From patchwork Mon Oct 24 17:20:57 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9991 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp615685wru; Mon, 24 Oct 2022 12:26:58 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7z4F3m9VUIPG4bjbAqnsROfW/HRPNO2vWX5T5CMVs6N/kEacRLXW9zmsdlJlLiwSp1SAsm X-Received: by 2002:a05:6402:3548:b0:45d:6506:990a with SMTP id f8-20020a056402354800b0045d6506990amr32334170edd.218.1666639618367; Mon, 24 Oct 2022 12:26:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666639618; cv=none; d=google.com; s=arc-20160816; b=T35VCyupcqBv/Q201+shPkoVDWY+GiYW/ZYNyMdVtRINnPenADfUkwmrOlt2T+xJIL AWy3QX14L0o1dwpICCYP+DlzyAwqARUG1f8yqLniQXO1x1m8oPq3122EiNlGhu36+hov 2fI2shDRIrKNBQeoDu1td+8/a4+rqhnK6rKDrMKbx1fjy6MApPqfJmAhnFizEczKhpsw is+YuYOWNt2BM7AlmOeqy3+2xlJ0TdxOwkFcJzEq2BJ/K6jY37gii15Nfm4vLNNPhlY2 9seNZkPVseLUIlPjGkvKz9UVb/kOVI164F8YqgRVSgzHtejRgun8FHv0DbafpDXqWz73 t8pw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=Qmxj0vWQEgj+Z1mhxk0t11F2TRS4068pG7Cn3YLc93M=; b=qGWml3U+qs/0xGtO+fMciGG9kQXbedxGEJUhizdrjz3wLmmFNeCSqIcu7Z5EYJfYtC weTENckuBhTEFZ+dq0Ur1IGaXS1FIJx0saAzOoSNaQs8C2fAldjdJGn7BoeODh9KAMBE N9z5RmaLRmnyLOPEZ6O387xEUGHRxcJrjLSVOpuHds7V7BxPC0DliRlLQ4w6dFowniue SGbdb0PQFXHFZr7cjEawHcWO8xBP/oTW1ZsNR0XvNX4dWbHy9J/rtLEyUa1Bw7sN0bko 2VzlOsylur9j/FHrDUr+/SwqudZ1mPPuWrfwPniqXoWA5yt2XxEzWCQhZFsshVRFvi9R QYhw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=RoeYtWCJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id sb8-20020a1709076d8800b007807e1ea26csi588331ejc.637.2022.10.24.12.26.31; Mon, 24 Oct 2022 12:26:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=RoeYtWCJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232019AbiJXTYx (ORCPT + 99 others); Mon, 24 Oct 2022 15:24:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44568 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231269AbiJXTW6 (ORCPT ); Mon, 24 Oct 2022 15:22:58 -0400 Received: from mail-oa1-f43.google.com (mail-oa1-f43.google.com [209.85.160.43]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C32D07F137 for ; Mon, 24 Oct 2022 10:57:42 -0700 (PDT) Received: by mail-oa1-f43.google.com with SMTP id 586e51a60fabf-13b103a3e5dso12739072fac.2 for ; Mon, 24 Oct 2022 10:57:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Qmxj0vWQEgj+Z1mhxk0t11F2TRS4068pG7Cn3YLc93M=; b=RoeYtWCJrPlGX0VIs/sc613ERsiT3jaYUobVmaCMhW3nhpYDM0rLD5Hx7T0fmI+ovc 0ZgzTQmQThekxpZw4bPmYTOZW5E2uNHWODxkebN2f1QGt3WsTjShOOHkGn9JHcHgYawk mbhb1yEhHsbkzfaOjuFM2WBP8Ptv5f4pqEQwg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Qmxj0vWQEgj+Z1mhxk0t11F2TRS4068pG7Cn3YLc93M=; b=2IefEAtP5BdExjtiy0KJqJvw6OCIbl5XSbEDdVP8A/TlspZXJLKffqz5BImQh331B9 NclssWPqVXZnCgIB3txYWOaH7svqf+A32v7FNt/d5EwBnvRNCuGYxD1eX8bKOYzALotg xPEl5sl+GOX9bg+Prb4s7gfQoyyRz2cHQZ68qMgRByAXs2IOodmxiILMK9fW9bOvVCkS RUcIwF+UUOuwfw7eW9Vx4cwdOOjpf1Z1KShR0QORKYGxcSyQlzR/NNUSK0eg8FbqiWVa A1nI9c7j95599hzVac5embl77hK4u+k5Q1iBUSHrNADYcb7YrajcK3t5Y+2ZdqiU9lS1 7bKQ== X-Gm-Message-State: ACrzQf3pD/Y6nu7hhJ8b1zPhYsR/5gcg80fiw8k2wCeUzZWD6zRwMKaL tbaZ+1j9jraNV7vjwsZcmhO+fDkKESXdqg== X-Received: by 2002:a17:90b:1bd2:b0:213:2d7:3162 with SMTP id oa18-20020a17090b1bd200b0021302d73162mr8926706pjb.91.1666632061482; Mon, 24 Oct 2022 10:21:01 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id p15-20020a17090a348f00b00212d9a06edcsm3740554pjb.42.2022.10.24.10.20.