[PATCH] xen/gntalloc: Replace UAPI 1-element array

[PATCH] xen/gntalloc: Replace UAPI 1-element array

[Kees Cook]

Without changing the structure size (since it is UAPI), add a proper
flexible array member, and reference it in the kernel so that it will
not be trip the array-bounds sanitizer[1].

Link: https://github.com/KSPP/linux/issues/113 [1]
Cc: Juergen Gross <jgross@suse.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
Cc: xen-devel@lists.xenproject.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/xen/gntalloc.c      | 2 +-
 include/uapi/xen/gntalloc.h | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/xen/gntalloc.c b/drivers/xen/gntalloc.c
index 26ffb8755ffb..f93f73ecefee 100644
--- a/drivers/xen/gntalloc.c
+++ b/drivers/xen/gntalloc.c
@@ -317,7 +317,7 @@ static long gntalloc_ioctl_alloc(struct gntalloc_file_private_data *priv,
 		rc = -EFAULT;
 		goto out_free;
 	}
-	if (copy_to_user(arg->gref_ids, gref_ids,
+	if (copy_to_user(arg->gref_ids_flex, gref_ids,
 			sizeof(gref_ids[0]) * op.count)) {
 		rc = -EFAULT;
 		goto out_free;
diff --git a/include/uapi/xen/gntalloc.h b/include/uapi/xen/gntalloc.h
index 48d2790ef928..3109282672f3 100644
--- a/include/uapi/xen/gntalloc.h
+++ b/include/uapi/xen/gntalloc.h
@@ -31,7 +31,10 @@ struct ioctl_gntalloc_alloc_gref {
 	__u64 index;
 	/* The grant references of the newly created grant, one per page */
 	/* Variable size, depending on count */
-	__u32 gref_ids[1];
+	union {
+		__u32 gref_ids[1];
+		__DECLARE_FLEX_ARRAY(__u32, gref_ids_flex);
+	};
 };
 
 #define GNTALLOC_FLAG_WRITABLE 1
-- 
2.34.1

Re: [PATCH] xen/gntalloc: Replace UAPI 1-element array

[Gustavo A. R. Silva]

On 2/6/24 11:03, Kees Cook wrote:
> Without changing the structure size (since it is UAPI), add a proper
> flexible array member, and reference it in the kernel so that it will
> not be trip the array-bounds sanitizer[1].
> 
> Link: https://github.com/KSPP/linux/issues/113 [1]
> Cc: Juergen Gross <jgross@suse.com>
> Cc: Stefano Stabellini <sstabellini@kernel.org>
> Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
> Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
> Cc: xen-devel@lists.xenproject.org
> Signed-off-by: Kees Cook <keescook@chromium.org>

Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Thanks!
--
Gustavo

> ---
>   drivers/xen/gntalloc.c      | 2 +-
>   include/uapi/xen/gntalloc.h | 5 ++++-
>   2 files changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/xen/gntalloc.c b/drivers/xen/gntalloc.c
> index 26ffb8755ffb..f93f73ecefee 100644
> --- a/drivers/xen/gntalloc.c
> +++ b/drivers/xen/gntalloc.c
> @@ -317,7 +317,7 @@ static long gntalloc_ioctl_alloc(struct gntalloc_file_private_data *priv,
>   		rc = -EFAULT;
>   		goto out_free;
>   	}
> -	if (copy_to_user(arg->gref_ids, gref_ids,
> +	if (copy_to_user(arg->gref_ids_flex, gref_ids,
>   			sizeof(gref_ids[0]) * op.count)) {
>   		rc = -EFAULT;
>   		goto out_free;
> diff --git a/include/uapi/xen/gntalloc.h b/include/uapi/xen/gntalloc.h
> index 48d2790ef928..3109282672f3 100644
> --- a/include/uapi/xen/gntalloc.h
> +++ b/include/uapi/xen/gntalloc.h
> @@ -31,7 +31,10 @@ struct ioctl_gntalloc_alloc_gref {
>   	__u64 index;
>   	/* The grant references of the newly created grant, one per page */
>   	/* Variable size, depending on count */
> -	__u32 gref_ids[1];
> +	union {
> +		__u32 gref_ids[1];
> +		__DECLARE_FLEX_ARRAY(__u32, gref_ids_flex);
> +	};
>   };
>   
>   #define GNTALLOC_FLAG_WRITABLE 1