From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7655AC7EE23 for ; Wed, 17 May 2023 17:51:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229616AbjEQRu7 (ORCPT ); Wed, 17 May 2023 13:50:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59194 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229476AbjEQRu4 (ORCPT ); Wed, 17 May 2023 13:50:56 -0400 Received: from mail-pg1-x52d.google.com (mail-pg1-x52d.google.com [IPv6:2607:f8b0:4864:20::52d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 15634FA for ; Wed, 17 May 2023 10:50:55 -0700 (PDT) Received: by mail-pg1-x52d.google.com with SMTP id 41be03b00d2f7-51f6461af24so688932a12.2 for ; Wed, 17 May 2023 10:50:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1684345854; x=1686937854; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=zUT9us1DezRMsnLU4PSux8SpLZ48zmMBvlSSjJkncm4=; b=QjotMdSjQZIecoNUy/osx/x608ogH3q/xE1ordj7EdXGfExtIiozjxWLezNEvttun/ x0j8Ew+Eskxu3YuyfNq1LQjCMKoZVu1jnkJRW/IruBQ9tArjYXLG/EFXEp/6ys4DMIPH +1H38AiggKVfv62qiG0zTd3sh6gpXwE47efmE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684345854; x=1686937854; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=zUT9us1DezRMsnLU4PSux8SpLZ48zmMBvlSSjJkncm4=; b=eb71anG0wa0eq4WkFyhFbHhszjT7kKEGz+KRUrwkLPekgJuJeF+rZKS4cYxbJYwaz+ EP4UAU+XbXKcmmDVmD/DqPFwNvHUxNGET0TG+WfD2q1JIIzyi7XGymH5KnoYAqbIrrQN krHZX8b9iQvtcR6iAHz3pCFG2h+encaLGhxye9wxUSF/gd/007Qx06cTJjKQPsgSBnfq VKLrhai1N/ZFJNwztat3KhCuHpmC6fhDjCoAl3uvER3dzr8Uo4z9KrxqsRen8f1kqiwc MQt90FbqxWBPkgcIdDkYPSzypwx9y+QkRhd5/dY5ugraCtf8yU5feS7ExYDpVbRvAJMO 1jKg== X-Gm-Message-State: AC+VfDygvE1a9BQi1b8Y/qLXdFjIc7IcHipVxRJd0hzdIXfDEr3wbJCz 5KQKy9kYMTq7v0YKDssKPhI31A== X-Google-Smtp-Source: ACHHUZ5atc4t6+629ifcijOHATQmHDJlghJcNepJv1I/ddk3F3smO/swEB2POcnGNWpIegFFZScYBw== X-Received: by 2002:a05:6a20:441c:b0:100:bee5:c80d with SMTP id ce28-20020a056a20441c00b00100bee5c80dmr44711959pzb.25.1684345854541; Wed, 17 May 2023 10:50:54 -0700 (PDT) Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241]) by smtp.gmail.com with ESMTPSA id b23-20020aa78117000000b0063d670ad850sm6041141pfi.92.2023.05.17.10.50.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 17 May 2023 10:50:54 -0700 (PDT) Date: Wed, 17 May 2023 10:50:53 -0700 From: Kees Cook To: "Gustavo A. R. Silva" Cc: Stanimir Varbanov , Vikash Garodia , Andy Gross , Bjorn Andersson , Konrad Dybcio , Mauro Carvalho Chehab , linux-media@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH][next] media: venus: hfi_cmds: Replace fake flex-array with flexible-array member Message-ID: <202305171049.9AB52166@keescook> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 16, 2023 at 07:03:39PM -0600, Gustavo A. R. Silva wrote: > One-element arrays are deprecated, and we are replacing them with flexible > array members instead. So, replace one-element arrays with flexible-array > members in struct hfi_sys_set_resource_pkt, and refactor the rest of > the code, accordingly. > > This helps with the ongoing efforts to tighten the FORTIFY_SOURCE > routines on memcpy() and help us make progress towards globally > enabling -fstrict-flex-arrays=3 [1]. > > The only binary differences seen before/after changes are the > following: > > 17ba: mov %rbx,%rdi > 17bd: call 17c2 > 17be: R_X86_64_PLT32 __tsan_write4-0x4 > - 17c2: movl $0x14,(%rbx) > + 17c2: movl $0x10,(%rbx) > 17c8: lea 0x4(%rbx),%rdi > 17cc: call 17d1 > 17cd: R_X86_64_PLT32 __tsan_write4-0x4 > > which is expected once this accounts for the following line of code > at drivers/media/platform/qcom/venus/hfi_cmds.c:73 > > 73 pkt->hdr.size = sizeof(*pkt); > > and as *pkt is of type struct hfi_sys_set_resource_pkt, sizeof(*pkt) is > reduced by 4 bytes, due to the flex-array transformation. Based on the other place that was subtracting the 1 element, this looks like hfi_cmds.c:73 is an existing sizing bug that is now fixed with this patch, yes? Reviewed-by: Kees Cook -Kees > > Link: https://github.com/KSPP/linux/issues/79 > Link: https://github.com/KSPP/linux/issues/293 > Link: https://gcc.gnu.org/pipermail/gcc-patches/2022-October/602902.html [1] > Signed-off-by: Gustavo A. R. Silva > --- > drivers/media/platform/qcom/venus/hfi_cmds.c | 2 +- > drivers/media/platform/qcom/venus/hfi_cmds.h | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.c b/drivers/media/platform/qcom/venus/hfi_cmds.c > index 3f74d518ad08..7c82e212434e 100644 > --- a/drivers/media/platform/qcom/venus/hfi_cmds.c > +++ b/drivers/media/platform/qcom/venus/hfi_cmds.c > @@ -83,7 +83,7 @@ int pkt_sys_set_resource(struct hfi_sys_set_resource_pkt *pkt, u32 id, u32 size, > res->size = size; > res->mem = addr; > pkt->resource_type = HFI_RESOURCE_OCMEM; > - pkt->hdr.size += sizeof(*res) - sizeof(u32); > + pkt->hdr.size += sizeof(*res); > break; > } > case VIDC_RESOURCE_NONE: > diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.h b/drivers/media/platform/qcom/venus/hfi_cmds.h > index ba74d03eb9cd..dd9c5066442d 100644 > --- a/drivers/media/platform/qcom/venus/hfi_cmds.h > +++ b/drivers/media/platform/qcom/venus/hfi_cmds.h > @@ -56,7 +56,7 @@ struct hfi_sys_set_resource_pkt { > struct hfi_pkt_hdr hdr; > u32 resource_handle; > u32 resource_type; > - u32 resource_data[1]; > + u32 resource_data[]; > }; > > struct hfi_sys_release_resource_pkt { > -- > 2.34.1 > -- Kees Cook