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 24 Oct 2022 10:20:59 -0700 (PDT) From: Kees Cook To: "Darrick J . Wong" Cc: Kees Cook , "Gustavo A. R. Silva" , Keith Packard , Francis Laniel , Daniel Axtens , Dan Williams , Vincenzo Frascino , Guenter Roeck , Daniel Vetter , Tadeusz Struk , Zorro Lang , Geert Uytterhoeven , Andy Shevchenko , Paolo Abeni , linux-kernel@vger.kernel.org, linux-xfs@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH v2 1/2] Introduce flexible array struct helpers Date: Mon, 24 Oct 2022 10:20:57 -0700 Message-Id: <20221024172058.534477-1-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221024171848.never.522-kees@kernel.org> References: <20221024171848.never.522-kees@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=18300; h=from:subject; bh=VE7xE6KLOJSCX2oFsNSDiArHxjbRjS0XR5nN7wPVdak=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBjVsl5dqBVu20HBDxjnaBdpQ4Z+Gwk8jxnBnk9XUf6 TjbRDE2JAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCY1bJeQAKCRCJcvTf3G3AJnjYD/ 9e8sZwsx0UGUUd9+YNI10JmHm8eu4aq3JfuMHdBoia93B7Pfw3j0gOiqJ8qwMu3sika8o2bvIIyvDT xq6w6nz0GWN5ltrDJcPmSq6CQGbghZiANR35ZMRLF89TQ0ozS7UWuLwOGZ6spWJf6r65BokhasAwR2 k4iFjwyereicMgyzRebXEZCDNCdhET1K0rY5ZH8O4OWzRlkIDEismAqs96gWGLpMOt7tMVAheAk8lj bFUncugq4ldcbrUcp2bDUK1qDe3bOR0dW/vyAGYvXK4HhcuaK3s3CEkqI8Anh0GGsTLvTKBOFKasle 3pFWCw13Wk0qVVAmbhCesAB9VP3yoJNVDsiI/4zS9zH8PwtQ6H6CjNmDVd2uXCQjXPxfQXZWLKNPCY ZyFtqbn45v39IXDjf53qmFJGrYF/oB2N062qNehpGFXNhc3Gdj2BJ7DDqWZRh36tj8WPXWFZXuMjpS R8meS6vh3P2OPOFHbLngSo6nIHsIysYn73VzIMK3Umqtnr8iJXEF7+f0NAl+O5oVyEKunMcTwENEku xkDj7Z6ocZuSOhHU7HAuzMHKgWiD/k5vjhFuU8l0gCToAUGXpMazhw4wrUff5TyUgCMHqBdXnsd+Tv IMcZ/gH68RIPK9jqs8I6p46YpHPbYZJzIcOd8v4osi1Oc0mC7BLsLsvEi5Gg== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1747595487879301321?= X-GMAIL-MSGID: =?utf-8?q?1747598304603163932?= The compiler is not able to automatically perform bounds checking on structures that end in flexible arrays: __builtin_object_size() is compile-time only, and __builtin_dynamic_object_size() may not always be able to figure it out. Any possible run-time checks are currently short-circuited (or trigger false positives) because there isn't an obvious common way to figure out the bounds of such a structure. C has no way (yet[1]) to signify which struct member holds the number of allocated flexible array elements (like exists in other languages). As a result, the kernel (and C projects generally) need to manually check the bounds, check the element size calculations, and perform sanity checking on all the associated variable types in between (e.g. 260 cannot be stored in a u8). This is extremely fragile. However, even if we could do all this through a magic memcpy(), the API itself doesn't provide meaningful feedback, which forces the kernel into an "all or nothing" approach: either do the copy or panic the system. Any failure conditions should be _detectable_, with API users able to gracefully recover. To deal with these needs, create the first of a set of helper functions that do the work of memcpy() but perform the needed bounds checking based on the arguments given: flex_cpy(). This API will be expanded in the future to also include the common pattern of "allocate and copy": flex_dup(), "deserialize and copy": mem_to_flex(), and "deserialize, allocate, and copy": mem_to_flex_dup(). The concept of a "flexible array structure" is introduced, which is a struct that has both a trailing flexible array member _and_ an element count member. If a struct lacks the element count member, it's just a blob: there are no bounds associated with it. The most common style of flexible array struct in the kernel is a "simple" one, where both the flex-array and element-count are present: struct flex_array_struct_example { ... /* arbitrary members */ u16 part_count; /* count of elements stored in "parts" below. */ ... /* arbitrary members */ u32 parts[]; /* flexible array with elements of type u32. */ }; Next are "encapsulating flexible array structs", which is just a struct that contains a flexible array struct as its final member: struct encapsulating_example { ... /* arbitrary members */ struct flex_array_struct_example fas; }; There are also "split" flex array structs, which have the element-count member in a separate struct level than the flex-array member: struct split_example { ... /* arbitrary members */ u16 part_count; /* count of elements stored in "parts" below. */ ... /* arbitrary members */ struct blob_example { ... /* other blob members */ u32 parts[];/* flexible array with elements of type u32. */ } blob; }; To have the helpers deal with these arbitrary layouts, the names of the flex-array and element-count members need to be specified with each use (since C lacks the array-with-length syntax[1] so the compiler cannot automatically determine them). However, for the "simple" (most common) case, we can get close to "automatic" by explicitly declaring common member aliases "__flex_array_elements", and "__flex_array_elements_count" respectively. The regular helpers use these members, but extended helpers exist to cover the other two code patterns. For example, using the newly introduced flex_cpy(): /* Flexible array struct with members identified. */ struct simple { int mode; DECLARE_FAS_COUNT(int, how_many); unsigned long flags; DECLARE_FAS_ARRAY(u32, value); }; ... int do_simple(struct simple *src) { struct simple *instance = NULL; size_t bytes; int rc; /* Allocate */ if (fas_bytes(src, &bytes)) return -E2BIG; instance = kmalloc(bytes, GFP_KERNEL); if (!instance) return -ENOMEM; instance->how_many = src->how_many; /* Copy */ rc = flex_cpy(instance, src); if (rc) { kfree(instance); return rc; } return 0; } If anything goes wrong, it returns a negative errno. Note that the "allocate" pattern above will be the basis of the future flex_dup() helper. With these helpers the kernel can move away from many of the open-coded patterns of using memcpy() with a dynamically-sized destination buffer. [1] https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1990.htm Cc: "Gustavo A. R. Silva" Cc: Keith Packard Cc: Francis Laniel Cc: Daniel Axtens Cc: Dan Williams Cc: Vincenzo Frascino Cc: Guenter Roeck Cc: Daniel Vetter Cc: Tadeusz Struk Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220504014440.3697851-3-keescook@chromium.org --- include/linux/flex_array.h | 325 ++++++++++++++++++++++++++++++++++++ include/linux/string.h | 1 + include/uapi/linux/stddef.h | 14 ++ 3 files changed, 340 insertions(+) create mode 100644 include/linux/flex_array.h diff --git a/include/linux/flex_array.h b/include/linux/flex_array.h new file mode 100644 index 000000000000..ebdbf0e5f722 --- /dev/null +++ b/include/linux/flex_array.h @@ -0,0 +1,325 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _LINUX_FLEX_ARRAY_H_ +#define _LINUX_FLEX_ARRAY_H_ + +#include + +/* Make sure we compose correctly with KASAN. */ +#ifndef __underlying_memcpy +#define __underlying_memcpy __builtin_memcpy +#endif +#ifndef __underlying_memset +#define __underlying_memset __builtin_memset +#endif + +/* + * A "flexible array structure" (FAS) is a structure