| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202310091505.396E92C3@keescook>
Date: Mon, 9 Oct 2023 15:05:21 -0700
From: Kees Cook <keescook@...omium.org>
To: "Gustavo A. R. Silva" <gustavoars@...nel.org>
Cc: Arend van Spriel <aspriel@...il.com>,
Franky Lin <franky.lin@...adcom.com>,
Hante Meuleman <hante.meuleman@...adcom.com>,
Kalle Valo <kvalo@...nel.org>, linux-wireless@...r.kernel.org,
brcm80211-dev-list.pdl@...adcom.com,
SHA-cyfmac-dev-list@...ineon.com, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH][next] wifi: brcmfmac: fweh: Add __counted_by for struct
brcmf_fweh_queue_item and use struct_size()
On Mon, Oct 09, 2023 at 03:42:04PM -0600, Gustavo A. R. Silva wrote:
> Prepare for the coming implementation by GCC and Clang of the __counted_by
> attribute. Flexible array members annotated with __counted_by can have
> their accesses bounds-checked at run-time via CONFIG_UBSAN_BOUNDS (for
> array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
> functions).
>
> Also, relocate `event->datalen = datalen;` to before calling
> `memcpy(event->data, data, datalen);`, so that the __counted_by
> annotation has effect, and flex-array member `data` can be properly
> bounds-checked at run-time.
>
> While there, use struct_size() helper, instead of the open-coded
> version, to calculate the size for the allocation of the whole
> flexible structure, including of course, the flexible-array member.
>
> This code was found with the help of Coccinelle, and audited and
> fixed manually.
>
> Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org>
Yeah, looks right. Thanks for moving the count assignment.
Reviewed-by: Kees Cook <keescook@...omium.org>
-Kees
> ---
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
> index dac7eb77799b..68960ae98987 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
> @@ -33,7 +33,7 @@ struct brcmf_fweh_queue_item {
> u8 ifaddr[ETH_ALEN];
> struct brcmf_event_msg_be emsg;
> u32 datalen;
> - u8 data[];
> + u8 data[] __counted_by(datalen);
> };
>
> /*
> @@ -418,17 +418,17 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr,
> datalen + sizeof(*event_packet) > packet_len)
> return;
>
> - event = kzalloc(sizeof(*event) + datalen, gfp);
> + event = kzalloc(struct_size(event, data, datalen), gfp);
> if (!event)
> return;
>
> + event->datalen = datalen;
> event->code = code;
> event->ifidx = event_packet->msg.ifidx;
>
> /* use memcpy to get aligned event message */
> memcpy(&event->emsg, &event_packet->msg, sizeof(event->emsg));
> memcpy(event->data, data, datalen);
> - event->datalen = datalen;
> memcpy(event->ifaddr, event_packet->eth.h_dest, ETH_ALEN);
>
> brcmf_fweh_queue_event(fweh, event);
> --
> 2.34.1
>
>
--
Kees Cook
Powered by blists - more mailing lists