lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Jan 2022 15:26:53 -0800 From: Kees Cook <keescook@...omium.org> To: "Gustavo A. R. Silva" <gustavoars@...nel.org> Cc: Felipe Balbi <balbi@...nel.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: Re: [PATCH][next] usb: gadget: f_fs: Use struct_size() and flex_array_size() helpers On Thu, Jan 20, 2022 at 04:29:33PM -0600, Gustavo A. R. Silva wrote: > Make use of the struct_size() and flex_array_size() helpers instead of > an open-coded version, in order to avoid any potential type mistakes > or integer overflows that, in the worst scenario, could lead to heap > overflows. > > Also, address the following sparse warnings: > drivers/usb/gadget/function/f_fs.c:922:23: warning: using sizeof on a flexible structure > > Link: https://github.com/KSPP/linux/issues/174 > Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org> > --- > drivers/usb/gadget/function/f_fs.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c > index 25ad1e97a458..7461d27e9604 100644 > --- a/drivers/usb/gadget/function/f_fs.c > +++ b/drivers/usb/gadget/function/f_fs.c > @@ -919,12 +919,12 @@ static ssize_t __ffs_epfile_read_data(struct ffs_epfile *epfile, > data_len, ret); > > data_len -= ret; > - buf = kmalloc(sizeof(*buf) + data_len, GFP_KERNEL); > + buf = kmalloc(struct_size(buf, storage, data_len), GFP_KERNEL); > if (!buf) > return -ENOMEM; > buf->length = data_len; > buf->data = buf->storage; > - memcpy(buf->storage, data + ret, data_len); > + memcpy(buf->storage, data + ret, flex_array_size(buf, storage, data_len)); Looks good to me. This is a place where I think we'll be back later to fix up the alloc/deserialize-from-memory pattern with a future helper, but in the meantime, yes, let's get this covered by struct_size(). Reviewed-by: Kees Cook <keescook@...omium.org> > > /* > * At this point read_buffer is NULL or READ_BUFFER_DROP (if > -- > 2.27.0 > -- Kees Cook
Powered by blists - more mailing lists