which ends with a + * flexible array member (FAM) _and_ contains another member that represents + * how many array elements are present in the struct instance's flexible + * array member: + * + * struct flex_array_struct_example { + * ... // arbitrary members + * u16 part_count; // count of elements stored in "parts" below. + * ... // arbitrary members + * u32 parts[]; // flexible array member containing u32 elements. + * }; + * + * Without the "count of elements" member, a structure ending with a + * flexible array has no way to check its own size, and should be + * considered just a blob of memory that is length-checked through some + * other means. Kernel structures with flexible arrays should strive to + * always be true flexible array structures so that they can be operated + * on with the flex*()-family of helpers defined below. + * + * To use the normal flex*() helpers, prepare for future C syntax that + * would identify a flex array's count member directly, and keep kernel + * declarations minimized, a common declaration, bounded_flex_array(), is + * provided: + * + * struct flex_array_struct_example { + * ... // arbitrary members + * bounded_flex_array( + * u16, part_count, // count of elements stored in "parts" below. + * u32, parts // flexible array with elements of type u32. + * ); + * ); + * + * To handle the less common case when the count member cannot be made a + * neighbor of the flex array, either the extended flex*() helpers can be + * used, or the members can also be declared separately: + * + * struct flex_array_struct_example { + * ... // position-sensitive members + * // count of elements stored in "parts" below. + * DECLARE_FAS_COUNT(u16, part_count); + * .. // position-sensitive members + * // flexible array with elements of type u32. + * DECLARE_FAS_ARRAY(u32, parts); + * }; + * + * The above two declaration styles will create an alias for part_count as + * __flex_array_elements_count and for parts as __flex_array_elements, + * which are used internally to avoid needing to repeat the member names + * as arguments to the normal flex*() helpers. + * + * The extended flex*() helpers are designed to be used in the less common + * situations when the member aliases are not available, especially in two + * flexible array struct layout situations: "encapsulated" and "split". + * + * An "encapsulated flexible array structure" is a structure that contains + * a full "flexible array structure" as its final struct member. These are + * used frequently when needing to pass around a copy of a flexible array + * structure, and track other things about the data outside of the scope of + * the flexible array structure itself: + * + * struct encapsulated_example { + * ... // arbitrary members + * struct flex_array_struct_example fas; + * }; + * + * A "split flexible array structure" is like an encapsulated flexible + * array struct, but the element count member is at a different level, + * separate from the struct that contains the flexible array: + * + * struct blob_example { + * ... // arbitrary members + * u32 parts[]; // flexible array with elements of type u32. + * }; + * + * struct split_example { + * ... // arbitrary members + * u16 part_count; // count of elements stored in "parts" below. + * ... // arbitrary members + * struct blob_example blob; + * }; + * + * In the case where the element count member is not stored in native + * CPU format, the extended helpers can be used to specify the to/from + * cpu helper