Re: [PATCH 1/2][next] clk: socfpga: Fix undefined behavior bug in struct stratix10_clock_data

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kees Cook <keescook@chromium.org>
To: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Dinh Nguyen <dinguyen@kernel.org>,
	Michael Turquette <mturquette@baylibre.com>,
	Stephen Boyd <sboyd@kernel.org>,
	linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH 1/2][next] clk: socfpga: Fix undefined behavior bug in struct stratix10_clock_data
Date: Wed, 11 Oct 2023 14:38:59 -0700	[thread overview]
Message-ID: <202310111438.2D0168C@keescook> (raw)
In-Reply-To: <5dd8483177dc8cd91d021170b6717f2e570bab03.1697059539.git.gustavoars@kernel.org>

On Wed, Oct 11, 2023 at 03:34:03PM -0600, Gustavo A. R. Silva wrote:
> `struct clk_hw_onecell_data` is a flexible structure, which means that
> it contains flexible-array member at the bottom, in this case array
> `hws`:
> 
> include/linux/clk-provider.h:
> 1380 struct clk_hw_onecell_data {
> 1381         unsigned int num;
> 1382         struct clk_hw *hws[] __counted_by(num);
> 1383 };
> 
> This could potentially lead to an overwrite of the objects following
> `clk_data` in `struct stratix10_clock_data`, in this case
> `void __iomem *base;` at run-time:
> 
> drivers/clk/socfpga/stratix10-clk.h:
>   9 struct stratix10_clock_data {
>  10         struct clk_hw_onecell_data      clk_data;
>  11         void __iomem            *base;
>  12 };
> 
> There are currently three different places where memory is allocated for
> `struct stratix10_clock_data`, including the flex-array `hws` in
> `struct clk_hw_onecell_data`:
> 
> drivers/clk/socfpga/clk-agilex.c:
> 469         clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws,
> 470                                 num_clks), GFP_KERNEL);
> 
> drivers/clk/socfpga/clk-agilex.c:
> 509         clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws,
> 510                                 num_clks), GFP_KERNEL);
> 
> drivers/clk/socfpga/clk-s10.c:
> 400         clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws,
> 401                                                  num_clks), GFP_KERNEL);
> 
> I'll use just one of them to describe the issue. See below.
> 
> Notice that a total of 440 bytes are allocated for flexible-array member
> `hws` at line 469:
> 
> include/dt-bindings/clock/agilex-clock.h:
>  70 #define AGILEX_NUM_CLKS	55
> 
> drivers/clk/socfpga/clk-agilex.c:
> 459         struct stratix10_clock_data *clk_data;
> 460         void __iomem *base;
> ...
> 466
> 467         num_clks = AGILEX_NUM_CLKS;
> 468
> 469         clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws,
> 470                                 num_clks), GFP_KERNEL);
> 
> `struct_size(clk_data, clk_data.hws, num_clks)`	above translates to
> sizeof(struct stratix10_clock_data) + sizeof(struct clk_hw *) * 55 ==
> 16 + 8 * 55 == 16 + 440
> 		    ^^^
> 		     |
> 	allocated bytes for flex-array `hws`
> 
> 474         for (i = 0; i < num_clks; i++)
> 475                 clk_data->clk_data.hws[i] = ERR_PTR(-ENOENT);
> 476
> 477         clk_data->base = base;
> 
> and then some data is written into both `hws` and `base` objects.
> 
> Fix this by placing the declaration of object `clk_data` at the end of
> `struct stratix10_clock_data`. Also, add a comment to make it clear
> that this object must always be last in the structure.
> 
> Fixes: ba7e258425ac ("clk: socfpga: Convert to s10/agilex/n5x to use clk_hw")
> Cc: stable@vger.kernel.org
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Nice find!

Reviewed-by: Kees Cook <keescook@chromium.org>

-- 
Kees Cook

next prev parent reply	other threads:[~2023-10-11 21:39 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-11 21:31 [PATCH 0/2][next] Fix undefined behavior bug and add bounds-checking coverage Gustavo A. R. Silva
2023-10-11 21:34 ` [PATCH 1/2][next] clk: socfpga: Fix undefined behavior bug in struct stratix10_clock_data Gustavo A. R. Silva
2023-10-11 21:38   ` Kees Cook [this message]
2023-10-12  1:22     ` Gustavo A. R. Silva
2023-10-11 21:35 ` [PATCH 2/2][next] clk: socfpga: agilex: Add bounds-checking coverage for " Gustavo A. R. Silva
2023-10-11 21:41   ` Kees Cook
2023-10-12  1:22     ` Gustavo A. R. Silva

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202310111438.2D0168C@keescook \
    --to=keescook@chromium.org \
    --cc=dinguyen@kernel.org \
    --cc=gustavoars@kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mturquette@baylibre.com \
    --cc=sboyd@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.