[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <b63a8f5b-0bc3-3a27-416e-d0943cb0d147@intel.com>
Date: Tue, 1 Aug 2023 15:08:17 +0200
From: Alexander Lobakin <aleksander.lobakin@...el.com>
To: Kees Cook <keescook@...omium.org>
CC: "David S. Miller" <davem@...emloft.net>, Eric Dumazet
<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
<pabeni@...hat.com>, Larysa Zaremba <larysa.zaremba@...el.com>, "Andy
Shevchenko" <andriy.shevchenko@...ux.intel.com>, "Gustavo A. R. Silva"
<gustavoars@...nel.org>, <netdev@...r.kernel.org>,
<linux-hardening@...r.kernel.org>, <intel-wired-lan@...ts.osuosl.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH net-next 1/3] virtchnl: fix fake 1-elem arrays in structs
allocated as `nents + 1` - 1
From: Kees Cook <keescook@...omium.org>
Date: Fri, 28 Jul 2023 15:43:26 -0700
> On Fri, Jul 28, 2023 at 05:52:05PM +0200, Alexander Lobakin wrote:
>> The two most problematic virtchnl structures are virtchnl_rss_key and
>> virtchnl_rss_lut. Their "flex" arrays have the type of u8, thus, when
>> allocating / checking, the actual size is calculated as `sizeof +
>> nents - 1 byte`. But their sizeof() is not 1 byte larger than the size
>> of such structure with proper flex array, it's two bytes larger due to
>> the padding. That said, their size is always 1 byte larger unless
>> there are no tail elements -- then it's +2 bytes.
>> Add virtchnl_struct_size() macro which will handle this case (and later
>> other cases as well). Make its calling conv the same as we call
>> struct_size() to allow it to be drop-in, even though it's unlikely to
>> become possible to switch to generic API. The macro will calculate a
>> proper size of a structure with a flex array at the end, so that it
>> becomes transparent for the compilers, but add the difference from the
>> old values, so that the real size of sorta-ABI-messages doesn't change.
>> Use it on the allocation side in IAVF and the receiving side (defined
>> as static inline in virtchnl.h) for the mentioned two structures.
>
> This all looks workable, but it's a unique solution in the kernel. That
> is fine, of course, but would it be easier to maintain/test if it went
> with the union style solutions?
>
> struct foo {
> ...
> union {
> type legacy_padding;
> DECLARE_FLEX_ARRAY(type, member);
> };
> };
>
> Then the size doesn't change and "member" can still be used. (i.e. no
> collateral changes needed.)
This wouldn't work unfortunately. I mean, you'd still need weird
calculations.
Speaking of e.g. virtchnl_rss_lut, it's always
`struct_size(nents + 1) - 1`, you can't just use the pattern above and
then struct_size(). Not only legacy padding is needed, but also
calculation adjustments.
Or did you mean define the structures as above and leave the
calculations as they are? It makes me feel we can miss something that
way. With the series, all the broken structures are processed in one
place and I thought _this_ would be actually easier to maintain...
>
> -Kees
>
Thanks,
Olek
Powered by blists - more mailing lists