needed to do the conversions. + * + * Examples of using flex_cpy(): + * + * struct simple { + * u32 flags; + * bounded_flex_array( + * u32, count, + * u8, data + * ); + * }; + * struct hardware_defined { + * DECLARE_FAS_COUNT(u32, count); + * u32 state; + * u32 flags; + * DECLARE_FAS_ARRAY(u8, data); + * }; + * + * int do_simple(struct simple *src) { + * struct simple *ptr_simple = NULL; + * struct hardware_defined *ptr_hw = NULL; + * + * ...allocation of ptr_simple happens... + * ptr_simple->count = src->count; + * rc = flex_cpy(ptr_simple, src); + * ... + * ...allocation of ptr_hw happens... + * ptr_hw->count = src->count; + * rc = flex_cpy(ptr_hw, src); + * ... + * } + * + * struct blob { + * u32 flags; + * u8 data[]; + * }; + * struct split { + * be32 count; + * struct blob blob; + * }; + * struct split *ptr_split = NULL; + * + * int do_split(struct split *src) { + * struct split *ptr = NULL; + * + * ...allocation of ptr happens... + * ptr->count = src->count; + * rc = __flex_cpy(ptr, src, blob.data, count, be32_to_cpu); + * ... + * } + * + */ + +/* Wrappers around the UAPI macros. */ +#define bounded_flex_array(COUNT_TYPE, COUNT_NAME, ARRAY_TYPE, ARRAY_NAME) \ + __DECLARE_FAS_COUNT(COUNT_TYPE, COUNT_NAME); \ + __DECLARE_FAS_ARRAY(ARRAY_TYPE, ARRAY_NAME) + +#define DECLARE_FAS_COUNT(TYPE, NAME) \ + __DECLARE_FAS_COUNT(TYPE, NAME) + +#define DECLARE_FAS_ARRAY(TYPE, NAME) \ + __DECLARE_FAS_ARRAY(TYPE, NAME) + +/* All the helpers return negative on failure, and must be checked. */ +static inline int __must_check __must_check_errno(int err) +{ + return err; +} + +#define __passthru(x) (x) + +/** + * __fas_elements_bytes - Calculate potential size of the flexible + * array elements of a given flexible array + * structure + * + * @p: Pointer to flexible array structure. + * @flex_member: Member name of the flexible array elements. + * @count_member: Member name of the flexible array elements count. + * @elements_count: Count of proposed number of @p->__flex_array_elements + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * Returns: 0 on successful calculation, -ve on error. + * + * This performs the same calculation as flex_array_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned. + */ +#define __fas_elements_bytes(p, flex_member, count_member, \ + elements_count, bytes) \ +__must_check_errno(({ \ + int __feb_err = -EINVAL; \ + size_t __feb_elements_count = (elements_count); \ + size_t __feb_elements_max = \ + type_max(typeof((p)->count_member)); \ + if (__feb_elements_count > __feb_elements_max || \ + check_mul_overflow(sizeof(*(p)->flex_member), \ + __feb_elements_count, bytes)) { \ + *(bytes) = 0; \ + __feb_err = -E2BIG; \ + } else { \ + __feb_err = 0; \ + } \ + __feb_err; \ +})) + +/** + * fas_elements_bytes - Calculate current size of the flexible array + * elements of a given flexible array structure + * + * @p: Pointer to flexible array structure. + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * Returns: 0 on successful calculation, -ve on error. + * + * This performs the same calculation as flex_array_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned. + */ +#define fas_elements_bytes(p, bytes) \ + __fas_elements_bytes(p, __flex_array_elements, \ + __flex_array_elements_count, \ + (p)->__flex_array_elements_count, bytes) + +/** + * __fas_bytes - Calculate potential size of flexible array structure + * + * @p: Pointer to flexible array structure. + * @flex_member: Member name of the flexible array