[PATCH][next] media: usb: siano: Fix undefined behavior bug in struct smsusb_urb

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH][next] media: usb: siano: Fix undefined behavior bug in struct smsusb_urb_t
@ 2023-09-29 15:42 Gustavo A. R. Silva
  2023-09-29 16:20 ` Jann Horn
  2023-09-29 17:28 ` Kees Cook
  0 siblings, 2 replies; 6+ messages in thread
From: Gustavo A. R. Silva @ 2023-09-29 15:42 UTC (permalink / raw)
  To: Mauro Carvalho Chehab
  Cc: linux-media, linux-kernel, Gustavo A. R. Silva, linux-hardening

`struct urb` is a flexible structure, which means that it contains a
flexible-array member at the bottom. This could potentially lead to an
overwrite of the object `wq` at run-time with the contents of `urb`.

Fix this by placing object `urb` at the end of `struct smsusb_urb_t`.

Fixes: dd47fbd40e6e ("[media] smsusb: don't sleep while atomic")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 drivers/media/usb/siano/smsusb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
index 9d9e14c858e6..2c048f8e8371 100644
--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -40,10 +40,10 @@ struct smsusb_urb_t {
 	struct smscore_buffer_t *cb;
 	struct smsusb_device_t *dev;
 
-	struct urb urb;
-
 	/* For the bottom half */
 	struct work_struct wq;
+
+	struct urb urb;
 };
 
 struct smsusb_device_t {
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH][next] media: usb: siano: Fix undefined behavior bug in struct smsusb_urb_t
  2023-09-29 15:42 [PATCH][next] media: usb: siano: Fix undefined behavior bug in struct smsusb_urb_t Gustavo A. R. Silva
@ 2023-09-29 16:20 ` Jann Horn
  2023-09-30  7:01   ` Greg Kroah-Hartman
  2023-09-29 17:28 ` Kees Cook
  1 sibling, 1 reply; 6+ messages in thread
From: Jann Horn @ 2023-09-29 16:20 UTC (permalink / raw)
  To: Gustavo A. R. Silva, Greg Kroah-Hartman, USB list
  Cc: Mauro Carvalho Chehab, linux-media, linux-kernel, linux-hardening

On Fri, Sep 29, 2023 at 5:42 PM Gustavo A. R. Silva
<gustavoars@kernel.org> wrote:
> `struct urb` is a flexible structure, which means that it contains a
> flexible-array member at the bottom. This could potentially lead to an
> overwrite of the object `wq` at run-time with the contents of `urb`.
>
> Fix this by placing object `urb` at the end of `struct smsusb_urb_t`.

Does this really change the situation? "struct smsusb_device_t"
contains an array of "struct smsusb_urb_t", so it seems to be like
you're just shifting the "VLA inside a non-final member of a struct"
thing around so that there is one more layer of abstraction in
between.

Comments on "struct urb" say:

 * Isochronous URBs have a different data transfer model, in part because
 * the quality of service is only "best effort".  Callers provide specially
 * allocated URBs, with number_of_packets worth of iso_frame_desc structures
 * at the end.

and:

/* (in) ISO ONLY */

And it looks like smsusb only uses that URB as a bulk URB, so the flex
array is unused and we can't have an overflow here?

If this is intended to make it possible to enable some kinda compiler
warning, it might be worth talking to the USB folks to figure out the
right approach here.

> Fixes: dd47fbd40e6e ("[media] smsusb: don't sleep while atomic")
> Cc: stable@vger.kernel.org
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
>  drivers/media/usb/siano/smsusb.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
> index 9d9e14c858e6..2c048f8e8371 100644
> --- a/drivers/media/usb/siano/smsusb.c
> +++ b/drivers/media/usb/siano/smsusb.c
> @@ -40,10 +40,10 @@ struct smsusb_urb_t {
>         struct smscore_buffer_t *cb;
>         struct smsusb_device_t *dev;
>
> -       struct urb urb;
> -
>         /* For the bottom half */
>         struct work_struct wq;
> +
> +       struct urb urb;
>  };
>
>  struct smsusb_device_t {
> --
> 2.34.1
>
>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH][next] media: usb: siano: Fix undefined behavior bug in struct smsusb_urb_t
  2023-09-29 15:42 [PATCH][next] media: usb: siano: Fix undefined behavior bug in struct smsusb_urb_t Gustavo A. R. Silva
  2023-09-29 16:20 ` Jann Horn
@ 2023-09-29 17:28 ` Kees Cook
  2023-09-29 17:40   ` Jann Horn
  1 sibling, 1 reply; 6+ messages in thread
From: Kees Cook @ 2023-09-29 17:28 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Mauro Carvalho Chehab, linux-media, linux-kernel, linux-hardening

