From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: linux-kernel@vger.kernel.org,
Kashyap Desai <kashyap.desai@broadcom.com>,
Sumit Saxena <sumit.saxena@broadcom.com>,
Shivasharan S <shivasharan.srikanteshwara@broadcom.com>,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
megaraidlinux.pdl@broadcom.com, linux-scsi@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2 3/4][next] scsi: megaraid_sas: Replace one-element array with flexible-array member in MR_DRV_RAID_MAP
Date: Thu, 23 Jun 2022 17:38:25 +0200 [thread overview]
Message-ID: <20220623153825.GA6458@embeddedor> (raw)
In-Reply-To: <202206230816.1383511C@keescook>
On Thu, Jun 23, 2022 at 08:19:49AM -0700, Kees Cook wrote:
> On Thu, Jun 23, 2022 at 05:14:01AM +0200, Gustavo A. R. Silva wrote:
> > On Thu, Jun 23, 2022 at 03:45:33AM +0200, Gustavo A. R. Silva wrote:
> > > On Wed, Jun 22, 2022 at 03:26:38PM -0700, Kees Cook wrote:
> > > > On Wed, Aug 04, 2021 at 11:20:04PM -0500, Gustavo A. R. Silva wrote:
> > > > > Replace one-element array with a flexible-array member in struct
> > > > > MR_DRV_RAID_MAP and use the flex_array_size() helper.
> > > > >
> > > > > This helps with the ongoing efforts to globally enable -Warray-bounds
> > > > > and get us closer to being able to tighten the FORTIFY_SOURCE routines
> > > > > on memcpy().
> > > > >
> > > > > Link: https://en.wikipedia.org/wiki/Flexible_array_member
> > > > > Link: https://www.kernel.org/doc/html/v5.10/process/deprecated.html#zero-length-and-one-element-arrays
> > > > > Link: https://github.com/KSPP/linux/issues/79
> > > > > Link: https://github.com/KSPP/linux/issues/109
> > > > > Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> > > >
> > > > I'd really like to see this fixed. :) I'm running into this 1-element
> > > > array problem now with UBSAN_BOUNDS:
> > >
> > > Wow; another forgoten patch from the times we didn't have Patchwork. :)
> > >
> > > >
> > > > [ 10.011173] UBSAN: array-index-out-of-bounds in /build/linux-WLUive/linux-5.15.0/drivers/scsi/megaraid/megaraid_sas_fp.c:103:32
> > > > [ 10.087824] index 1 is out of range for type 'MR_LD_SPAN_MAP [1]'
> > > >
> > > > and I'm not the only one:
> > > >
> > > > https://bugzilla.kernel.org/show_bug.cgi?id=215943
> > >
> > > It's actually great that other people are running into these issues now.
> > > That could only means that we should fixed ASAP. :)
> > >
> > > We also have this other series that hasn't been applied yet:
> > >
> > > https://lore.kernel.org/linux-hardening/cover.1645513670.git.gustavoars@kernel.org/
> > >
> > > >
> > > > > ---
> > > > > Changes in v2:
> > > > > - None.
> > > > >
> > > > > drivers/scsi/megaraid/megaraid_sas_fp.c | 6 +++---
> > > > > drivers/scsi/megaraid/megaraid_sas_fusion.h | 2 +-
> > > > > 2 files changed, 4 insertions(+), 4 deletions(-)
> > > > >
> > > > > diff --git a/drivers/scsi/megaraid/megaraid_sas_fp.c b/drivers/scsi/megaraid/megaraid_sas_fp.c
> > > > > index da1cad1ee123..9cb36ef96c2c 100644
> > > > > --- a/drivers/scsi/megaraid/megaraid_sas_fp.c
> > > > > +++ b/drivers/scsi/megaraid/megaraid_sas_fp.c
> > > > > @@ -229,8 +229,8 @@ static int MR_PopulateDrvRaidMap(struct megasas_instance *instance, u64 map_id)
> > > > > le32_to_cpu(desc_table->raid_map_desc_offset));
> > > > > memcpy(pDrvRaidMap->ldSpanMap,
> > > > > fw_map_dyn->ld_span_map,
> > > > > - sizeof(struct MR_LD_SPAN_MAP) *
> > > > > - le32_to_cpu(desc_table->raid_map_desc_elements));
> > > > > + flex_array_size(pDrvRaidMap, ldSpanMap,
> > > > > + le32_to_cpu(desc_table->raid_map_desc_elements)));
> > > > > break;
> > > > > default:
> > > > > dev_dbg(&instance->pdev->dev, "wrong number of desctableElements %d\n",
> > > > > @@ -254,7 +254,7 @@ static int MR_PopulateDrvRaidMap(struct megasas_instance *instance, u64 map_id)
> > > > > pDrvRaidMap->ldTgtIdToLd[i] =
> > > > > (u16)fw_map_ext->ldTgtIdToLd[i];
> > > > > memcpy(pDrvRaidMap->ldSpanMap, fw_map_ext->ldSpanMap,
> > > > > - sizeof(struct MR_LD_SPAN_MAP) * ld_count);
> > > > > + flex_array_size(pDrvRaidMap, ldSpanMap, ld_count));
> > > > > memcpy(pDrvRaidMap->arMapInfo, fw_map_ext->arMapInfo,
