From: Kees Cook <keescook@chromium.org>
To: Sean Christopherson <seanjc@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>,
	x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
	kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org
Subject: Re: [PATCH] KVM: x86: Replace 0-length arrays with flexible arrays
Date: Thu, 12 Jan 2023 14:42:56 -0800
Message-ID: <202301121441.1E38EE308@keescook>
In-Reply-To: <Y7xPSEMOWqz+3kgD@google.com>

On Mon, Jan 09, 2023 at 05:30:48PM +0000, Sean Christopherson wrote:
> On Thu, Jan 05, 2023, Kees Cook wrote:
> > Zero-length arrays are deprecated[1]. Replace struct kvm_nested_state's
> > "data" union 0-length arrays with flexible arrays. (How are the
> > sizes of these arrays verified?)
> 
> It's not really interpreted as an array, it's a mandatory single-entry "array".
> 
> 	if (copy_from_user(vmcs12, user_vmx_nested_state->vmcs12, sizeof(*vmcs12)))
> 		return -EFAULT;

If it's mandatory, why is it [0] instead of just a single struct? i.e.
why is it not:

	union {
		struct kvm_vmx_nested_state_data vmx;
		struct kvm_svm_nested_state_data svm;
	};

> 
> > Detected with GCC 13, using -fstrict-flex-arrays=3:
> > 
> > arch/x86/kvm/svm/nested.c: In function 'svm_get_nested_state':
> > arch/x86/kvm/svm/nested.c:1536:17: error: array subscript 0 is outside array bounds of 'struct kvm_svm_nested_state_data[0]' [-Werror=array-bounds=]
> >  1536 |                 &user_kvm_nested_state->data.svm[0];
> >       |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > In file included from include/uapi/linux/kvm.h:15,
> >                  from include/linux/kvm_host.h:40,
> >                  from arch/x86/kvm/svm/nested.c:18:
> > arch/x86/include/uapi/asm/kvm.h:511:50: note: while referencing 'svm'
> >   511 |                 struct kvm_svm_nested_state_data svm[0];
> >       |                                                  ^~~
> > 
> > [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays
> > 
> > Cc: Sean Christopherson <seanjc@google.com>
> > Cc: Paolo Bonzini <pbonzini@redhat.com>
> > Cc: Thomas Gleixner <tglx@linutronix.de>
> > Cc: Ingo Molnar <mingo@redhat.com>
> > Cc: Borislav Petkov <bp@alien8.de>
> > Cc: Dave Hansen <dave.hansen@linux.intel.com>
> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > Cc: x86@kernel.org
> > Cc: "H. Peter Anvin" <hpa@zytor.com>
> > Cc: kvm@vger.kernel.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> 
> Nit on the comment aside,
> 
> Reviewed-by: Sean Christopherson <seanjc@google.com>
> 
> >  arch/x86/include/uapi/asm/kvm.h | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> > 
> > diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
> > index e48deab8901d..8ec3dfd641b0 100644
> > --- a/arch/x86/include/uapi/asm/kvm.h
> > +++ b/arch/x86/include/uapi/asm/kvm.h
> > @@ -502,13 +502,13 @@ struct kvm_nested_state {
> >  	} hdr;
> >  
> >  	/*
> > -	 * Define data region as 0 bytes to preserve backwards-compatability
> > +	 * Define union of flexible arrays to preserve backwards-compatability
> 
> I think I'd actually prefer the "as 0 bytes" comment.  The important part is that
> the size of "data" be zero, how that happens is immaterial.

Okay, I'll drop this part.

> 
> >  	 * to old definition of kvm_nested_state in order to avoid changing
> >  	 * KVM_{GET,PUT}_NESTED_STATE ioctl values.
> >  	 */
> >  	union {
> > -		struct kvm_vmx_nested_state_data vmx[0];
> > -		struct kvm_svm_nested_state_data svm[0];
> > +		__DECLARE_FLEX_ARRAY(struct kvm_vmx_nested_state_data, vmx);
> > +		__DECLARE_FLEX_ARRAY(struct kvm_svm_nested_state_data, svm);
> >  	} data;
> >  };
> >  
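Review bot: The hunk switches both union members to __DECLARE_FLEX_ARRAY() but adds no #include for it; that macro is defined in include/uapi/linux/stddef.h, so confirm this UAPI header already pulls in <linux/stddef.h> (directly or through one of the headers it includes), otherwise userspace that includes <asm/kvm.h> on its own will stop compiling after this change. A smaller point on the first line of the hunk: the rewritten comment carries over the "backwards-compatability" misspelling; since that line is being touched anyway, "compatibility" could be fixed in the same pass, whichever of the two wordings ends up staying.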
> > -- 
> > 2.34.1
> > 

-- 
Kees Cook

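The point Sean makes above, that what matters is sizeof(data) staying zero because the struct size is baked into the KVM_{GET,PUT}_NESTED_STATE ioctl numbers, is easy to see by compiling the three layouts side by side. The following is an added example, not code from this thread or from KVM's headers: the payload struct sizes, the header layout, the ioctl type/number and the local DECLARE_FLEX_ARRAY() copy of the kernel macro are all assumptions for the demonstration. It shows that the zero-length and flexible-array forms give the same sizeof() and the same payload offset, that embedding a single struct (the alternative asked about in the reply) changes the ioctl number, and how the "mandatory single-entry array" is read through the flexible member.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for KVM's payload structs; sizes are assumptions, not the real layouts. */
struct vmx_data { uint8_t vmcs12[64]; uint8_t shadow_vmcs12[64]; };
struct svm_data { uint8_t vmcb12[128]; };

/* Toy header; the real kvm_nested_state header is larger. */
struct hdr { uint16_t flags; uint16_t format; uint32_t size; };

/* Local copy of the idea behind __DECLARE_FLEX_ARRAY() (uapi/linux/stddef.h):
 * C does not allow a flexible array member directly inside a union, so wrap
 * it in an anonymous struct whose only other member is an empty (zero-size,
 * GNU C) struct. The wrapper therefore still occupies 0 bytes. */
#define DECLARE_FLEX_ARRAY(TYPE, NAME) \
	struct { struct {} __empty_##NAME; TYPE NAME[]; }

/* 1. Before the patch: GNU zero-length arrays. */
struct nested_state_zero {
	struct hdr hdr;
	union {
		struct vmx_data vmx[0];
		struct svm_data svm[0];
	} data;
};

/* 2. After the patch: flexible arrays, "data" is still 0 bytes. */
struct nested_state_flex {
	struct hdr hdr;
	union {
		DECLARE_FLEX_ARRAY(struct vmx_data, vmx);
		DECLARE_FLEX_ARRAY(struct svm_data, svm);
	} data;
};

/* 3. The alternative asked about in the reply: embed one struct directly. */
struct nested_state_embedded {
	struct hdr hdr;
	union {
		struct vmx_data vmx;
		struct svm_data svm;
	} data;
};

size_t data_size_zero(void)     { return sizeof(((struct nested_state_zero *)0)->data); }
size_t data_size_flex(void)     { return sizeof(((struct nested_state_flex *)0)->data); }
size_t data_size_embedded(void) { return sizeof(((struct nested_state_embedded *)0)->data); }

/* Toy version of the asm-generic _IOWR() encoding: sizeof() of the argument
 * type lands in bits 16..29, so growing the struct changes the ioctl number
 * userspace must pass. Type 'K' and nr 0x10 are placeholders, not KVM's values. */
static uint32_t toy_iowr(uint32_t type, uint32_t nr, uint32_t size)
{
	return (3u << 30) | (size << 16) | (type << 8) | nr;
}
uint32_t ioctl_nr_zero(void)     { return toy_iowr('K', 0x10, sizeof(struct nested_state_zero)); }
uint32_t ioctl_nr_flex(void)     { return toy_iowr('K', 0x10, sizeof(struct nested_state_flex)); }
uint32_t ioctl_nr_embedded(void) { return toy_iowr('K', 0x10, sizeof(struct nested_state_embedded)); }

/* The single mandatory svm entry sits right after the fixed part in both layouts. */
size_t svm_offset_zero(void) { return offsetof(struct nested_state_zero, data.svm); }
size_t svm_offset_flex(void) { return offsetof(struct nested_state_flex, data.svm); }

/* Constructed round trip mimicking the kernel's read: userspace supplies the
 * fixed struct immediately followed by exactly one payload; the kernel checks
 * hdr.size covers it and then copies sizeof(*vmcb12) from &data.svm[0]. */
int single_entry_roundtrip(void)
{
	size_t total = sizeof(struct nested_state_flex) + sizeof(struct svm_data);
	struct nested_state_flex *st = malloc(total);
	struct svm_data in, out;
	int ok;

	if (!st)
		return 0;
	memset(st, 0, total);
	memset(&in, 0xA5, sizeof(in));
	st->hdr.size = (uint32_t)total;
	memcpy(&st->data.svm[0], &in, sizeof(in));          /* userspace fills the payload */

	ok = st->hdr.size >= sizeof(*st) + sizeof(struct svm_data); /* too small? reject */
	if (ok) {
		memcpy(&out, &st->data.svm[0], sizeof(out));     /* stands in for copy_from_user() */
		ok = memcmp(&in, &out, sizeof(in)) == 0;
	}
	free(st);
	return ok;
}

int main(void)
{
	printf("sizeof(data): zero=%zu flex=%zu embedded=%zu\n",
	       data_size_zero(), data_size_flex(), data_size_embedded());
	printf("ioctl nr: zero=%#x flex=%#x embedded=%#x\n",
	       (unsigned)ioctl_nr_zero(), (unsigned)ioctl_nr_flex(), (unsigned)ioctl_nr_embedded());
	printf("svm offset: zero=%zu flex=%zu roundtrip=%d\n",
	       svm_offset_zero(), svm_offset_flex(), single_entry_roundtrip());
	return 0;
}
```

Build with plain gcc or clang; both accept the zero-length array and the empty struct as GNU extensions. The flexible form is what lets -fstrict-flex-arrays=3 treat data.svm[0] as an in-bounds access to a real trailing array instead of an out-of-bounds index into a zero-element one, which is the warning the patch description quotes.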

Thread overview: 4+ messages
2023-01-05 19:05 [PATCH] KVM: x86: Replace 0-length arrays with flexible arrays Kees Cook
2023-01-09 17:30 ` Sean Christopherson
2023-01-12 22:42   ` Kees Cook [this message]
2023-01-12 22:44   ` Kees Cook