On Fri, Sep 29, 2023 at 05:42:11PM +0200, Gustavo A. R. Silva wrote:
> `struct urb` is a flexible structure, which means that it contains a
> flexible-array member at the bottom. This could potentially lead to an
> overwrite of the object `wq` at run-time with the contents of `urb`.
> 
> Fix this by placing object `urb` at the end of `struct smsusb_urb_t`.
> 
> Fixes: dd47fbd40e6e ("[media] smsusb: don't sleep while atomic")
> Cc: stable@vger.kernel.org
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>

As Jann pointed out, it's unlikely there is a function bug here, but I
still think it's right to make sure this is robust and clears the way
for -Wflex-array-member-not-at-end.

Reviewed-by: Kees Cook <keescook@chromium.org>

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH][next] media: usb: siano: Fix undefined behavior bug in struct smsusb_urb_t
  2023-09-29 17:28 ` Kees Cook
@ 2023-09-29 17:40   ` Jann Horn
  0 siblings, 0 replies; 6+ messages in thread
From: Jann Horn @ 2023-09-29 17:40 UTC (permalink / raw)
  To: Kees Cook
  Cc: Gustavo A. R. Silva, Mauro Carvalho Chehab, linux-media,
	linux-kernel, linux-hardening

On Fri, Sep 29, 2023 at 7:29 PM Kees Cook <keescook@chromium.org> wrote:
> On Fri, Sep 29, 2023 at 05:42:11PM +0200, Gustavo A. R. Silva wrote:
> > `struct urb` is a flexible structure, which means that it contains a
> > flexible-array member at the bottom. This could potentially lead to an
> > overwrite of the object `wq` at run-time with the contents of `urb`.
> >
> > Fix this by placing object `urb` at the end of `struct smsusb_urb_t`.
> >
> > Fixes: dd47fbd40e6e ("[media] smsusb: don't sleep while atomic")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
>
> As Jann pointed out, it's unlikely there is a function bug here, but I
> still think it's right to make sure this is robust and clears the way
> for -Wflex-array-member-not-at-end.

But if this change makes the warning go away, that just means the
warning is implemented badly, right?

Like, before we had:

struct urb {
  ...
  struct usb_iso_packet_descriptor iso_frame_desc[];
};
struct smsusb_urb_t {
  ...
  struct urb urb; // not last element
  ...
};

whereas afterwards we have:

struct urb {
  ...
  struct usb_iso_packet_descriptor iso_frame_desc[];
};
struct smsusb_urb_t {
  ...
  struct urb urb;
};
struct smsusb_device_t {
  ...
  struct smsusb_urb_t surbs[MAX_URBS]; // array, and not last element
  ...
};

That's basically the same pattern! Except that the new version has one
more layer of indirection and there's an array involved.

And you can't address that by moving struct members around because of
the involvement of the array.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH][next] media: usb: siano: Fix undefined behavior bug in struct smsusb_urb_t
  2023-09-29 16:20 ` Jann Horn
@ 2023-09-30  7:01   ` Greg Kroah-Hartman
  2023-10-01  6:58     ` Gustavo A. R. Silva
  0 siblings, 1 reply; 6+ messages in thread
From: Greg Kroah-Hartman @ 2023-09-30  7:01 UTC (permalink / raw)
  To: Jann Horn
  Cc: Gustavo A. R. Silva, USB list, Mauro Carvalho Chehab, linux-media,
	linux-kernel, linux-hardening

On Fri, Sep 29, 2023 at 06:20:10PM +0200, Jann Horn wrote:
> On Fri, Sep 29, 2023 at 5:42 PM Gustavo A. R. Silva
> <gustavoars@kernel.org> wrote:
> > `struct urb` is a flexible structure, which means that it contains a
> > flexible-array member at the bottom. This could potentially lead to an
> > overwrite of the object `wq` at run-time with the contents of `urb`.
> >
> > Fix this by placing object `urb` at the end of `struct smsusb_urb_t`.
> 
> Does this really change the situation? "struct smsusb_device_t"
> contains an array of "struct smsusb_urb_t", so it seems to be like
> you're just shifting the "VLA inside a non-final member of a struct"
> thing around so that there is one more layer of abstraction in
> between.
> 
> Comments on "struct urb" say:
> 
>  * Isochronous URBs have a different data transfer model, in part because
>  * the quality of service is only "best effort".  Callers provide specially
>  * allocated URBs, with number_of_packets worth of iso_frame_desc structures
>  * at the end.
> 
> and:
> 
> /* (in) ISO ONLY */
> 
> And it looks like smsusb only uses that URB as a bulk URB, so the flex
> array is unused and we can't have an overflow here?
> 
> If this is intended to make it possible to enable some kinda compiler
> warning, it might be worth talking to the USB folks to figure out the
> right approach here.
> 
> > Fixes: dd47fbd40e6e ("[media] smsusb: don't sleep while atomic")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> > ---
> >  drivers/media/usb/siano/smsusb.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
> > index 9d9e14c858e6..2c048f8e8371 100644
> > --- a/drivers/media/usb/siano/smsusb.c
> > +++ b/drivers/media/usb/siano/smsusb.c
> > @@ -40,10 +40,10 @@ struct smsusb_urb_t {
> >         struct smscore_buffer_t *cb;
> >         struct smsusb_device_t *dev;
> >
> > -       struct urb urb;
> > -
> >         /* For the bottom half */
> >         struct work_struct wq;
> > +
> > +       struct urb urb;
> >  };

