From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: linux-kernel@vger.kernel.org,
Kashyap Desai <kashyap.desai@broadcom.com>,
Sumit Saxena <sumit.saxena@broadcom.com>,
Shivasharan S <shivasharan.srikanteshwara@broadcom.com>,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
megaraidlinux.pdl@broadcom.com, linux-scsi@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2 3/4][next] scsi: megaraid_sas: Replace one-element array with flexible-array member in MR_DRV_RAID_MAP
Date: Thu, 23 Jun 2022 03:45:33 +0200 [thread overview]
Message-ID: <20220623014533.GA7132@embeddedor> (raw)
In-Reply-To: <202206221457.1A12D768EF@keescook>
On Wed, Jun 22, 2022 at 03:26:38PM -0700, Kees Cook wrote:
> On Wed, Aug 04, 2021 at 11:20:04PM -0500, Gustavo A. R. Silva wrote:
> > Replace one-element array with a flexible-array member in struct
> > MR_DRV_RAID_MAP and use the flex_array_size() helper.
> >
> > This helps with the ongoing efforts to globally enable -Warray-bounds
> > and get us closer to being able to tighten the FORTIFY_SOURCE routines
> > on memcpy().
> >
> > Link: https://en.wikipedia.org/wiki/Flexible_array_member
> > Link: https://www.kernel.org/doc/html/v5.10/process/deprecated.html#zero-length-and-one-element-arrays
> > Link: https://github.com/KSPP/linux/issues/79
> > Link: https://github.com/KSPP/linux/issues/109
> > Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
>
> I'd really like to see this fixed. :) I'm running into this 1-element
> array problem now with UBSAN_BOUNDS:
Wow; another forgoten patch from the times we didn't have Patchwork. :)
>
> [ 10.011173] UBSAN: array-index-out-of-bounds in /build/linux-WLUive/linux-5.15.0/drivers/scsi/megaraid/megaraid_sas_fp.c:103:32
> [ 10.087824] index 1 is out of range for type 'MR_LD_SPAN_MAP [1]'
>
> and I'm not the only one:
>
> https://bugzilla.kernel.org/show_bug.cgi?id=215943
It's actually great that other people are running into these issues now.
That could only means that we should fixed ASAP. :)
We also have this other series that hasn't been applied yet:
https://lore.kernel.org/linux-hardening/cover.1645513670.git.gustavoars@kernel.org/
>
> > ---
> > Changes in v2:
> > - None.
> >
> > drivers/scsi/megaraid/megaraid_sas_fp.c | 6 +++---
> > drivers/scsi/megaraid/megaraid_sas_fusion.h | 2 +-
> > 2 files changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/scsi/megaraid/megaraid_sas_fp.c b/drivers/scsi/megaraid/megaraid_sas_fp.c
> > index da1cad1ee123..9cb36ef96c2c 100644
> > --- a/drivers/scsi/megaraid/megaraid_sas_fp.c
> > +++ b/drivers/scsi/megaraid/megaraid_sas_fp.c
> > @@ -229,8 +229,8 @@ static int MR_PopulateDrvRaidMap(struct megasas_instance *instance, u64 map_id)
> > le32_to_cpu(desc_table->raid_map_desc_offset));
> > memcpy(pDrvRaidMap->ldSpanMap,
> > fw_map_dyn->ld_span_map,
> > - sizeof(struct MR_LD_SPAN_MAP) *
> > - le32_to_cpu(desc_table->raid_map_desc_elements));
> > + flex_array_size(pDrvRaidMap, ldSpanMap,
> > + le32_to_cpu(desc_table->raid_map_desc_elements)));
> > break;
> > default:
> > dev_dbg(&instance->pdev->dev, "wrong number of desctableElements %d\n",
