| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202406101128.C7BEF1F@keescook>
Date: Mon, 10 Jun 2024 11:34:40 -0700
From: Kees Cook <kees@...nel.org>
To: Vincent Mailhol <mailhol.vincent@...adoo.fr>
Cc: Marc Kleine-Budde <mkl@...gutronix.de>, linux-can@...r.kernel.org,
Thomas Kopp <thomas.kopp@...rochip.com>,
Manivannan Sadhasivam <manivannan.sadhasivam@...aro.org>,
"Gustavo A . R . Silva" <gustavoars@...nel.org>,
netdev@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH 1/2] can: peak_canfd: decorate pciefd_board.can with
__counted_by()
On Sun, Jun 09, 2024 at 01:54:18PM +0900, Vincent Mailhol wrote:
> A new __counted_by() attribute was introduced in [1]. It makes the
> compiler's sanitizer aware of the actual size of a flexible array
> member, allowing for additional runtime checks.
>
> Move the end of line comments to the previous line to make room and
> apply the __counted_by() attribute to the can flexible array member of
> struct pciefd_board.
>
> [1] commit dd06e72e68bc ("Compiler Attributes: Add __counted_by macro")
> Link: https://git.kernel.org/torvalds/c/dd06e72e68bc
>
> CC: Kees Cook <kees@...nel.org>
> Signed-off-by: Vincent Mailhol <mailhol.vincent@...adoo.fr>
> ---
> drivers/net/can/peak_canfd/peak_pciefd_main.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/can/peak_canfd/peak_pciefd_main.c b/drivers/net/can/peak_canfd/peak_pciefd_main.c
> index 1df3c4b54f03..636102103a88 100644
> --- a/drivers/net/can/peak_canfd/peak_pciefd_main.c
> +++ b/drivers/net/can/peak_canfd/peak_pciefd_main.c
> @@ -190,8 +190,10 @@ struct pciefd_board {
> void __iomem *reg_base;
> struct pci_dev *pci_dev;
> int can_count;
> - spinlock_t cmd_lock; /* 64-bits cmds must be atomic */
> - struct pciefd_can *can[]; /* array of network devices */
> + /* 64-bits cmds must be atomic */
> + spinlock_t cmd_lock;
> + /* array of network devices */
> + struct pciefd_can *can[] __counted_by(can_count);
> };
>
> /* supported device ids. */
You'll need to adjust the code logic that manipulates "can_count", as
accesses to "can" will trap when they're seen as out of bounds. For
example:
pciefd = devm_kzalloc(&pdev->dev, struct_size(pciefd, can, can_count),
GFP_KERNEL);
...
/* pciefd->can_count is "0" now */
while (pciefd->can_count < can_count) {
...
pciefd_can_probe(pciefd);
/* which does: */
pciefd->can[pciefd->can_count] = priv; /// HERE
...
pciefd->can_count++;
}
The access at "HERE" above will trap: "can" is believed to have
"can_count" elements (0 on the first time through the loop).
This needs to be adjusted to increment "can_count" first.
Perhaps:
diff --git a/drivers/net/can/peak_canfd/peak_pciefd_main.c b/drivers/net/can/peak_canfd/peak_pciefd_main.c
index 1df3c4b54f03..df8304b2d291 100644
--- a/drivers/net/can/peak_canfd/peak_pciefd_main.c
+++ b/drivers/net/can/peak_canfd/peak_pciefd_main.c
@@ -676,7 +676,8 @@ static int pciefd_can_probe(struct pciefd_board *pciefd)
spin_lock_init(&priv->tx_lock);
/* save the object address in the board structure */
- pciefd->can[pciefd->can_count] = priv;
+ pciefd->can_count++;
+ pciefd->can[pciefd->can_count - 1] = priv;
dev_info(&pciefd->pci_dev->dev, "%s at reg_base=0x%p irq=%d\n",
ndev->name, priv->reg_base, ndev->irq);
@@ -800,8 +801,6 @@ static int peak_pciefd_probe(struct pci_dev *pdev,
err = pciefd_can_probe(pciefd);
if (err)
goto err_free_canfd;
-
- pciefd->can_count++;
}
/* set system timestamps counter in RST mode */
--
Kees Cook
Powered by blists - more mailing lists