Re: [PATCH] ASoC: Intel: Skylake: Replace 1-element array with flex-array

["Péter Ujfalusi" <peter.ujfalusi@linux.intel.com>]

On 10/02/2023 07:14, Kees Cook wrote:
> The kernel is globally removing the ambiguous 0-length and 1-element
> arrays in favor of flexible arrays, so that we can gain both compile-time
> and run-time array bounds checking[1]. In this instance, struct
> skl_cpr_cfg contains struct skl_cpr_gtw_cfg, which defined "config_data"
> as a 1-element array.
> 
> Normally when switching from a 1-element array to a flex-array, any
> related size calculations must be adjusted too. However, it seems the
> original code was over-allocating space, since 1 extra u32 would be
> included by the sizeof():
> 
>                 param_size = sizeof(struct skl_cpr_cfg);
>                 param_size += mconfig->formats_config[SKL_PARAM_INIT].caps_size;
> 
> But the copy uses caps_size bytes, and cap_size / 4 (i.e. sizeof(u32))
> for the length tracking:
> 
>         memcpy(cpr_mconfig->gtw_cfg.config_data,
>                         mconfig->formats_config[SKL_PARAM_INIT].caps,
>                         mconfig->formats_config[SKL_PARAM_INIT].caps_size);
> 
>         cpr_mconfig->gtw_cfg.config_length =
>                         (mconfig->formats_config[SKL_PARAM_INIT].caps_size) / 4;
> 
> Therefore, no size calculations need adjusting. Change the struct
> skl_cpr_gtw_cfg config_data member to be a true flexible array, which
> also fixes the over-allocation, and silences this memcpy run-time false
> positive:
> 
>   memcpy: detected field-spanning write (size 100) of single field "cpr_mconfig->gtw_cfg.config_data" at sound/soc/intel/skylake/skl-messages.c:554 (size 4)
> 
> [1] For lots of details, see both:
>     https://docs.kernel.org/process/deprecated.html#zero-length-and-one-element-arrays
>     https://people.kernel.org/kees/bounded-flexible-arrays-in-c

Reviewed-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>

> 
> Reported-by: Sasa Ostrouska <casaxa@gmail.com>
> Link: https://lore.kernel.org/all/CALFERdwvq5day_sbDfiUsMSZCQu9HG8-SBpOZDNPeMdZGog6XA@mail.gmail.com/
> Cc: Cezary Rojewski <cezary.rojewski@intel.com>
> Cc: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
> Cc: Liam Girdwood <liam.r.girdwood@linux.intel.com>
> Cc: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
> Cc: Bard Liao <yung-chuan.liao@linux.intel.com>
> Cc: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
> Cc: Kai Vehmanen <kai.vehmanen@linux.intel.com>
> Cc: Mark Brown <broonie@kernel.org>
> Cc: Jaroslav Kysela <perex@perex.cz>
> Cc: Takashi Iwai <tiwai@suse.com>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: "Amadeusz Sławiński" <amadeuszx.slawinski@linux.intel.com>
> Cc: alsa-devel@alsa-project.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  sound/soc/intel/skylake/skl-topology.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/sound/soc/intel/skylake/skl-topology.h b/sound/soc/intel/skylake/skl-topology.h
> index 6db0fd7bad49..ad94f8020c27 100644
> --- a/sound/soc/intel/skylake/skl-topology.h
> +++ b/sound/soc/intel/skylake/skl-topology.h
> @@ -115,7 +115,7 @@ struct skl_cpr_gtw_cfg {
>  	u32 dma_buffer_size;
>  	u32 config_length;
>  	/* not mandatory; required only for DMIC/I2S */
> -	u32 config_data[1];
> +	u32 config_data[];
>  } __packed;
>  
>  struct skl_dma_control {

-- 
Péter