From: Kees Cook <keescook@chromium.org>
To: Nathan Lynch <nathanl@linux.ibm.com>
Cc: Andrew Donnellan <ajd@linux.ibm.com>,
linuxppc-dev@lists.ozlabs.org,
Leonardo Bras <leobras.c@gmail.com>,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH] powerpc/rtas: Replace one-element arrays with flexible arrays
Date: Fri, 27 Jan 2023 11:23:57 -0800 [thread overview]
Message-ID: <202301271120.B83DA0B3@keescook> (raw)
In-Reply-To: <87357wp1h7.fsf@linux.ibm.com>
On Fri, Jan 27, 2023 at 07:10:28AM -0600, Nathan Lynch wrote:
> Andrew Donnellan <ajd@linux.ibm.com> writes:
> > Using a one-element array as a fake flexible array is deprecated.
> >
> > Replace the one-element flexible arrays in rtas-types.h with C99 standard
> > flexible array members instead.
> >
> > This helps us move towards enabling -fstrict-flex-arrays=3 in future.
> >
> > Found using scripts/coccinelle/misc/flexible_array.cocci.
> >
> > Cc: Nathan Lynch <nathanl@linux.ibm.com>
> > Cc: Leonardo Bras <leobras.c@gmail.com>
> > Cc: linux-hardening@vger.kernel.org
> > Link: https://github.com/KSPP/linux/issues/21
> > Link: https://github.com/KSPP/linux/issues/79
> > Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
> > ---
> > arch/powerpc/include/asm/rtas-types.h | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/powerpc/include/asm/rtas-types.h b/arch/powerpc/include/asm/rtas-types.h
> > index 8df6235d64d1..40ec03a05c0b 100644
> > --- a/arch/powerpc/include/asm/rtas-types.h
> > +++ b/arch/powerpc/include/asm/rtas-types.h
> > @@ -44,7 +44,7 @@ struct rtas_error_log {
> > */
> > u8 byte3; /* General event or error*/
> > __be32 extended_log_length; /* length in bytes */
> > - unsigned char buffer[1]; /* Start of extended log */
> > + unsigned char buffer[]; /* Start of extended log */
> > /* Variable length. */
> > };
> >
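Review bot: sizeof(struct rtas_error_log) shrinks with this hunk, by at least the one byte that buffer[1] contributed plus whatever trailing padding it dragged in, so every user of sizeof(struct rtas_error_log) as a header length or as a minimum-length bound silently gets a different value. The commit message should state that and list the call sites audited. Where the intent is "length of the fixed header", offsetof(struct rtas_error_log, buffer) yields the same value before and after the change; where the intent is "header plus N bytes of extended log", struct_size() makes that arithmetic explicit and overflow-checked.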
> > @@ -85,7 +85,7 @@ struct rtas_ext_event_log_v6 {
> > /* that defines the format for */
> > /* the vendor specific log type */
> > /* Byte 16-end of log */
> > - u8 vendor_log[1]; /* Start of vendor specific log */
> > + u8 vendor_log[]; /* Start of vendor specific log */
> > /* Variable length. */
> > };
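Review bot: the length gate in get_pseries_errorlog(), `ext_log_length < sizeof(struct rtas_ext_event_log_v6)`, becomes looser after this hunk, because sizeof() no longer includes vendor_log[1] and its padding: an extended log whose length equals the fixed header now passes where it was rejected before. That is arguably the right minimum for a v6 log with an empty vendor section, but it is a behaviour change that neither the commit message nor the hunk comments mention. Please spell it out in the commit message and, if the previous strictness was deliberate, replace the sizeof() comparison with an explicit minimum such as offsetof(struct rtas_ext_event_log_v6, vendor_log) plus the smallest vendor log the parser can handle.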
>
> I see at least one place that consults the size of one of these structs,
> in get_pseries_errorlog():
>
> /* Check that we understand the format */
> if (ext_log_length < sizeof(struct rtas_ext_event_log_v6) || ...
>
> Don't all such sites need to be audited/adjusted for changes like this?
Yeah, I'd expect a binary comparison[1] before/after to catch things like
this. E.g. the following C files mention those structs:
arch/powerpc/platforms/pseries/io_event_irq.c
arch/powerpc/platforms/pseries/ras.c
arch/powerpc/kernel/rtasd.c
arch/powerpc/kernel/rtas.c
-Kees
[1] https://outflux.net/blog/archives/2022/06/24/finding-binary-differences/
--
Kees Cook
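The sizeof() shift that Nathan's question and Kees's binary-comparison suggestion are both about, shown as a stand-alone added example (this is not code from the patch, from rtas.c or from the kernel; the struct names, the check functions and the sample buffer are this example's own, and the length field is kept in host byte order rather than the kernel's __be32 to keep the demonstration short). The two structs mimic the shape of rtas_error_log (four bytes, a 32-bit length, a trailing buffer) in its one-element-array and flexible-array forms; the code then shows how a "len < sizeof(struct)" gate moves between them and how an offsetof()-based check stays stable and also bounds the payload against the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "Before": a one-element array standing in for a variable-length tail. */
struct log_hdr_old {
	uint8_t byte0, byte1, byte2, byte3;
	uint32_t extended_log_length;	/* kernel: __be32 */
	unsigned char buffer[1];	/* fake flexible array */
};

/* "After": a C99 flexible array member, as the patch does. */
struct log_hdr_new {
	uint8_t byte0, byte1, byte2, byte3;
	uint32_t extended_log_length;	/* kernel: __be32 */
	unsigned char buffer[];		/* real flexible array */
};

/* sizeof() differs: buffer[1] plus alignment padding is counted only in
 * the old form; the flexible array member contributes nothing. */
size_t sizeof_old(void) { return sizeof(struct log_hdr_old); }
size_t sizeof_new(void) { return sizeof(struct log_hdr_new); }

/* offsetof() of the tail is the fixed header length in both forms. */
size_t header_len(void) { return offsetof(struct log_hdr_new, buffer); }

/* A "len < sizeof(struct)" gate of the kind get_pseries_errorlog() uses;
 * returns 1 when the log would be accepted. */
int accepts_old(uint32_t len) { return len >= sizeof(struct log_hdr_old); }
int accepts_new(uint32_t len) { return len >= sizeof(struct log_hdr_new); }

/* Hardened gate: require the fixed header, then require that the payload
 * length the header claims fits inside the bytes actually received. */
int payload_fits(const unsigned char *buf, size_t buf_len)
{
	uint32_t claimed;

	if (buf_len < header_len())
		return 0;
	memcpy(&claimed,
	       buf + offsetof(struct log_hdr_new, extended_log_length),
	       sizeof(claimed));
	return claimed <= buf_len - header_len();
}

/* Constructed sample (not a real RTAS log): a buf_len-byte buffer whose
 * header claims claimed_len payload bytes, then run through payload_fits(). */
int check_sample(uint32_t claimed_len, size_t buf_len)
{
	unsigned char buf[64] = {0};

	if (buf_len > sizeof(buf))
		return 0;
	memcpy(buf + offsetof(struct log_hdr_new, extended_log_length),
	       &claimed_len, sizeof(claimed_len));
	return payload_fits(buf, buf_len);
}

int main(void)
{
	uint32_t hdr = (uint32_t)header_len();

	printf("sizeof old=%zu new=%zu header=%zu\n",
	       sizeof_old(), sizeof_new(), header_len());
	printf("len == header: old accepts %d, new accepts %d\n",
	       accepts_old(hdr), accepts_new(hdr));
	printf("8-byte payload in 16-byte buffer fits: %d\n", check_sample(8, 16));
	printf("9-byte payload in 16-byte buffer fits: %d\n", check_sample(9, 16));
	return 0;
}
```

On a typical ABI with 4-byte alignment for the 32-bit length, the old form is 12 bytes and the new one 8, so a log exactly one header long flips from rejected to accepted; that difference is exactly what a before/after binary comparison of the object files would surface, and the offsetof()-based gate is the form that does not depend on which array style the header happens to use.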
Thread overview: 6+ messages
2023-01-27 8:50 [PATCH] powerpc/rtas: Replace one-element arrays with flexible arrays Andrew Donnellan
2023-01-27 8:59 ` Leonardo Brás
2023-01-27 13:10 ` Nathan Lynch
2023-01-27 19:23 ` Kees Cook [this message]
2023-01-27 19:23 ` Kees Cook
2023-04-20 7:46 ` Andrew Donnellan