* [PATCH] VMCI: Annotate struct vmci_handle_arr with __counted_by
@ 2023-10-07 14:32 Christophe JAILLET
2023-10-08 17:12 ` Kees Cook
2023-11-30 22:00 ` Kees Cook
0 siblings, 2 replies; 3+ messages in thread
From: Christophe JAILLET @ 2023-10-07 14:32 UTC (permalink / raw)
To: Bryan Tan, Vishnu Dasa, VMware PV-Drivers Reviewers,
Arnd Bergmann, Greg Kroah-Hartman, Kees Cook, Gustavo A. R. Silva,
Nathan Chancellor, Nick Desaulniers, Tom Rix
Cc: linux-kernel, kernel-janitors, Christophe JAILLET,
linux-hardening, llvm
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
---
This patch is part of a work done in parallel of what is currently worked
on by Kees Cook.
My patches are only related to corner cases that do NOT match the
semantic of his Coccinelle script[1].
In this case, something similar to struct_size() is implemented in
handle_arr_calc_size().
Note that I'm slightly unsure on how things will behave in regards to the
krealloc() in vmci_handle_arr_append_entry().
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
---
drivers/misc/vmw_vmci/vmci_handle_array.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/vmw_vmci/vmci_handle_array.h b/drivers/misc/vmw_vmci/vmci_handle_array.h
index 96193f85be5b..b0e6b1956014 100644
--- a/drivers/misc/vmw_vmci/vmci_handle_array.h
+++ b/drivers/misc/vmw_vmci/vmci_handle_array.h
@@ -17,7 +17,7 @@ struct vmci_handle_arr {
u32 max_capacity;
u32 size;
u32 pad;
- struct vmci_handle entries[];
+ struct vmci_handle entries[] __counted_by(capacity);
};
#define VMCI_HANDLE_ARRAY_HEADER_SIZE \
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] VMCI: Annotate struct vmci_handle_arr with __counted_by
2023-10-07 14:32 [PATCH] VMCI: Annotate struct vmci_handle_arr with __counted_by Christophe JAILLET
@ 2023-10-08 17:12 ` Kees Cook
2023-11-30 22:00 ` Kees Cook
1 sibling, 0 replies; 3+ messages in thread
From: Kees Cook @ 2023-10-08 17:12 UTC (permalink / raw)
To: Christophe JAILLET
Cc: Bryan Tan, Vishnu Dasa, VMware PV-Drivers Reviewers,
Arnd Bergmann, Greg Kroah-Hartman, Gustavo A. R. Silva,
Nathan Chancellor, Nick Desaulniers, Tom Rix, linux-kernel,
kernel-janitors, linux-hardening, llvm
On Sat, Oct 07, 2023 at 04:32:34PM +0200, Christophe JAILLET wrote:
> Prepare for the coming implementation by GCC and Clang of the __counted_by
> attribute. Flexible array members annotated with __counted_by can have
> their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
> (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
> functions).
>
> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
> ---
> This patch is part of a work done in parallel of what is currently worked
> on by Kees Cook.
>
> My patches are only related to corner cases that do NOT match the
> semantic of his Coccinelle script[1].
>
> In this case, something similar to struct_size() is implemented in
> handle_arr_calc_size().
I think this should likely lose VMCI_HANDLE_ARRAY_HEADER_SIZE entirely
and the helper to use sizeof() and struct_size() directly, but probably
as a separate patch.
>
> Note that I'm slightly unsure on how things will behave in regards to the
> krealloc() in vmci_handle_arr_append_entry().
It looks correct to me:
new_array = krealloc(array, new_size, GFP_ATOMIC);
...
new_array->capacity += capacity_bump;
i.e. "capacity" is adjusted up before accessing any "entries".
>
> [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
> ---
> drivers/misc/vmw_vmci/vmci_handle_array.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/misc/vmw_vmci/vmci_handle_array.h b/drivers/misc/vmw_vmci/vmci_handle_array.h
> index 96193f85be5b..b0e6b1956014 100644
> --- a/drivers/misc/vmw_vmci/vmci_handle_array.h
> +++ b/drivers/misc/vmw_vmci/vmci_handle_array.h
> @@ -17,7 +17,7 @@ struct vmci_handle_arr {
> u32 max_capacity;
> u32 size;
> u32 pad;
> - struct vmci_handle entries[];
> + struct vmci_handle entries[] __counted_by(capacity);
> };
>
> #define VMCI_HANDLE_ARRAY_HEADER_SIZE \
> --
> 2.34.1
>
Reviewed-by: Kees Cook <keescook@chromium.org>
--
Kees Cook
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH] VMCI: Annotate struct vmci_handle_arr with __counted_by
2023-10-07 14:32 [PATCH] VMCI: Annotate struct vmci_handle_arr with __counted_by Christophe JAILLET
2023-10-08 17:12 ` Kees Cook
@ 2023-11-30 22:00 ` Kees Cook
1 sibling, 0 replies; 3+ messages in thread
From: Kees Cook @ 2023-11-30 22:00 UTC (permalink / raw)
To: Bryan Tan, Vishnu Dasa, VMware PV-Drivers Reviewers,
Arnd Bergmann, Greg Kroah-Hartman, Gustavo A. R. Silva,
Nathan Chancellor, Nick Desaulniers, Tom Rix, Christophe JAILLET
Cc: Kees Cook, linux-kernel, kernel-janitors, linux-hardening, llvm
On Sat, 07 Oct 2023 16:32:34 +0200, Christophe JAILLET wrote:
> Prepare for the coming implementation by GCC and Clang of the __counted_by
> attribute. Flexible array members annotated with __counted_by can have
> their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
> (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
> functions).
>
>
> [...]
Applied to for-next/hardening, thanks!
[1/1] VMCI: Annotate struct vmci_handle_arr with __counted_by
https://git.kernel.org/kees/c/81c643edd8bd
Take care,
--
Kees Cook
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-11-30 22:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-10-07 14:32 [PATCH] VMCI: Annotate struct vmci_handle_arr with __counted_by Christophe JAILLET
2023-10-08 17:12 ` Kees Cook
2023-11-30 22:00 ` Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox