) diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index d4a7ba4a8202..2e9bbfb12c0d 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h 
@@ -263,21 +263,21 @@ struct beacon_data { struct probe_resp { struct rcu_head rcu_head; - int len; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); u16 cntdwn_counter_offsets[IEEE80211_MAX_CNTDWN_COUNTERS_NUM]; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; struct fils_discovery_data { struct rcu_head rcu_head; - int len; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; struct unsol_bcast_probe_resp_data { struct rcu_head rcu_head; - int len; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; struct ps_data {
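Review bot: In ieee80211_set_probe_resp() the removed allocation was kzalloc(), and cntdwn_counter_offsets is only written conditionally (`if (csa) memcpy(new->cntdwn_counter_offsets, ...)`), so any entries not written there relied on the zeroing. Nothing in this patch shows whether mem_to_flex_dup() zero-initialises the non-flexible members of struct probe_resp; please confirm that it does and say so in the commit message, or clear the array explicitly after the call. Separately, all three converted call sites in net/mac80211/cfg.c return -ENOMEM for any nonzero result, although the helper is described as doing bounds checking as well as allocation; returning the helper's own error code would avoid reporting a rejected length as out-of-memory.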
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Kuniyuki Iwashima, Alexei Starovoitov, Cong Wang, Al Viro, netdev@vger.kernel.org, alsa-devel@alsa-project.org, Andrew Gabbasov, Andrew Morton, Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot, "James E.J. Bottomley", James Morris, Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K. Petersen", Max Filippov, Mimi Zohar, Muchun Song, Nathan Chancellor, Nick Desaulniers, Nuno Sá, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 14/32] af_unix: Use mem_to_flex_dup() with struct unix_address
Date: Tue, 3 May 2022 18:44:23 -0700
Message-Id: <20220504014440.3697851-15-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform
bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Kuniyuki Iwashima
Cc: Alexei Starovoitov
Cc: Cong Wang
Cc: Al Viro
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- include/net/af_unix.h | 14 ++++++++++++-- net/unix/af_unix.c | 7 ++----- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/include/net/af_unix.h b/include/net/af_unix.h index a7ef624ed726..422535b71295 100644 --- a/include/net/af_unix.h +++ b/include/net/af_unix.h @@ -25,8 +25,18 @@ extern struct hlist_head unix_socket_table[2 * UNIX_HASH_SIZE]; struct unix_address { refcount_t refcnt; - int len; - struct sockaddr_un name[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); + union { + DECLARE_FLEX_ARRAY(struct sockaddr_un, name); + /* + * While a struct is used to access the flexible + * array, it may only be partially populated, and + * "len" above is actually tracking bytes, not a + * count of struct sockaddr_un elements, so also + * include a byte-size flexible array. + */ + DECLARE_FLEX_ARRAY_ELEMENTS(u8, bytes); + }; }; struct unix_skb_parms { diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index e1dd9e9c8452..8410cbc82ded 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c
@@ -244,15 +244,12 @@ EXPORT_SYMBOL_GPL(unix_peer_get); static struct unix_address *unix_create_addr(struct sockaddr_un *sunaddr, int addr_len) { - struct unix_address *addr; + struct unix_address *addr = NULL; - addr = kmalloc(sizeof(*addr) + addr_len, GFP_KERNEL); - if (!addr) + if (mem_to_flex_dup(&addr, sunaddr, addr_len, GFP_KERNEL)) return NULL; refcount_set(&addr->refcnt, 1); - addr->len = addr_len; - memcpy(addr->name, sunaddr, addr_len); return addr; }
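Review bot: The commit message is the series' generic text and does not mention that struct unix_address in include/net/af_unix.h now wraps name[] in a union with a new u8 bytes[] member, which is the one non-mechanical part of this patch. The in-code comment explains that len tracks bytes rather than struct sockaddr_un elements, but the log should also say that the struct definition changed shape and that bytes, not name, is the member declared with DECLARE_FLEX_ARRAY_ELEMENTS, so it is presumably what mem_to_flex_dup() in unix_create_addr() copies into while existing users keep reading addr->name. A one-line comment at the call site pointing at the union would help the next reader who looks for the removed `memcpy(addr->name, sunaddr, addr_len);`.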
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Hulk Robot, Yang Yingliang, netdev@vger.kernel.org, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, "James E.J. Bottomley", James Morris, Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K. Petersen", Max Filippov, Mimi Zohar, Muchun Song, Nathan Chancellor, Nick Desaulniers, Nuno Sá, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng
Subject: [PATCH 15/32] 802/garp: Use mem_to_flex_dup() with struct garp_attr
Date: Tue, 3 May 2022 18:44:24 -0700
Message-Id: <20220504014440.3697851-16-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all
memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Hulk Robot
Cc: Yang Yingliang
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- include/net/garp.h | 4 ++-- net/802/garp.c | 9 +++------ 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/include/net/garp.h b/include/net/garp.h index 4d9a0c6a2e5f..ec087ae534e7 100644 --- a/include/net/garp.h +++ b/include/net/garp.h @@ -80,8 +80,8 @@ struct garp_attr { struct rb_node node; enum garp_applicant_state state; u8 type; - u8 dlen; - unsigned char data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u8, dlen); + DECLARE_FLEX_ARRAY_ELEMENTS(unsigned char, data); }; enum garp_applications { diff --git a/net/802/garp.c b/net/802/garp.c index f6012f8e59f0..72743ed00a54 100644 --- a/net/802/garp.c +++ b/net/802/garp.c @@ -168,7 +168,7 @@ static struct garp_attr *garp_attr_create(struct garp_applicant *app, const void *data, u8 len, u8 type) { struct rb_node *parent = NULL, **p = &app->gid.rb_node; - struct garp_attr *attr; + struct garp_attr *attr = NULL; int d; while (*p) {
@@ -184,13 +184,10 @@ static struct garp_attr *garp_attr_create(struct garp_applicant *app, return attr; } } - attr = kmalloc(sizeof(*attr) + len, GFP_ATOMIC); - if (!attr) - return attr; + if (mem_to_flex_dup(&attr, data, len, GFP_ATOMIC)) + return NULL; attr->state = GARP_APPLICANT_VO; attr->type = type; - attr->dlen = len; - memcpy(attr->data, data, len); rb_link_node(&attr->node, parent, p); rb_insert_color(&attr->node, &app->gid);
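Review bot: In garp_attr_create() attr is not guaranteed to be NULL when mem_to_flex_dup(&attr, data, len, GFP_ATOMIC) is reached. The new `= NULL` initialiser only covers an empty tree: attr is also the cursor of the `while (*p)` walk (the loop's `return attr;` on a match shows it is assigned there), so after a walk that finds no match it still points at the last node visited. Every conversion on this page adds a NULL initialiser ahead of the call, which suggests the helper expects an empty destination pointer; if so, this call either fails or overwrites the cursor whenever the tree is non-empty. Use a separate variable for the new allocation, or set attr = NULL immediately before the call.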
se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 97dff336-cb4d-11ec-a406-831a346695d4; Wed, 04 May 2022 03:57:47 +0200 (CEST) Received: by mail-pj1-x102a.google.com with SMTP id a15-20020a17090ad80f00b001dc2e23ad84so3926618pjv.4 for ; Tue, 03 May 2022 18:57:47 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id g13-20020a170902c38d00b0015e8d4eb1efsm6956799plg.57.2022.05.03.18.57.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 May 2022 18:57:45 -0700 (PDT) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 97dff336-cb4d-11ec-a406-831a346695d4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=hCvG0k88HO9y5mV8jIlfDaOoiV0I/JnHiEgOfadNreI=; b=nTykdqnni29IYFP/aKlZ1tz+wSZFndNhf6nwtWAlZtsI1+zfxgtaBvH+tz4Jq/XHTo 7HJGSNs/F64gdmokeo6uSP6KePJfQuFps/a+uVb9CQhG7Wm+ptt1Wr19Dv7sboM4E5DX 5fllnhK611XRrQM46REzeI6j7l3nMzBYK6UHc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=hCvG0k88HO9y5mV8jIlfDaOoiV0I/JnHiEgOfadNreI=; b=brNgfaaCL7He9Owu/9/fUGSWn8KCFVdzHINdxZPyvKW2RztN60wTMzTYA9K9neWUBZ UrPqHP0x3wFSIDouuPuF+MawWb+J999GUskos8pMCPWVQB3rj40TwtGZUtTqN3m3XuFO umwppx1em2pGomI9l7BlkZ3MvNOgRwnyeVq8BqrTvxAGzlKwk6M8iUWAho/abEN9uvLY 012KS/UsEWOw3eLxuTA32qcqKhKB19n4ZE975hBukPP0U4Ff/oZdJR7YOhPRF8zucREX gNs85c8WQp+NJ2KV2nMh/0InA37BAl7kOXuIje9vcn4PZAfvfX5mArERQ6RPXES6a9Ip c7ew== X-Gm-Message-State: AOAM5302AlPtotpIUwVmd//FtXmkR9hy3GhhqtEb/y+8KJ+KA9RgPWzS dlEgmru50BRpilyP6GIPxtxZEw== X-Google-Smtp-Source: 
ABdhPJy/xxcAxGHu6MAf8PWivCJIfByxF3Ri1FspSsyk9y0AdnFFlTGxMLPZluu1QVnfA2Jry7j06A== X-Received: by 2002:a17:90a:343:b0:1cb:234a:a975 with SMTP id 3-20020a17090a034300b001cb234aa975mr7933650pjf.83.1651629465679; Tue, 03 May 2022 18:57:45 -0700 (PDT) 
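Review bot: In garp_attr_create() the `= NULL` added at the declaration of `attr` does not hold by the time `mem_to_flex_dup(&attr, data, len, GFP_ATOMIC)` runs, because the rb-tree walk in between appears to use `attr` as its cursor (the context shows `return attr;` inside the `while (*p)` loop). If the helper expects a NULL destination on entry, which the added initializer suggests, it is handed a pointer to an existing node whenever the tree is non-empty and no match was found. Set `attr = NULL;` immediately before the call, or walk the tree with a separate variable. The u8 `len` argument matches the u8 `dlen` counter, so no narrowing is introduced by this conversion.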
From: Kees Cook To: "Gustavo A . R . Silva" Subject: [PATCH 16/32] 802/mrp: Use mem_to_flex_dup() with struct mrp_attr Date: Tue, 3 May 2022 18:44:25 -0700 Message-Id: <20220504014440.3697851-17-keescook@chromium.org> In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org>
As part of the work to perform bounds checking on all
memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Yang Yingliang Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook --- include/net/mrp.h | 4 ++-- net/802/mrp.c | 9 +++------ 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/include/net/mrp.h b/include/net/mrp.h index 1c308c034e1a..211670bb46f2 100644 --- a/include/net/mrp.h +++ b/include/net/mrp.h @@ -91,8 +91,8 @@ struct mrp_attr { struct rb_node node; enum mrp_applicant_state state; u8 type; - u8 len; - unsigned char value[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u8, len); + DECLARE_FLEX_ARRAY_ELEMENTS(unsigned char, value); }; enum mrp_applications { diff --git a/net/802/mrp.c b/net/802/mrp.c index 35e04cc5390c..8b9b2e685a42 100644 --- a/net/802/mrp.c +++ b/net/802/mrp.c @@ -257,7 +257,7 @@ static struct mrp_attr *mrp_attr_create(struct mrp_applicant *app, const void *value, u8 len, u8 type) { struct rb_node *parent = NULL, **p = &app->mad.rb_node; - struct mrp_attr *attr; + struct mrp_attr *attr = NULL; int d; while (*p) { 
@@ -273,13 +273,10 @@ static struct mrp_attr *mrp_attr_create(struct mrp_applicant *app, return attr; } } - attr = kmalloc(sizeof(*attr) + len, GFP_ATOMIC); - if (!attr) - return attr; + if (mem_to_flex_dup(&attr, value, len, GFP_ATOMIC)) + return NULL; attr->state = MRP_APPLICANT_VO; attr->type = type; - attr->len = len; - memcpy(attr->value, value, len); rb_link_node(&attr->node, parent, p); rb_insert_color(&attr->node, &app->mad); From patchwork Wed May 4 01:44:26 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837138
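Review bot: mrp_attr_create() hands `&attr` to mem_to_flex_dup() after the rb-tree walk, and the context (`return attr;` inside the `while (*p)` loop) indicates the walk stores each visited node in `attr`, so the `= NULL` added at the declaration is overwritten before the call on any non-empty tree. If the helper treats a non-NULL destination as an error or as an existing object, new attributes can no longer be created once the tree has an entry. Use a dedicated cursor for the walk, or clear `attr` right before the call. In include/net/mrp.h, a one-line comment saying that `len` counts the bytes in `value` would help now that both members are declared through macros.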
From: Kees Cook To: "Gustavo A . R . Silva" Subject: [PATCH 17/32] net/flow_offload: Use mem_to_flex_dup() with struct flow_action_cookie Date: Tue, 3 May 2022 18:44:26 -0700 Message-Id: <20220504014440.3697851-18-keescook@chromium.org> In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org>
As part of the work to perform
bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Baowen Zheng Cc: Eli Cohen Cc: Louis Peens Cc: Simon Horman Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook --- include/net/flow_offload.h | 4 ++-- net/core/flow_offload.c | 7 ++----- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h index 021778a7e1af..ca5db457a0bc 100644 --- a/include/net/flow_offload.h +++ b/include/net/flow_offload.h @@ -190,8 +190,8 @@ enum flow_action_hw_stats { typedef void (*action_destr)(void *priv); struct flow_action_cookie { - u32 cookie_len; - u8 cookie[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, cookie_len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, cookie); }; struct flow_action_cookie *flow_action_cookie_create(void *data, diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c index 73f68d4625f3..e23c8d05b828 100644 --- a/net/core/flow_offload.c +++ b/net/core/flow_offload.c 
@@ -199,13 +199,10 @@ struct flow_action_cookie *flow_action_cookie_create(void *data, unsigned int len, gfp_t gfp) { - struct flow_action_cookie *cookie; + struct flow_action_cookie *cookie = NULL; - cookie = kmalloc(sizeof(*cookie) + len, gfp); - if (!cookie) + if (mem_to_flex_dup(&cookie, data, len, gfp)) return NULL; - cookie->cookie_len = len; - memcpy(cookie->cookie, data, len); return cookie; } EXPORT_SYMBOL(flow_action_cookie_create); From patchwork Wed May 4 01:44:27 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837128
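Review bot: flow_action_cookie_create() now returns NULL for any non-zero result of mem_to_flex_dup(), so callers that treat NULL as out-of-memory cannot tell an allocation failure from a rejection by the helper's bounds check. With `unsigned int len` feeding a u32 `cookie_len` the count always fits the counter, so the commit message could say that the only expected failure here remains allocation failure; as posted it is the generic series text and says nothing about this struct. Since `data` is only read, the prototype could also take `const void *data` while this function is being touched.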
From: Kees Cook To: "Gustavo A . R . Silva" Subject: [PATCH 18/32] firewire: Use __mem_to_flex_dup() with struct iso_interrupt_event Date: Tue, 3 May 2022 18:44:27 -0700 Message-Id: <20220504014440.3697851-19-keescook@chromium.org> In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org>
As
part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Stefan Richter Cc: linux1394-devel@lists.sourceforge.net Signed-off-by: Kees Cook --- drivers/firewire/core-cdev.c | 7 ++----- include/uapi/linux/firewire-cdev.h | 4 ++-- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c index c9fe5903725a..7e884c61e12e 100644 --- a/drivers/firewire/core-cdev.c +++ b/drivers/firewire/core-cdev.c @@ -913,17 +913,14 @@ static void iso_callback(struct fw_iso_context *context, u32 cycle, size_t header_length, void *header, void *data) { struct client *client = data; - struct iso_interrupt_event *e; + struct iso_interrupt_event *e = NULL; - e = kmalloc(sizeof(*e) + header_length, GFP_ATOMIC); - if (e == NULL) + if (__mem_to_flex_dup(&e, .interrupt, header, header_length, GFP_ATOMIC)) return; e->interrupt.type = FW_CDEV_EVENT_ISO_INTERRUPT; e->interrupt.closure = client->iso_closure; e->interrupt.cycle = cycle; - e->interrupt.header_length = header_length; - memcpy(e->interrupt.header, header, header_length); queue_event(client, &e->event, &e->interrupt, sizeof(e->interrupt) + header_length, NULL, 0); } diff --git a/include/uapi/linux/firewire-cdev.h b/include/uapi/linux/firewire-cdev.h index 5effa9832802..22c5f59e9dfa 100644 --- a/include/uapi/linux/firewire-cdev.h +++ b/include/uapi/linux/firewire-cdev.h 
@@ -264,8 +264,8 @@ struct fw_cdev_event_iso_interrupt { __u64 closure; __u32 type; __u32 cycle; - __u32 header_length; - __u32 header[0]; + __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u32, header_length); + __DECLARE_FLEX_ARRAY_ELEMENTS(__u32, header); }; /** From patchwork Wed May 4 01:44:28 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837137
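Review bot: In iso_callback() `header_length` is used as a byte count (the removed lines allocate `sizeof(*e) + header_length` and copy `header_length` bytes, and `queue_event()` still sends `sizeof(e->interrupt) + header_length`), but the uapi hunk declares it as the element count of a `__u32` array. If __mem_to_flex_dup() sizes the allocation and the copy as count times sizeof(__u32), it reads four times `header_length` bytes from `header`. Pass an element count to the helper while keeping the byte meaning of the field that userspace sees, or describe the array with byte-sized elements. Two further points: `header_length` is a size_t going into a __u32 counter, and include/uapi/linux/firewire-cdev.h now depends on the __DECLARE_FLEX_ARRAY_ELEMENTS* macros while its 2-line change adds no #include that would make them visible to userspace builds.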
From: Kees Cook To: "Gustavo A . R . Silva" Subject: [PATCH 19/32] afs: Use mem_to_flex_dup() with struct afs_acl Date: Tue, 3 May 2022 18:44:28 -0700 Message-Id: <20220504014440.3697851-20-keescook@chromium.org> In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org>
As
part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: David Howells Cc: Marc Dionne Cc: linux-afs@lists.infradead.org Signed-off-by: Kees Cook --- fs/afs/internal.h | 4 ++-- fs/afs/xattr.c | 7 ++----- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/fs/afs/internal.h b/fs/afs/internal.h index 7a72e9c60423..83014d20b6b3 100644 --- a/fs/afs/internal.h +++ b/fs/afs/internal.h @@ -1125,8 +1125,8 @@ extern bool afs_fs_get_capabilities(struct afs_net *, struct afs_server *, extern void afs_fs_inline_bulk_status(struct afs_operation *); struct afs_acl { - u32 size; - u8 data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, size); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); }; extern void afs_fs_fetch_acl(struct afs_operation *); diff --git a/fs/afs/xattr.c b/fs/afs/xattr.c index 7751b0b3f81d..77b3af283d49 100644 --- a/fs/afs/xattr.c +++ b/fs/afs/xattr.c
@@ -73,16 +73,13 @@ static int afs_xattr_get_acl(const struct xattr_handler *handler, static bool afs_make_acl(struct afs_operation *op, const void *buffer, size_t size) { - struct afs_acl *acl; + struct afs_acl *acl = NULL; - acl = kmalloc(sizeof(*acl) + size, GFP_KERNEL); - if (!acl) { + if (mem_to_flex_dup(&acl, buffer, size, GFP_KERNEL)) { afs_op_nomem(op); return false; } - acl->size = size; - memcpy(acl->data, buffer, size); op->acl = acl; return true; } From patchwork Wed May 4 01:44:29 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837135 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 70123C433EF for ; Wed, 4 May 2022 05:16:52 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.320050.540772 (Exim 4.92) (envelope-from ) id 1nm7NQ-0002PA-Gr; Wed, 04 May 2022 05:16:40 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 320050.540772; Wed, 04 May 2022 05:16:39 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm7NO-0002Eg-6E; Wed, 04 May 2022 05:16:38 +0000 Received: by outflank-mailman (input) for mailman id 320050; Wed, 04 May 2022 01:52:46 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm4C6-0008Vf-JM for xen-devel@lists.xenproject.org; Wed, 04 May 2022 01:52:46 +0000 Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com 
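Review bot: in afs_make_acl() (the fs/afs/xattr.c hunk), every non-zero return from mem_to_flex_dup() is reported through afs_op_nomem(), but the commit message says the helper also performs bounds checking, and size is a size_t while the counter in struct afs_acl is declared as u32. If the helper can reject a size that does not fit the counter, that failure is now indistinguishable from an allocation failure. Consider keeping the return value and handling the non-allocation case separately, or state in the commit message that out-of-memory is the only failure reachable here. The removed "acl->size = size;" narrowed a size_t into a u32 with no range check, so if the helper now refuses such values, the message should mention that as a behaviour change.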
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, Lars-Peter Clausen, Nuno Sá, Liam Girdwood, Mark Brown, Jaroslav Kysela, Takashi Iwai, alsa-devel@alsa-project.org, Alexei Starovoitov, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, "David S. Miller", Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Dumazet, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot, Jakub Kicinski, "James E.J. Bottomley", James Morris, Jarkko Sakkinen, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lee Jones, Leon Romanovsky, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, "Martin K. Petersen", Max Filippov, Mimi Zohar, Muchun Song, Nathan Chancellor, netdev@vger.kernel.org, Nick Desaulniers, Paolo Abeni, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 20/32] ASoC: sigmadsp: Use mem_to_flex_dup() with struct sigmadsp_data
Date: Tue, 3 May 2022 18:44:29 -0700
Message-Id: <20220504014440.3697851-21-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
MIME-Version: 1.0
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026

As part of the work to perform
bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Lars-Peter Clausen Cc: "Nuno Sá" Cc: Liam Girdwood Cc: Mark Brown Cc: Jaroslav Kysela Cc: Takashi Iwai Cc: alsa-devel@alsa-project.org Signed-off-by: Kees Cook Acked-by: Mark Brown --- sound/soc/codecs/sigmadsp.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/sound/soc/codecs/sigmadsp.c b/sound/soc/codecs/sigmadsp.c index b992216aee55..648bdc73c5d9 100644 --- a/sound/soc/codecs/sigmadsp.c +++ b/sound/soc/codecs/sigmadsp.c @@ -42,8 +42,8 @@ struct sigmadsp_data { struct list_head head; uint32_t samplerates; unsigned int addr; - unsigned int length; - uint8_t data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned int, length); + DECLARE_FLEX_ARRAY_ELEMENTS(uint8_t, data); }; struct sigma_fw_chunk { @@ -263,7 +263,7 @@ static int sigma_fw_load_data(struct sigmadsp *sigmadsp, const struct sigma_fw_chunk *chunk, unsigned int length) { const struct sigma_fw_chunk_data *data_chunk; - struct sigmadsp_data *data; + struct sigmadsp_data *data = NULL; if (length <= sizeof(*data_chunk)) return -EINVAL;
@@ -272,14 +272,11 @@ static int sigma_fw_load_data(struct sigmadsp *sigmadsp, length -= sizeof(*data_chunk); - data = kzalloc(sizeof(*data) + length, GFP_KERNEL); - if (!data) + if (mem_to_flex_dup(&data, data_chunk->data, length, GFP_KERNEL)) return -ENOMEM; data->addr = le16_to_cpu(data_chunk->addr); - data->length = length; data->samplerates = le32_to_cpu(chunk->samplerates); - memcpy(data->data, data_chunk->data, length); list_add_tail(&data->head, &sigmadsp->data_list); return 0; From patchwork Wed May 4 01:44:30 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837131 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id F2EA2C433F5 for ; Wed, 4 May 2022 05:16:42 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.320044.540729 (Exim 4.92) (envelope-from ) id 1nm7NG-0000S0-JR; Wed, 04 May 2022 05:16:30 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 320044.540729; Wed, 04 May 2022 05:16:30 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm7NF-0000MJ-KA; Wed, 04 May 2022 05:16:29 +0000 Received: by outflank-mailman (input) for mailman id 320044; Wed, 04 May 2022 01:51:49 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm47I-0007U4-Gb for xen-devel@lists.xenproject.org; Wed, 04 May 2022 01:47:48 +0000 Received: from mail-pg1-x530.google.com 
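Review bot: in sigma_fw_load_data(), the removed allocation was kzalloc() and the replacement hides the allocator inside mem_to_flex_dup(), so this hunk does not show whether the non-array members of struct sigmadsp_data still start out zeroed. addr, samplerates and head are all written before the function returns, so nothing is left uninitialised on this path, but the commit message should state whether the helper zeroes the allocation so that members added to the struct later do not silently depend on it.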
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, Andy Gross, Bjorn Andersson, linux-arm-msm@vger.kernel.org, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andrew Morton, Andy Lavr, Arend van Spriel, Baowen Zheng, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Brauner, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, "David S. Miller", Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Dumazet, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot, Jakub Kicinski, "James E.J. Bottomley", James Morris, Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K. Petersen", Max Filippov, Mimi Zohar, Muchun Song, Nathan Chancellor, netdev@vger.kernel.org, Nick Desaulniers, Nuno Sá, Paolo Abeni, Paul Moore, Rich Felker, Rob Herring, Russell King, selinux@vger.kernel.org, "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 21/32] soc: qcom: apr: Use mem_to_flex_dup() with struct apr_rx_buf
Date: Tue, 3 May 2022 18:44:30 -0700
Message-Id: <20220504014440.3697851-22-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
MIME-Version: 1.0
X-Developer-Key: i=keescook@chromium.org; a=openpgp;
fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Andy Gross Cc: Bjorn Andersson Cc: linux-arm-msm@vger.kernel.org Signed-off-by: Kees Cook --- drivers/soc/qcom/apr.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/drivers/soc/qcom/apr.c b/drivers/soc/qcom/apr.c index 3caabd873322..6cf6f6df276e 100644 --- a/drivers/soc/qcom/apr.c +++ b/drivers/soc/qcom/apr.c @@ -40,8 +40,8 @@ struct packet_router { struct apr_rx_buf { struct list_head node; - int len; - uint8_t buf[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len); + DECLARE_FLEX_ARRAY_ELEMENTS(uint8_t, buf); }; /** @@ -162,7 +162,7 @@ static int apr_callback(struct rpmsg_device *rpdev, void *buf, int len, void *priv, u32 addr) { struct packet_router *apr = dev_get_drvdata(&rpdev->dev); - struct apr_rx_buf *abuf; + struct apr_rx_buf *abuf = NULL; unsigned long flags; if (len <= APR_HDR_SIZE) {
@@ -171,13 +171,9 @@ static int apr_callback(struct rpmsg_device *rpdev, void *buf, return -EINVAL; } - abuf = kzalloc(sizeof(*abuf) + len, GFP_ATOMIC); - if (!abuf) + if (mem_to_flex_dup(&abuf, buf, len, GFP_ATOMIC)) return -ENOMEM; - abuf->len = len; - memcpy(abuf->buf, buf, len); - spin_lock_irqsave(&apr->rx_lock, flags); list_add_tail(&abuf->node, &apr->rx_list); spin_unlock_irqrestore(&apr->rx_lock, flags); From patchwork Wed May 4 01:44:31 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837130 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 528FAC433EF for ; Wed, 4 May 2022 05:16:42 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.320040.540720 (Exim 4.92) (envelope-from ) id 1nm7NF-00007m-AL; Wed, 04 May 2022 05:16:29 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 320040.540720; Wed, 04 May 2022 05:16:29 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm7NE-0008Tk-5h; Wed, 04 May 2022 05:16:28 +0000 Received: by outflank-mailman (input) for mailman id 320040; Wed, 04 May 2022 01:47:48 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm47I-0007U1-Ql for xen-devel@lists.xenproject.org; Wed, 04 May 2022 01:47:48 +0000 Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [2607:f8b0:4864:20::1032]) by se1-gles-sth1.inumbo.com 
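Review bot: the struct apr_rx_buf hunk keeps the element counter as a signed int, "DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len);", so the type still admits negative lengths, and whether the earlier "len <= APR_HDR_SIZE" test in apr_callback() excludes them depends on the type of APR_HDR_SIZE, which is not visible in this patch. Since the series is about bounds checking, consider making the counter an unsigned type here, or add a comment explaining why a negative len cannot reach mem_to_flex_dup(). The removed allocation was kzalloc(), so please also confirm that the helper zeroes the buffer or that no reader of abuf depends on it.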
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook, Russell King, Christian Brauner, Andrew Morton, Muchun Song, linux-arm-kernel@lists.infradead.org, Alexei Starovoitov, alsa-devel@alsa-project.org, Al Viro, Andrew Gabbasov, Andy Gross, Andy Lavr, Arend van Spriel, Baowen Zheng, Bjorn Andersson, Boris Ostrovsky, Bradley Grove, brcm80211-dev-list.pdl@broadcom.com, Christian Göttsche, Christian Lamparter, Chris Zankel, Cong Wang, Daniel Axtens, Daniel Vetter, Dan Williams, David Gow, David Howells, "David S. Miller", Dennis Dalessandro, devicetree@vger.kernel.org, Dexuan Cui, Dmitry Kasatkin, Eli Cohen, Eric Dumazet, Eric Paris, Eugeniu Rosca, Felipe Balbi, Francis Laniel, Frank Rowand, Franky Lin, Greg Kroah-Hartman, Gregory Greenman, Guenter Roeck, Haiyang Zhang, Hante Meuleman, Herbert Xu, Hulk Robot, Jakub Kicinski, "James E.J. Bottomley", James Morris, Jarkko Sakkinen, Jaroslav Kysela, Jason Gunthorpe, Jens Axboe, Johan Hedberg, Johannes Berg, Johannes Berg, John Keeping, Juergen Gross, Kalle Valo, Keith Packard, keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima, "K. Y. Srinivasan", Lars-Peter Clausen, Lee Jones, Leon Romanovsky, Liam Girdwood, linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain, Louis Peens, Luca Coelho, Luiz Augusto von Dentz, Marc Dionne, Marcel Holtmann, Mark Brown, "Martin K. Petersen", Max Filippov, Mimi Zohar, Nathan Chancellor, netdev@vger.kernel.org, Nick Desaulniers, Nuno Sá, Paolo Abeni, Paul Moore, Rich Felker, Rob Herring, selinux@vger.kernel.org, "Serge E. Hallyn", SHA-cyfmac-dev-list@infineon.com, Simon Horman, Stefano Stabellini, Stefan Richter, Steffen Klassert, Stephen Hemminger, Stephen Smalley, Tadeusz Struk, Takashi Iwai, Tom Rix, Udipto Goswami, Vincenzo Frascino, wcn36xx@lists.infradead.org, Wei Liu, xen-devel@lists.xenproject.org, Xiu Jianfeng, Yang Yingliang
Subject: [PATCH 22/32] atags_proc: Use mem_to_flex_dup() with struct buffer
Date: Tue, 3 May 2022 18:44:31 -0700
Message-Id: <20220504014440.3697851-23-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
MIME-Version: 1.0
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026

As part of the work to
perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Russell King Cc: Christian Brauner Cc: Andrew Morton Cc: Muchun Song Cc: linux-arm-kernel@lists.infradead.org Signed-off-by: Kees Cook --- arch/arm/kernel/atags_proc.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/arch/arm/kernel/atags_proc.c b/arch/arm/kernel/atags_proc.c index 3ec2afe78423..638bbb616daa 100644 --- a/arch/arm/kernel/atags_proc.c +++ b/arch/arm/kernel/atags_proc.c @@ -6,8 +6,8 @@ #include struct buffer { - size_t size; - char data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, size); + DECLARE_FLEX_ARRAY_ELEMENTS(char, data); }; static ssize_t atags_read(struct file *file, char __user *buf, @@ -38,7 +38,7 @@ static int __init init_atags_procfs(void) */ struct proc_dir_entry *tags_entry; struct tag *tag = (struct tag *)atags_copy; - struct buffer *b; + struct buffer *b = NULL; size_t size; if (tag->hdr.tag != ATAG_CORE) {
@@ -54,13 +54,9 @@ static int __init init_atags_procfs(void) WARN_ON(tag->hdr.tag != ATAG_NONE); - b = kmalloc(sizeof(*b) + size, GFP_KERNEL); - if (!b) + if (mem_to_flex_dup(&b, atags_copy, size, GFP_KERNEL)) goto nomem; - b->size = size; - memcpy(b->data, atags_copy, size); - tags_entry = proc_create_data("atags", 0400, NULL, &atags_proc_ops, b); if (!tags_entry) goto nomem; From patchwork Wed May 4 01:44:32 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837148 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 8B9F2C433F5 for ; Wed, 4 May 2022 05:17:21 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.320076.540910 (Exim 4.92) (envelope-from ) id 1nm7Nt-00018L-2P; Wed, 04 May 2022 05:17:09 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 320076.540910; Wed, 04 May 2022 05:17:08 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm7Nr-0000zb-GU; Wed, 04 May 2022 05:17:07 +0000 Received: by outflank-mailman (input) for mailman id 320076; Wed, 04 May 2022 01:57:51 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm4H1-0000D6-4y for xen-devel@lists.xenproject.org; Wed, 04 May 2022 01:57:51 +0000 Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [2607:f8b0:4864:20::1032]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 
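Review bot: none of the hunks in arch/arm/kernel/atags_proc.c adds an #include for the flex_array.h helper named in the commit message, although the file now uses DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(), DECLARE_FLEX_ARRAY_ELEMENTS() and mem_to_flex_dup(). If this relies on an indirect include, say so in the commit message, or include the header directly so the file keeps building when header dependencies change. The new "= NULL" initialiser on b in init_atags_procfs() also looks like a precondition of the helper; a sentence in the message or a short comment would make that requirement explicit.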
From: Kees Cook To: "Gustavo A . R . Silva" Cc: Kees Cook , Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , =?utf-8?q?Christian_G=C3=B6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Marc Dionne , Mark Brown , "Martin K. 
Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , Nick Desaulniers , =?utf-8?q?Nuno_S=C3=A1?= , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang Subject: [PATCH 23/32] Bluetooth: Use mem_to_flex_dup() with struct hci_op_configure_data_path Date: Tue, 3 May 2022 18:44:32 -0700 Message-Id: <20220504014440.3697851-24-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org> References: <20220504014440.3697851-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2134; h=from:subject; bh=wkblXI7lu8DePbBEkrWcF6TPvSCY+fsd3+cJcm8lUX8=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBicdqFhAG+9XZipSZhJ97uz0MVZAPm9ikLEayXBQca tSbucr2JAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYnHahQAKCRCJcvTf3G3AJuQgD/ 0RkSBHvTdsmM6uGZhl5vuzw4/t8A08lVzH+n9delDb7Snc4rClp98T7EnMak/i+Ne5YZV/OBum0+Ri 2Rso0KTZ7bgngl/ZWjToI21GZHTx0BvhmyN92pCyMRw8Q5g2WKeqI0pNWy8pO+tdkj+OZBI+kBTpzB DSCicDcFGgdZrS4ClZfIJ3ul5GuyH628GJbhzyj2IkHnbcVJTgVXEYTZfa9CUXIk5OxX0tgeN5hgKI YhvXiesuoZ4ZeGkGoBZgoWkyhWZg61taY7sMsK18JUdPuD2jO1Ziy7pPKMcmqr1QC1dxYBE2bshZ+7 3zm60sMtOhDVJc9pY0GGXTh83THBv9el1PLd8R1i03dHlFU+DYzQrq0OMEQ82DXkr9t89m7UmRpPNh UlFCgY75idmpPhVdKyd4ETvQlZtXZLEj7o98G9BByjCzXoXREee+09IWrA/DOZh7zHcuLHY4mwot7j j2JWq1nvZO0OVDBDjoUB6FMPShLAPZiPeGYn+67y9JU7lL1VFHN8sVsxBLq08bQ/HI32D+rAgZCCsn fVZ7tajhB6zkfYibttaD+E5RLSV+adLK+eXnFBqoQttbtNsKxuiZQF0dJZusj9dnKk/M5l3Ud90Uiq FXQeX6fOpiALefTfw5/ocOvMAHAP7Hz1WKgKO3NK7KYNbxbmS5+syYfDxdWQ== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 As part of the 
work to perform bounds checking on all memcpy() uses, replace the open-coded a deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Marcel Holtmann Cc: Johan Hedberg Cc: Luiz Augusto von Dentz Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: linux-bluetooth@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook --- include/net/bluetooth/hci.h | 4 ++-- net/bluetooth/hci_request.c | 9 ++------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h index 62a9bb022aed..7b398ef0b46d 100644 --- a/include/net/bluetooth/hci.h +++ b/include/net/bluetooth/hci.h @@ -1321,8 +1321,8 @@ struct hci_rp_read_local_oob_ext_data { struct hci_op_configure_data_path { __u8 direction; __u8 data_path_id; - __u8 vnd_len; - __u8 vnd_data[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u8, vnd_len); + DECLARE_FLEX_ARRAY_ELEMENTS(__u8, vnd_data); } __packed; #define HCI_OP_READ_LOCAL_VERSION 0x1001 diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c index f4afe482e300..e29be3810b93 100644 --- a/net/bluetooth/hci_request.c +++ b/net/bluetooth/hci_request.c 
@@ -2435,19 +2435,14 @@ int hci_req_configure_datapath(struct hci_dev *hdev, struct bt_codec *codec) if (err < 0) goto error; - cmd = kzalloc(sizeof(*cmd) + vnd_len, GFP_KERNEL); - if (!cmd) { - err = -ENOMEM; + err = mem_to_flex_dup(&cmd, vnd_data, vnd_len, GFP_KERNEL); + if (err < 0) goto error; - } err = hdev->get_data_path_id(hdev, &cmd->data_path_id); if (err < 0) goto error; - cmd->vnd_len = vnd_len; - memcpy(cmd->vnd_data, vnd_data, vnd_len); - cmd->direction = 0x00; hci_req_add(&req, HCI_CONFIGURE_DATA_PATH, sizeof(*cmd) + vnd_len, cmd); From patchwork Wed May 4 01:44:33 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837142 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 8A4DDC433F5 for ; Wed, 4 May 2022 05:17:08 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.320065.540849 (Exim 4.92) (envelope-from ) id 1nm7Ng-0006Lx-0y; Wed, 04 May 2022 05:16:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 320065.540849; Wed, 04 May 2022 05:16:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm7Ne-0006Fv-FL; Wed, 04 May 2022 05:16:54 +0000 Received: by outflank-mailman (input) for mailman id 320065; Wed, 04 May 2022 01:57:47 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm4Gx-0000D6-J8 for xen-devel@lists.xenproject.org; Wed, 04 May 2022 01:57:47 
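Review bot: struct hci_op_configure_data_path in include/net/bluetooth/hci.h is `__packed` and is passed to hci_req_add() as the command payload, so the commit message should state that DECLARE_FLEX_ARRAY_ELEMENTS_COUNT() and DECLARE_FLEX_ARRAY_ELEMENTS() leave member order, size and packing unchanged, with vnd_len still a single __u8 immediately before vnd_data. Because vnd_len is only 8 bits wide, it would also help to say what the helper does with a length that does not fit, since the removed `cmd->vnd_len = vnd_len;` would have truncated any wider value silently.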
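Review bot: In hci_req_configure_datapath(), the declaration of `cmd` is not part of the hunk, so the NULL initialisation that the hfi1, hv and ima conversions add to their destination pointers cannot be confirmed here; please include it if the helper requires it. The error path also changes: the function used to set `err = -ENOMEM` on allocation failure and now returns whatever mem_to_flex_dup() reports, which deserves a line in the commit message. The `sizeof(*cmd) + vnd_len` left in the hci_req_add() call is still open-coded and could become `struct_size(cmd, vnd_data, vnd_len)` to match the rest of the conversion.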
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 24/32] IB/hfi1: Use mem_to_flex_dup() for struct tid_rb_node
Date: Tue, 3 May 2022 18:44:33 -0700
Message-Id: <20220504014440.3697851-25-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
X-Developer-Key: i=keescook@chromium.org; a=openpgp;
fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded a deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Dennis Dalessandro Cc: Jason Gunthorpe Cc: Leon Romanovsky Cc: linux-rdma@vger.kernel.org Signed-off-by: Kees Cook --- drivers/infiniband/hw/hfi1/user_exp_rcv.c | 7 ++----- drivers/infiniband/hw/hfi1/user_exp_rcv.h | 4 ++-- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c index 186d30291260..f14846662ac9 100644 --- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c +++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c @@ -683,7 +683,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd, { int ret; struct hfi1_ctxtdata *uctxt = fd->uctxt; - struct tid_rb_node *node; + struct tid_rb_node *node = NULL; struct hfi1_devdata *dd = uctxt->dd; dma_addr_t phys; struct page **pages = tbuf->pages + pageidx; @@ -692,8 +692,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd, * Allocate the node first so we can handle a potential * failure before we've programmed anything. */ - node = kzalloc(struct_size(node, pages, npages), GFP_KERNEL); - if (!node) + if (mem_to_flex_dup(&node, pages, npages, GFP_KERNEL)) return -ENOMEM; phys = dma_map_single(&dd->pcidev->dev, __va(page_to_phys(pages[0])), @@ -707,12 +706,10 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd, node->fdata = fd; node->phys = page_to_phys(pages[0]); - node->npages = npages; node->rcventry = rcventry; node->dma_addr = phys; node->grp = grp; node->freed = false; - memcpy(node->pages, pages, flex_array_size(node, pages, npages)); if (fd->use_mn) { ret = mmu_interval_notifier_insert( 
diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.h b/drivers/infiniband/hw/hfi1/user_exp_rcv.h index 8c53e416bf84..4be3446c4d25 100644 --- a/drivers/infiniband/hw/hfi1/user_exp_rcv.h +++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.h 
@@ -32,8 +32,8 @@ struct tid_rb_node { u32 rcventry; dma_addr_t dma_addr; bool freed; - unsigned int npages; - struct page *pages[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned int, npages); + DECLARE_FLEX_ARRAY_ELEMENTS(struct page *, pages); }; static inline int num_user_pages(unsigned long addr, From patchwork Wed May 4 01:44:34 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837149 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 7D350C433F5 for ; Wed, 4 May 2022 05:17:24 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.320079.540918 (Exim 4.92) (envelope-from ) id 1nm7Nu-0001ih-Tj; Wed, 04 May 2022 05:17:10 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 320079.540918; Wed, 04 May 2022 05:17:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm7Nt-0001aH-Hx; Wed, 04 May 2022 05:17:09 +0000 Received: by outflank-mailman (input) for mailman id 320079; Wed, 04 May 2022 01:57:52 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm4H2-0000D6-50 for xen-devel@lists.xenproject.org; Wed, 04 May 2022 01:57:52 +0000 Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [2607:f8b0:4864:20::42c]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 992860bc-cb4d-11ec-a406-831a346695d4; Wed, 04 May 2022 03:57:49 +0200 (CEST) Received: by 
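Review bot: In set_rcvarray_entry(), `if (mem_to_flex_dup(&node, pages, npages, GFP_KERNEL)) return -ENOMEM;` reports every failure as out-of-memory, including a rejection by the helper's bounds checking. The function already declares `int ret;`, so `ret = mem_to_flex_dup(...); if (ret) return ret;` would preserve the real error, as the Bluetooth conversion in this series does with `err`.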
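Review bot: The removed `memcpy(node->pages, pages, flex_array_size(node, pages, npages));` in the third user_exp_rcv.c hunk copied npages elements of `struct page *`, while the replacement passes the bare `npages` to mem_to_flex_dup(). Please confirm in the commit message that the helper's third argument is an element count rather than a byte count; the Bluetooth, hv and ima conversions are over u8 arrays where the two coincide, so this is the place where a mismatch would copy only a fraction of the page pointers. The old code also relied on kzalloc() for any members this function does not assign, so the helper needs to return zeroed memory for the behaviour to stay the same.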
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 25/32] Drivers: hv: utils: Use mem_to_flex_dup() with struct cn_msg
Date: Tue, 3 May 2022 18:44:34 -0700
Message-Id: <20220504014440.3697851-26-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026

As part of the work
to perform bounds checking on all memcpy() uses, replace the open-coded a deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: "K. Y. Srinivasan" Cc: Haiyang Zhang Cc: Stephen Hemminger Cc: Wei Liu Cc: Dexuan Cui Cc: linux-hyperv@vger.kernel.org Signed-off-by: Kees Cook --- drivers/hv/hv_utils_transport.c | 7 ++----- include/uapi/linux/connector.h | 4 ++-- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/hv/hv_utils_transport.c b/drivers/hv/hv_utils_transport.c index 832885198643..43b4f8893cc0 100644 --- a/drivers/hv/hv_utils_transport.c +++ b/drivers/hv/hv_utils_transport.c @@ -217,20 +217,17 @@ static void hvt_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp) int hvutil_transport_send(struct hvutil_transport *hvt, void *msg, int len, void (*on_read_cb)(void)) { - struct cn_msg *cn_msg; + struct cn_msg *cn_msg = NULL; int ret = 0; if (hvt->mode == HVUTIL_TRANSPORT_INIT || hvt->mode == HVUTIL_TRANSPORT_DESTROY) { return -EINVAL; } else if (hvt->mode == HVUTIL_TRANSPORT_NETLINK) { - cn_msg = kzalloc(sizeof(*cn_msg) + len, GFP_ATOMIC); - if (!cn_msg) + if (mem_to_flex_dup(&cn_msg, msg, len, GFP_ATOMIC)) return -ENOMEM; cn_msg->id.idx = hvt->cn_id.idx; cn_msg->id.val = hvt->cn_id.val; - cn_msg->len = len; - memcpy(cn_msg->data, msg, len); ret = cn_netlink_send(cn_msg, 0, 0, GFP_ATOMIC); kfree(cn_msg); /* diff --git a/include/uapi/linux/connector.h b/include/uapi/linux/connector.h index 3738936149a2..b85bbe753dae 100644 --- a/include/uapi/linux/connector.h +++ b/include/uapi/linux/connector.h 
@@ -73,9 +73,9 @@ struct cn_msg { __u32 seq; __u32 ack; - __u16 len; /* Length of the following data */ + __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u16, len); __u16 flags; - __u8 data[0]; + __DECLARE_FLEX_ARRAY_ELEMENTS(__u8, data); }; #endif /* _UAPI__CONNECTOR_H */ From patchwork Wed May 4 01:44:35 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837143 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 7B8CAC433EF for ; Wed, 4 May 2022 05:17:09 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.320066.540857 (Exim 4.92) (envelope-from ) id 1nm7Ni-0006vs-0t; Wed, 04 May 2022 05:16:58 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 320066.540857; Wed, 04 May 2022 05:16:57 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm7Ng-0006ic-Re; Wed, 04 May 2022 05:16:56 +0000 Received: by outflank-mailman (input) for mailman id 320066; Wed, 04 May 2022 01:57:48 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm4Gy-0000D6-4l for xen-devel@lists.xenproject.org; Wed, 04 May 2022 01:57:48 +0000 Received: from mail-pg1-x52c.google.com (mail-pg1-x52c.google.com [2607:f8b0:4864:20::52c]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 97d10802-cb4d-11ec-a406-831a346695d4; Wed, 04 May 2022 03:57:47 +0200 (CEST) Received: by mail-pg1-x52c.google.com with SMTP id 
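Review bot: In hvutil_transport_send(), the old kzalloc() left cn_msg->seq, ->ack and ->flags zeroed, and the visible code still assigns only id.idx and id.val before cn_netlink_send(). If mem_to_flex_dup() does not return zeroed memory, those fields would carry stale heap contents out over netlink, so the zeroing guarantee should be stated in the commit message or the fields set explicitly. `len` is an `int` parameter while the count member is `__u16`, and a failure from the helper is returned as -ENOMEM; assigning the result to the existing `ret` and returning it would distinguish an out-of-range length from an allocation failure.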
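Review bot: include/uapi/linux/connector.h is a UAPI header, and this hunk replaces the zero-length `__u8 data[0]` with `__DECLARE_FLEX_ARRAY_ELEMENTS(__u8, data)` and wraps `len` in `__DECLARE_FLEX_ARRAY_ELEMENTS_COUNT()`. Please document that the expansion builds in user space without kernel-only headers and keeps the struct layout, with `flags` still sitting between `len` and `data`. The `/* Length of the following data */` comment on `len` is dropped by the change and is worth keeping.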
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 26/32] ima: Use mem_to_flex_dup() with struct modsig
Date: Tue, 3 May 2022 18:44:35 -0700
Message-Id: <20220504014440.3697851-27-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026

As part of the work to perform bounds
checking on all memcpy() uses, replace the open-coded a deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: James Morris Cc: "Serge E. Hallyn" Cc: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook --- security/integrity/ima/ima_modsig.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c index fb25723c65bc..200c080d36de 100644 --- a/security/integrity/ima/ima_modsig.c +++ b/security/integrity/ima/ima_modsig.c @@ -28,8 +28,8 @@ struct modsig { * This is what will go to the measurement list if the template requires * storing the signature. */ - int raw_pkcs7_len; - u8 raw_pkcs7[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, raw_pkcs7_len); + DECLARE_FLEX_ARRAY_ELEMENTS(u8, raw_pkcs7); }; /* @@ -42,7 +42,7 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, { const size_t marker_len = strlen(MODULE_SIG_STRING); const struct module_signature *sig; - struct modsig *hdr; + struct modsig *hdr = NULL; size_t sig_len; const void *p; int rc; @@ -65,8 +65,7 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, buf_len -= sig_len + sizeof(*sig); /* Allocate sig_len additional bytes to hold the raw PKCS#7 data. */ - hdr = kzalloc(sizeof(*hdr) + sig_len, GFP_KERNEL); - if (!hdr) + if (mem_to_flex_dup(&hdr, buf + buf_len, sig_len, GFP_KERNEL)) return -ENOMEM; hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len); 
@@ -76,9 +75,6 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, return rc; } - memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len); - hdr->raw_pkcs7_len = sig_len; - /* We don't know the hash algorithm yet. */ hdr->hash_algo = HASH_ALGO__LAST; From patchwork Wed May 4 01:44:36 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837141 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 89962C433F5 for ; Wed, 4 May 2022 05:17:06 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.320063.540837 (Exim 4.92) (envelope-from ) id 1nm7Ne-0005sA-5t; Wed, 04 May 2022 05:16:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 320063.540837; Wed, 04 May 2022 05:16:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm7Nc-0005hg-9B; Wed, 04 May 2022 05:16:52 +0000 Received: by outflank-mailman (input) for mailman id 320063; Wed, 04 May 2022 01:57:47 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm4Gx-0000DU-F7 for xen-devel@lists.xenproject.org; Wed, 04 May 2022 01:57:47 +0000 Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [2607:f8b0:4864:20::1030]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id 975afaa6-cb4d-11ec-8fc4-03012f2f19d4; Wed, 04 May 2022 03:57:46 +0200 (CEST) Received: by mail-pj1-x1030.google.com with SMTP id 
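Review bot: in ima_read_modsig() the removed allocation was kzalloc(), so every struct modsig member that the function does not assign afterwards started out as zero, and nothing in this patch shows that mem_to_flex_dup() gives the same guarantee. Please state in the commit message that the helper returns zeroed memory, or initialise the remaining members explicitly after the call. On the same hunk, every non-zero return is reported as -ENOMEM even though the commit message says the helper also does bounds checking, and sig_len is a size_t while raw_pkcs7_len is declared as an int count; returning the helper's own error code would keep a rejected length distinguishable from a failed allocation. The comment "Allocate sig_len additional bytes to hold the raw PKCS#7 data." should also mention the copy, which now happens before pkcs7_parse_message() instead of after it.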
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook , David Howells , Jarkko Sakkinen , James Morris , "Serge E. Hallyn" , keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , Christian Göttsche , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , "David S. Miller" , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Dumazet , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , netdev@vger.kernel.org, Nick Desaulniers , Nuno Sá , Paolo Abeni , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang
Subject: [PATCH 27/32] KEYS: Use mem_to_flex_dup() with struct user_key_payload
Date: Tue, 3 May 2022 18:44:36 -0700
Message-Id: <20220504014440.3697851-28-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
MIME-Version: 1.0

As part of the
work to perform bounds checking on all memcpy() uses, replace the open-coded a deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: David Howells Cc: Jarkko Sakkinen Cc: James Morris Cc: "Serge E. Hallyn" Cc: keyrings@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook --- include/keys/user-type.h | 4 ++-- security/keys/user_defined.c | 7 ++----- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/include/keys/user-type.h b/include/keys/user-type.h index 386c31432789..4e67ff902a32 100644 --- a/include/keys/user-type.h +++ b/include/keys/user-type.h @@ -26,8 +26,8 @@ */ struct user_key_payload { struct rcu_head rcu; /* RCU destructor */ - unsigned short datalen; /* length of this data */ - char data[] __aligned(__alignof__(u64)); /* actual data */ + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned short, datalen); + DECLARE_FLEX_ARRAY_ELEMENTS(char, data) __aligned(__alignof__(u64)); }; extern struct key_type key_type_user; diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c index 749e2a4dcb13..2fb84894cdaa 100644 --- a/security/keys/user_defined.c +++ b/security/keys/user_defined.c 
@@ -58,21 +58,18 @@ EXPORT_SYMBOL_GPL(key_type_logon); */ int user_preparse(struct key_preparsed_payload *prep) { - struct user_key_payload *upayload; + struct user_key_payload *upayload = NULL; size_t datalen = prep->datalen; if (datalen <= 0 || datalen > 32767 || !prep->data) return -EINVAL; - upayload = kmalloc(sizeof(*upayload) + datalen, GFP_KERNEL); - if (!upayload) + if (mem_to_flex_dup(&upayload, prep->data, datalen, GFP_KERNEL)) return -ENOMEM; /* attach the data */ prep->quotalen = datalen; prep->payload.data[0] = upayload; - upayload->datalen = datalen; - memcpy(upayload->data, prep->data, datalen); return 0; } EXPORT_SYMBOL_GPL(user_preparse); From patchwork Wed May 4 01:44:37 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837140 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 096D0C433F5 for ; Wed, 4 May 2022 05:17:04 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.320062.540827 (Exim 4.92) (envelope-from ) id 1nm7Nb-0005M1-G1; Wed, 04 May 2022 05:16:51 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 320062.540827; Wed, 04 May 2022 05:16:51 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm7Na-0005GQ-IV; Wed, 04 May 2022 05:16:50 +0000 Received: by outflank-mailman (input) for mailman id 320062; Wed, 04 May 2022 01:57:46 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with 
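Review bot: the struct user_key_payload hunk in include/keys/user-type.h drops both field comments ("length of this data" and "actual data") together with the open-coded declarations; please keep them on the new macro lines, since the member names are now only visible as macro arguments. The line "DECLARE_FLEX_ARRAY_ELEMENTS(char, data) __aligned(__alignof__(u64));" also depends on the macro expanding to a declaration that an attribute can follow, which should be documented next to the macro so later users know the alignment attribute is supported in that position.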
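Review bot: user_preparse() in security/keys/user_defined.c maps every non-zero result of mem_to_flex_dup() to -ENOMEM. The existing "datalen > 32767" check keeps datalen inside the range of the unsigned short count, so only an allocation failure is expected here, but that reasoning is not written down anywhere; either return the helper's error code directly or add a comment tying the 32767 limit to the type of datalen in struct user_key_payload.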
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook , Steffen Klassert , Herbert Xu , "David S. Miller" , Paul Moore , Stephen Smalley , Eric Paris , Nick Desaulniers , Xiu Jianfeng , Christian Göttsche , netdev@vger.kernel.org, selinux@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , Christian Lamparter , Chris Zankel , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Dumazet , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Guenter Roeck , Haiyang Zhang , Hante Meuleman , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , Nuno Sá , Paolo Abeni , Rich Felker , Rob Herring , Russell King , "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Stephen Hemminger , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Yang Yingliang
Subject: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab
Date: Tue, 3 May 2022 18:44:37 -0700
Message-Id: <20220504014440.3697851-29-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
MIME-Version: 1.0

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory
into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying: struct xfrm_sec_ctx struct sidtab_str_cache Cc: Steffen Klassert Cc: Herbert Xu Cc: "David S. Miller" Cc: Paul Moore Cc: Stephen Smalley Cc: Eric Paris Cc: Nick Desaulniers Cc: Xiu Jianfeng Cc: "Christian Göttsche" Cc: netdev@vger.kernel.org Cc: selinux@vger.kernel.org Signed-off-by: Kees Cook --- include/uapi/linux/xfrm.h | 4 ++-- security/selinux/ss/sidtab.c | 9 +++------ security/selinux/xfrm.c | 7 ++----- 3 files changed, 7 insertions(+), 13 deletions(-) diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h index 65e13a099b1a..4a6fa2beff6a 100644 --- a/include/uapi/linux/xfrm.h +++ b/include/uapi/linux/xfrm.h @@ -31,9 +31,9 @@ struct xfrm_id { struct xfrm_sec_ctx { __u8 ctx_doi; __u8 ctx_alg; - __u16 ctx_len; + __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u16, ctx_len); __u32 ctx_sid; - char ctx_str[0]; + __DECLARE_FLEX_ARRAY_ELEMENTS(char, ctx_str); }; /* Security Context Domains of Interpretation */ diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c index a54b8652bfb5..a9d434e8cff7 100644 --- a/security/selinux/ss/sidtab.c +++ b/security/selinux/ss/sidtab.c @@ -23,8 +23,8 @@ struct sidtab_str_cache { struct rcu_head rcu_member; struct list_head lru_member; struct sidtab_entry *parent; - u32 len; - char str[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, len); + DECLARE_FLEX_ARRAY_ELEMENTS(char, str); }; #define index_to_sid(index) ((index) + SECINITSID_NUM + 1) @@ -570,8 +570,7 @@ void sidtab_sid2str_put(struct sidtab *s, struct sidtab_entry *entry, goto out_unlock; } - cache = kmalloc(struct_size(cache, str, str_len), GFP_ATOMIC); - if (!cache) + if (mem_to_flex_dup(&cache, str, str_len, GFP_ATOMIC)) goto out_unlock; if (s->cache_free_slots == 0) { 
@@ -584,8 +583,6 @@ void sidtab_sid2str_put(struct sidtab *s, struct sidtab_entry *entry, s->cache_free_slots--; } cache->parent = entry; - cache->len = str_len; - memcpy(cache->str, str, str_len); list_add(&cache->lru_member, &s->cache_lru_list); rcu_assign_pointer(entry->cache, cache); diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index c576832febc6..bc7a54bf8f0d 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -345,7 +345,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, struct xfrm_sec_ctx *polsec, u32 secid) { int rc; - struct xfrm_sec_ctx *ctx; + struct xfrm_sec_ctx *ctx = NULL; char *ctx_str = NULL; u32 str_len; @@ -360,8 +360,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, if (rc) return rc; - ctx = kmalloc(struct_size(ctx, ctx_str, str_len), GFP_ATOMIC); - if (!ctx) { + if (mem_to_flex_dup(&ctx, ctx_str, str_len, GFP_ATOMIC)) { rc = -ENOMEM; goto out; } 
@@ -369,8 +368,6 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, ctx->ctx_doi = XFRM_SC_DOI_LSM; ctx->ctx_alg = XFRM_SC_ALG_SELINUX; ctx->ctx_sid = secid; - ctx->ctx_len = str_len; - memcpy(ctx->ctx_str, ctx_str, str_len); x->security = ctx; atomic_inc(&selinux_xfrm_refcount); From patchwork Wed May 4 01:44:38 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837132 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 63269C433F5 for ; Wed, 4 May 2022 05:16:45 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.320045.540739 (Exim 4.92) (envelope-from ) id 1nm7NI-0000pl-Bn; Wed, 04 May 2022 05:16:32 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 320045.540739; Wed, 04 May 2022 05:16:31 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm7NH-0000ky-95; Wed, 04 May 2022 05:16:31 +0000 Received: by outflank-mailman (input) for mailman id 320045; Wed, 04 May 2022 01:51:49 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm47L-0007U4-Kl for xen-devel@lists.xenproject.org; Wed, 04 May 2022 01:47:51 +0000 Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [2607:f8b0:4864:20::62b]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id 3467b003-cb4c-11ec-8fc4-03012f2f19d4; Wed, 04 May 2022 03:47:50 +0200 (CEST) Received: by 
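Review bot: include/uapi/linux/xfrm.h is a userspace-visible header, so the struct xfrm_sec_ctx hunk makes every program that includes it depend on __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT() and __DECLARE_FLEX_ARRAY_ELEMENTS(); the patch should say which UAPI header provides them and confirm that the member layout, with ctx_sid sitting between the count and the array, is unchanged. Turning "char ctx_str[0];" into a flexible array member can also trigger new compiler diagnostics in userspace code that embeds struct xfrm_sec_ctx in another struct or array, so the UAPI change deserves its own patch and justification instead of riding along with the SELinux conversion.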
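Review bot: in selinux_xfrm_state_alloc_acquire() str_len is a u32 but ctx_len is declared as a __u16 count, so a context string longer than 65535 bytes cannot be represented. The removed "ctx->ctx_len = str_len;" truncated silently while memcpy() copied the full string; the new code should say what happens in that case, and if mem_to_flex_dup() rejects the length, "rc = -ENOMEM;" misreports it. Assign the helper's return value to rc instead of a fixed -ENOMEM.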
From: Kees Cook
To: "Gustavo A . R . Silva"
Cc: Kees Cook , Chris Zankel , Max Filippov , Rob Herring , Frank Rowand , Guenter Roeck , linux-xtensa@linux-xtensa.org, devicetree@vger.kernel.org, Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , Christian Göttsche , Christian Lamparter , Cong Wang , Daniel Axtens , Daniel Vetter , Dan Williams , David Gow , David Howells , "David S. Miller" , Dennis Dalessandro , Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Dumazet , Eric Paris , Eugeniu Rosca , Felipe Balbi , Francis Laniel , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , Johannes Berg , Johannes Berg , John Keeping , Juergen Gross , Kalle Valo , Keith Packard , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. Petersen" , Mimi Zohar , Muchun Song , Nathan Chancellor , netdev@vger.kernel.org, Nick Desaulniers , Nuno Sá , Paolo Abeni , Paul Moore , Rich Felker , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Tadeusz Struk , Takashi Iwai , Tom Rix , Udipto Goswami , Vincenzo Frascino , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang
Subject: [PATCH 29/32] xtensa: Use mem_to_flex_dup() with struct property
Date: Tue, 3 May 2022 18:44:38 -0700
Message-Id: <20220504014440.3697851-30-keescook@chromium.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>
MIME-Version: 1.0

As part of the work to perform
bounds checking on all memcpy() uses, replace the open-coded a deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Chris Zankel Cc: Max Filippov Cc: Rob Herring Cc: Frank Rowand Cc: Guenter Roeck Cc: linux-xtensa@linux-xtensa.org Cc: devicetree@vger.kernel.org Signed-off-by: Kees Cook --- arch/xtensa/platforms/xtfpga/setup.c | 9 +++------ include/linux/of.h | 3 ++- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/arch/xtensa/platforms/xtfpga/setup.c b/arch/xtensa/platforms/xtfpga/setup.c index 538e6748e85a..31c1fa4ba4ec 100644 --- a/arch/xtensa/platforms/xtfpga/setup.c +++ b/arch/xtensa/platforms/xtfpga/setup.c @@ -102,7 +102,7 @@ CLK_OF_DECLARE(xtfpga_clk, "cdns,xtfpga-clock", xtfpga_clk_setup); #define MAC_LEN 6 static void __init update_local_mac(struct device_node *node) { - struct property *newmac; + struct property *newmac = NULL; const u8* macaddr; int prop_len; @@ -110,19 +110,16 @@ static void __init update_local_mac(struct device_node *node) if (macaddr == NULL || prop_len != MAC_LEN) return; - newmac = kzalloc(sizeof(*newmac) + MAC_LEN, GFP_KERNEL); - if (newmac == NULL) + if (mem_to_flex_dup(&newmac, macaddr, MAC_LEN, GFP_KERNEL)) return; - newmac->value = newmac + 1; - newmac->length = MAC_LEN; + newmac->value = newmac->contents; newmac->name = kstrdup("local-mac-address", GFP_KERNEL); if (newmac->name == NULL) { kfree(newmac); return; } - memcpy(newmac->value, macaddr, MAC_LEN); ((u8*)newmac->value)[5] = (*(u32*)DIP_SWITCHES_VADDR) & 0x3f; of_update_property(node, newmac); } diff --git a/include/linux/of.h b/include/linux/of.h index 17741eee0ca4..efb0f419fd1f 100644 --- a/include/linux/of.h +++ b/include/linux/of.h 
@@ -30,7 +30,7 @@ typedef u32 ihandle; struct property { char *name; - int length; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, length); void *value; struct property *next; #if defined(CONFIG_OF_DYNAMIC) || defined(CONFIG_SPARC) 
@@ -42,6 +42,7 @@ struct property { #if defined(CONFIG_OF_KOBJ) struct bin_attribute attr; #endif + DECLARE_FLEX_ARRAY_ELEMENTS(u8, contents); }; #if defined(CONFIG_SPARC) From patchwork Wed May 4 01:44:39 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12837147 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id A97D4C433FE for ; Wed, 4 May 2022 05:17:18 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.320074.540901 (Exim 4.92) (envelope-from ) id 1nm7Nq-0000aq-KD; Wed, 04 May 2022 05:17:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 320074.540901; Wed, 04 May 2022 05:17:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm7Np-0000Ts-7S; Wed, 04 May 2022 05:17:05 +0000 Received: by outflank-mailman (input) for mailman id 320074; Wed, 04 May 2022 01:57:50 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nm4H0-0000DU-6r for xen-devel@lists.xenproject.org; Wed, 04 May 2022 01:57:50 +0000 Received: from mail-pj1-x102b.google.com (mail-pj1-x102b.google.com [2607:f8b0:4864:20::102b]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id 99334a0e-cb4d-11ec-8fc4-03012f2f19d4; Wed, 04 May 2022 03:57:49 +0200 (CEST) Received: by mail-pj1-x102b.google.com with SMTP id z5-20020a17090a468500b001d2bc2743c4so56873pjf.0 for ; Tue, 03 May 2022 18:57:49 -0700 (PDT) 
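Review bot: update_local_mac() in arch/xtensa/platforms/xtfpga/setup.c used kzalloc(), which left next and every other struct property member the function does not assign as zero before of_update_property() receives the object; unless mem_to_flex_dup() is guaranteed to zero the allocation, this conversion hands over uninitialised members. Please document that guarantee or zero the struct explicitly. The hand-written "newmac->value = newmac->contents;" is also a step every future user has to remember, so it would be safer inside a small helper that sets value and length together.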
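Review bot: the include/linux/of.h hunks declare length as the element count of the new trailing contents[] array, but value remains a separate pointer and update_local_mac() has to aim it at contents by hand, so for any struct property whose value points at other storage length does not describe contents[] at all. A bounds check derived from the length/contents pairing would be wrong for those properties. Adding a flexible array member to struct property also affects code that declares one statically or embeds it in another object, so this change should be split from the xtensa conversion and carry a description of which properties are expected to use contents[].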
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id g25-20020a62e319000000b0050dc7628168sm6962145pfh.66.2022.05.03.18.57.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 May 2022 18:57:47 -0700 (PDT) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 99334a0e-cb4d-11ec-8fc4-03012f2f19d4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=/QgTacQ+A83oLfMgc7AcEsbfIOOMUUn/07ShQ/z1lc0=; b=OEKPNTKscDvuMfuoT9d4JeIvnRRtddZvUR90FLHTaY6dqJ3WoEedmmXxG6udDH4ll2 hQ3xVWzIJux8F2/IVGnkOvoKvzigrtb6PN+WIk/nKNi6EuEO6/f9y41IdVZKJ50O2w0U wl96xKQAPtHy1YFDiqJxnzLe5ZISnsn0F+m/k= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=/QgTacQ+A83oLfMgc7AcEsbfIOOMUUn/07ShQ/z1lc0=; b=DK9MKrt0Ly6WQG82i/hZNLbbnLobEDszZI01OOtxu7bFkCeN8iymCcFPrpAOSWk9Ly QQQBj819LOh+YFOCDULdOp3p2e3T/ee5iL4Rrk3Mb0uHvDGT7qN5zz0UmzH5Niyjduyn MoD/OYG7AcPhQyG+NBtbq+ES36oLKcHKyfQ/1dEEJ0FFyji6LfNYz83dyFp3Xen7iMiD OFGAL+Hq5nCKSMmyYaHOKEDuSA8y4NhkpSzpwDJ7e4daFYZHJ82W4wdYzZNcoq1ksw4U vJoCQTBmTPZwPlwlEFzD5lHUDoNoe0xwJQacvc9gS642+qv0K6w0S/ZmFf7QipnLOntr 2nLg== X-Gm-Message-State: AOAM532yjYRnKnxPImTJ5D1mZRDN06FG5hVe38Mw9JJUKymmGZ1oOS7n 3lsiJ6w9sj89ZdSH4esxcjMk8A== X-Google-Smtp-Source: ABdhPJz0Wz7uiw5Q84ZpgLomJ2sUNDZBw1NN/qBgJSmrLfPlt8IAi/IZc7UEAL8HYcl01ZzZ3TTw8Q== X-Received: by 2002:a17:902:e851:b0:15e:93ac:41db with SMTP id t17-20020a170902e85100b0015e93ac41dbmr17049558plg.26.1651629467986; Tue, 03 May 2022 18:57:47 -0700 (PDT) 
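Review bot: In the `@@ -30,7` hunk the element count for the new trailing array is the existing signed `int length`, so the helper's bounds check has to cope with a negative count. Either confirm that the flex_array.h helpers reject negative values for a signed counter, or state in the commit message why `length` cannot become an unsigned type here.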
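Review bot: The `@@ -42,6` hunk appends `DECLARE_FLEX_ARRAY_ELEMENTS(u8, contents);` to `struct property` without documenting how `contents` relates to the existing `void *value` pointer. Readers now have two ways to reach the payload; add a comment saying when `value` points at `contents` and when it points elsewhere. Also check that no user places `struct property` in an array or embeds it ahead of other members, which ISO C does not allow for a struct ending in a flexible array.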
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 30/32] usb: gadget: f_fs: Use mem_to_flex_dup() with struct ffs_buffer
Date: Tue, 3 May 2022 18:44:39 -0700
Message-Id: <20220504014440.3697851-31-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Felipe Balbi
Cc: Greg Kroah-Hartman
Cc: Eugeniu Rosca
Cc: John Keeping
Cc: Jens Axboe
Cc: Udipto Goswami
Cc: Andrew Gabbasov
Cc: linux-usb@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/usb/gadget/function/f_fs.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 4585ee3a444a..bb0ff41dabd2 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -202,9 +202,9 @@ struct ffs_epfile { }; struct ffs_buffer { - size_t length; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, length); char *data; - char storage[]; + DECLARE_FLEX_ARRAY_ELEMENTS(char, storage); }; /* ffs_io_data structure ***************************************************/ @@ -905,7 +905,7 @@ static ssize_t __ffs_epfile_read_data(struct ffs_epfile *epfile, void *data, int data_len, struct iov_iter *iter) { - struct ffs_buffer *buf; + struct ffs_buffer *buf = NULL; ssize_t ret = copy_to_iter(data, data_len, iter); if (data_len == ret)
@@ -919,12 +919,9 @@ static ssize_t __ffs_epfile_read_data(struct ffs_epfile *epfile, data_len, ret); data_len -= ret; - buf = kmalloc(struct_size(buf, storage, data_len), GFP_KERNEL); - if (!buf) + if (mem_to_flex_dup(&buf, data + ret, data_len, GFP_KERNEL)) return -ENOMEM; - buf->length = data_len; buf->data = buf->storage; - memcpy(buf->storage, data + ret, flex_array_size(buf, storage, data_len)); /* * At this point read_buffer is NULL or READ_BUFFER_DROP (if
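Review bot: In the `@@ -905,7` hunk of f_fs.c `buf` gains a `= NULL` initializer with no explanation, and its only new consumer is `mem_to_flex_dup(&buf, ...)` in the following hunk. If the helper requires the destination pointer to be NULL on entry, say so in a short comment here or in the commit message, so a later cleanup does not drop the initializer as redundant.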
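Review bot: In the `@@ -919,12` hunk of f_fs.c every non-zero return from `mem_to_flex_dup()` is reported as `-ENOMEM`, although the commit message says the helper also performs bounds checking. Capture the return value and propagate it, or document that allocation failure is the only error possible at this call site; otherwise a rejected length is indistinguishable from memory pressure. `data_len` is an `int` that has just had `ret` subtracted, so it is also worth stating why it cannot be negative when it reaches the helper.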
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 31/32] xenbus: Use mem_to_flex_dup() with struct read_buffer
Date: Tue, 3 May 2022 18:44:40 -0700
Message-Id: <20220504014440.3697851-32-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.

Cc: Boris Ostrovsky
Cc: Juergen Gross
Cc: Stefano Stabellini
Cc: xen-devel@lists.xenproject.org
Signed-off-by: Kees Cook
--- drivers/xen/xenbus/xenbus_dev_frontend.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c index 597af455a522..4267aaef33fb 100644 --- a/drivers/xen/xenbus/xenbus_dev_frontend.c +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c @@ -81,8 +81,8 @@ struct xenbus_transaction_holder { struct read_buffer { struct list_head list; unsigned int cons; - unsigned int len; - char msg[]; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned int, len); + DECLARE_FLEX_ARRAY_ELEMENTS(char, msg); }; struct xenbus_file_priv {
@@ -188,21 +188,17 @@ static ssize_t xenbus_file_read(struct file *filp, */ static int queue_reply(struct list_head *queue, const void *data, size_t len) { - struct read_buffer *rb; + struct read_buffer *rb = NULL; if (len == 0) return 0; if (len > XENSTORE_PAYLOAD_MAX) return -EINVAL; - rb = kmalloc(sizeof(*rb) + len, GFP_KERNEL); - if (rb == NULL) + if (mem_to_flex_dup(&rb, data, len, GFP_KERNEL)) return -ENOMEM; rb->cons = 0; - rb->len = len; - - memcpy(rb->msg, data, len); list_add_tail(&rb->list, queue); return 0;
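Review bot: In the `@@ -81,8` hunk of xenbus_dev_frontend.c the count member stays `unsigned int len` while `queue_reply()` receives `size_t len`, so the stored count is narrower than the value handed to the helper. The `len > XENSTORE_PAYLOAD_MAX` check in the following hunk is what keeps that safe; add a comment on the struct or at the call site tying the two together so the check is not moved or removed later.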
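Review bot: In the `@@ -188,21` hunk of xenbus_dev_frontend.c `if (mem_to_flex_dup(&rb, data, len, GFP_KERNEL)) return -ENOMEM;` collapses every helper failure into `-ENOMEM`. Return the helper's own error code so that a bounds-check rejection is visible to the caller. The removed `rb->len = len;` is now implicit in the helper, which deserves a word in the commit message since `rb->cons = 0;` is still set by hand right below it.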
From: Kees Cook
To: "Gustavo A . R . Silva"
Subject: [PATCH 32/32] esas2r: Use __mem_to_flex() with struct atto_ioctl
Date: Tue, 3 May 2022 18:44:41 -0700
Message-Id: <20220504014440.3697851-33-keescook@chromium.org>
In-Reply-To: <20220504014440.3697851-1-keescook@chromium.org>
References: <20220504014440.3697851-1-keescook@chromium.org>

As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. This requires adding the flexible array explicitly.

Cc: Bradley Grove
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-scsi@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/scsi/esas2r/atioctl.h | 1 + drivers/scsi/esas2r/esas2r_ioctl.c | 11 +++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/scsi/esas2r/atioctl.h b/drivers/scsi/esas2r/atioctl.h index ff2ad9b38575..dd3437412ffc 100644 --- a/drivers/scsi/esas2r/atioctl.h +++ b/drivers/scsi/esas2r/atioctl.h @@ -831,6 +831,7 @@ struct __packed atto_hba_trace { u32 total_length; u32 trace_mask; u8 reserved2[48]; + u8 contents[]; }; #define ATTO_FUNC_SCSI_PASS_THRU 0x04 diff --git a/drivers/scsi/esas2r/esas2r_ioctl.c b/drivers/scsi/esas2r/esas2r_ioctl.c index 08f4e43c7d9e..9310b54b1575 100644 --- a/drivers/scsi/esas2r/esas2r_ioctl.c +++ b/drivers/scsi/esas2r/esas2r_ioctl.c
@@ -947,11 +947,14 @@ static int hba_ioctl_callback(struct esas2r_adapter *a, break; } - memcpy(trc + 1, - a->fw_coredump_buff + offset, - len); + if (__mem_to_flex(hi, data.trace.contents, + data_length, + a->fw_coredump_buff + offset, + len)) { + hi->status = ATTO_STS_INV_FUNC; + break; + } - hi->data_length = len; } else if (trc->trace_func == ATTO_TRC_TF_RESET) { memset(a->fw_coredump_buff, 0, ESAS2R_FWCOREDUMP_SZ);
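Review bot: In the atioctl.h hunk `u8 contents[];` is added to `struct __packed atto_hba_trace`, which the esas2r_ioctl.c hunk names as `data.trace.contents` relative to `hi`, so the flexible array sits in a structure nested inside another one. Confirm that `trace` is the last thing laid out in `data` and that `sizeof(struct atto_hba_trace)` is unchanged, since this is a packed layout in an ioctl header. The member is also declared as a bare array rather than with `DECLARE_FLEX_ARRAY_ELEMENTS()` as in the other patches of the series; a line in the commit message on why would help.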
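Review bot: In the esas2r_ioctl.c hunk a failed `__mem_to_flex()` sets `hi->status = ATTO_STS_INV_FUNC`, which reports a length or bounds failure as an invalid function. Use a status that lets the caller tell the two apart, or explain the choice in the commit message. The hunk also drops `hi->data_length = len;` on the assumption that the helper stores it through the `data_length` argument; note that in the commit message, and say what upper bound the helper checks `len` against now that the old `memcpy(trc + 1, ...)` is gone.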