> > > > > sizeof(struct MR_ARRAY_INFO) * MAX_API_ARRAYS_EXT);
> > > > > memcpy(pDrvRaidMap->devHndlInfo, fw_map_ext->devHndlInfo,
> > > > > diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.h b/drivers/scsi/megaraid/megaraid_sas_fusion.h
> > > > > index 9adb8b30f422..5fe2f7a6eebe 100644
> > > > > --- a/drivers/scsi/megaraid/megaraid_sas_fusion.h
> > > > > +++ b/drivers/scsi/megaraid/megaraid_sas_fusion.h
> > > > > @@ -1182,7 +1182,7 @@ struct MR_DRV_RAID_MAP {
> > > > > devHndlInfo[MAX_RAIDMAP_PHYSICAL_DEVICES_DYN];
> > > > > u16 ldTgtIdToLd[MAX_LOGICAL_DRIVES_DYN];
> > > > > struct MR_ARRAY_INFO arMapInfo[MAX_API_ARRAYS_DYN];
> > > > > - struct MR_LD_SPAN_MAP ldSpanMap[1];
> > > > > + struct MR_LD_SPAN_MAP ldSpanMap[];
> > > > >
> > > > > };
> > > > >
> > > >
> > > > I think this patch is incomplete, and the wrapping struct needs to be
> > > > adjusted too:
> > > >
> > > > @@ -1193,7 +1193,7 @@ struct MR_DRV_RAID_MAP {
> > > > struct MR_DRV_RAID_MAP_ALL {
> > > >
> > > > struct MR_DRV_RAID_MAP raidMap;
> > > > - struct MR_LD_SPAN_MAP ldSpanMap[MAX_LOGICAL_DRIVES_DYN - 1];
> > > > + struct MR_LD_SPAN_MAP ldSpanMap[MAX_LOGICAL_DRIVES_DYN];
> > > > } __packed;
> >
> > BTW, I'd really like to get some input from the maintainers of this
> > code. :)
>
> Agreed, though if we get 0 output from a diffoscope of the object files,
> I think it's safe to carry such patches in our trees. This is how I've
> been testing:
Which object files are you comparing here? because I don't see the zero
change when comparing the before and after of megaraid_sas_fp.o with
the change you propose.
>
> $ make allmodconfig
> $ ./scripts/config -d GCOV_KERNEL -d KCOV -d GCC_PLUGINS -d IKHEADERS -d KASAN -d UBSAN
> $ make olddefconfig
> $ make the/path/to/code.o
> $ cp the/path/to/code.o the/path/to/code.before
> $ *apply patch*
> $ make the/path/to/code.o
> $ cp the/path/to/code.o the/path/to/code.after
> $ diffoscope the/path/to/code.before the/path/to/code.after
Yep; that's how we do it. However, I think the zero change is the
exception, not the norm in these sorts of changes.
The machine code could easily change after refactoring the code a
bit as a consequence of the flex-array transformation. It's not like
we are merely removing the 1 from the array declaration. We are also
making use of helpers like struct_size(), flex_array_size() and in
some cases we are making the code to stop allocating some too-many
extra bytes (which usually account for the size of one item of the
trailing array) that are never actually used. I think that could
easily impact how the compiler ultimately arrange the code.
--
Gustavo
next prev parent reply other threads:[~2022-06-23 15:38 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-05 4:17 [PATCH v2 0/4][next] scsi: megaraid_sas: Replace one-element arrays with flexible-array members Gustavo A. R. Silva
2021-08-05 4:18 ` [PATCH v2 1/4][next] scsi: megaraid_sas: Replace one-element array with flexible-array member in MR_FW_RAID_MAP Gustavo A. R. Silva
2021-08-05 4:18 ` [PATCH v2 2/4][next] scsi: megaraid_sas: Replace one-element array with flexible-array member in MR_FW_RAID_MAP_DYNAMIC Gustavo A. R. Silva
2021-08-05 4:20 ` [PATCH v2 3/4][next] scsi: megaraid_sas: Replace one-element array with flexible-array member in MR_DRV_RAID_MAP Gustavo A. R. Silva
2022-06-22 22:26 ` Kees Cook
2022-06-23 1:45 ` Gustavo A. R. Silva
2022-06-23 3:14 ` Gustavo A. R. Silva
2022-06-23 15:19 ` Kees Cook
2022-06-23 15:38 ` Gustavo A. R. Silva [this message]
2022-06-24 17:48 ` Kees Cook
2022-06-24 20:13 ` Kees Cook
2022-06-28 9:11 ` Sumit Saxena
2021-08-05 4:20 ` [PATCH v2 4/4][next] scsi: megaraid_sas: Replace one-element array with flexible-array member in MR_PD_CFG_SEQ_NUM_SYNC Gustavo A. R. Silva
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220623153825.GA6458@embeddedor \
--to=gustavoars@kernel.org \
--cc=jejb@linux.ibm.com \
--cc=kashyap.desai@broadcom.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=megaraidlinux.pdl@broadcom.com \
--cc=shivasharan.srikanteshwara@broadcom.com \
--cc=sumit.saxena@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.