From: Kees Cook <keescook@chromium.org>
To: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>,
Vikash Garodia <quic_vgarodia@quicinc.com>,
Andy Gross <agross@kernel.org>,
Bjorn Andersson <andersson@kernel.org>,
Konrad Dybcio <konrad.dybcio@linaro.org>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
linux-media@vger.kernel.org, linux-arm-msm@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH][next] media: venus: hfi_cmds: Replace fake flex-array with flexible-array member
Date: Wed, 17 May 2023 10:50:53 -0700 [thread overview]
Message-ID: <202305171049.9AB52166@keescook> (raw)
In-Reply-To: <ZGQn63U4IeRUiJWb@work>
On Tue, May 16, 2023 at 07:03:39PM -0600, Gustavo A. R. Silva wrote:
> One-element arrays are deprecated, and we are replacing them with flexible
> array members instead. So, replace one-element arrays with flexible-array
> members in struct hfi_sys_set_resource_pkt, and refactor the rest of
> the code, accordingly.
>
> This helps with the ongoing efforts to tighten the FORTIFY_SOURCE
> routines on memcpy() and help us make progress towards globally
> enabling -fstrict-flex-arrays=3 [1].
>
> The only binary differences seen before/after changes are the
> following:
>
> 17ba: mov %rbx,%rdi
> 17bd: call 17c2 <pkt_sys_set_resource+0x42>
> 17be: R_X86_64_PLT32 __tsan_write4-0x4
> - 17c2: movl $0x14,(%rbx)
> + 17c2: movl $0x10,(%rbx)
> 17c8: lea 0x4(%rbx),%rdi
> 17cc: call 17d1 <pkt_sys_set_resource+0x51>
> 17cd: R_X86_64_PLT32 __tsan_write4-0x4
>
> which is expected once this accounts for the following line of code
> at drivers/media/platform/qcom/venus/hfi_cmds.c:73
>
> 73 pkt->hdr.size = sizeof(*pkt);
>
> and as *pkt is of type struct hfi_sys_set_resource_pkt, sizeof(*pkt) is
> reduced by 4 bytes, due to the flex-array transformation.
Based on the other place that was subtracting the 1 element, this looks
like hfi_cmds.c:73 is an existing sizing bug that is now fixed with this
patch, yes?
Reviewed-by: Kees Cook <keescook@chromium.org>
-Kees
>
> Link: https://github.com/KSPP/linux/issues/79
> Link: https://github.com/KSPP/linux/issues/293
> Link: https://gcc.gnu.org/pipermail/gcc-patches/2022-October/602902.html [1]
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
> drivers/media/platform/qcom/venus/hfi_cmds.c | 2 +-
> drivers/media/platform/qcom/venus/hfi_cmds.h | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.c b/drivers/media/platform/qcom/venus/hfi_cmds.c
> index 3f74d518ad08..7c82e212434e 100644
> --- a/drivers/media/platform/qcom/venus/hfi_cmds.c
> +++ b/drivers/media/platform/qcom/venus/hfi_cmds.c
> @@ -83,7 +83,7 @@ int pkt_sys_set_resource(struct hfi_sys_set_resource_pkt *pkt, u32 id, u32 size,
> res->size = size;
> res->mem = addr;
> pkt->resource_type = HFI_RESOURCE_OCMEM;
> - pkt->hdr.size += sizeof(*res) - sizeof(u32);
> + pkt->hdr.size += sizeof(*res);
> break;
> }
> case VIDC_RESOURCE_NONE:
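Review bot: for the OCMEM path the net hdr.size is unchanged, because the 4 bytes that sizeof(*pkt) loses at hfi_cmds.c:73 (0x14 to 0x10 in the quoted disassembly) are exactly what the removed `- sizeof(u32)` used to subtract here; but any path through this switch that never reaches this `+=` line (the VIDC_RESOURCE_NONE label directly below, if it appends nothing) now reports a header size 4 bytes smaller than before the patch. The commit message should say explicitly whether that smaller value is the intended packet size, i.e. whether the old sizeof(*pkt) at line 73 was over-counting one u32, rather than leaving the reader to infer it from the binary diff.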
> diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.h b/drivers/media/platform/qcom/venus/hfi_cmds.h
> index ba74d03eb9cd..dd9c5066442d 100644
> --- a/drivers/media/platform/qcom/venus/hfi_cmds.h
> +++ b/drivers/media/platform/qcom/venus/hfi_cmds.h
> @@ -56,7 +56,7 @@ struct hfi_sys_set_resource_pkt {
> struct hfi_pkt_hdr hdr;
> u32 resource_handle;
> u32 resource_type;
> - u32 resource_data[1];
> + u32 resource_data[];
> };
>
> struct hfi_sys_release_resource_pkt {
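Review bot: resource_data is the last member, so the flexible-array conversion is well-formed, but a struct ending in a flexible-array member can no longer be embedded as a member of another struct or used as an array element, and sizeof(struct hfi_sys_set_resource_pkt) now excludes the payload entirely; the hunk does not show other users of this type, so the commit message should confirm that every remaining sizeof(*pkt) or sizeof(struct hfi_sys_set_resource_pkt) use accounts for the appended resource explicitly, as the hfi_cmds.c hunk does for the OCMEM case.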
> --
> 2.34.1
>
--
Kees Cook
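The size accounting the commit message describes, as an added example that is not part of this thread or of the venus driver: constructed stand-ins for the HFI structs (assumed layouts of two u32s each for the header and the OCMEM resource; only the relative sizes matter) reproduce the 0x14 and 0x10 values from the quoted disassembly and show where the 4-byte difference lands for a path that appends a resource and for one that does not.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

typedef uint32_t u32;

/* Constructed stand-ins for the venus HFI types (assumption: the header and
 * the OCMEM resource are each two u32s; only relative sizes matter here). */
struct hfi_pkt_hdr { u32 size; u32 pkt_type; };
struct hfi_resource_ocmem { u32 size; u32 mem; };

/* Before the patch: a "fake" flexible array of one element. */
struct set_resource_pkt_old {
	struct hfi_pkt_hdr hdr;
	u32 resource_handle;
	u32 resource_type;
	u32 resource_data[1];
};

/* After the patch: a true flexible-array member. */
struct set_resource_pkt_new {
	struct hfi_pkt_hdr hdr;
	u32 resource_handle;
	u32 resource_type;
	u32 resource_data[];
};

/* hdr.size as the old code computed it: sizeof(*pkt) already counted one u32
 * of resource_data, so the OCMEM path subtracted that u32 back out. */
u32 hdr_size_old(bool ocmem)
{
	u32 size = sizeof(struct set_resource_pkt_old);   /* 0x14 */
	if (ocmem)
		size += sizeof(struct hfi_resource_ocmem) - sizeof(u32);
	return size;
}

/* hdr.size as the new code computes it: sizeof(*pkt) ends at the flexible
 * array, so the whole resource is added; a path that appends nothing is 4 smaller. */
u32 hdr_size_new(bool ocmem)
{
	u32 size = sizeof(struct set_resource_pkt_new);   /* 0x10 */
	if (ocmem)
		size += sizeof(struct hfi_resource_ocmem);
	return size;
}

/* Same arithmetic as the kernel's struct_size(pkt, resource_data, n) for the new layout. */
size_t pkt_bytes_for(size_t n_words)
{
	return offsetof(struct set_resource_pkt_new, resource_data) + n_words * sizeof(u32);
}
```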