Message-ID: <c80c0979933e0c05e80d95792ef167a28640a14b.1663816572.git.gustavoars@kernel.org>
Date: Wed, 21 Sep 2022 23:28:35 -0500
From: "Gustavo A. R. Silva" <gustavoars@...nel.org>
To: Kevin Barnett <kevin.barnett@...rosemi.com>, Don Brace <don.brace@...rochip.com>, storagedev@...rochip.com, "James E.J. Bottomley" <jejb@...ux.ibm.com>, "Martin K. Petersen" <martin.petersen@...cle.com>
Cc: linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org, "Gustavo A. R. Silva" <gustavoars@...nel.org>, linux-hardening@...r.kernel.org
Subject: [PATCH 1/3][next] scsi: smartpqi: Replace one-element array with flexible-array member

One-element arrays are deprecated, and we are replacing them with flexible
array members instead. So, replace one-element array with flexible-array
member in struct MR_DRV_RAID_MAP and refactor the rest of the code
accordingly.

It seems that the addition of sizeof(struct report_log_lun) in all the
places that are modified by this patch is due to the fact that
the one-element array struct report_log_lun lun_entries[1]; always
contributes to the size of the containing structure struct
report_log_lun_list.

Notice that at line 1267 while allocating memory for an instance of
struct report_log_lun_list, some _extra_ space seems to be allocated for
one element of type struct report_log_lun, which is the type of the
elements in array lun_entries:

 1267         internal_logdev_list = kmalloc(logdev_data_length +
 1268                 sizeof(struct report_log_lun), GFP_KERNEL);

However, at line 1275 just logdev_data_length bytes are copied into
internal_logdev_list (remember that we allocated space for
logdev_data_length + sizeof(struct report_log_lun) bytes at line 1267),
and then exactly sizeof(struct report_log_lun) bytes are being zeroed
out at line 1276.
 1275         memcpy(internal_logdev_list, logdev_data, logdev_data_length);
 1276         memset((u8 *)internal_logdev_list + logdev_data_length, 0,
 1277                 sizeof(struct report_log_lun));

All the above makes me think that it's just fine if we transform array
lun_entries into a flexible-array member and just don't allocate
that extra sizeof(struct report_log_lun) bytes of space. With this
we can remove that memset() call and we also need to modify the code
that updates the total length (internal_logdev_list->header.list_length)
of array lun_entries at line 1278:

 1278         put_unaligned_be32(logdev_list_length +
 1279                 sizeof(struct report_log_lun),
 1280                 &internal_logdev_list->header.list_length);

This helps with the ongoing efforts to tighten the FORTIFY_SOURCE
routines on memcpy().

Link: https://github.com/KSPP/linux/issues/79
Link: https://github.com/KSPP/linux/issues/204
Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org>
---

And of course, it'd be great if maintainers can confirm what I described
in the changelog text. :)

 drivers/scsi/smartpqi/smartpqi.h | 2 +-
 drivers/scsi/smartpqi/smartpqi_init.c | 10 +++-------
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/drivers/scsi/smartpqi/smartpqi.h b/drivers/scsi/smartpqi/smartpqi.h index e550b12e525a..d1756c9d1112 100644 --- a/drivers/scsi/smartpqi/smartpqi.h +++ b/drivers/scsi/smartpqi/smartpqi.h @@ -954,7 +954,7 @@ struct report_log_lun { struct report_log_lun_list { struct report_lun_header header; - struct report_log_lun lun_entries[1]; + struct report_log_lun lun_entries[]; }; struct report_phys_lun_8byte_wwid { diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c index b971fbe3b3a1..544cd18a90d7 100644 --- a/drivers/scsi/smartpqi/smartpqi_init.c +++ b/drivers/scsi/smartpqi/smartpqi_init.c 
@@ -1264,8 +1264,7 @@ static int pqi_get_device_lists(struct pqi_ctrl_info *ctrl_info, logdev_data_length = sizeof(struct report_lun_header) + logdev_list_length; - internal_logdev_list = kmalloc(logdev_data_length + - sizeof(struct report_log_lun), GFP_KERNEL); + internal_logdev_list = kmalloc(logdev_data_length, GFP_KERNEL); if (!internal_logdev_list) { kfree(*logdev_list); *logdev_list = NULL; @@ -1273,11 +1272,8 @@ static int pqi_get_device_lists(struct pqi_ctrl_info *ctrl_info, } memcpy(internal_logdev_list, logdev_data, logdev_data_length); - memset((u8 *)internal_logdev_list + logdev_data_length, 0, - sizeof(struct report_log_lun)); - put_unaligned_be32(logdev_list_length + - sizeof(struct report_log_lun), - &internal_logdev_list->header.list_length); + put_unaligned_be32(logdev_list_length, + &internal_logdev_list->header.list_length); kfree(*logdev_list); *logdev_list = internal_logdev_list; -- 2.34.1
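
Review bot: the changelog names struct MR_DRV_RAID_MAP, but the only declaration touched in the smartpqi.h hunk is lun_entries in struct report_log_lun_list, so the commit text should name that struct. With lun_entries[1] becoming lun_entries[], sizeof(struct report_log_lun_list) also shrinks by one struct report_log_lun; the patch adjusts only pqi_get_device_lists(), so the changelog should state that no other sizeof(struct report_log_lun_list) user in the driver depends on the old size.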
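
Review bot: in the smartpqi_init.c hunk at -1264, logdev_data_length is computed as sizeof(struct report_lun_header) + logdev_list_length, not from sizeof(struct report_log_lun_list), so the one-element array never contributed to this kmalloc() and the removed "+ sizeof(struct report_log_lun)" was a real additional entry rather than compensation for lun_entries[1]. Changing the declaration to a flexible array does not by itself justify shrinking the allocation; keep the extra sizeof(struct report_log_lun) here unless the maintainers confirm the trailing entry is unused.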
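
Review bot: the put_unaligned_be32() removed in the smartpqi_init.c hunk at -1273 added sizeof(struct report_log_lun) to header.list_length, so the zeroed trailing entry was advertised to any consumer that walks lun_entries by list_length, and after this change such a walk sees one entry fewer. That is a functional change rather than a layout cleanup: either keep the memset() and the "+ sizeof(struct report_log_lun)" in list_length, or explain in the changelog why dropping the entry is safe for the callers of pqi_get_device_lists().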
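
The sizing question the changelog raises, as an added user-space example (not code from the patch or the driver): it compares sizeof() for the `[1]` and `[]` declarations and shows how many entries a consumer sees through `list_length` with and without the extra zeroed entry. The struct field layouts and the names `copy_list()`, `entries_seen()` and `one_elem_overhead()` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in types: field layouts are assumptions; only the array forms mirror the patch. */
struct lun_header { uint8_t list_length[4]; uint8_t flags; uint8_t reserved[3]; };
struct log_lun    { uint8_t lunid[8]; };
struct list_one   { struct lun_header header; struct log_lun lun_entries[1]; };
struct list_flex  { struct lun_header header; struct log_lun lun_entries[]; };

/* sizeof() counts the [1] element but not a flexible-array member. */
size_t one_elem_overhead(void)
{
	return sizeof(struct list_one) - sizeof(struct list_flex);
}

/* Entries a consumer walks, derived from the big-endian header.list_length. */
size_t entries_seen(const struct list_flex *l)
{
	const uint8_t *p = l->header.list_length;
	uint32_t len = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];

	return len / sizeof(struct log_lun);
}

/*
 * Copy n entries into a new list. extra=1 follows the pre-patch sequence
 * (allocate, zero and count one more entry); extra=0 follows the patched one.
 */
struct list_flex *copy_list(const struct list_flex *src, size_t n, int extra)
{
	size_t tail = extra ? sizeof(struct log_lun) : 0;
	size_t data_len, list_len;
	struct list_flex *dst;

	/* list_length is a 32-bit field; reject counts that cannot be encoded. */
	if (n > (UINT32_MAX - sizeof(struct lun_header) - tail) / sizeof(struct log_lun))
		return NULL;
	data_len = sizeof(struct lun_header) + n * sizeof(struct log_lun);
	list_len = n * sizeof(struct log_lun) + tail;
	dst = malloc(data_len + tail);
	if (!dst)
		return NULL;
	memcpy(dst, src, data_len);
	memset((uint8_t *)dst + data_len, 0, tail);
	for (int i = 0; i < 4; i++)	/* put_unaligned_be32() equivalent */
		dst->header.list_length[i] = (uint8_t)(list_len >> (24 - 8 * i));
	return dst;
}
```

Because the copy length is built from the header size plus the entry bytes, it is the same for both declarations; only the `extra` path changes what a consumer sees.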