lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <5417cc2c-c29a-49f5-8932-44d0507c0dea@embeddedor.com>
Date: Thu, 4 Sep 2025 17:57:53 +0200
From: "Gustavo A. R. Silva" <gustavo@...eddedor.com>
To: James Bottomley <James.Bottomley@...senPartnership.com>,
 John Garry <john.g.garry@...cle.com>,
 "Gustavo A. R. Silva" <gustavoars@...nel.org>,
 Jack Wang <jinpu.wang@...ud.ionos.com>,
 "Martin K. Petersen" <martin.petersen@...cle.com>
Cc: linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org,
 linux-hardening@...r.kernel.org
Subject: Re: [PATCH][next] scsi: pm80xx: Avoid -Wflex-array-member-not-at-end
 warning



On 9/4/25 14:39, James Bottomley wrote:
> On Thu, 2025-09-04 at 07:52 +0100, John Garry wrote:
>> On 03/09/2025 19:44, Gustavo A. R. Silva wrote:
>>> diff --git a/drivers/scsi/pm8001/pm8001_hwi.h
>>> b/drivers/scsi/pm8001/pm8001_hwi.h
>>> index fc2127dcb58d..7dc7870a8f86 100644
>>> --- a/drivers/scsi/pm8001/pm8001_hwi.h
>>> +++ b/drivers/scsi/pm8001/pm8001_hwi.h
>>> @@ -339,8 +339,10 @@ struct ssp_completion_resp {
>>>    	__le32	status;
>>>    	__le32	param;
>>>    	__le32	ssptag_rescv_rescpad;
>>> -	struct ssp_response_iu  ssp_resp_iu;
>>>    	__le32	residual_count;
>>> +
>>> +	/* Must be last --ends in a flexible-array member. */
>>> +	struct ssp_response_iu  ssp_resp_iu;
>>
>> this is a HW structure, right? I did not think that it is ok to
>> simply re-order them...
> 
> Agreed, this is a standards defined information unit corresponding to
> an on the wire data structure.  The patch is clearly wrong.
> 
> That being said, the three things the flexible member can contain are
> no data, response data or sense data.  None of them has a residual
> count at the beginning and, indeed, this field is never referred to in
> the driver, so it looks like it can simply be deleted to fix the
> warning.

I see. I just submitted v2. Thanks!

> 
> That being said, this pattern of adding fields after flexible members
> to represent data that's common to all content types of the union is
> not unknown in SCSI so if you want to enable this warning, what are we
> supposed to do when we encounter a genuine use case?

It depends on the situation. Some people prefer to have a separate struct
with only the header part of the flexible structure --this is excluding
the flexible-array member (FAM), and then use an object of that header
type embedded anywhere in any other struct. This of course (sometimes)
implies having to do many other changes to accommodate the rest of the
code accordingly, as in this[1] case.

To address the situation described above without necessarily having to
create a separate header struct and change a lot of code, the
struct_group() helper can be used [2].

In other cases, when for some reason the FAM has to be accessed through
a composite struct, both struct_group() and container_of() (this to
retrieve a pointer to the flexible structure and then access the FAM)
can be used [3].

We have the new TRAILING_OVERLAP() helper that in many cases can be
superior to the struct_group()/container_of() approach. For instance
this[4] could've been fixed with the following shorter and simpler
patch:

  struct nfsacl_simple_acl {
-       struct posix_acl acl;
-       struct posix_acl_entry ace[4];
+       TRAILING_OVERLAP(struct posix_acl, acl, a_entries,
+               struct posix_acl_entry ace[4];
+       );
  };

However, at the time we didn't have TRAILING_OVERLAP(). Also, this new
macro is helping us to detect alignment issues and correct them [5].
These[6][7] are a couple more example of when and how to use this helper.

We also have the DEFINE_FLEX()/DEFINE_RAW_FLEX() helpers [8][9].

So, again, we can do different things depending on the situation and
maintainer's preferences.

Ideally, FAMs-in-the-middle should be avoided, because it's so easy
for them to open the door to memory corruption bugs[10] (to mention
some).

Thanks
-Gustavo

[1] https://git.kernel.org/linus/d2af710d6d50
[2] https://git.kernel.org/linus/c54979a3abc4
[3] https://git.kernel.org/linus/a7e8997ae18c
[4] https://git.kernel.org/linus/dfd500d89545
[5] https://lore.kernel.org/linux-hardening/aLiYrQGdGmaDTtLF@kspp/
[6] https://git.kernel.org/linus/5e54510a9389
[7] https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=8abbbbb588f1
[8] https://git.kernel.org/linus/1d717123bb1a
[9] https://git.kernel.org/linus/34116ec67cc1
[10a] https://git.kernel.org/linus/eea03d18af9c
[10b] https://git.kernel.org/linus/6e4bf018bb04
[10c] https://git.kernel.org/linus/cf44e745048d
[10d] https://git.kernel.org/linus/d761bb01c85b

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