> > @@ -254,7 +254,7 @@ static int MR_PopulateDrvRaidMap(struct megasas_instance *instance, u64 map_id)
> > pDrvRaidMap->ldTgtIdToLd[i] =
> > (u16)fw_map_ext->ldTgtIdToLd[i];
> > memcpy(pDrvRaidMap->ldSpanMap, fw_map_ext->ldSpanMap,
> > - sizeof(struct MR_LD_SPAN_MAP) * ld_count);
> > + flex_array_size(pDrvRaidMap, ldSpanMap, ld_count));
> > memcpy(pDrvRaidMap->arMapInfo, fw_map_ext->arMapInfo,
> > sizeof(struct MR_ARRAY_INFO) * MAX_API_ARRAYS_EXT);
> > memcpy(pDrvRaidMap->devHndlInfo, fw_map_ext->devHndlInfo,
> > diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.h b/drivers/scsi/megaraid/megaraid_sas_fusion.h
> > index 9adb8b30f422..5fe2f7a6eebe 100644
> > --- a/drivers/scsi/megaraid/megaraid_sas_fusion.h
> > +++ b/drivers/scsi/megaraid/megaraid_sas_fusion.h
> > @@ -1182,7 +1182,7 @@ struct MR_DRV_RAID_MAP {
> > devHndlInfo[MAX_RAIDMAP_PHYSICAL_DEVICES_DYN];
> > u16 ldTgtIdToLd[MAX_LOGICAL_DRIVES_DYN];
> > struct MR_ARRAY_INFO arMapInfo[MAX_API_ARRAYS_DYN];
> > - struct MR_LD_SPAN_MAP ldSpanMap[1];
> > + struct MR_LD_SPAN_MAP ldSpanMap[];
> >
> > };
> >
>
> I think this patch is incomplete, and the wrapping struct needs to be
> adjusted too:
>
> @@ -1193,7 +1193,7 @@ struct MR_DRV_RAID_MAP {
> struct MR_DRV_RAID_MAP_ALL {
>
> struct MR_DRV_RAID_MAP raidMap;
> - struct MR_LD_SPAN_MAP ldSpanMap[MAX_LOGICAL_DRIVES_DYN - 1];
> + struct MR_LD_SPAN_MAP ldSpanMap[MAX_LOGICAL_DRIVES_DYN];
> } __packed;
>
> With that added, I get zero changes to the executable code.
>
> I assume the others need adjustment too.
Interesting... OK, let me refresh my memory about the whole thing
and be back in a minute.
--
Gustavo
next prev parent reply other threads:[~2022-06-23 1:45 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-05 4:17 [PATCH v2 0/4][next] scsi: megaraid_sas: Replace one-element arrays with flexible-array members Gustavo A. R. Silva
2021-08-05 4:18 ` [PATCH v2 1/4][next] scsi: megaraid_sas: Replace one-element array with flexible-array member in MR_FW_RAID_MAP Gustavo A. R. Silva
2021-08-05 4:18 ` [PATCH v2 2/4][next] scsi: megaraid_sas: Replace one-element array with flexible-array member in MR_FW_RAID_MAP_DYNAMIC Gustavo A. R. Silva
2021-08-05 4:20 ` [PATCH v2 3/4][next] scsi: megaraid_sas: Replace one-element array with flexible-array member in MR_DRV_RAID_MAP Gustavo A. R. Silva
2022-06-22 22:26 ` Kees Cook
2022-06-23 1:45 ` Gustavo A. R. Silva [this message]
2022-06-23 3:14 ` Gustavo A. R. Silva
2022-06-23 15:19 ` Kees Cook
2022-06-23 15:38 ` Gustavo A. R. Silva
2022-06-24 17:48 ` Kees Cook
2022-06-24 20:13 ` Kees Cook
2022-06-28 9:11 ` Sumit Saxena
2021-08-05 4:20 ` [PATCH v2 4/4][next] scsi: megaraid_sas: Replace one-element array with flexible-array member in MR_PD_CFG_SEQ_NUM_SYNC Gustavo A. R. Silva
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220623014533.GA7132@embeddedor \
--to=gustavoars@kernel.org \
--cc=jejb@linux.ibm.com \
--cc=kashyap.desai@broadcom.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=megaraidlinux.pdl@broadcom.com \
--cc=shivasharan.srikanteshwara@broadcom.com \
--cc=sumit.saxena@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.