| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <af96abd5-1eaa-a74f-cfb6-7ed82fe2207c@linux.intel.com>
Date: Mon, 13 Feb 2023 13:52:45 +0100
From: Amadeusz Sławiński
<amadeuszx.slawinski@...ux.intel.com>
To: Kees Cook <keescook@...omium.org>
Cc: Cezary Rojewski <cezary.rojewski@...el.com>,
Sasa Ostrouska <casaxa@...il.com>,
Pierre-Louis Bossart <pierre-louis.bossart@...ux.intel.com>,
Liam Girdwood <liam.r.girdwood@...ux.intel.com>,
Peter Ujfalusi <peter.ujfalusi@...ux.intel.com>,
Bard Liao <yung-chuan.liao@...ux.intel.com>,
Ranjani Sridharan <ranjani.sridharan@...ux.intel.com>,
Kai Vehmanen <kai.vehmanen@...ux.intel.com>,
Mark Brown <broonie@...nel.org>, Takashi Iwai <tiwai@...e.com>,
"Gustavo A. R. Silva" <gustavoars@...nel.org>,
alsa-devel@...a-project.org, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH] ASoC: Intel: Skylake: Replace 1-element array with
flex-array
On 2/10/2023 8:06 PM, Kees Cook wrote:
> On Fri, Feb 10, 2023 at 02:10:56PM +0100, Amadeusz Sławiński wrote:
>> On 2/10/2023 6:14 AM, Kees Cook wrote:
>>> The kernel is globally removing the ambiguous 0-length and 1-element
>>> arrays in favor of flexible arrays, so that we can gain both compile-time
>>> and run-time array bounds checking[1]. In this instance, struct
>>> skl_cpr_cfg contains struct skl_cpr_gtw_cfg, which defined "config_data"
>>> as a 1-element array.
>>>
>>> Normally when switching from a 1-element array to a flex-array, any
>>> related size calculations must be adjusted too. However, it seems the
>>> original code was over-allocating space, since 1 extra u32 would be
>>> included by the sizeof():
>>>
>>> param_size = sizeof(struct skl_cpr_cfg);
>>> param_size += mconfig->formats_config[SKL_PARAM_INIT].caps_size;
>>>
>>> But the copy uses caps_size bytes, and cap_size / 4 (i.e. sizeof(u32))
>>> for the length tracking:
>>>
>>> memcpy(cpr_mconfig->gtw_cfg.config_data,
>>> mconfig->formats_config[SKL_PARAM_INIT].caps,
>>> mconfig->formats_config[SKL_PARAM_INIT].caps_size);
>>>
>>> cpr_mconfig->gtw_cfg.config_length =
>>> (mconfig->formats_config[SKL_PARAM_INIT].caps_size) / 4;
>>>
>>> Therefore, no size calculations need adjusting. Change the struct
>>> skl_cpr_gtw_cfg config_data member to be a true flexible array, which
>>> also fixes the over-allocation, and silences this memcpy run-time false
>>> positive:
>>>
>>> memcpy: detected field-spanning write (size 100) of single field "cpr_mconfig->gtw_cfg.config_data" at sound/soc/intel/skylake/skl-messages.c:554 (size 4)
>>>
>>> [1] For lots of details, see both:
>>> https://docs.kernel.org/process/deprecated.html#zero-length-and-one-element-arrays
>>> https://people.kernel.org/kees/bounded-flexible-arrays-in-c
>>>
>>> Reported-by: Sasa Ostrouska <casaxa@...il.com>
>>> Link: https://lore.kernel.org/all/CALFERdwvq5day_sbDfiUsMSZCQu9HG8-SBpOZDNPeMdZGog6XA@mail.gmail.com/
>>> Cc: Cezary Rojewski <cezary.rojewski@...el.com>
>>> Cc: Pierre-Louis Bossart <pierre-louis.bossart@...ux.intel.com>
>>> Cc: Liam Girdwood <liam.r.girdwood@...ux.intel.com>
>>> Cc: Peter Ujfalusi <peter.ujfalusi@...ux.intel.com>
>>> Cc: Bard Liao <yung-chuan.liao@...ux.intel.com>
>>> Cc: Ranjani Sridharan <ranjani.sridharan@...ux.intel.com>
>>> Cc: Kai Vehmanen <kai.vehmanen@...ux.intel.com>
>>> Cc: Mark Brown <broonie@...nel.org>
>>> Cc: Jaroslav Kysela <perex@...ex.cz>
>>> Cc: Takashi Iwai <tiwai@...e.com>
>>> Cc: "Gustavo A. R. Silva" <gustavoars@...nel.org>
>>> Cc: "Amadeusz Sławiński" <amadeuszx.slawinski@...ux.intel.com>
>>> Cc: alsa-devel@...a-project.org
>>> Signed-off-by: Kees Cook <keescook@...omium.org>
>>> ---
>>> sound/soc/intel/skylake/skl-topology.h | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/sound/soc/intel/skylake/skl-topology.h b/sound/soc/intel/skylake/skl-topology.h
>>> index 6db0fd7bad49..ad94f8020c27 100644
>>> --- a/sound/soc/intel/skylake/skl-topology.h
>>> +++ b/sound/soc/intel/skylake/skl-topology.h
>>> @@ -115,7 +115,7 @@ struct skl_cpr_gtw_cfg {
>>> u32 dma_buffer_size;
>>> u32 config_length;
>>> /* not mandatory; required only for DMIC/I2S */
>>> - u32 config_data[1];
>>> + u32 config_data[];
>>> } __packed;
>>> struct skl_dma_control {
>>
>> This fails in our validation.
>
> Ah, okay. Thanks for checking!
>
>> Maybe we can use the union workaround, to
>> leave the size as is?
>>
>> Following seems to work in manual test:
>> diff --git a/sound/soc/intel/skylake/skl-topology.h
>> b/sound/soc/intel/skylake/skl-topology.h
>> index 6db0fd7bad49..ffbd2e60fede 100644
>> --- a/sound/soc/intel/skylake/skl-topology.h
>> +++ b/sound/soc/intel/skylake/skl-topology.h
>> @@ -115,7 +115,10 @@ struct skl_cpr_gtw_cfg {
>> u32 dma_buffer_size;
>> u32 config_length;
>> /* not mandatory; required only for DMIC/I2S */
>> - u32 config_data[1];
>> + union {
>> + u32 x;
>> + u32 config_data[0];
>> + };
>
> Yeah, that could work, though the last member would be:
> DECLARE_FLEX_ARRAY(u32, config_data);
> otherwise the array is 0 length (rather than a proper flex array).
>
> But before that, let me see if I can track down where the size is being
> used, in case we can avoid adding the padding.
>
I did spend some more time on this, apparently struct was missing one
field according to IPC protocol. I've send fix for this.
Powered by blists - more mailing lists