[PATCH] usb: ch9: Replace bmSublinkSpeedAttr 1-element array with flexible array

[PATCH] usb: ch9: Replace bmSublinkSpeedAttr 1-element array with flexible array

[Kees Cook]

Since commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3"),
UBSAN_BOUNDS no longer pretends 1-element arrays are unbounded. Walking
bmSublinkSpeedAttr will trigger a warning, so make it a proper flexible
array. Add a union to keep the struct size identical for userspace in
case anything was depending on the old size.

False positive warning was:

UBSAN: array-index-out-of-bounds in drivers/usb/host/xhci-hub.c:231:31 index 1 is out of range for type '__le32 [1]'

for this line of code:

	ssp_cap->bmSublinkSpeedAttr[offset++] = cpu_to_le32(attr);

Reported-by: Borislav Petkov <bp@alien8.de>
Closes: https://lore.kernel.org/lkml/2023062945-fencing-pebble-0411@gregkh/
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 include/uapi/linux/usb/ch9.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/usb/ch9.h b/include/uapi/linux/usb/ch9.h
index b17e3a21b15f..3ff98c7ba7e3 100644
--- a/include/uapi/linux/usb/ch9.h
+++ b/include/uapi/linux/usb/ch9.h
@@ -981,7 +981,11 @@ struct usb_ssp_cap_descriptor {
 #define USB_SSP_MIN_RX_LANE_COUNT		(0xf << 8)
 #define USB_SSP_MIN_TX_LANE_COUNT		(0xf << 12)
 	__le16 wReserved;
-	__le32 bmSublinkSpeedAttr[1]; /* list of sublink speed attrib entries */
+	union {
+		__le32 legacy_padding;
+		/* list of sublink speed attrib entries */
+		__DECLARE_FLEX_ARRAY(__le32, bmSublinkSpeedAttr);
+	};
 #define USB_SSP_SUBLINK_SPEED_SSID	(0xf)		/* sublink speed ID */
 #define USB_SSP_SUBLINK_SPEED_LSE	(0x3 << 4)	/* Lanespeed exponent */
 #define USB_SSP_SUBLINK_SPEED_LSE_BPS		0
-- 
2.34.1

Re: [PATCH] usb: ch9: Replace bmSublinkSpeedAttr 1-element array with flexible array

[Greg Kroah-Hartman]

On Thu, Jun 29, 2023 at 12:09:00PM -0700, Kees Cook wrote:
> Since commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3"),
> UBSAN_BOUNDS no longer pretends 1-element arrays are unbounded. Walking
> bmSublinkSpeedAttr will trigger a warning, so make it a proper flexible
> array. Add a union to keep the struct size identical for userspace in
> case anything was depending on the old size.
> 
> False positive warning was:
> 
> UBSAN: array-index-out-of-bounds in drivers/usb/host/xhci-hub.c:231:31 index 1 is out of range for type '__le32 [1]'
> 
> for this line of code:
> 
> 	ssp_cap->bmSublinkSpeedAttr[offset++] = cpu_to_le32(attr);
> 
> Reported-by: Borislav Petkov <bp@alien8.de>
> Closes: https://lore.kernel.org/lkml/2023062945-fencing-pebble-0411@gregkh/
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  include/uapi/linux/usb/ch9.h | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)

Thanks for the quick response, I'll queue it up after 6.5-rc1 is out.

Boris, can you test if this fixes the issue you see or not?

greg k-h

Re: [PATCH] usb: ch9: Replace bmSublinkSpeedAttr 1-element array with flexible array

[Borislav Petkov]

On Thu, Jun 29, 2023 at 09:17:23PM +0200, Greg Kroah-Hartman wrote:
> Boris, can you test if this fixes the issue you see or not?

Tested-by: Borislav Petkov (AMD) <bp@alien8.de>

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] usb: ch9: Replace bmSublinkSpeedAttr 1-element array with flexible array

[Kees Cook]

On Thu, Jun 29, 2023 at 09:17:23PM +0200, Greg Kroah-Hartman wrote:
> On Thu, Jun 29, 2023 at 12:09:00PM -0700, Kees Cook wrote:
> > Since commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3"),
> > UBSAN_BOUNDS no longer pretends 1-element arrays are unbounded. Walking
> > bmSublinkSpeedAttr will trigger a warning, so make it a proper flexible
> > array. Add a union to keep the struct size identical for userspace in
> > case anything was depending on the old size.
> > 
> > False positive warning was:
> > 
> > UBSAN: array-index-out-of-bounds in drivers/usb/host/xhci-hub.c:231:31 index 1 is out of range for type '__le32 [1]'
> > 
> > for this line of code:
> > 
> > 	ssp_cap->bmSublinkSpeedAttr[offset++] = cpu_to_le32(attr);
> > 
> > Reported-by: Borislav Petkov <bp@alien8.de>
> > Closes: https://lore.kernel.org/lkml/2023062945-fencing-pebble-0411@gregkh/
> > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> >  include/uapi/linux/usb/ch9.h | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> Thanks for the quick response, I'll queue it up after 6.5-rc1 is out.

