From: Kees Cook <keescook@chromium.org>
To: Jason Andryuk <jandryuk@gmail.com>
Cc: Christian Lamparter <chunkeey@googlemail.com>,
	Kalle Valo <kvalo@kernel.org>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>,
	linux-wireless@vger.kernel.org, linux-hardening@vger.kernel.org,
	Nathan Chancellor <nathan@kernel.org>,
	Nick Desaulniers <ndesaulniers@google.com>,
	Tom Rix <trix@redhat.com>,
	linux-kernel@vger.kernel.org, llvm@lists.linux.dev
Subject: Re: [PATCH] wifi: p54: Annotate struct p54_cal_database with __counted_by
Date: Mon, 9 Oct 2023 09:07:17 -0700	[thread overview]
Message-ID: <202310090906.9310CF4434@keescook> (raw)
In-Reply-To: <CAKf6xptEEHJAsrwh_oebK1_AMb+_tvLtiY8sP-Qk=Z9jXhVf7Q@mail.gmail.com>

On Mon, Oct 09, 2023 at 10:55:32AM -0400, Jason Andryuk wrote:
> Hi,
> 
> I randomly peeked at this patch.  Unfortunately, I am not familiar
> with the actual p54 code.
> 
> On Fri, Oct 6, 2023 at 4:17 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > Prepare for the coming implementation by GCC and Clang of the __counted_by
> > attribute. Flexible array members annotated with __counted_by can have
> > their accesses bounds-checked at run-time via CONFIG_UBSAN_BOUNDS (for
> > array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
> > functions).
> >
> > As found with Coccinelle[1], add __counted_by for struct p54_cal_database.
> >
> > Cc: Christian Lamparter <chunkeey@googlemail.com>
> > Cc: Kalle Valo <kvalo@kernel.org>
> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > Cc: linux-wireless@vger.kernel.org
> > Cc: linux-hardening@vger.kernel.org
> > Link: https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci [1]
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> >  drivers/net/wireless/intersil/p54/p54.h | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/wireless/intersil/p54/p54.h b/drivers/net/wireless/intersil/p54/p54.h
> > index 3356ea708d81..770e348d1f6c 100644
> > --- a/drivers/net/wireless/intersil/p54/p54.h
> > +++ b/drivers/net/wireless/intersil/p54/p54.h
> > @@ -126,7 +126,7 @@ struct p54_cal_database {
> >         size_t entry_size;
> >         size_t offset;
> >         size_t len;
> > -       u8 data[];
> > +       u8 data[] __counted_by(entries);
> 
> This looks incorrect - I think you want __counted_by(len)?  The
> presence of entry_size made me suspicious.
> 
> >  };
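Review bot: the counter named in this hunk does not match the allocation. The quoted p54_convert_db() allocates `sizeof(*dst) + payload_len` bytes and stores `payload_len` in `dst->len`, while `entries` is the number of `entry_size`-byte records that follow `offset`, so `__counted_by(entries)` would bound `data[]` at `entries` bytes rather than `len` bytes, and the `memcpy(dst->data, src->data, payload_len)` copying more than that can trip the FORTIFY_SOURCE check on a correctly formed database. The annotation should be `u8 data[] __counted_by(len);`. The assignment order in p54_convert_db() already suits that choice: `dst->len = payload_len;` is written before `data[]` is touched, which the annotation requires.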
> 
> This is the function that creates struct p54_cal_database:
> 
> static struct p54_cal_database *p54_convert_db(struct pda_custom_wrapper *src,
>                                                size_t total_len)
> {
>         struct p54_cal_database *dst;
>         size_t payload_len, entries, entry_size, offset;
> 
>         payload_len = le16_to_cpu(src->len);
>         entries = le16_to_cpu(src->entries);
>         entry_size = le16_to_cpu(src->entry_size);
>         offset = le16_to_cpu(src->offset);
>         if (((entries * entry_size + offset) != payload_len) ||
>              (payload_len + sizeof(*src) != total_len))
>                 return NULL;
> 
>         dst = kmalloc(sizeof(*dst) + payload_len, GFP_KERNEL);
>         if (!dst)
>                 return NULL;
> 
>         dst->entries = entries;
>         dst->entry_size = entry_size;
>         dst->offset = offset;
>         dst->len = payload_len;
> 
>         memcpy(dst->data, src->data, payload_len);
>         return dst;
> }
> 
> You can see that kmalloc is performed with `sizeof(*dst) +
> payload_len`, and payload_len is assigned to ->len.

Agreed!

> I don't read Coccinelle, but, if this patch was auto-generated, I
> wonder if the script has an error.

Yeah, I'm not sure which part went wrong. I will investigate. Thanks for
catching this!

-- 
Kees Cook
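The point of the thread, as an added user-space example that is not part of the mail thread or of the p54 driver: a struct shaped like p54_cal_database with the annotation on the field that actually sizes data[], a conversion routine with the same invariant check as the quoted p54_convert_db(), and a record accessor that bounds by ->len in bytes while ->entries only counts records. The wire header layout (four little-endian u16 fields, then data), the __counted_by fallback macro, the sample buffer and the helper names are assumptions made for this example; cal_data_bound() reports what a counted_by-aware compiler would compute for data[] and (size_t)-1 on a compiler that cannot tell.

```c
/* Added example (not p54 driver code): why data[] must be __counted_by(len)
 * and not __counted_by(entries) in a p54_cal_database-shaped struct. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Kernel-style fallback: use the attribute when the compiler has it. */
#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define __counted_by(member) __attribute__((counted_by(member)))
#  endif
#endif
#ifndef __counted_by
#  define __counted_by(member)
#endif

/* Assumed wire header: little-endian u16 len, entries, entry_size, offset. */
#define WRAPPER_HDR 8

/* Mirror of struct p54_cal_database: data[] holds exactly ->len bytes. */
struct cal_database {
	size_t entries;
	size_t entry_size;
	size_t offset;
	size_t len;
	uint8_t data[] __counted_by(len);
};

static uint16_t le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

struct cal_database *cal_convert(const uint8_t *src, size_t total_len)
{
	size_t payload_len, entries, entry_size, offset;
	struct cal_database *dst;

	if (total_len < WRAPPER_HDR)
		return NULL;
	payload_len = le16(src);
	entries = le16(src + 2);
	entry_size = le16(src + 4);
	offset = le16(src + 6);
	/* Same invariant as the driver; u16 * u16 cannot overflow size_t. */
	if (entries * entry_size + offset != payload_len ||
	    payload_len + WRAPPER_HDR != total_len)
		return NULL;
	dst = malloc(sizeof(*dst) + payload_len);
	if (!dst)
		return NULL;
	dst->entries = entries;
	dst->entry_size = entry_size;
	dst->offset = offset;
	dst->len = payload_len;		/* counter is set before data[] is used */
	memcpy(dst->data, src + WRAPPER_HDR, payload_len);
	return dst;
}

/* Pointer to record i, or NULL when it does not lie inside data[]. */
const uint8_t *cal_entry(const struct cal_database *db, size_t i)
{
	size_t start;

	if (i >= db->entries)
		return NULL;
	start = db->offset + i * db->entry_size;
	if (start + db->entry_size > db->len)	/* byte bound is len, not entries */
		return NULL;
	return db->data + start;
}

/* Size a FORTIFY/UBSAN-style check would use for data[]: db->len with a
 * counted_by-aware compiler, (size_t)-1 ("unknown") otherwise. */
size_t cal_data_bound(const struct cal_database *db)
{
#if defined(__has_builtin)
#  if __has_builtin(__builtin_dynamic_object_size)
	return __builtin_dynamic_object_size(db->data, 1);
#  endif
#endif
	return (size_t)-1;
}

/* Constructed sample: len=7, entries=2, entry_size=3, offset=1,
 * then one pad byte and two 3-byte records. */
static const uint8_t sample_wrapper[WRAPPER_HDR + 7] = {
	7, 0, 2, 0, 3, 0, 1, 0,
	0xAA, 1, 2, 3, 4, 5, 6,
};

struct cal_database *sample_db(void)
{
	static struct cal_database *db;

	if (!db)
		db = cal_convert(sample_wrapper, sizeof(sample_wrapper));
	return db;
}

/* entries=3 makes entries*entry_size+offset != len: must be rejected. */
int sample_rejects_bad_entries(void)
{
	uint8_t bad[sizeof(sample_wrapper)];

	memcpy(bad, sample_wrapper, sizeof(bad));
	bad[2] = 3;
	return cal_convert(bad, sizeof(bad)) == NULL;
}
```

cal_entry() is the accessor a driver would write by hand; with `__counted_by(len)` the same byte bound is what CONFIG_UBSAN_BOUNDS enforces on `db->data[i]` and what CONFIG_FORTIFY_SOURCE uses for the memcpy in cal_convert(), whereas `__counted_by(entries)` would have set that bound to 2 bytes for a 7-byte payload.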

Thread overview:
2023-10-06 20:17 [PATCH] wifi: p54: Annotate struct p54_cal_database with __counted_by Kees Cook
2023-10-06 20:49 ` Gustavo A. R. Silva
2023-10-09 14:55 ` Jason Andryuk
2023-10-09 15:03   ` Gustavo A. R. Silva
2023-10-09 16:07   ` Kees Cook [this message]
2023-10-09 16:18   ` Kees Cook