elements. + * @count_member: Member name of the flexible array elements count. + * @elements_count: Count of proposed number of @p->__flex_array_elements + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * Returns: 0 on successful calculation, -ve on error. + * + * This performs the same calculation as struct_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned. + */ +#define __fas_bytes(p, flex_member, count_member, elements_count, bytes)\ +__must_check_errno(({ \ + int __fasb_err; \ + typeof(*bytes) __fasb_bytes; \ + \ + if (__fas_elements_bytes(p, flex_member, count_member, \ + elements_count, &__fasb_bytes) || \ + check_add_overflow(sizeof(*(p)), __fasb_bytes, bytes)) { \ + *(bytes) = 0; \ + __fasb_err = -E2BIG; \ + } else { \ + __fasb_err = 0; \ + } \ + __fasb_err; \ +})) + +/** + * fas_bytes - Calculate current size of flexible array structure + * + * @p: Pointer to flexible array structure. + * @bytes: Pointer to variable to write calculation of total size in bytes. + * + * This performs the same calculation as struct_size(), except + * that the result is bounds checked and written to @bytes instead + * of being returned, using the current size of the flexible array + * structure (via @p->__flexible_array_elements_count). + * + * Returns: 0 on successful calculation, -ve on error. + */ +#define fas_bytes(p, bytes) \ + __fas_bytes(p, __flex_array_elements, \ + __flex_array_elements_count, \ + (p)->__flex_array_elements_count, bytes) + +/** + * flex_cpy - Copy from one flexible array struct into another + * + * @dst: Destination pointer + * @src: Source pointer + * + * The full structure of @src will be copied to @dst, including all trailing + * flexible array elements. @dst->__flex_array_elements_count must be large + * enough to hold @src->__flex_array_elements_count. Any elements left over + * in @dst will be zero-wiped. + * + * Returns: 0 on successful calculation, -ve on error. + */ +#define __flex_cpy(dst, src, elements_member, count_member, to_cpu) \ +__must_check_errno(({ \ + int __fc_err = -EINVAL; \ + typeof(*(dst)) *__fc_dst = (dst); \ + typeof(*(src)) *__fc_src = (src); \ + size_t __fc_dst_bytes, __fc_src_bytes; \ + \ + BUILD_BUG_ON(!__same_type(*(__fc_dst), *(__fc_src))); \ + \ + do { \ + if (__fas_bytes(__fc_dst, \ + elements_member, \ + count_member, \ + to_cpu(__fc_dst->count_member), \ + &__fc_dst_bytes) || \ + __fas_bytes(__fc_src, \ + elements_member, \ + count_member, \ + to_cpu(__fc_src->count_member), \ + &__fc_src_bytes) || \ + __fc_dst_bytes < __fc_src_bytes) { \ + /* do we need to wipe dst here? */ \ + __fc_err = -E2BIG; \ + break; \ + } \ + __underlying_memcpy(__fc_dst, __fc_src, __fc_src_bytes);\ + /* __flex_array_elements_count is included in memcpy */ \ + /* Wipe any now-unused trailing elements in @dst: */ \ + __underlying_memset((u8 *)__fc_dst + __fc_src_bytes, 0, \ + __fc_dst_bytes - __fc_src_bytes); \ + __fc_err = 0; \ + } while (0); \ + __fc_err; \ +})) + +#define flex_cpy(dst, src) \ + __flex_cpy(dst, src, __flex_array_elements, \ + __flex_array_elements_count, __passthru) + +#endif /* _LINUX_FLEX_ARRAY_H_ */ diff --git a/include/linux/string.h b/include/linux/string.h index cf7607b32102..9277f9e2a432 100644 --- a/include/linux/string.h +++ b/include/linux/string.h @@ -256,6 +256,7 @@ static inline const char *kbasename(const char *path) #define unsafe_memcpy(dst, src, bytes, justification) \ memcpy(dst, src, bytes) #endif +#include void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count, int