I'm going to send this before -rc1, since we've had another report[1] that
was fixed by this. Given the verification there and Boris's testing, I
think this is good to land. I'll toss it in -next now and send it to
Linus on Friday after making sure there are no more surprises.

-Kees

[1] https://lore.kernel.org/lkml/DA3FEB08-DF39-406B-89CC-9076CFCF597A@kernel.org/

-- 
Kees Cook

Re: [PATCH] usb: ch9: Replace bmSublinkSpeedAttr 1-element array with flexible array

[Greg Kroah-Hartman]

On Wed, Jul 05, 2023 at 02:11:03PM -0700, Kees Cook wrote:
> On Thu, Jun 29, 2023 at 09:17:23PM +0200, Greg Kroah-Hartman wrote:
> > On Thu, Jun 29, 2023 at 12:09:00PM -0700, Kees Cook wrote:
> > > Since commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3"),
> > > UBSAN_BOUNDS no longer pretends 1-element arrays are unbounded. Walking
> > > bmSublinkSpeedAttr will trigger a warning, so make it a proper flexible
> > > array. Add a union to keep the struct size identical for userspace in
> > > case anything was depending on the old size.
> > > 
> > > False positive warning was:
> > > 
> > > UBSAN: array-index-out-of-bounds in drivers/usb/host/xhci-hub.c:231:31 index 1 is out of range for type '__le32 [1]'
> > > 
> > > for this line of code:
> > > 
> > > 	ssp_cap->bmSublinkSpeedAttr[offset++] = cpu_to_le32(attr);
> > > 
> > > Reported-by: Borislav Petkov <bp@alien8.de>
> > > Closes: https://lore.kernel.org/lkml/2023062945-fencing-pebble-0411@gregkh/
> > > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > ---
> > >  include/uapi/linux/usb/ch9.h | 6 +++++-
> > >  1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > Thanks for the quick response, I'll queue it up after 6.5-rc1 is out.
> 
> I'm going to send this before -rc1, since we've had another report[1] that
> was fixed by this. Given the verification there and Boris's testing, I
> think this is good to land. I'll toss it in -next now and send it to
> Linus on Friday after making sure there are no more surprises.
> 
> -Kees
> 
> [1] https://lore.kernel.org/lkml/DA3FEB08-DF39-406B-89CC-9076CFCF597A@kernel.org/

No problem:

Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Re: [PATCH] usb: ch9: Replace bmSublinkSpeedAttr 1-element array with flexible array

[Gustavo A. R. Silva]

On 6/29/23 13:09, Kees Cook wrote:
> Since commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3"),
> UBSAN_BOUNDS no longer pretends 1-element arrays are unbounded. Walking
> bmSublinkSpeedAttr will trigger a warning, so make it a proper flexible
> array. Add a union to keep the struct size identical for userspace in
> case anything was depending on the old size.
> 
> False positive warning was:
> 
> UBSAN: array-index-out-of-bounds in drivers/usb/host/xhci-hub.c:231:31 index 1 is out of range for type '__le32 [1]'
> 
> for this line of code:
> 
> 	ssp_cap->bmSublinkSpeedAttr[offset++] = cpu_to_le32(attr);
> 
> Reported-by: Borislav Petkov <bp@alien8.de>
> Closes: https://lore.kernel.org/lkml/2023062945-fencing-pebble-0411@gregkh/
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Signed-off-by: Kees Cook <keescook@chromium.org>

Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Thanks!
--
Gustavo

> ---
>   include/uapi/linux/usb/ch9.h | 6 +++++-
>   1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/include/uapi/linux/usb/ch9.h b/include/uapi/linux/usb/ch9.h
> index b17e3a21b15f..3ff98c7ba7e3 100644
> --- a/include/uapi/linux/usb/ch9.h
> +++ b/include/uapi/linux/usb/ch9.h
> @@ -981,7 +981,11 @@ struct usb_ssp_cap_descriptor {
>   #define USB_SSP_MIN_RX_LANE_COUNT		(0xf << 8)
>   #define USB_SSP_MIN_TX_LANE_COUNT		(0xf << 12)
>   	__le16 wReserved;
> -	__le32 bmSublinkSpeedAttr[1]; /* list of sublink speed attrib entries */
> +	union {
> +		__le32 legacy_padding;
> +		/* list of sublink speed attrib entries */
> +		__DECLARE_FLEX_ARRAY(__le32, bmSublinkSpeedAttr);
> +	};
>   #define USB_SSP_SUBLINK_SPEED_SSID	(0xf)		/* sublink speed ID */
>   #define USB_SSP_SUBLINK_SPEED_LSE	(0x3 << 4)	/* Lanespeed exponent */
>   #define USB_SSP_SUBLINK_SPEED_LSE_BPS		0