lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 21 Jan 2020 10:03:09 -0600
From:   "Gustavo A. R. Silva" <gustavo@...eddedor.com>
To:     Mikael Magnusson <mikachu@...il.com>
Cc:     gregkh@...uxfoundation.org, jslaby@...e.com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] tty: n_hdlc: Use flexible-array member



On 1/21/20 09:24, Gustavo A. R. Silva wrote:
> 
> 
> On 1/21/20 09:14, Gustavo A. R. Silva wrote:
>>
>>
>> On 1/21/20 09:00, Mikael Magnusson wrote:
>>> Gustavo Silva wrote:
>>>> On 1/20/20 23:54, Jiri Slaby wrote:
>>>>> On 21. 01. 20, 0:45, Gustavo A. R. Silva wrote:
>>>>>> diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
>>>>>> index 98361acd3053..b5499ca8757e 100644
>>>>>> --- a/drivers/tty/n_hdlc.c
>>>>>> +++ b/drivers/tty/n_hdlc.c
>>>>>> @@ -115,7 +115,7 @@
>>>>>>  struct n_hdlc_buf {
>>>>>>    struct list_head  list_item;
>>>>>>    int     count;
>>>>>> -  char      buf[1];
>>>>>> +  char      buf[];
>>>>>>  };
>>>>>>  
>>>>>>  #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe)
>>>>>
>>>>> Have you checked, that you don't have to "+ 1" here now?
>>>>>
>>>>
>>>> Yep. That's not necessary.
>>>>
>>>> _In terms of memory allocation_, zero-length/one-element arrays and flexible-array
>>>> members work exactly the same way.
>>>
>>> This is not true, but maybe it's still not necessary in this particular code, I didn't examine it.
>>>
>>
>> I should have said _in terms of dynamic memory allocation_.
>>
>> Your example is correct:
>>
>> "... a one-element array always occupies at least as much space as a single object of the type."[1]
>>
>> But the above does not affect on the current code.
>>
> 
> Oh wait! Yeah; I see the issue in #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe) now...
> 

This would be the new patch; and I'm making use the the struct_size helper
this time, to safely calculate the allocation size:

diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
index 98361acd3053..27b506bf03ce 100644
--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -115,11 +115,9 @@
 struct n_hdlc_buf {
        struct list_head  list_item;
        int               count;
-       char              buf[1];
+       char              buf[];
 };

-#define        N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe)
-
 struct n_hdlc_buf_list {
        struct list_head  list;
        int               count;
@@ -524,7 +522,8 @@ static void n_hdlc_tty_receive(struct tty_struct *tty, const __u8 *data,
                /* no buffers in free list, attempt to allocate another rx buffer */
                /* unless the maximum count has been reached */
                if (n_hdlc->rx_buf_list.count < MAX_RX_BUF_COUNT)
-                       buf = kmalloc(N_HDLC_BUF_SIZE, GFP_ATOMIC);
+                       buf = kmalloc(struct_size(buf, buf, maxframe),
+                                     GFP_ATOMIC);
        }

        if (!buf) {
@@ -853,7 +852,7 @@ static struct n_hdlc *n_hdlc_alloc(void)

        /* allocate free rx buffer list */
        for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
-               buf = kmalloc(N_HDLC_BUF_SIZE, GFP_KERNEL);
+               buf = kmalloc(struct_size(buf, buf, maxframe), GFP_KERNEL);
                if (buf)
                        n_hdlc_buf_put(&n_hdlc->rx_free_buf_list,buf);
                else if (debuglevel >= DEBUG_LEVEL_INFO)
@@ -862,7 +861,7 @@ static struct n_hdlc *n_hdlc_alloc(void)

        /* allocate free tx buffer list */
        for(i=0;i<DEFAULT_TX_BUF_COUNT;i++) {
-               buf = kmalloc(N_HDLC_BUF_SIZE, GFP_KERNEL);
+               buf = kmalloc(struct_size(buf, buf, maxframe), GFP_KERNEL);
                if (buf)
                        n_hdlc_buf_put(&n_hdlc->tx_free_buf_list,buf);
                else if (debuglevel >= DEBUG_LEVEL_INFO)


And it seems that that extra "+ 1" is not needed. The frame size is always being
verified in multiple places:


/* verify frame size */
 if (count > maxframe ) {
                if (debuglevel & DEBUG_LEVEL_INFO)
                        printk (KERN_WARNING
                                "n_hdlc_tty_write: truncating user packet "
                                "from %lu to %d\n", (unsigned long) count,
                                maxframe );
                count = maxframe;
        }
		    ^^^^^^		
and _count_ is being limited to _maxframe_, before copying data into _buf_ :

/* copy received data to HDLC buffer */
        memcpy(buf->buf,data,count);
        buf->count=count;

So we might save some bytes, too.

I'll properly write and send v2, shortly.

Thanks
--
Gustavo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