Re: [PATCH v4 2/8] overflow: Add struct_size_with_data() and struct_data_pointer() helpers

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Kees Cook <keescook@chromium.org>
To: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Vinod Koul <vkoul@kernel.org>,
	Linus Walleij <linus.walleij@linaro.org>,
	Jonathan Cameron <Jonathan.Cameron@huawei.com>,
	Mark Brown <broonie@kernel.org>,
	linux-arm-kernel@lists.infradead.org, dmaengine@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-iio@vger.kernel.org,
	linux-spi@vger.kernel.org, netdev@vger.kernel.org,
	linux-hardening@vger.kernel.org,
	Jonathan Cameron <jic23@kernel.org>,
	Lars-Peter Clausen <lars@metafoo.de>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>
Subject: Re: [PATCH v4 2/8] overflow: Add struct_size_with_data() and struct_data_pointer() helpers
Date: Wed, 28 Feb 2024 13:37:36 -0800	[thread overview]
Message-ID: <202402281334.876DC89@keescook> (raw)
In-Reply-To: <20240228204919.3680786-3-andriy.shevchenko@linux.intel.com>

On Wed, Feb 28, 2024 at 10:41:32PM +0200, Andy Shevchenko wrote:
> Introduce two helper macros to calculate the size of the structure
> with trailing aligned data and to retrieve the pointer to that data.
> 
> Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
> ---
>  include/linux/overflow.h | 27 ++++++++++++++++++++++++++-
>  1 file changed, 26 insertions(+), 1 deletion(-)
> 
> diff --git a/include/linux/overflow.h b/include/linux/overflow.h
> index bc390f026128..b93bbf1b6aaa 100644
> --- a/include/linux/overflow.h
> +++ b/include/linux/overflow.h
> @@ -2,9 +2,10 @@
>  #ifndef __LINUX_OVERFLOW_H
>  #define __LINUX_OVERFLOW_H
>  
> +#include <linux/align.h>
>  #include <linux/compiler.h>
> -#include <linux/limits.h>
>  #include <linux/const.h>
> +#include <linux/limits.h>
>  
>  /*
>   * We need to compute the minimum and maximum values representable in a given
> @@ -337,6 +338,30 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend)
>   */
>  #define array3_size(a, b, c)	size_mul(size_mul(a, b), c)
>  
> +/**
> + * struct_size_with_data() - Calculate size of structure with trailing aligned data.
> + * @p: Pointer to the structure.
> + * @a: Alignment in bytes before trailing data.
> + * @s: Data size in bytes (must not be 0).
> + *
> + * Calculates size of memory needed for structure of @p followed by an
> + * aligned data of size @s.
> + *
> + * Return: number of bytes needed or SIZE_MAX on overflow.
> + */
> +#define struct_size_with_data(p, a, s)	size_add(ALIGN(sizeof(*(p)), (a)), (s))

I don't like this -- "p" should have a trailing flexible array. (See
below.)

> +
> +/**
> + * struct_data_pointer - Calculate offset of the trailing data reserved with
> + * struct_size_with_data().
> + * @p: Pointer to the structure.
> + * @a: Alignment in bytes before trailing data.
> + *
> + * Return: offset in bytes to the trailing data reserved with
> + * struct_size_with_data().
> + */
> +#define struct_data_pointer(p, a)	PTR_ALIGN((void *)((p) + 1), (a))

I'm not super excited about propagating the "p + 1" code pattern to find
things after an allocation. This leads to the compiler either being
blind to accesses beyond an allocation, or being too conservative about
accesses beyond an object. Instead of these helpers I would much prefer
that data structures that use this code pattern be converted to using
trailing flexible arrays, at which point the compiler is in a much
better position to reason about sizes.

-- 
Kees Cook

next prev parent reply	other threads:[~2024-02-28 21:37 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-02-28 20:41 [PATCH v4 0/8] iio: core: New macros and making use of them Andy Shevchenko
2024-02-28 20:41 ` [PATCH v4 1/8] overflow: Use POD in check_shl_overflow() Andy Shevchenko
2024-02-28 21:33   ` Kees Cook
2024-02-29 10:59     ` Andy Shevchenko
2024-02-29 18:30   ` (subset) " Kees Cook
2024-02-28 20:41 ` [PATCH v4 2/8] overflow: Add struct_size_with_data() and struct_data_pointer() helpers Andy Shevchenko
2024-02-28 21:37   ` Kees Cook [this message]
2024-02-28 21:51     ` Andy Shevchenko
2024-02-28 20:41 ` [PATCH v4 3/8] iio: core: NULLify private pointer when there is no private data Andy Shevchenko
2024-02-28 21:06   ` David Lechner
2024-02-28 21:36     ` Andy Shevchenko
2024-03-03 12:46       ` Jonathan Cameron
2024-02-28 20:41 ` [PATCH v4 4/8] iio: core: Calculate alloc_size only once in iio_device_alloc() Andy Shevchenko
2024-02-28 20:57   ` David Lechner
2024-02-28 21:09     ` Andy Shevchenko
2024-02-28 20:41 ` [PATCH v4 5/8] iio: core: Use new helpers from overflow.h " Andy Shevchenko
2024-02-29 15:29   ` Nuno Sá
2024-03-03 13:09     ` Jonathan Cameron
2024-02-28 20:41 ` [PATCH v4 6/8] spi: Use new helpers from overflow.h in __spi_alloc_controller() Andy Shevchenko
2024-02-28 21:00   ` Mark Brown
2024-02-28 20:41 ` [PATCH v4 7/8] net-device: Use new helpers from overflow.h in netdevice APIs Andy Shevchenko
2024-02-28 21:46   ` Kees Cook
2024-02-28 21:53     ` Andy Shevchenko
2024-02-28 22:41     ` Jakub Kicinski
2024-02-29  0:01       ` Kees Cook
2024-02-29  0:49         ` Gustavo A. R. Silva
2024-02-29  0:57           ` Jakub Kicinski
2024-02-29  1:03             ` Gustavo A. R. Silva
2024-02-29  1:15               ` Jakub Kicinski
2024-02-29  1:36                 ` Gustavo A. R. Silva
2024-02-29  0:56         ` Jakub Kicinski
2024-02-29 19:08           ` Kees Cook
2024-02-29 19:37             ` Jakub Kicinski
2024-02-29 21:31               ` Kees Cook
2024-02-29 10:54         ` Andy Shevchenko
2024-02-28 20:41 ` [PATCH v4 8/8] dmaengine: ste_dma40: Use new helpers from overflow.h Andy Shevchenko
2024-02-29 14:14   ` Linus Walleij
2024-02-29 14:53     ` Andy Shevchenko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202402281334.876DC89@keescook \
    --to=keescook@chromium.org \
    --cc=Jonathan.Cameron@huawei.com \
    --cc=andriy.shevchenko@linux.intel.com \
    --cc=broonie@kernel.org \
    --cc=davem@davemloft.net \
    --cc=dmaengine@vger.kernel.org \
    --cc=edumazet@google.com \
    --cc=gustavoars@kernel.org \
    --cc=jic23@kernel.org \
    --cc=kuba@kernel.org \
    --cc=lars@metafoo.de \
    --cc=linus.walleij@linaro.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-iio@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-spi@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=vkoul@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).