Yeah, this is going to get messy.  Ideally, just dynamically create the
urb and change this to a "struct urb *urb;" instead.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH][next] media: usb: siano: Fix undefined behavior bug in struct smsusb_urb_t
  2023-09-30  7:01   ` Greg Kroah-Hartman
@ 2023-10-01  6:58     ` Gustavo A. R. Silva
  0 siblings, 0 replies; 6+ messages in thread
From: Gustavo A. R. Silva @ 2023-10-01  6:58 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Jann Horn
  Cc: Gustavo A. R. Silva, USB list, Mauro Carvalho Chehab, linux-media,
	linux-kernel, linux-hardening



On 9/30/23 09:01, Greg Kroah-Hartman wrote:
> On Fri, Sep 29, 2023 at 06:20:10PM +0200, Jann Horn wrote:
>> On Fri, Sep 29, 2023 at 5:42 PM Gustavo A. R. Silva
>> <gustavoars@kernel.org> wrote:
>>> `struct urb` is a flexible structure, which means that it contains a
>>> flexible-array member at the bottom. This could potentially lead to an
>>> overwrite of the object `wq` at run-time with the contents of `urb`.
>>>
>>> Fix this by placing object `urb` at the end of `struct smsusb_urb_t`.
>>
>> Does this really change the situation? "struct smsusb_device_t"
>> contains an array of "struct smsusb_urb_t", so it seems to be like

Yeah. I noticed that too.

Probably what Greg suggests (dynamically create the urb) can fix this, too.

I haven't taken a deep dive into this particular case. So, let me go and
figure something out.

>> you're just shifting the "VLA inside a non-final member of a struct"
>> thing around so that there is one more layer of abstraction in
>> between.
>>
>> Comments on "struct urb" say:
>>
>>   * Isochronous URBs have a different data transfer model, in part because
>>   * the quality of service is only "best effort".  Callers provide specially
>>   * allocated URBs, with number_of_packets worth of iso_frame_desc structures
>>   * at the end.
>>
>> and:
>>
>> /* (in) ISO ONLY */
>>
>> And it looks like smsusb only uses that URB as a bulk URB, so the flex
>> array is unused and we can't have an overflow here?
>>
>> If this is intended to make it possible to enable some kinda compiler
>> warning, it might be worth talking to the USB folks to figure out the
>> right approach here.
>>
>>> Fixes: dd47fbd40e6e ("[media] smsusb: don't sleep while atomic")
>>> Cc: stable@vger.kernel.org
>>> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
>>> ---
>>>   drivers/media/usb/siano/smsusb.c | 4 ++--
>>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
>>> index 9d9e14c858e6..2c048f8e8371 100644
>>> --- a/drivers/media/usb/siano/smsusb.c
>>> +++ b/drivers/media/usb/siano/smsusb.c
>>> @@ -40,10 +40,10 @@ struct smsusb_urb_t {
>>>          struct smscore_buffer_t *cb;
>>>          struct smsusb_device_t *dev;
>>>
>>> -       struct urb urb;
>>> -
>>>          /* For the bottom half */
>>>          struct work_struct wq;
>>> +
>>> +       struct urb urb;
>>>   };
> 
> Yeah, this is going to get messy.  Ideally, just dynamically create the
> urb and change this to a "struct urb *urb;" instead.

Probably, yes.

Thanks
--
Gustavo

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2023-10-01  9:13 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-29 15:42 [PATCH][next] media: usb: siano: Fix undefined behavior bug in struct smsusb_urb_t Gustavo A. R. Silva
2023-09-29 16:20 ` Jann Horn
2023-09-30  7:01   ` Greg Kroah-Hartman
2023-10-01  6:58     ` Gustavo A. R. Silva
2023-09-29 17:28 ` Kees Cook
2023-09-29 17:40   ` Jann Horn

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox