lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 9 Oct 2023 15:05:21 -0700
From: Kees Cook <keescook@...omium.org>
To: "Gustavo A. R. Silva" <gustavoars@...nel.org>
Cc: Arend van Spriel <aspriel@...il.com>,
	Franky Lin <franky.lin@...adcom.com>,
	Hante Meuleman <hante.meuleman@...adcom.com>,
	Kalle Valo <kvalo@...nel.org>, linux-wireless@...r.kernel.org,
	brcm80211-dev-list.pdl@...adcom.com,
	SHA-cyfmac-dev-list@...ineon.com, linux-kernel@...r.kernel.org,
	linux-hardening@...r.kernel.org
Subject: Re: [PATCH][next] wifi: brcmfmac: fweh: Add __counted_by for struct
 brcmf_fweh_queue_item and use struct_size()

On Mon, Oct 09, 2023 at 03:42:04PM -0600, Gustavo A. R. Silva wrote:
> Prepare for the coming implementation by GCC and Clang of the __counted_by
> attribute. Flexible array members annotated with __counted_by can have
> their accesses bounds-checked at run-time via CONFIG_UBSAN_BOUNDS (for
> array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
> functions).
> 
> Also, relocate `event->datalen = datalen;` to before calling
> `memcpy(event->data, data, datalen);`, so that the __counted_by
> annotation has effect, and flex-array member `data` can be properly
> bounds-checked at run-time.
> 
> While there, use struct_size() helper, instead of the open-coded
> version, to calculate the size for the allocation of the whole
> flexible structure, including of course, the flexible-array member.
> 
> This code was found with the help of Coccinelle, and audited and
> fixed manually.
> 
> Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org>

Yeah, looks right. Thanks for moving the count assignment.

Reviewed-by: Kees Cook <keescook@...omium.org>

-Kees

> ---
>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
> index dac7eb77799b..68960ae98987 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
> @@ -33,7 +33,7 @@ struct brcmf_fweh_queue_item {
>  	u8 ifaddr[ETH_ALEN];
>  	struct brcmf_event_msg_be emsg;
>  	u32 datalen;
> -	u8 data[];
> +	u8 data[] __counted_by(datalen);
>  };
>  
>  /*
> @@ -418,17 +418,17 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr,
>  	    datalen + sizeof(*event_packet) > packet_len)
>  		return;
>  
> -	event = kzalloc(sizeof(*event) + datalen, gfp);
> +	event = kzalloc(struct_size(event, data, datalen), gfp);
>  	if (!event)
>  		return;
>  
> +	event->datalen = datalen;
>  	event->code = code;
>  	event->ifidx = event_packet->msg.ifidx;
>  
>  	/* use memcpy to get aligned event message */
>  	memcpy(&event->emsg, &event_packet->msg, sizeof(event->emsg));
>  	memcpy(event->data, data, datalen);
> -	event->datalen = datalen;
>  	memcpy(event->ifaddr, event_packet->eth.h_dest, ETH_ALEN);
>  
>  	brcmf_fweh_queue_event(fweh, event);
> -- 
> 2.34.1
> 
> 

-- 
Kees Cook

Powered by blists - more mailing lists