pad); diff --git a/include/uapi/linux/stddef.h b/include/uapi/linux/stddef.h index 7837ba4fe728..e16afe1951d8 100644 --- a/include/uapi/linux/stddef.h +++ b/include/uapi/linux/stddef.h @@ -44,4 +44,18 @@ struct { } __empty_ ## NAME; \ TYPE NAME[]; \ } + +/* For use with flexible array structure helpers, in */ +#define __DECLARE_FAS_COUNT(TYPE, NAME) \ + union { \ + TYPE __flex_array_elements_count; \ + TYPE NAME; \ + } + +#define __DECLARE_FAS_ARRAY(TYPE, NAME) \ + union { \ + __DECLARE_FLEX_ARRAY(TYPE, __flex_array_elements); \ + __DECLARE_FLEX_ARRAY(TYPE, NAME); \ + } + #endif From patchwork Mon Oct 24 17:20:58 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9932 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp598107wru; Mon, 24 Oct 2022 11:41:46 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4FOCkf/ev2rjL2iZqjxPiA5ZUILZQukFHg6BdCE6H7ysMkfECTxvVEjSSNy/MX3wwGX/BD X-Received: by 2002:a17:90b:4c11:b0:212:ec8:88ff with SMTP id na17-20020a17090b4c1100b002120ec888ffmr28154694pjb.199.1666636906089; Mon, 24 Oct 2022 11:41:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666636906; cv=none; d=google.com; s=arc-20160816; b=B2rgDHXKuRsZGXYrnyDjDj6VRbUIVtH3t8KAri4pH4d1NlQtOScFIhSfBJLmbrm1zD B+0PTjrnVCrGV1/m+cUFwJMRQFzEHYn6FxSsEHkjZ5eA9/vdYGT0XWJ9MfPw3aixwFqO ibedPptHElse7Tki6bCVO4mpaji+Q6yqtxe+b3tYwc5qla5oNB4nUgaV3BOJoQ3NuLNE Pd+LmBjrdvvfSQTtmwSZI2QQusJi5KZLZfHwUdinmIR/WTiioUqKwqp6ZQ9gnCJNOF/O /v8fCcfeRTEFhTjnT2jOh3VDSmOXDquE7sb0LYpjLVOv4jGqmA2NYyt0SR/awqJ807Ts CBsg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=rfwpvweGi1Ucx8HQshpxviuI+RQIpmr8edZSxz2ZyS8=; b=uXYVDwRFWokRpcGlJsDICz/jy51tFL903S9oWAlmSMTKobVtnxj3JUNrkyMhz+qkhR 8wCUsPt7fFtxvPvW3/fNWxoqhOGptVz6OeT7rFp8ZspFtncdC+0cMaLofBb9DvjQfcXq 9LKNOcd0RUFLaFSkYzZMsPMI4KVHn8gRkkFtLQdrvGaaSQ+oRzWTQEMn6YasFedHcstd UClASOPtdtXuucz7exJGkv7aXJs/OGFRfhKx0SCBwtelVr0zCISR5p1ZH6c3wqTom2K2 8e4EI2ZluUJEuxpQTRb2eLCSjl558jVDfaTjPBCqQSGHHctlEoQ9jCr164UV/dt6QvVM yt+w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=cRHBNse3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t185-20020a6381c2000000b00462cfc13a30si193297pgd.412.2022.10.24.11.41.30; Mon, 24 Oct 2022 11:41:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=cRHBNse3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232133AbiJXSkn (ORCPT + 99 others); Mon, 24 Oct 2022 14:40:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57150 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231874AbiJXSkT (ORCPT ); Mon, 24 Oct 2022 14:40:19 -0400 Received: from mail-pj1-x102b.google.com (mail-pj1-x102b.google.com [IPv6:2607:f8b0:4864:20::102b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0A257A8365 for ; Mon, 24 Oct 2022 10:22:20 -0700 (PDT) Received: by mail-pj1-x102b.google.com with SMTP id ez6so8621707pjb.1 for ; Mon, 24 Oct 2022 10:22:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=rfwpvweGi1Ucx8HQshpxviuI+RQIpmr8edZSxz2ZyS8=; b=cRHBNse3LDl7knerfXifthateEO5UMiwl8a2j41s/BW6mt9+2V3xiOBC2HFZioyyJH i+yc2YUJzK2L4RQsm7M3cbP6yJybDkXRaeZV/j2urLVjf0krimJh45HbXtqBVhQL1Iqq JmXAxZ1V4PIuXYnDklyo4doMEr87jbivpe/Vc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=rfwpvweGi1Ucx8HQshpxviuI+RQIpmr8edZSxz2ZyS8=; b=EWBu6cBAZB8xztusCBkReEzuVr1wvhomECDsFEKRcmm4LD54I30QgXFRcQLOF8PRvI ViUg2sLpHfL9B1G8GfpqKX67Mq9a+hEgmO5E+XrT7pI8Vpw8KHFDL7Q+m1YAvgroLP9Y EKW8rCCFQ+qefhFnUWILPqa5j0yRoHQgMB/qZMm3gfQ9IbkoTRQJsBFlpcrde2s4hqX/ 3VS0mK8ry/TqASdWu+BL+9GHyDRif3k9qYeDQ9uM6a//YNt1NJEY4Z9ZtFyhwygfjpH1 qRY6cvZgVDdzzGrtsGOOqKWhe0oswoEKE0yKEtgsaZtvHH3Jk+rG397yZXgJbRSgjrUk Y63w== X-Gm-Message-State: ACrzQf3vA7gQKkZXq69ULntMic9uW0/54EcXq0XBCDhHMBl5Rs8wu7BA W9IDDJmFt1W8kbNV8Gy0+Ig/UQ== X-Received: by 2002:a17:903:2307:b0:181:e618:b4c5 with SMTP id d7-20020a170903230700b00181e618b4c5mr33087193plh.172.1666632060401; Mon, 24 Oct 2022 10:21:00 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id i188-20020a626dc5000000b0056262811c5fsm72421pfc.59.2022.10.24.10.20.