Message ID | Y5z4Og3XmCGQwTO9@mail.google.com
---|---
State | New
Headers | Date: Sat, 17 Dec 2022 11:59:06 +1300; From: Paulo Miguel Almeida <paulo.miguel.almeida.rodenas@gmail.com>; To: Arnd Bergmann <arnd@arndb.de>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>, Andy Shevchenko <andy.shevchenko@gmail.com>, Jiri Slaby <jirislaby@kernel.org>, Haowen Bai <baihaowen@meizu.com>; Cc: linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, paulo.miguel.almeida.rodenas@gmail.com; Subject: [PATCH v3] [next] pcmcia: synclink_cs: replace 1-element array with flex-array member; Message-ID: <Y5z4Og3XmCGQwTO9@mail.google.com>; In-Reply-To: <Y5uN9Rr3v1uWH765@mail.google.com>; List-ID: <linux-kernel.vger.kernel.org>
Series | [v3,next] pcmcia: synclink_cs: replace 1-element array with flex-array member
Commit Message
Paulo Miguel Almeida
Dec. 16, 2022, 10:59 p.m. UTC
One-element arrays are deprecated, and we are replacing them with
flexible array members instead. So, replace one-element array with
flexible-array member in struct RXBUF and refactor the rest of the code
accordingly. While at it, fix an edge case which could cause
rx_buf_count to be 0 when max_frame_size was set to the maximum
allowed value (65535).
It's worth mentioning that struct RXBUF was allocating 1 byte "too much"
for what is required (ignoring bytes added by padding).
This helps with the ongoing efforts to tighten the FORTIFY_SOURCE
routines on memcpy() and helps us make progress towards globally
enabling -fstrict-flex-arrays=3 [1].
Link: https://github.com/KSPP/linux/issues/79
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836 [1]
Signed-off-by: Paulo Miguel Almeida <paulo.miguel.almeida.rodenas@gmail.com>
---
Changelog:
- v3:
  - fix size calculation mistakes using overflow.h macros (Req: Andy Shevchenko, Kees Cook)
  - add notes on struct RXBUF size (Kees Cook)
- v2: removed changes to how the size of RXBUF was calculated. I
changed my mind after thinking about the existing padding in the
struct. Happy to discuss it if anyone sees it differently.
- v1: https://lore.kernel.org/lkml/Y5mMWEtHWKOiPVU+@mail.google.com/
---
drivers/char/pcmcia/synclink_cs.c | 33 +++++++++++++++++++------------
1 file changed, 20 insertions(+), 13 deletions(-)
Comments
On Sat, Dec 17, 2022 at 11:59:06AM +1300, Paulo Miguel Almeida wrote: > One-element arrays are deprecated, and we are replacing them with > flexible array members instead. So, replace one-element array with > flexible-array member in struct RXBUF and refactor the rest of the code > accordingly. While at it, fix an edge case which could cause > rx_buf_count to be 0 when max_frame_size was set to the maximum > allowed value (65535). > > It's worth mentioning that struct RXBUF was allocating 1 byte "too much" > for what is required (ignoring bytes added by padding). What was the result of using __packed to make sure there wasn't a sizing error? -Kees > > This helps with the ongoing efforts to tighten the FORTIFY_SOURCE > routines on memcpy() and help us make progress towards globally > enabling -fstrict-flex-arrays=3 [1]. > > Link: https://github.com/KSPP/linux/issues/79 > Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836 [1] > Signed-off-by: Paulo Miguel Almeida <paulo.miguel.almeida.rodenas@gmail.com> > --- > Changelog: > > - v3: > fix size calculation mistakes using overflow.h macros: (Req: Andy > Shevchenko, Kees Cook) > add notes struct RXBUF size (Kees Cook) > > - v2: removed changes to how the size of RXBUF was calculated. I > changed my mind after thinking about the existing padding in the > struct. Happy to discuss it if anyone sees it differently. > > - v1: https://lore.kernel.org/lkml/Y5mMWEtHWKOiPVU+@mail.google.com/ > --- > drivers/char/pcmcia/synclink_cs.c | 33 +++++++++++++++++++------------ > 1 file changed, 20 insertions(+), 13 deletions(-) > > diff --git a/drivers/char/pcmcia/synclink_cs.c b/drivers/char/pcmcia/synclink_cs.c > index b2735be81ab2..eee6772a0978 100644 > --- a/drivers/char/pcmcia/synclink_cs.c > +++ b/drivers/char/pcmcia/synclink_cs.c 
> @@ -105,7 +105,7 @@ static MGSL_PARAMS default_params = { > typedef struct { > int count; > unsigned char status; > - char data[1]; > + char data[]; > } RXBUF; > > /* The queue of BH actions to be performed */ > @@ -229,12 +229,18 @@ typedef struct _mgslpc_info { > } MGSLPC_INFO; > > #define MGSLPC_MAGIC 0x5402 > +#define MGSLPC_MAX_FRAME_SIZE 65535 > +#define MGSLPC_MIN_FRAME_SIZE 4096 > > /* > * The size of the serial xmit buffer is 1 page, or 4096 bytes > */ > #define TXBUFSIZE 4096 > > +/* > + * RXBUF accommodates at least 1 buffer (header+data) of MGSLPC_MAX_FRAME_SIZE > + */ > +#define RXBUF_MAX_SIZE (sizeof(RXBUF) + MGSLPC_MAX_FRAME_SIZE) > > #define CHA 0x00 /* channel A offset */ > #define CHB 0x40 /* channel B offset */ > @@ -529,7 +535,7 @@ static int mgslpc_probe(struct pcmcia_device *link) > tty_port_init(&info->port); > info->port.ops = &mgslpc_port_ops; > INIT_WORK(&info->task, bh_handler); > - info->max_frame_size = 4096; > + info->max_frame_size = MGSLPC_MIN_FRAME_SIZE; > init_waitqueue_head(&info->status_event_wait_q); > init_waitqueue_head(&info->event_wait_q); > spin_lock_init(&info->lock); 
> @@ -2611,19 +2617,20 @@ static int mgslpc_proc_show(struct seq_file *m, void *v) > static int rx_alloc_buffers(MGSLPC_INFO *info) > { > /* each buffer has header and data */ > - info->rx_buf_size = sizeof(RXBUF) + info->max_frame_size; > + if (check_add_overflow(sizeof(RXBUF), info->max_frame_size, &info->rx_buf_size)) > + return -EINVAL; > > - /* calculate total allocation size for 8 buffers */ > - info->rx_buf_total_size = info->rx_buf_size * 8; > + /* try to alloc as many buffers that can fit within RXBUF_MAX_SIZE (up to 8) */ > + if (check_mul_overflow(info->rx_buf_size, 8, &info->rx_buf_total_size)) > + return -EINVAL; > > - /* limit total allocated memory */ > - if (info->rx_buf_total_size > 0x10000) > - info->rx_buf_total_size = 0x10000; > + if (info->rx_buf_total_size > RXBUF_MAX_SIZE) > + info->rx_buf_total_size = RXBUF_MAX_SIZE; > > /* calculate number of buffers */ > info->rx_buf_count = info->rx_buf_total_size / info->rx_buf_size; > > - info->rx_buf = kmalloc(info->rx_buf_total_size, GFP_KERNEL); > + info->rx_buf = kcalloc(info->rx_buf_count, info->rx_buf_size, GFP_KERNEL); > if (info->rx_buf == NULL) > return -ENOMEM; > > @@ -2695,10 +2702,10 @@ static int mgslpc_add_device(MGSLPC_INFO *info) > current_dev->next_device = info; > } > > - if (info->max_frame_size < 4096) > - info->max_frame_size = 4096; > - else if (info->max_frame_size > 65535) > - info->max_frame_size = 65535; > + if (info->max_frame_size < MGSLPC_MIN_FRAME_SIZE) > + info->max_frame_size = MGSLPC_MIN_FRAME_SIZE; > + else if (info->max_frame_size > MGSLPC_MAX_FRAME_SIZE) > + info->max_frame_size = MGSLPC_MAX_FRAME_SIZE; > > printk("SyncLink PC Card %s:IO=%04X IRQ=%d\n", > info->device_name, info->io_base, info->irq_level); > -- > 2.38.1 >
On Fri, Dec 16, 2022 at 03:42:47PM -0800, Kees Cook wrote: > On Sat, Dec 17, 2022 at 11:59:06AM +1300, Paulo Miguel Almeida wrote: > > One-element arrays are deprecated, and we are replacing them with > > flexible array members instead. So, replace one-element array with > > flexible-array member in struct RXBUF and refactor the rest of the code > > accordingly. While at it, fix an edge case which could cause > > rx_buf_count to be 0 when max_frame_size was set to the maximum > > allowed value (65535). > > > > It's worth mentioning that struct RXBUF was allocating 1 byte "too much" > > for what is required (ignoring bytes added by padding). > > What was the result of using __packed to make sure there wasn't a sizing > error? > > -Kees > With or without __packed__ attribute, sufficient space would be allocated which is good :-) In both cases there is still some "extra space" (1 byte on __packed and 4 bytes on non-packed) but that should be negligible. OTOH, if I'm asked to cull those bytes I am happy to do it too. pahole -C RXBUF non-packed/drivers/char/pcmcia/synclink_cs.o typedef struct { int count; /* 0 4 */ unsigned char status; /* 4 1 */ char data[]; /* 5 0 */ /* size: 8, cachelines: 1, members: 3 */ /* padding: 3 */ /* last cacheline: 8 bytes */ } RXBUF; pahole -C RXBUF packed/drivers/char/pcmcia/synclink_cs.o typedef struct { int count; /* 0 4 */ unsigned char status; /* 4 1 */ char data[]; /* 5 0 */ /* size: 5, cachelines: 1, members: 3 */ /* last cacheline: 5 bytes */ } __attribute__((__packed__)) RXBUF; - Paulo A. > > > > This helps with the ongoing efforts to tighten the FORTIFY_SOURCE > > routines on memcpy() and help us make progress towards globally > > enabling -fstrict-flex-arrays=3 [1]. > > > > Link: https://github.com/KSPP/linux/issues/79 > > Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836 [1] 
> > Signed-off-by: Paulo Miguel Almeida <paulo.miguel.almeida.rodenas@gmail.com> > > --- > > Changelog: > > > > - v3: > > fix size calculation mistakes using overflow.h macros: (Req: Andy > > Shevchenko, Kees Cook) > > add notes struct RXBUF size (Kees Cook) > > > > - v2: removed changes to how the size of RXBUF was calculated. I > > changed my mind after thinking about the existing padding in the > > struct. Happy to discuss it if anyone sees it differently. > > > > - v1: https://lore.kernel.org/lkml/Y5mMWEtHWKOiPVU+@mail.google.com/ > > --- > > drivers/char/pcmcia/synclink_cs.c | 33 +++++++++++++++++++------------ > > 1 file changed, 20 insertions(+), 13 deletions(-) > > > > diff --git a/drivers/char/pcmcia/synclink_cs.c b/drivers/char/pcmcia/synclink_cs.c > > index b2735be81ab2..eee6772a0978 100644 > > --- a/drivers/char/pcmcia/synclink_cs.c > > +++ b/drivers/char/pcmcia/synclink_cs.c > > @@ -105,7 +105,7 @@ static MGSL_PARAMS default_params = { > > typedef struct { > > int count; > > unsigned char status; > > - char data[1]; > > + char data[]; > > } RXBUF; > > > > /* The queue of BH actions to be performed */ > > @@ -229,12 +229,18 @@ typedef struct _mgslpc_info { > > } MGSLPC_INFO; > > > > #define MGSLPC_MAGIC 0x5402 > > +#define MGSLPC_MAX_FRAME_SIZE 65535 > > +#define MGSLPC_MIN_FRAME_SIZE 4096 > > > > /* > > * The size of the serial xmit buffer is 1 page, or 4096 bytes > > */ > > #define TXBUFSIZE 4096 > > > > +/* > > + * RXBUF accommodates at least 1 buffer (header+data) of MGSLPC_MAX_FRAME_SIZE > > + */ > > +#define RXBUF_MAX_SIZE (sizeof(RXBUF) + MGSLPC_MAX_FRAME_SIZE) > > > > #define CHA 0x00 /* channel A offset */ > > #define CHB 0x40 /* channel B offset */ 
> > @@ -529,7 +535,7 @@ static int mgslpc_probe(struct pcmcia_device *link) > > tty_port_init(&info->port); > > info->port.ops = &mgslpc_port_ops; > > INIT_WORK(&info->task, bh_handler); > > - info->max_frame_size = 4096; > > + info->max_frame_size = MGSLPC_MIN_FRAME_SIZE; > > init_waitqueue_head(&info->status_event_wait_q); > > init_waitqueue_head(&info->event_wait_q); > > spin_lock_init(&info->lock); > > @@ -2611,19 +2617,20 @@ static int mgslpc_proc_show(struct seq_file *m, void *v) > > static int rx_alloc_buffers(MGSLPC_INFO *info) > > { > > /* each buffer has header and data */ > > - info->rx_buf_size = sizeof(RXBUF) + info->max_frame_size; > > + if (check_add_overflow(sizeof(RXBUF), info->max_frame_size, &info->rx_buf_size)) > > + return -EINVAL; > > > > - /* calculate total allocation size for 8 buffers */ > > - info->rx_buf_total_size = info->rx_buf_size * 8; > > + /* try to alloc as many buffers that can fit within RXBUF_MAX_SIZE (up to 8) */ > > + if (check_mul_overflow(info->rx_buf_size, 8, &info->rx_buf_total_size)) > > + return -EINVAL; > > > > - /* limit total allocated memory */ > > - if (info->rx_buf_total_size > 0x10000) > > - info->rx_buf_total_size = 0x10000; > > + if (info->rx_buf_total_size > RXBUF_MAX_SIZE) > > + info->rx_buf_total_size = RXBUF_MAX_SIZE; > > > > /* calculate number of buffers */ > > info->rx_buf_count = info->rx_buf_total_size / info->rx_buf_size; > > > > - info->rx_buf = kmalloc(info->rx_buf_total_size, GFP_KERNEL); > > + info->rx_buf = kcalloc(info->rx_buf_count, info->rx_buf_size, GFP_KERNEL); > > if (info->rx_buf == NULL) > > return -ENOMEM; 
> > > > @@ -2695,10 +2702,10 @@ static int mgslpc_add_device(MGSLPC_INFO *info) > > current_dev->next_device = info; > > } > > > > - if (info->max_frame_size < 4096) > > - info->max_frame_size = 4096; > > - else if (info->max_frame_size > 65535) > > - info->max_frame_size = 65535; > > + if (info->max_frame_size < MGSLPC_MIN_FRAME_SIZE) > > + info->max_frame_size = MGSLPC_MIN_FRAME_SIZE; > > + else if (info->max_frame_size > MGSLPC_MAX_FRAME_SIZE) > > + info->max_frame_size = MGSLPC_MAX_FRAME_SIZE; > > > > printk("SyncLink PC Card %s:IO=%04X IRQ=%d\n", > > info->device_name, info->io_base, info->irq_level); > > -- > > 2.38.1 > > > > -- > Kees Cook
On Sat, Dec 17, 2022 at 12:59 AM Paulo Miguel Almeida <paulo.miguel.almeida.rodenas@gmail.com> wrote: > > One-element arrays are deprecated, and we are replacing them with > flexible array members instead. So, replace one-element array with > flexible-array member in struct RXBUF and refactor the rest of the code > accordingly. While at it, fix an edge case which could cause > rx_buf_count to be 0 when max_frame_size was set to the maximum > allowed value (65535). > > It's worth mentioning that struct RXBUF was allocating 1 byte "too much" > for what is required (ignoring bytes added by padding). > > This helps with the ongoing efforts to tighten the FORTIFY_SOURCE > routines on memcpy() and help us make progress towards globally > enabling -fstrict-flex-arrays=3 [1]. ... > static int rx_alloc_buffers(MGSLPC_INFO *info) > { > /* each buffer has header and data */ > - info->rx_buf_size = sizeof(RXBUF) + info->max_frame_size; > + if (check_add_overflow(sizeof(RXBUF), info->max_frame_size, &info->rx_buf_size)) > + return -EINVAL; > > - /* calculate total allocation size for 8 buffers */ > - info->rx_buf_total_size = info->rx_buf_size * 8; > + /* try to alloc as many buffers that can fit within RXBUF_MAX_SIZE (up to 8) */ > + if (check_mul_overflow(info->rx_buf_size, 8, &info->rx_buf_total_size)) > + return -EINVAL; This check is implied by kcalloc(). But to make it effective we probably need to get a count first. > - /* limit total allocated memory */ > - if (info->rx_buf_total_size > 0x10000) > - info->rx_buf_total_size = 0x10000; > + if (info->rx_buf_total_size > RXBUF_MAX_SIZE) > + info->rx_buf_total_size = RXBUF_MAX_SIZE; If max_frame_size > 8192 - sizeof(RXBUF), we bump into this condition... > /* calculate number of buffers */ > info->rx_buf_count = info->rx_buf_total_size / info->rx_buf_size; ...which means that rx_buf_count < 8... 
(and if max_frame_size > RXBUF_MAX_SIZE - sizeof(RXBUF), count becomes 0, I don't know if below clamp_val() is the only place to guarantee that) > - info->rx_buf = kmalloc(info->rx_buf_total_size, GFP_KERNEL); > + info->rx_buf = kcalloc(info->rx_buf_count, info->rx_buf_size, GFP_KERNEL); ...hence rx_buf size will be less than rx_buf_total_size. That is probably not an issue per se, but I'm wondering if the (bigger) value of rx_buf_total_size is the problem further in the code. > if (info->rx_buf == NULL) > return -ENOMEM; Maybe something like static int rx_alloc_buffers(MGSLPC_INFO *info) { /* Prevent count from being 0 */ if (->max_frame_size > MAX_FRAME_SIZE) return -EINVAL; ... count = ...; ... rx_total_size = ... rx_buf = kcalloc(...); Then you don't need to check overflow with check_add_overflow() and check_mul_overflow() will be inside the kcalloc. ... > - if (info->max_frame_size < 4096) > - info->max_frame_size = 4096; > - else if (info->max_frame_size > 65535) > - info->max_frame_size = 65535; > + if (info->max_frame_size < MGSLPC_MIN_FRAME_SIZE) > + info->max_frame_size = MGSLPC_MIN_FRAME_SIZE; > + else if (info->max_frame_size > MGSLPC_MAX_FRAME_SIZE) > + info->max_frame_size = MGSLPC_MAX_FRAME_SIZE; You can use clamp_val() macro here.
On Sat, Dec 17, 2022 at 01:43:40PM +0200, Andy Shevchenko wrote: > On Sat, Dec 17, 2022 at 12:59 AM Paulo Miguel Almeida > <paulo.miguel.almeida.rodenas@gmail.com> wrote: > > > > One-element arrays are deprecated, and we are replacing them with > > flexible array members instead. So, replace one-element array with > > flexible-array member in struct RXBUF and refactor the rest of the code > > accordingly. While at it, fix an edge case which could cause > > rx_buf_count to be 0 when max_frame_size was set to the maximum > > allowed value (65535). > > > > It's worth mentioning that struct RXBUF was allocating 1 byte "too much" > > for what is required (ignoring bytes added by padding). > > > > This helps with the ongoing efforts to tighten the FORTIFY_SOURCE > > routines on memcpy() and help us make progress towards globally > > enabling -fstrict-flex-arrays=3 [1]. > > ... > > > static int rx_alloc_buffers(MGSLPC_INFO *info) > > { > > /* each buffer has header and data */ > > - info->rx_buf_size = sizeof(RXBUF) + info->max_frame_size; > > + if (check_add_overflow(sizeof(RXBUF), info->max_frame_size, &info->rx_buf_size)) > > + return -EINVAL; > > > > - /* calculate total allocation size for 8 buffers */ > > - info->rx_buf_total_size = info->rx_buf_size * 8; > > > + /* try to alloc as many buffers that can fit within RXBUF_MAX_SIZE (up to 8) */ > > + if (check_mul_overflow(info->rx_buf_size, 8, &info->rx_buf_total_size)) > > + return -EINVAL; > > This check is implied by kcalloc(). But to make it effective we > probably need to get a count first. > > > - /* limit total allocated memory */ > > - if (info->rx_buf_total_size > 0x10000) > > - info->rx_buf_total_size = 0x10000; > > + if (info->rx_buf_total_size > RXBUF_MAX_SIZE) > > + info->rx_buf_total_size = RXBUF_MAX_SIZE; > > If max_frame_size > 8192 - sizeof(RXBUF), we bump into this condition... 
> > > /* calculate number of buffers */ > > info->rx_buf_count = info->rx_buf_total_size / info->rx_buf_size; > > ...which means that rx_buf_count < 8... that's correct. My reading of what the original author intended is the following: - rx_buf_count can be < 8 if max_frame_size needs to be > 8192 so that userspace tools don't need to collate the different packets together then again, SyncLink_CS supports a variety of protocols. - the more circular buffers, the better, but it looks perfectly acceptable to have 1 big rx_buf (max_frame_size possible) if the communication is orchestrated nicely (which part sends what and when) especially for RS-232-based communications. > (and if max_frame_size > RXBUF_MAX_SIZE - sizeof(RXBUF), count becomes > 0, I don't know if below clamp_val() is the only place to guarantee > that) > I can confirm that the clamp_val() below is the only place that guarantees the max_frame_size isn't greater than RXBUF_MAX_SIZE. That happens at the device probing stage: ( mgslpc_probe > mgslpc_add_device > clamp_val-like routine ) As max_frame_size can only be set as a module parameter and no other way is exposed to userspace to tweak that afterwards, my 2 cents is that clamp_val() routine should be fine as rx_buf_count will always be > 0 after this fix. > > - info->rx_buf = kmalloc(info->rx_buf_total_size, GFP_KERNEL); > > + info->rx_buf = kcalloc(info->rx_buf_count, info->rx_buf_size, GFP_KERNEL); > > ...hence rx_buf size will be less than rx_buf_total_size. > > That is probably not an issue per se, but I'm wondering if the > (bigger) value of rx_buf_total_size is the problem further in the > code. > rx_buf_total_size isn't used outside of this function so it could be a local variable IMO.. so I would say that this wouldn't be a problem. I had noticed that rx_buf_total_size could be moved into a local variable before but I thought that removing it from MGSLPC struct should be part of a separate patch instead. 
> > if (info->rx_buf == NULL) > > return -ENOMEM; > > Maybe something like > > static int rx_alloc_buffers(MGSLPC_INFO *info) > { > /* Prevent count from being 0 */ > if (->max_frame_size > MAX_FRAME_SIZE) > return -EINVAL; This boils down to whether having the clamp_val() on the probe method is sufficient in your point of view. You make the final call on this :-) > ... > count = ...; > ... > rx_total_size = ... > rx_buf = kcalloc(...); > > Then you don't need to check overflow with check_add_overflow() and > check_mul_overflow() will be inside the kcalloc. > check_mul_overflow point -> agreed. check_add_overflow -> similar suggestion as my previous point, if the clamp_val on probe is sufficient for you, I would say that we don't need it as of now too. But if you still think that we need it, I'm flexible with that too. > ... > > > - if (info->max_frame_size < 4096) > > - info->max_frame_size = 4096; > > - else if (info->max_frame_size > 65535) > > - info->max_frame_size = 65535; > > + if (info->max_frame_size < MGSLPC_MIN_FRAME_SIZE) > > + info->max_frame_size = MGSLPC_MIN_FRAME_SIZE; > > + else if (info->max_frame_size > MGSLPC_MAX_FRAME_SIZE) > > + info->max_frame_size = MGSLPC_MAX_FRAME_SIZE; > > You can use clamp_val() macro here. > Nice, I didn't know about this macro. I will make that change for v4. All really nice points you've made Andy, I'm learning heaps of new things with this patch :-) thanks! - Paulo A.
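The sizing arithmetic that the commit message and the rx_alloc_buffers() discussion above turn on, as an added userspace C example (not code from the patch, the synclink_cs driver or the kernel tree): it reproduces the pre-patch case in which max_frame_size = 65535 yields zero receive buffers, implements the count-first ordering Andy suggests so that the stored total matches what a kcalloc()-style allocation actually returns, and bounds-checks writes into the flexible data[] member. struct rx_pool, the RXBUF_POOL_MAX_SIZE macro, rx_store(), new_rx_buf_count() and store_frame_of() are invented for the example; calloc() stands in for kcalloc(), and the layout comments assume the 8-byte RXBUF that pahole reported in the thread.

```c
/* Added example, not code from the synclink_cs patch or the kernel: a userspace model of
 * the RXBUF pool sizing discussed in the thread. struct rx_pool, the RXBUF_POOL_MAX_SIZE
 * macro and the helper names are invented here; calloc() stands in for kcalloc(). */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef struct {		/* the driver's RXBUF after the patch */
	int count;
	unsigned char status;	/* data[] starts at offset 5; pahole in the thread shows sizeof == 8 */
	char data[];
} RXBUF;

#define MGSLPC_MIN_FRAME_SIZE 4096
#define MGSLPC_MAX_FRAME_SIZE 65535
/* Cap on the whole pool, sized so one maximum frame fits (the patch's RXBUF_MAX_SIZE). */
#define RXBUF_POOL_MAX_SIZE   (sizeof(RXBUF) + MGSLPC_MAX_FRAME_SIZE)

struct rx_pool {		/* stand-in for the rx_* fields of MGSLPC_INFO */
	size_t buf_size;	/* header + max_frame_size, per buffer */
	size_t total_size;	/* bytes actually allocated */
	unsigned int count;	/* buffers in the pool, at most 8 as in the driver */
	char *mem;		/* byte-addressed, as the driver indexes rx_buf */
};

/* Pre-patch arithmetic: 8 buffers, total clamped to 0x10000. At the maximum frame
 * size the clamp is smaller than one buffer, so the count becomes 0. */
static unsigned int old_rx_buf_count(size_t max_frame_size)
{
	size_t buf_size = sizeof(RXBUF) + max_frame_size;
	size_t total = buf_size * 8;
	if (total > 0x10000)
		total = 0x10000;
	return (unsigned int)(total / buf_size);
}

/* Count-first ordering: validate the range, derive the count, then allocate exactly
 * count * buf_size so total_size describes the allocation. min(8, cap / buf_size)
 * equals the driver's min(8 * buf_size, cap) / buf_size. Returns the count or < 0. */
static int rx_alloc_buffers(struct rx_pool *p, size_t max_frame_size)
{
	size_t buf_size;
	unsigned int count;
	if (max_frame_size < MGSLPC_MIN_FRAME_SIZE || max_frame_size > MGSLPC_MAX_FRAME_SIZE)
		return -1;				/* -EINVAL in the kernel */
	buf_size = sizeof(RXBUF) + max_frame_size;	/* cannot overflow after the range check */
	count = (unsigned int)(RXBUF_POOL_MAX_SIZE / buf_size);	/* >= 1 by construction */
	if (count > 8)
		count = 8;
	p->mem = calloc(count, buf_size);		/* kcalloc() checks count * size itself */
	if (!p->mem)
		return -2;				/* -ENOMEM */
	p->buf_size = buf_size;
	p->total_size = (size_t)count * buf_size;
	p->count = count;
	return (int)count;
}

/* Copy a received frame into buffer n; -1 if it would overrun that buffer's data[]. */
static int rx_store(struct rx_pool *p, unsigned int n, const unsigned char *frame,
		    size_t len, unsigned char status)
{
	RXBUF *buf;
	if (n >= p->count || len > p->buf_size - sizeof(RXBUF))
		return -1;
	buf = (RXBUF *)(p->mem + (size_t)n * p->buf_size);	/* byte offset, as in the driver */
	buf->count = (int)len;
	buf->status = status;
	memcpy(buf->data, frame, len);
	return 0;
}

/* Buffer count the fixed path yields for a frame size (negative if rejected). */
static int new_rx_buf_count(size_t max_frame_size)
{
	struct rx_pool p = { 0 };
	int n = rx_alloc_buffers(&p, max_frame_size);
	free(p.mem);					/* still NULL when the size was rejected */
	return n;
}

/* Store a constructed len-byte frame into buffer 0 of a maximum-size pool and read it
 * back: 0 on success, -1 if rx_store() refused it or the bytes differ. */
static int store_frame_of(size_t len)
{
	struct rx_pool p = { 0 };
	unsigned char *frame = malloc(len);
	int rc = -1;
	if (frame && rx_alloc_buffers(&p, MGSLPC_MAX_FRAME_SIZE) > 0) {
		const RXBUF *buf = (const RXBUF *)p.mem;	/* buffer 0 */
		memset(frame, 0xA5, len);		/* constructed payload */
		if (rx_store(&p, 0, frame, len, 0x01) == 0 && buf->count == (int)len &&
		    buf->status == 0x01 && memcmp(buf->data, frame, len) == 0)
			rc = 0;
	}
	free(p.mem);
	free(frame);
	return rc;
}
```

old_rx_buf_count(65535) returns 0, which is the edge case the commit message fixes, while the count-first path returns 1 and records a total_size equal to the single buffer it allocated; at 8192 both paths agree on 7 buffers, which is the behaviour the driver's cap has always produced. rx_store() refuses a frame one byte longer than max_frame_size before memcpy() runs, which is the bound that -fstrict-flex-arrays=3 and FORTIFY_SOURCE can only enforce once data[] is a true flexible array member.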
diff --git a/drivers/char/pcmcia/synclink_cs.c b/drivers/char/pcmcia/synclink_cs.c index b2735be81ab2..eee6772a0978 100644 --- a/drivers/char/pcmcia/synclink_cs.c +++ b/drivers/char/pcmcia/synclink_cs.c @@ -105,7 +105,7 @@ static MGSL_PARAMS default_params = { typedef struct { int count; unsigned char status; - char data[1]; + char data[]; } RXBUF; /* The queue of BH actions to be performed */ @@ -229,12 +229,18 @@ typedef struct _mgslpc_info { } MGSLPC_INFO; #define MGSLPC_MAGIC 0x5402 +#define MGSLPC_MAX_FRAME_SIZE 65535 +#define MGSLPC_MIN_FRAME_SIZE 4096 /* * The size of the serial xmit buffer is 1 page, or 4096 bytes */ #define TXBUFSIZE 4096 +/* + * RXBUF accommodates at least 1 buffer (header+data) of MGSLPC_MAX_FRAME_SIZE + */ +#define RXBUF_MAX_SIZE (sizeof(RXBUF) + MGSLPC_MAX_FRAME_SIZE) #define CHA 0x00 /* channel A offset */ #define CHB 0x40 /* channel B offset */ @@ -529,7 +535,7 @@ static int mgslpc_probe(struct pcmcia_device *link) tty_port_init(&info->port); info->port.ops = &mgslpc_port_ops; INIT_WORK(&info->task, bh_handler); - info->max_frame_size = 4096; + info->max_frame_size = MGSLPC_MIN_FRAME_SIZE; init_waitqueue_head(&info->status_event_wait_q); init_waitqueue_head(&info->event_wait_q); spin_lock_init(&info->lock); 
@@ -2611,19 +2617,20 @@ static int mgslpc_proc_show(struct seq_file *m, void *v) static int rx_alloc_buffers(MGSLPC_INFO *info) { /* each buffer has header and data */ - info->rx_buf_size = sizeof(RXBUF) + info->max_frame_size; + if (check_add_overflow(sizeof(RXBUF), info->max_frame_size, &info->rx_buf_size)) + return -EINVAL; - /* calculate total allocation size for 8 buffers */ - info->rx_buf_total_size = info->rx_buf_size * 8; + /* try to alloc as many buffers that can fit within RXBUF_MAX_SIZE (up to 8) */ + if (check_mul_overflow(info->rx_buf_size, 8, &info->rx_buf_total_size)) + return -EINVAL; - /* limit total allocated memory */ - if (info->rx_buf_total_size > 0x10000) - info->rx_buf_total_size = 0x10000; + if (info->rx_buf_total_size > RXBUF_MAX_SIZE) + info->rx_buf_total_size = RXBUF_MAX_SIZE; /* calculate number of buffers */ info->rx_buf_count = info->rx_buf_total_size / info->rx_buf_size; - info->rx_buf = kmalloc(info->rx_buf_total_size, GFP_KERNEL); + info->rx_buf = kcalloc(info->rx_buf_count, info->rx_buf_size, GFP_KERNEL); if (info->rx_buf == NULL) return -ENOMEM; @@ -2695,10 +2702,10 @@ static int mgslpc_add_device(MGSLPC_INFO *info) current_dev->next_device = info; } - if (info->max_frame_size < 4096) - info->max_frame_size = 4096; - else if (info->max_frame_size > 65535) - info->max_frame_size = 65535; + if (info->max_frame_size < MGSLPC_MIN_FRAME_SIZE) + info->max_frame_size = MGSLPC_MIN_FRAME_SIZE; + else if (info->max_frame_size > MGSLPC_MAX_FRAME_SIZE) + info->max_frame_size = MGSLPC_MAX_FRAME_SIZE; printk("SyncLink PC Card %s:IO=%04X IRQ=%d\n", info->device_name, info->io_base, info->irq_level);
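Review bot: In the data[1] to data[] hunk, the commit message's claim that the old struct allocated "1 byte too much" does not survive the padding it sets aside: with int count at offset 0 and status at 4, data[1] sits at offset 5 and the struct still rounds up to 8 bytes, the same sizeof(RXBUF) that pahole reports for the flexible-array version later in the thread, so no allocation size changes here. Say that plainly in the message; the benefit of this hunk is that the compiler and FORTIFY_SOURCE stop treating data as a 1-byte array, not a smaller allocation.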
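Review bot: RXBUF_MAX_SIZE bounds the total receive pool, not one RXBUF, so both the name and the comment "RXBUF accommodates at least 1 buffer (header+data)" read as if they described a single buffer. Name it after what it limits and state in the comment that it replaces the previous 0x10000 total cap: sizeof(RXBUF) + MGSLPC_MAX_FRAME_SIZE is 65543 bytes with the 8-byte header, 7 bytes above the old cap, and the reason for raising it is that a maximum-size frame must still yield one buffer.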
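Review bot: The mgslpc_probe() hunk reuses MGSLPC_MIN_FRAME_SIZE as the default max_frame_size, which ties the default to the lower clamp bound; if either is ever changed on its own the meaning of this assignment shifts silently. A MGSLPC_DEFAULT_FRAME_SIZE, currently equal to the minimum, would keep the intent visible at both sites.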
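Review bot: In the rx_alloc_buffers() hunk, check_mul_overflow() on rx_buf_size * 8 repeats the count-times-size overflow check that kcalloc() already performs, and after the RXBUF_MAX_SIZE clamp rx_buf_total_size can exceed rx_buf_count * rx_buf_size, so the stored field no longer describes the allocation (65543 against the 57400 bytes kcalloc() returns at max_frame_size 8192, for example). Derive the count first and store the product: rx_buf_count = min(8, RXBUF_MAX_SIZE / rx_buf_size); rx_buf_total_size = rx_buf_count * rx_buf_size; then kcalloc(rx_buf_count, rx_buf_size, GFP_KERNEL). With data[] now a flexible array, struct_size() from overflow.h expresses the per-buffer size and folds the add-overflow check into it; if check_add_overflow() stays, remember that it expects its operands to share a type and sizeof() yields size_t, while the hunk does not show the types of rx_buf_size and max_frame_size. The comment "try to alloc as many buffers that can fit within RXBUF_MAX_SIZE (up to 8)" also sits above the multiply rather than above the count calculation it describes.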
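Review bot: The four-line clamp in mgslpc_add_device() is clamp_val(info->max_frame_size, MGSLPC_MIN_FRAME_SIZE, MGSLPC_MAX_FRAME_SIZE) from linux/minmax.h; a single assignment makes the allowed range obvious. Since the thread confirms this is the only place that bounds the module parameter before rx_alloc_buffers() sizes the pool from it, a one-line comment here saying that the receive-buffer sizing relies on this clamp documents the dependency the rx_buf_count > 0 guarantee rests on.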