lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 26 May 2023 21:31:39 -0700
From:   Joe Perches <joe@...ches.com>
To:     Kees Cook <keescook@...omium.org>,
        Andy Whitcroft <apw@...onical.com>
Cc:     Dwaipayan Ray <dwaipayanray1@...il.com>,
        Lukas Bulwahn <lukas.bulwahn@...il.com>,
        "Gustavo A . R . Silva" <gustavoars@...nel.org>,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH v3] checkpatch: Check for 0-length and 1-element arrays

On Fri, 2023-05-26 at 19:09 -0700, Kees Cook wrote:
> Fake flexible arrays have been deprecated since last millennium. Proper
> C99 flexible arrays must be used throughout the kernel so
> CONFIG_FORTIFY_SOURCE and CONFIG_UBSAN_BOUNDS can provide proper array
> bounds checking.

Hi again.


> diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
[]
> @@ -7430,6 +7430,21 @@ sub process {
>  			}
>  		}
>  
> +# check for array definition/declarations that should use flexible arrays instead
> +		if ($sline =~ /^[\+ ]\s*}\s*;\s*$/ &&
> +		    $prevline =~ /^\+\s*(?:\}|$Type)\s*$Ident\s*\[\s*(0|1)\s*\]\s*;\s*$/) {

Ahh, now I see why you want to use (?:\}|$Type) to find
struct arrays defined as the last object in another struct.

e.g.: (from drivers/infiniband/hw/mlx5/odp.c)

struct prefetch_mr_work {
	struct work_struct work;
	u32 pf_flags;
	u32 num_sge;
	struct {
		u64 io_virt;
		struct mlx5_ib_mr *mr;
		size_t length;
	} frags[];
};

grepping for some existing variants, perhaps the $sline test should
be extended to something like:

		if ($sline =~ /^[\+ ]\s*}\s*(?:__packed|__attribute__\s*$balanced_parens)?\s*;\s*$/ &&

Dunno, the __packed/__attribute__ uses aren't particularly common.
There are ~1000 uses kernel wide with flexible arrays and only
about 100 with 0 or 1 that could be converted.

like from drivers/net/hyperv/hyperv_net.h:

struct nvsp_6_pd_batch_msg {
	struct nvsp_message_header hdr;
	u16 count;
	u16 guest2host:1;
	u16 is_recv:1;
	u16 reserved:14;
	struct nvsp_6_pd_buf pd_buf[0];
} __packed;

My list (probably incomplete), done with a stupid grep:
(and the 0's are more interesting and much less common than the 1's)

$ git grep -A1 -P '\w+\s+\w+[ \t]*\[\s*[01]?\s*\][ \t]*;'| \
  grep -B1 "\-}" | \
  grep -B1 -P "\-}.*(__attribute__|__packed)" | \
  grep -P '\[\s*[01]\s*\]'
drivers/gpu/drm/hyperv/hyperv_drm_proto.c:	struct video_output_situation video_output[1];
drivers/gpu/drm/hyperv/hyperv_drm_proto.c:	struct rect rect[1];
drivers/hid/intel-ish-hid/ishtp-hid.h:	} __packed reports[1];
drivers/net/ethernet/brocade/bna/bfi_enet.h:	u8		rsvd1[1];
drivers/net/ethernet/emulex/benet/be_cmds.h:	u32 data_buffer[1];
drivers/net/ethernet/emulex/benet/be_cmds.h:	u32 data_buffer[1];
drivers/net/hyperv/hyperv_net.h:	struct nvsp_1_receive_buffer_section sections[1];
drivers/net/hyperv/hyperv_net.h:	struct nvsp_6_pd_buf pd_buf[0];
drivers/net/wireless/ath/ath10k/htc.h:	struct ath10k_htc_record trailer[0];
drivers/net/wireless/ath/ath10k/htt.h:	u8 prefetch[0]; /* start of frame, for FW classification engine */
drivers/net/wireless/ath/ath10k/htt.h:	u8 prefetch[0]; /* start of frame, for FW classification engine */
drivers/net/wireless/ath/ath10k/wmi.h:	struct host_memory_chunk items[1];
drivers/net/wireless/ath/ath10k/wmi.h:	u8 tlvs[0];
drivers/net/wireless/ath/ath10k/wmi.h:	struct wmi_channel channel_list[1];
drivers/net/wireless/ath/ath10k/wmi.h:	u8 data[1];
drivers/net/wireless/ath/ath10k/wmi.h:	u8 data[1];
drivers/net/wireless/ath/ath10k/wmi.h:	struct wmi_channel peer_chan_list[1];
drivers/net/wireless/ath/ath11k/htc.h:	struct ath11k_htc_record trailer[0];
drivers/net/wireless/ath/ath6kl/usb.c:	__le32 _pad[1];
drivers/net/wireless/ath/ath6kl/wmi.h:	u8 reserved[1];
drivers/net/wireless/ath/ath6kl/wmi.h:	struct wmi_pmkid pmkid_list[1];
drivers/net/wireless/ath/ath6kl/wmi.h:	u8 reserved[1];
drivers/net/wireless/ath/carl9170/fwcmd.h:	u32	vals[0];
drivers/net/wireless/ath/carl9170/fwcmd.h:	__le32		regs[0];
drivers/net/wireless/ath/wcn36xx/hal.h:	u8 rem_ie_id[1];
drivers/net/wireless/ath/wil6210/fw.h:	u8 data[0]; /* free-form data [data_size], see above */
drivers/net/wireless/ath/wil6210/fw.h:	struct wil_fw_data_dwrite data[0];
drivers/net/wireless/ath/wil6210/wmi.h:	u8 payload[0];
drivers/net/wireless/ath/wil6210/wmi.h:	u8 reserved[1];
drivers/net/wireless/atmel/at76c50x-usb.h:	u8 reserved[1];
drivers/net/wireless/intel/iwlwifi/fw/api/d3.h:	u8 wake_packet[1];
drivers/net/wireless/intel/iwlwifi/fw/api/rx.h:	__le32 reserved[1];
drivers/net/wireless/intel/iwlwifi/pcie/internal.h:	u8 reserved[1];
drivers/net/wireless/intersil/p54/lmac.h:	u8 exclude[1];
drivers/net/wireless/marvell/mwifiex/fw.h:	struct mwifiex_chan_scan_param_set chan_scan_param[1];
drivers/net/wireless/marvell/mwifiex/fw.h:	u8 bitmap[1];
drivers/net/wireless/marvell/mwifiex/fw.h:	struct chan_band_param_set chan_band_param[1];
drivers/net/wireless/marvell/mwifiex/fw.h:	u8 ssid[1];
drivers/net/wireless/marvell/mwifiex/fw.h:	u8 tsf_data[1];
drivers/net/wireless/marvell/mwifiex/fw.h:	u8 value[1];
drivers/net/wireless/marvell/mwifiex/fw.h:	u8    tlv_buffer[1];
drivers/net/wireless/marvell/mwifiex/fw.h:	struct ieee80211_country_ie_triplet triplet[1];
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h:	u8 rsv[1];
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h:	u8 rsv[1];
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h:	u8 pad[1];
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h:	u8 pad[1];
drivers/net/wireless/mediatek/mt76/mt7996/mcu.h:	u8 __rsv2[1];
drivers/net/wireless/mediatek/mt76/mt7996/mcu.h:	u8 __rsv2[1];
drivers/net/wireless/quantenna/qtnfmac/qlink.h:	u8 rsvd[1];
drivers/net/wireless/quantenna/qtnfmac/qlink.h:	u8 rsvd[1];
drivers/net/wireless/quantenna/qtnfmac/qlink.h:	u8 rsvd[1];
drivers/net/wireless/quantenna/qtnfmac/qlink.h:	u8 rsvd[1];
drivers/net/wireless/realtek/rtw89/coex.c:	u8 val[1];
drivers/net/wireless/ti/wl18xx/acx.h:	u8 padding[1];
drivers/net/wireless/ti/wl18xx/conf.h:	u8 padding[1];
drivers/net/wireless/ti/wlcore/acx.h:	u8 pad[1];
drivers/net/wireless/ti/wlcore/acx.h:	u8 pad[1];
drivers/net/wireless/ti/wlcore/acx.h:	u8 pad[1];
drivers/net/wireless/ti/wlcore/acx.h:	u8 padding[1];
drivers/net/wireless/ti/wlcore/cmd.h:	u8 padding[1];
drivers/nvmem/u-boot-env.c:	uint8_t data[0];
drivers/platform/x86/dell/dcdbas.h:	__u8 command_buffer[1];
drivers/scsi/be2iscsi/be_cmds.h:	struct	mgmt_conn_info	conn_list[1];
drivers/scsi/be2iscsi/be_cmds.h:	u32 if_hndl_list[1];
drivers/scsi/be2iscsi/be_main.h:	u32 dw[1];
drivers/scsi/be2iscsi/be_main.h:	u32 dw[1];
drivers/scsi/ipr.h:	struct ipr_hostrcb_config_element elem[1];
drivers/scsi/ipr.h:	struct ipr_hostrcb64_config_element elem[1];
drivers/scsi/ipr.h:	struct ipr_hostrcb_fabric_desc desc[1];
drivers/scsi/ipr.h:	struct ipr_hostrcb64_fabric_desc desc[1];
drivers/scsi/ipr.h:	struct ipr_sdt_entry entry[1];
drivers/scsi/ipr.h:	struct ipr_software_inq_lid_info lid[1];
drivers/scsi/megaraid/megaraid_sas.h:	struct MR_PD_ADDRESS   addr[1];
drivers/scsi/megaraid/megaraid_sas.h:	struct MR_HOST_DEVICE_LIST_ENTRY	host_device_list[1];
drivers/video/fbdev/hyperv_fb.c:	struct video_output_situation video_output[1];
drivers/video/fbdev/hyperv_fb.c:	struct rect rect[1];
fs/adfs/dir_fplus.h:	char	bigdirname[1];
fs/crypto/fscrypt_private.h:	char encrypted_path[1];
fs/isofs/rock.h:	__u8 flags[1];
fs/ksmbd/smb2pdu.h:	__u8 Chunks[1]; /* array of srv_copychunk */
fs/ksmbd/smb2pdu.h:	char name[1];
fs/ksmbd/smb_common.h:	unsigned char DialectsArray[1];
fs/ksmbd/smb_common.h:	__le16 FileSystemName[1]; /* do not have to save this - get subset? */
fs/ksmbd/smb_common.h:	__le16 VolumeLabel[1];
fs/ntfs/dir.h:	ntfschar name[0];
fs/ntfs/layout.h:/* 42*/	ntfschar file_name[0];			/* File name in Unicode. */
fs/ntfs/layout.h:	le32 sub_authority[1];		/* At least one sub_authority. */
fs/ntfs/layout.h:	ntfschar name[0];	/* The name of the volume in Unicode. */
fs/ntfs/layout.h:	u8 data[0];		/* The file's data contents. */
fs/ntfs/layout.h:	u8 bitmap[0];			/* Array of bits. */
fs/ntfs/layout.h:	u8 reparse_data[0];		/* Meaning depends on reparse_tag. */
fs/reiserfs/reiserfs.h:	__u16 entry_sizes[1];
include/linux/greybus/greybus_protocols.h:	__u8			data[0];
include/linux/greybus/greybus_protocols.h:	__u8			data[0];
include/linux/greybus/greybus_protocols.h:	__u8			data[0];
include/linux/greybus/greybus_protocols.h:	__u8				report[0];
include/linux/greybus/greybus_protocols.h:	__u8				data[0];	/* inbound data */
include/linux/greybus/greybus_protocols.h:	__u8			data[0];/* inbound data */
include/linux/hid.h:	struct hid_class_descriptor desc[1];
include/linux/hyperv.h:	struct vmtransfer_page_range ranges[1];
include/linux/hyperv.h:	struct gpa_range range[1];
include/linux/hyperv.h:	struct gpa_range range[1];
include/linux/hyperv.h:	unsigned char data[1];
include/linux/ieee80211.h:	u8 virtual_map[1];
include/linux/mtd/cfi.h:	struct cfi_intelext_blockinfo BlockTypes[1];
include/linux/mtd/cfi.h:	uint32_t ProtField[1]; /* Not host ordered */
include/linux/mtd/cfi.h:	uint32_t ConfField[1]; /* Not host ordered */
include/linux/ti_wilink_st.h:	u8 data[0];
include/scsi/fc/fc_ms.h:	struct fc_fdmi_port_name	port[1];
include/uapi/linux/bpf.h:	__u64 __opaque[1];
include/uapi/linux/usb/ch9.h:	__le16 wData[1];		/* UTF-16LE encoded */
tools/include/uapi/linux/bpf.h:	__u64 __opaque[1];
tools/testing/selftests/bpf/progs/btf_dump_test_case_padding.c:	char x[0];
tools/testing/selftests/kvm/include/x86_64/processor.h:	u8			extended_state_area[0];

> +			if ($1 == '0') {
> +				if (ERROR("ZERO_LENGTH_ARRAY",
> +					  "Use C99 flexible arrays instead of zero-length arrays - see https://github.com/KSPP/linux/issues/78\n" . $hereprev) &&

Instead of github links, how about using:
https://docs.kernel.org/process/deprecated.html#zero-length-and-one-element-arrays


Why not combine both of these into a single ERROR?
What's the value in separate types?

			if (ERROR("FLEXIBLE_ARRAY",
				  "Use C99 flexible arrays - see: https://docs.kernel.org/process/deprecated.html#zero-length-and-one-element-arrays\n" . $hereprev) &&
				  $fix && $1 == '0') {
				etc...
				

> +				    $fix) {
> +					$fixed[$fixlinenr - 1] =~ s/\[\s*0\s*\]/[]/;
> +				}
> +			} else {
> +				ERROR("ONE_ELEMENT_ARRAY",
> +				      "Use C99 flexible arrays instead of one-element arrays - see https://github.com/KSPP/linux/issues/79\n" . $hereprev);
> +			}
> +		}
> +
>  # nested likely/unlikely calls
>  		if ($line =~ /\b(?:(?:un)?likely)\s*\(\s*!?\s*(IS_ERR(?:_OR_NULL|_VALUE)?|WARN)/) {
>  			WARN("LIKELY_MISUSE",

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