| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202310091503.E59363D14@keescook>
Date: Mon, 9 Oct 2023 15:03:56 -0700
From: Kees Cook <keescook@...omium.org>
To: "Gustavo A. R. Silva" <gustavoars@...nel.org>
Cc: Lars-Peter Clausen <lars@...afoo.de>,
Nuno Sá <nuno.sa@...log.com>,
Liam Girdwood <lgirdwood@...il.com>,
Mark Brown <broonie@...nel.org>, Jaroslav Kysela <perex@...ex.cz>,
Takashi Iwai <tiwai@...e.com>, alsa-devel@...a-project.org,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH][next] ASoC: sigmadsp: Add __counted_by for struct
sigmadsp_data and use struct_size()
On Mon, Oct 09, 2023 at 03:24:23PM -0600, Gustavo A. R. Silva wrote:
> Prepare for the coming implementation by GCC and Clang of the __counted_by
> attribute. Flexible array members annotated with __counted_by can have
> their accesses bounds-checked at run-time via CONFIG_UBSAN_BOUNDS (for
> array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
> functions).
>
> While there, use struct_size() and size_sub() helpers, instead of the
> open-coded version, to calculate the size for the allocation of the
> whole flexible structure, including of course, the flexible-array
> member.
>
> This code was found with the help of Coccinelle, and audited and
> fixed manually.
>
> Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org>
> ---
> sound/soc/codecs/sigmadsp.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/sound/soc/codecs/sigmadsp.c b/sound/soc/codecs/sigmadsp.c
> index b93c078a8040..56546e2394ab 100644
> --- a/sound/soc/codecs/sigmadsp.c
> +++ b/sound/soc/codecs/sigmadsp.c
> @@ -43,7 +43,7 @@ struct sigmadsp_data {
> uint32_t samplerates;
> unsigned int addr;
> unsigned int length;
> - uint8_t data[];
> + uint8_t data[] __counted_by(length);
> };
>
> struct sigma_fw_chunk {
> @@ -270,7 +270,7 @@ static int sigma_fw_load_data(struct sigmadsp *sigmadsp,
>
> length -= sizeof(*data_chunk);
>
> - data = kzalloc(sizeof(*data) + length, GFP_KERNEL);
> + data = kzalloc(struct_size(data, data, length), GFP_KERNEL);
> if (!data)
> return -ENOMEM;
>
> @@ -413,7 +413,8 @@ static int process_sigma_action(struct sigmadsp *sigmadsp,
> if (len < 3)
> return -EINVAL;
>
> - data = kzalloc(sizeof(*data) + len - 2, GFP_KERNEL);
> + data = kzalloc(struct_size(data, data, size_sub(len, 2)),
> + GFP_KERNEL);
Since len was just size-checked before the alloc, size_sub() is a bit of
overkill, but it's not technically wrong. :P
Reviewed-by: Kees Cook <keescook@...omium.org>
--
Kees Cook
Powered by blists - more mailing lists