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 24 Oct 2022 10:20:59 -0700 (PDT) From: Kees Cook To: "Darrick J . Wong" Cc: Kees Cook , Zorro Lang , linux-xfs@vger.kernel.org, "Gustavo A. R. Silva" , Keith Packard , Francis Laniel , Daniel Axtens , Dan Williams , Vincenzo Frascino , Guenter Roeck , Daniel Vetter , Tadeusz Struk , Geert Uytterhoeven , Andy Shevchenko , Paolo Abeni , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH 2/2] xfs: Use flex_cpy() to check extent copying Date: Mon, 24 Oct 2022 10:20:58 -0700 Message-Id: <20221024172058.534477-2-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221024171848.never.522-kees@kernel.org> References: <20221024171848.never.522-kees@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=1465; h=from:subject; bh=x7Rm68JdcafZ41E9GsTynBW1VglPIkAcCBWjMgC1XZs=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBjVsl5e3fUqEVHLRTWTi07FP0i2KlufVIIqNEwvzK+ yPgcmKOJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCY1bJeQAKCRCJcvTf3G3AJpMWEA CCEj7newKc7qcVZhldSpFBK/EeIB9fXY4+iLuVdu3LFqPY13Hef3MaSmkB/Y4IRnNYMG1z40nYXPIX BRl9opcuI31xnN1rs9ZUql+0uHLhCbkvPekMurdx40/rXV8JSpfAawk6g/Hu4CzhhSEZPdV2BCmaA2 gPls9t3srVcaoPQcet6h5Vl878GD2tUPabyGLFzf2zrvkrYFuVG9Vcf8M6rzhWjAgTUrKXTOgGosnk yGdKK2sRbrNnAI3hLfunqyLQKTE2SM35KEak96gL9DDY4Yj+Jir7NkBast9okeDQfOYj3pfkyZyvVv yq3vnuORIfjZgdqMs/p+kv8pQKeOqwBTmplsuSM9xrTvOT1ElTE4P2+4hKNvRivsAlyme/BYPaUdW/ sUfyLqIoCWWsRNTtJ1BkJsPqnHMTxkelyCDmn5xTuYv+GAbx/2UG13vPbNvmJUPLxYTw+YeksRdUYl ZrMgfde6Ifb4yzbsuerEt/fkpd6/85Y7vJ4vf/GtZOdVt/QN4BDxlETGpas8pgV+Bs4tqMNFPpHRHm eFd8JmG9/qGYmtuaMepu/Rn7zhnwIYUevSDwoH+OanWEGdftSxXaQyEO28EEoMYEGbyWDTqkz04/4O zC5bLw/JhL8gPbVuJHIo7cu+CcKMc0HdtDfDGHW0LDUBdHrqREEUb2tKT8hw== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1747595460708914539?= X-GMAIL-MSGID: =?utf-8?q?1747595460708914539?= Use flex_cpy() instead of memcpy() to copy the bui_fmt flexible array structure, which will perform bounds checking internally. Avoids the false positive warning seen under FORTIFY_SOURCE: memcpy: detected field-spanning write (size 48) of single field "dst_bui_fmt" at fs/xfs/xfs_bmap_item.c:628 (size 16) Reported-by: Zorro Lang Link: https://bugzilla.kernel.org/show_bug.cgi?id=216563 Cc: "Darrick J. Wong" Cc: linux-xfs@vger.kernel.org Signed-off-by: Kees Cook --- fs/xfs/xfs_bmap_item.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c index 51f66e982484..5f135893df66 100644 --- a/fs/xfs/xfs_bmap_item.c +++ b/fs/xfs/xfs_bmap_item.c @@ -24,6 +24,7 @@ #include "xfs_error.h" #include "xfs_log_priv.h" #include "xfs_log_recover.h" +#include struct kmem_cache *xfs_bui_cache; struct kmem_cache *xfs_bud_cache; @@ -624,10 +625,10 @@ xfs_bui_copy_format( src_bui_fmt = buf->i_addr; len = xfs_bui_log_format_sizeof(src_bui_fmt->bui_nextents); - if (buf->i_len == len) { - memcpy(dst_bui_fmt, src_bui_fmt, len); + if (buf->i_len == len && + __flex_cpy(dst_bui_fmt, src_bui_fmt, + bui_extents, bui_nextents, __passthru) == 0) return 0; - } XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, NULL); return -EFSCORRUPTED; }