public inbox for linux-kernel@vger.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Nathan Lynch <nathanl@linux.ibm.com>,
	Michael Ellerman <mpe@ellerman.id.au>,
	Sasha Levin <sashal@kernel.org>,
	nathan@kernel.org, vaibhav@linux.ibm.com, gautam@linux.ibm.com,
	amachhiw@linux.vnet.ibm.com, jniethe5@gmail.com,
	sshegde@linux.ibm.com, linuxppc-dev@lists.ozlabs.org,
	llvm@lists.linux.dev
Subject: [PATCH AUTOSEL 6.9 19/23] powerpc/pseries: Enforce hcall result buffer validity and size
Date: Mon, 27 May 2024 11:50:20 -0400
Message-ID: <20240527155123.3863983-19-sashal@kernel.org>
In-Reply-To: <20240527155123.3863983-1-sashal@kernel.org>

From: Nathan Lynch <nathanl@linux.ibm.com>

[ Upstream commit ff2e185cf73df480ec69675936c4ee75a445c3e4 ]

plpar_hcall(), plpar_hcall9(), and related functions expect callers to
provide valid result buffers of certain minimum size. Currently this
is communicated only through comments in the code and the compiler has
no idea.

For example, if I write a bug like this:

  long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE
  plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);

This compiles with no diagnostics emitted, but likely results in stack
corruption at runtime when plpar_hcall9() stores results past the end
of the array. (To be clear this is a contrived example and I have not
found a real instance yet.)

To make this class of error less likely, we can use explicitly-sized
array parameters instead of pointers in the declarations for the hcall
APIs. When compiled with -Warray-bounds[1], the code above now
provokes a diagnostic like this:

error: array argument is too small;
is of size 32, callee requires at least 72 [-Werror,-Warray-bounds]
   60 |                 plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,
      |                 ^                                   ~~~~~~

[1] Enabled for LLVM builds but not GCC for now. See commit
    0da6e5fd6c37 ("gcc: disable '-Warray-bounds' for gcc-13 too") and
    related changes.

Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240408-pseries-hvcall-retbuf-v1-1-ebc73d7253cf@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/include/asm/hvcall.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h
index a41e542ba94dd..39cd1ca4ccb9c 100644
--- a/arch/powerpc/include/asm/hvcall.h
+++ b/arch/powerpc/include/asm/hvcall.h
@@ -524,7 +524,7 @@ long plpar_hcall_norets_notrace(unsigned long opcode, ...);
  * Used for all but the craziest of phyp interfaces (see plpar_hcall9)
  */
 #define PLPAR_HCALL_BUFSIZE 4
-long plpar_hcall(unsigned long opcode, unsigned long *retbuf, ...);
+long plpar_hcall(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL_BUFSIZE], ...);
 
 /**
  * plpar_hcall_raw: - Make a hypervisor call without calculating hcall stats
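Review bot: besides the minimum size, the `[static PLPAR_HCALL_BUFSIZE]` qualifier in the new plpar_hcall() prototype also promises the compiler that retbuf is never NULL, so a caller that passes NULL (or a pointer the optimizer can prove may be NULL) now has undefined behaviour instead of a plain fault. The hunk shows no callers, so please confirm none rely on a NULL retbuf before this is backported; also note that the diagnostic the changelog describes only appears in clang builds, since -Warray-bounds is disabled for GCC, so GCC-only configurations gain the documentation value but not the warning.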
@@ -538,7 +538,7 @@ long plpar_hcall(unsigned long opcode, unsigned long *retbuf, ...);
  * plpar_hcall, but plpar_hcall_raw works in real mode and does not
  * calculate hypervisor call statistics.
  */
-long plpar_hcall_raw(unsigned long opcode, unsigned long *retbuf, ...);
+long plpar_hcall_raw(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL_BUFSIZE], ...);
 
 /**
  * plpar_hcall9: - Make a pseries hypervisor call with up to 9 return arguments
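Review bot: the kernel-doc for plpar_hcall_raw (the comment just above the changed prototype) describes it only in terms of plpar_hcall and real mode, and says nothing about how large retbuf must be. Now that the prototype encodes PLPAR_HCALL_BUFSIZE, consider adding the same sentence plpar_hcall9's comment already has ("... PLPAR_HCALL_BUFSIZE to size the return argument buffer") so that readers of the documentation get the information the compiler now has. It is also worth a line in the changelog that the qualifier emits no code, which matters for a function documented to run in real mode.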
@@ -549,8 +549,8 @@ long plpar_hcall_raw(unsigned long opcode, unsigned long *retbuf, ...);
  * PLPAR_HCALL9_BUFSIZE to size the return argument buffer.
  */
 #define PLPAR_HCALL9_BUFSIZE 9
-long plpar_hcall9(unsigned long opcode, unsigned long *retbuf, ...);
-long plpar_hcall9_raw(unsigned long opcode, unsigned long *retbuf, ...);
+long plpar_hcall9(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL9_BUFSIZE], ...);
+long plpar_hcall9_raw(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL9_BUFSIZE], ...);
 
 /* pseries hcall tracing */
 extern struct static_key hcall_tracepoint_key;
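Review bot: the `[static PLPAR_HCALL9_BUFSIZE]` form on plpar_hcall9() and plpar_hcall9_raw() only produces a diagnostic when the array type is visible at the call site; a wrapper that receives `unsigned long *retbuf` and forwards it, or a buffer obtained from an allocator, silently passes the check, so this is a compile-time aid rather than a bounds check. A follow-up could convert such forwarding wrappers to the sized form too, so the requirement propagates to their callers. On the positive side, PLPAR_HCALL9_BUFSIZE (9) is defined directly above both prototypes, so the size in the type cannot drift from the macro.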
-- 
2.43.0
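The following is an added example and is not part of the patch or of the kernel: a user-space stand-in for the plpar_hcall9() prototype change, showing what a `retbuf[static N]` parameter buys, a portable compile-time guard for compilers where -Warray-bounds is off, and the case neither can catch. fake_hcall9(), FAKE_H_SUCCESS, FAKE_H_PARAMETER, FAKE_HCALL9(), hcall9_checked() and the callers are constructed names; only the buffer sizes and the `[static N]` idiom come from the patch.

```c
/*
 * Added example (not kernel code): a user-space model of the hcall
 * prototypes from the patch. Everything prefixed FAKE_/fake_ and the
 * helper callers are constructed here.
 */
#include <stddef.h>

#define HCALL_BUFSIZE  4   /* mirrors PLPAR_HCALL_BUFSIZE  */
#define HCALL9_BUFSIZE 9   /* mirrors PLPAR_HCALL9_BUFSIZE */

/* Constructed return codes standing in for the real H_* values. */
#define FAKE_H_SUCCESS   0L
#define FAKE_H_PARAMETER (-4L)

/*
 * `retbuf[static HCALL9_BUFSIZE]` is still a pointer at the ABI level; the
 * qualifier only promises the compiler that the caller supplies at least
 * nine elements and never NULL. Clang's -Warray-bounds uses that promise to
 * reject a too-small array argument at the call site. No code is emitted
 * for it, so it is equally valid for a function that must run in real mode.
 */
long fake_hcall9(unsigned long opcode, unsigned long retbuf[static HCALL9_BUFSIZE])
{
	/* Stand-in for the hypervisor: deterministic values in all nine slots. */
	for (size_t i = 0; i < HCALL9_BUFSIZE; i++)
		retbuf[i] = opcode * 100 + i;
	return FAKE_H_SUCCESS;
}

/*
 * The diagnostic quoted in the commit message is clang-only today. This
 * guard gives the same compile-time refusal on any C compiler, for genuine
 * arrays: a false condition declares char[-1], which cannot compile. A
 * pointer argument has ARRAY_LEN() == 1 and is rejected as well.
 */
#define ARRAY_LEN(a)  (sizeof(a) / sizeof((a)[0]))
#define MUST_HOLD(c)  ((void)sizeof(char[1 - 2 * !(c)]))
#define FAKE_HCALL9(op, buf) \
	(MUST_HOLD(ARRAY_LEN(buf) >= HCALL9_BUFSIZE), fake_hcall9((op), (buf)))

/* Correctly sized caller: compiles cleanly and reads back all nine slots. */
unsigned long good_caller_sum(unsigned long opcode)
{
	unsigned long retbuf[HCALL9_BUFSIZE];
	unsigned long sum = 0;

	if (FAKE_HCALL9(opcode, retbuf) != FAKE_H_SUCCESS)
		return 0;
	for (size_t i = 0; i < HCALL9_BUFSIZE; i++)
		sum += retbuf[i];
	return sum;
}

#ifdef SHOW_THE_BUG
/*
 * The bug from the commit message. With the old `unsigned long *retbuf`
 * prototype this compiled silently and stored five words past the array.
 * With `[static 9]`, clang -Warray-bounds reports "array argument is too
 * small; is of size 32, callee requires at least 72"; routing the call
 * through FAKE_HCALL9() instead fails to compile on every compiler.
 */
long bad_caller(unsigned long opcode)
{
	unsigned long retbuf[HCALL_BUFSIZE];	/* should be HCALL9_BUFSIZE */
	return fake_hcall9(opcode, retbuf);
}
#endif

/*
 * Limit of the technique: once the buffer is reached through a pointer
 * (heap allocation, struct member, forwarded parameter) its element count
 * is invisible to the compiler and neither `static N` nor the macro can
 * help. The remaining defence is an explicit length check before the call.
 */
long hcall9_checked(unsigned long opcode, unsigned long *buf, size_t nelems)
{
	if (buf == NULL || nelems < HCALL9_BUFSIZE)
		return FAKE_H_PARAMETER;
	return fake_hcall9(opcode, buf);
}

/* Exercise hcall9_checked() with a caller that claims `have` usable slots. */
long checked_call(size_t have)
{
	unsigned long buf[HCALL9_BUFSIZE];
	return hcall9_checked(3, buf, have);
}
```

Build it with `clang -std=c11 -Warray-bounds -DSHOW_THE_BUG` to see the same diagnostic the commit message quotes for bad_caller(); without the define it compiles cleanly, and good_caller_sum(7) sums the nine constructed values 700..708.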

