lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Mon, 13 Feb 2023 13:52:45 +0100
From:   Amadeusz Sławiński 
        <amadeuszx.slawinski@...ux.intel.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     Cezary Rojewski <cezary.rojewski@...el.com>,
        Sasa Ostrouska <casaxa@...il.com>,
        Pierre-Louis Bossart <pierre-louis.bossart@...ux.intel.com>,
        Liam Girdwood <liam.r.girdwood@...ux.intel.com>,
        Peter Ujfalusi <peter.ujfalusi@...ux.intel.com>,
        Bard Liao <yung-chuan.liao@...ux.intel.com>,
        Ranjani Sridharan <ranjani.sridharan@...ux.intel.com>,
        Kai Vehmanen <kai.vehmanen@...ux.intel.com>,
        Mark Brown <broonie@...nel.org>, Takashi Iwai <tiwai@...e.com>,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        alsa-devel@...a-project.org, linux-kernel@...r.kernel.org,
        linux-hardening@...r.kernel.org
Subject: Re: [PATCH] ASoC: Intel: Skylake: Replace 1-element array with
 flex-array

On 2/10/2023 8:06 PM, Kees Cook wrote:
> On Fri, Feb 10, 2023 at 02:10:56PM +0100, Amadeusz Sławiński wrote:
>> On 2/10/2023 6:14 AM, Kees Cook wrote:
>>> The kernel is globally removing the ambiguous 0-length and 1-element
>>> arrays in favor of flexible arrays, so that we can gain both compile-time
>>> and run-time array bounds checking[1]. In this instance, struct
>>> skl_cpr_cfg contains struct skl_cpr_gtw_cfg, which defined "config_data"
>>> as a 1-element array.
>>>
>>> Normally when switching from a 1-element array to a flex-array, any
>>> related size calculations must be adjusted too. However, it seems the
>>> original code was over-allocating space, since 1 extra u32 would be
>>> included by the sizeof():
>>>
>>>                   param_size = sizeof(struct skl_cpr_cfg);
>>>                   param_size += mconfig->formats_config[SKL_PARAM_INIT].caps_size;
>>>
>>> But the copy uses caps_size bytes, and cap_size / 4 (i.e. sizeof(u32))
>>> for the length tracking:
>>>
>>>           memcpy(cpr_mconfig->gtw_cfg.config_data,
>>>                           mconfig->formats_config[SKL_PARAM_INIT].caps,
>>>                           mconfig->formats_config[SKL_PARAM_INIT].caps_size);
>>>
>>>           cpr_mconfig->gtw_cfg.config_length =
>>>                           (mconfig->formats_config[SKL_PARAM_INIT].caps_size) / 4;
>>>
>>> Therefore, no size calculations need adjusting. Change the struct
>>> skl_cpr_gtw_cfg config_data member to be a true flexible array, which
>>> also fixes the over-allocation, and silences this memcpy run-time false
>>> positive:
>>>
>>>     memcpy: detected field-spanning write (size 100) of single field "cpr_mconfig->gtw_cfg.config_data" at sound/soc/intel/skylake/skl-messages.c:554 (size 4)
>>>
>>> [1] For lots of details, see both:
>>>       https://docs.kernel.org/process/deprecated.html#zero-length-and-one-element-arrays
>>>       https://people.kernel.org/kees/bounded-flexible-arrays-in-c
>>>
>>> Reported-by: Sasa Ostrouska <casaxa@...il.com>
>>> Link: https://lore.kernel.org/all/CALFERdwvq5day_sbDfiUsMSZCQu9HG8-SBpOZDNPeMdZGog6XA@mail.gmail.com/
>>> Cc: Cezary Rojewski <cezary.rojewski@...el.com>
>>> Cc: Pierre-Louis Bossart <pierre-louis.bossart@...ux.intel.com>
>>> Cc: Liam Girdwood <liam.r.girdwood@...ux.intel.com>
>>> Cc: Peter Ujfalusi <peter.ujfalusi@...ux.intel.com>
>>> Cc: Bard Liao <yung-chuan.liao@...ux.intel.com>
>>> Cc: Ranjani Sridharan <ranjani.sridharan@...ux.intel.com>
>>> Cc: Kai Vehmanen <kai.vehmanen@...ux.intel.com>
>>> Cc: Mark Brown <broonie@...nel.org>
>>> Cc: Jaroslav Kysela <perex@...ex.cz>
>>> Cc: Takashi Iwai <tiwai@...e.com>
>>> Cc: "Gustavo A. R. Silva" <gustavoars@...nel.org>
>>> Cc: "Amadeusz Sławiński" <amadeuszx.slawinski@...ux.intel.com>
>>> Cc: alsa-devel@...a-project.org
>>> Signed-off-by: Kees Cook <keescook@...omium.org>
>>> ---
>>>    sound/soc/intel/skylake/skl-topology.h | 2 +-
>>>    1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/sound/soc/intel/skylake/skl-topology.h b/sound/soc/intel/skylake/skl-topology.h
>>> index 6db0fd7bad49..ad94f8020c27 100644
>>> --- a/sound/soc/intel/skylake/skl-topology.h
>>> +++ b/sound/soc/intel/skylake/skl-topology.h
>>> @@ -115,7 +115,7 @@ struct skl_cpr_gtw_cfg {
>>>    	u32 dma_buffer_size;
>>>    	u32 config_length;
>>>    	/* not mandatory; required only for DMIC/I2S */
>>> -	u32 config_data[1];
>>> +	u32 config_data[];
>>>    } __packed;
>>>    struct skl_dma_control {
>>
>> This fails in our validation.
> 
> Ah, okay. Thanks for checking!
> 
>> Maybe we can use the union workaround, to
>> leave the size as is?
>>
>> Following seems to work in manual test:
>> diff --git a/sound/soc/intel/skylake/skl-topology.h
>> b/sound/soc/intel/skylake/skl-topology.h
>> index 6db0fd7bad49..ffbd2e60fede 100644
>> --- a/sound/soc/intel/skylake/skl-topology.h
>> +++ b/sound/soc/intel/skylake/skl-topology.h
>> @@ -115,7 +115,10 @@ struct skl_cpr_gtw_cfg {
>>          u32 dma_buffer_size;
>>          u32 config_length;
>>          /* not mandatory; required only for DMIC/I2S */
>> -       u32 config_data[1];
>> +       union {
>> +               u32 x;
>> +               u32 config_data[0];
>> +       };
> 
> Yeah, that could work, though the last member would be:
> 	DECLARE_FLEX_ARRAY(u32, config_data);
> otherwise the array is 0 length (rather than a proper flex array).
> 
> But before that, let me see if I can track down where the size is being
> used, in case we can avoid adding the padding.
> 

I did spend some more time on this, apparently struct was missing one 
field according to IPC protocol. I've send fix for this.

Powered by blists - more mailing lists