From: Kees Cook <keescook@chromium.org>
To: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Cc: netdev@vger.kernel.org, Steven Zou <steven.zou@intel.com>,
	intel-wired-lan@lists.osuosl.org,
	linux-hardening@vger.kernel.org
Subject: Re: [Intel-wired-lan] [PATCH net-next v1 1/7] overflow: add DEFINE_FLEX() for on-stack allocs
Date: Thu, 10 Aug 2023 11:46:11 -0700	[thread overview]
Message-ID: <202308101131.D8DEE055@keescook> (raw)
In-Reply-To: <20230810103509.163225-2-przemyslaw.kitszel@intel.com>

On Thu, Aug 10, 2023 at 06:35:03AM -0400, Przemek Kitszel wrote:
> Add DEFINE_FLEX() macro for on-stack allocations of structs with
> flexible array member.
> 
> Add also a const_flex_size() macro that reads the size of structs
> allocated by DEFINE_FLEX().
> 
> Using an underlying array for on-stack storage lets us declare
> known-at-compile-time structures without kzalloc().
> 
> Actual usage for ice driver is in following patches of the series.
> 
> Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
> ---
> v1: change macro name; add macro for size read;
>     accept struct type instead of ptr to it; change alignment;
> ---
>  include/linux/overflow.h | 27 +++++++++++++++++++++++++++
>  1 file changed, 27 insertions(+)
> 
> diff --git a/include/linux/overflow.h b/include/linux/overflow.h
> index f9b60313eaea..21a4410799eb 100644
> --- a/include/linux/overflow.h
> +++ b/include/linux/overflow.h
> @@ -309,4 +309,31 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend)
>  #define struct_size_t(type, member, count)					\
>  	struct_size((type *)NULL, member, count)
>  
> +/**
> + * DEFINE_FLEX() - Define a zeroed, on-stack, instance of @type structure with
> + * a trailing flexible array member.
> + *
> + * @type: structure type name, including "struct" keyword.
> + * @name: Name for a variable to define.
> + * @member: Name of the array member.
> + * @count: Number of elements in the array; must be compile-time const.
> + */
> +#define DEFINE_FLEX(type, name, member, count)					\
> +	union {									\
> +		u8 bytes[struct_size_t(type, member, count)];			\
> +		type obj;							\
> +	} name##_u __aligned(_Alignof(type)) = {};				\
> +	type *name = (type *)&name##_u
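Review bot: the kernel-doc for @count says it "must be compile-time const", but nothing in the macro enforces that; a non-constant count turns `bytes[]` into a variably modified union member and the compiler's error lands on the union, not on the caller's argument. A `_Static_assert(__builtin_constant_p(count), "DEFINE_FLEX() needs a compile-time constant count");` ahead of the union would give a direct diagnostic. The `__aligned(_Alignof(type))` on `name##_u` is redundant: a union already takes the strictest alignment of its members, and `type obj` is one of them. It is also worth stating in the doc that `sizeof(name##_u)` is rounded up to that alignment, so the reserved storage can be a few bytes larger than `struct_size_t(type, member, count)` (e.g. 16 bytes for a 14-byte struct_size with a 4-byte-aligned header).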

We'll need another macro when __counted_by is needed, but yes, if all of
these structs use non-native endian counters, we can't require it in the
base macro. (i.e. not now -- this is fine as-is.)

> +
> +/**
> + * const_flex_size() - Get size of on-stack instance of structure with
> + * a trailing flexible array member.
> + *
> + * @name: Name of the variable, the one defined by DEFINE_FLEX() macro above.
> + *
> + * Get size of @name, which is equivalent to struct_size(name, array, count),
> + * but does not require (repeating) last two arguments.
> + */
> +#define const_flex_size(name)	__builtin_object_size(name, 1)
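Review bot: the kernel-doc claims equivalence with `struct_size(name, array, count)` (the parameter above is named `member`, not `array`), but `__builtin_object_size(name, 1)` reports the size of the enclosing union, which is padded to `_Alignof(type)`, so it can exceed `struct_size()` by up to alignment-1 bytes; and it returns `(size_t)-1` whenever the compiler cannot track `name` back to `name##_u` (e.g. after the pointer has passed through a non-inlined call). Since the macro only applies to a variable defined by DEFINE_FLEX() in the same scope, `sizeof(name##_u.bytes)` yields the exact struct_size() value with no dependence on the optimizer, and would match the documented semantics.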

Naming is hard. ;) I don't like "const" here (it's not a storage
class). But more importantly, this calculation ("how big is this thing
actually?") gets used a lot in the fortify routines, so I'd prefer
exposing those macros (from fortify-string.h):


diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index c88488715a39..4b788fa0c576 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -352,6 +352,18 @@ struct ftrace_likely_data {
 # define __realloc_size(x, ...)
 #endif
 
+/*
+ * When the size of an allocated object is needed, use the best available
+ * mechanism to find it. (For cases where sizeof() cannot be used.)
+ */
+#if __has_builtin(__builtin_dynamic_object_size)
+#define __struct_size(p)	__builtin_dynamic_object_size(p, 0)
+#define __member_size(p)	__builtin_dynamic_object_size(p, 1)
+#else
+#define __struct_size(p)	__builtin_object_size(p, 0)
+#define __member_size(p)	__builtin_object_size(p, 1)
+#endif
+
 #ifndef asm_volatile_goto
 #define asm_volatile_goto(x...) asm goto(x)
 #endif
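Review bot: the new comment says "size of an allocated object" but does not say how the two macros differ or what they return on failure: mode 0 (`__struct_size()`) is the whole enclosing object, mode 1 (`__member_size()`) the closest surrounding subobject, and both return `(size_t)-1` when the pointer cannot be tracked, so code moving from `const_flex_size()` to `__struct_size()` has to cope with that sentinel. Also, `__builtin_dynamic_object_size()` may expand to a runtime expression rather than an integer constant, so `__struct_size()` cannot be used where a constant expression is required (array bounds, `static_assert`); a sentence in the comment would save callers from discovering this at build time.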
diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
index da51a83b2829..1e7711185ec6 100644
--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
@@ -93,13 +93,9 @@ extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size)
 #if __has_builtin(__builtin_dynamic_object_size)
 #define POS			__pass_dynamic_object_size(1)
 #define POS0			__pass_dynamic_object_size(0)
-#define __struct_size(p)	__builtin_dynamic_object_size(p, 0)
-#define __member_size(p)	__builtin_dynamic_object_size(p, 1)
 #else
 #define POS			__pass_object_size(1)
 #define POS0			__pass_object_size(0)
-#define __struct_size(p)	__builtin_object_size(p, 0)
-#define __member_size(p)	__builtin_object_size(p, 1)
 #endif
 
 #define __compiletime_lessthan(bounds, length)	(	\
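Review bot: after these four definitions are removed, fortify-string.h depends on `__struct_size()` and `__member_size()` arriving from compiler_types.h; it is worth confirming that every inclusion path of fortify-string.h pulls in linux/compiler_types.h (normally via linux/compiler.h) before the first fortified call expands, otherwise the build fails with an implicit-declaration error in whatever file hits the macros first. The surviving `#if/#else` now only selects `POS`/`POS0`, which is fine as is.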


And the way DEFINE_FLEX is built, __struct_size() and __member_size()
will give the same result (which is what I was concerned about for
FORTIFY_SOURCE's use of __member_size not "seeing" the flexible array
members).

In this case, I think using __struct_size() in place of const_flex_size()
in the patch series is the way to go.

-- 
Kees Cook
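As an added, stand-alone illustration (not code from this thread or from the kernel tree), the following user-space C mirrors the DEFINE_FLEX() construction using a constructed `struct msg` type and a simplified `STRUCT_SIZE_T()` stand-in for the kernel's struct_size_t(). It shows the points raised above: the `= {}` initializer zeroes the flexible array, `__builtin_object_size()` modes 0 and 1 agree on the union, the union's storage is padded to the struct's alignment and so can exceed struct_size(), and the builtin falls back to `(size_t)-1` when the optimizer cannot track the pointer. `msg_fits()` is a hypothetical receiver-side length check, not anything from the ice driver.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example type: a header followed by a flexible array. */
struct msg {
	uint32_t id;
	uint16_t count;
	uint16_t elems[];	/* flexible array member */
};

/*
 * Stand-in for the kernel's struct_size_t(): sizeof the struct (trailing
 * padding included) plus count elements. The kernel version saturates on
 * overflow; this one assumes a small compile-time constant count.
 */
#define STRUCT_SIZE_T(type, member, count) \
	(sizeof(type) + (size_t)(count) * sizeof(((type *)0)->member[0]))

/* Same shape as the patch's DEFINE_FLEX(): byte storage unioned with the struct. */
#define DEFINE_FLEX(type, name, member, count)				\
	union {								\
		uint8_t bytes[STRUCT_SIZE_T(type, member, count)];	\
		type obj;						\
	} name##_u = {};						\
	type *name = (type *)&name##_u

enum { NELEMS = 3 };

/* Exact struct_size(): 8-byte header + 3 * 2-byte elements = 14. */
size_t flex_exact_size(void)
{
	DEFINE_FLEX(struct msg, m, elems, NELEMS);
	(void)m;
	return sizeof(m_u.bytes);
}

/* What is actually reserved: the union is padded to its alignment (4, from
 * uint32_t), so the 14-byte struct_size becomes 16 bytes of storage. */
size_t flex_storage_size(void)
{
	DEFINE_FLEX(struct msg, m, elems, NELEMS);
	(void)m;
	return sizeof(m_u);
}

/* __struct_size()-style (mode 0) and __member_size()-style (mode 1) queries on
 * the union address: the union is both the whole object and the closest
 * subobject, so both modes report the padded 16, not 14. */
size_t flex_objsize(int member_mode)
{
	DEFINE_FLEX(struct msg, m, elems, NELEMS);
	(void)m;
	return member_mode ? __builtin_object_size(&m_u, 1)
			   : __builtin_object_size(&m_u, 0);
}

/* Same query through the pointer the macro hands out: 16 when the optimizer
 * can see that m == &m_u, (size_t)-1 ("unknown") when it cannot (e.g. -O0). */
size_t flex_objsize_via_ptr(void)
{
	DEFINE_FLEX(struct msg, m, elems, NELEMS);
	return __builtin_object_size(m, 1);
}

/* The "= {}" initializer zeroes the whole union, flexible array included. */
int flex_is_zeroed(void)
{
	DEFINE_FLEX(struct msg, m, elems, NELEMS);
	size_t i;

	(void)m;
	for (i = 0; i < sizeof(m_u.bytes); i++)
		if (m_u.bytes[i] != 0)
			return 0;
	return 1;
}

/* Hypothetical receiver-side check: before trusting the in-band count, make
 * sure the buffer really holds that many elements. 1 = fits, 0 = rejected. */
int msg_fits(const struct msg *m, size_t len)
{
	if (len < sizeof(*m))
		return 0;
	return len >= STRUCT_SIZE_T(struct msg, elems, m->count);
}

/* Fill an on-stack message and run msg_fits() against the exact length, a
 * short length, and a count that overstates the payload. Returns 1 on success. */
int demo(void)
{
	DEFINE_FLEX(struct msg, m, elems, NELEMS);
	size_t len = sizeof(m_u.bytes);
	int i, ok;

	m->id = 0x1234;
	m->count = NELEMS;
	for (i = 0; i < NELEMS; i++)
		m->elems[i] = (uint16_t)(10 * (i + 1));

	ok = msg_fits(m, len);			/* 14 >= 14: fits */
	ok = ok && !msg_fits(m, len - 1);	/* 13 < 14: rejected */
	m->count = NELEMS + 1;
	ok = ok && !msg_fits(m, len);		/* claims 4 elems in 14 bytes: rejected */
	return ok;
}
```

The 14-versus-16 gap is why a size macro built on `__builtin_object_size()` of the union is not interchangeable with struct_size() for byte-exact wire formats, and the pointer-based query is why any caller of the object-size builtins has to handle the `(size_t)-1` result.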
Thread overview:
2023-08-10 10:35 [Intel-wired-lan] [PATCH net-next v1 0/7] introduce DEFINE_FLEX() macro Przemek Kitszel
2023-08-10 10:35 ` [Intel-wired-lan] [PATCH net-next v1 1/7] overflow: add DEFINE_FLEX() for on-stack allocs Przemek Kitszel
2023-08-10 16:24   ` Alexander Lobakin
2023-08-10 18:31     ` Kees Cook
2023-08-16 12:23       ` Alexander Lobakin
2023-08-10 18:46   ` Kees Cook [this message]
2023-08-11  9:10     ` Przemek Kitszel
2023-08-10 10:35 ` [Intel-wired-lan] [PATCH net-next v1 2/7] ice: ice_sched_remove_elems: replace 1 elem array param by u32 Przemek Kitszel
2023-08-10 10:35 ` [Intel-wired-lan] [PATCH net-next v1 3/7] ice: drop two params of ice_aq_move_sched_elems() Przemek Kitszel
2023-08-10 10:35 ` [Intel-wired-lan] [PATCH net-next v1 4/7] ice: make use of DEFINE_FLEX() in ice_ddp.c Przemek Kitszel
2023-08-10 10:35 ` [Intel-wired-lan] [PATCH net-next v1 5/7] ice: make use of DEFINE_FLEX() for struct ice_aqc_add_tx_qgrp Przemek Kitszel
2023-08-10 10:35 ` [Intel-wired-lan] [PATCH net-next v1 6/7] ice: make use of DEFINE_FLEX() for struct ice_aqc_dis_txq_item Przemek Kitszel
2023-08-10 10:35 ` [Intel-wired-lan] [PATCH net-next v1 7/7] ice: make use of DEFINE_FLEX() in ice_switch.c Przemek Kitszel
