2023-09-15 19:32:44

by Gustavo A. R. Silva

Subject: [PATCH][next] net: spider_net: Use size_add() in call to struct_size()

If, for any reason, the open-coded arithmetic causes a wraparound,
the protection that `struct_size()` adds against potential integer
overflows is defeated. Fix this by hardening call to `struct_size()`
with `size_add()`.

Fixes: 3f1071ec39f7 ("net: spider_net: Use struct_size() helper")
Signed-off-by: Gustavo A. R. Silva <[email protected]>
---
drivers/net/ethernet/toshiba/spider_net.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/toshiba/spider_net.c b/drivers/net/ethernet/toshiba/spider_net.c
index 50d7eacfec58..87e67121477c 100644
--- a/drivers/net/ethernet/toshiba/spider_net.c
+++ b/drivers/net/ethernet/toshiba/spider_net.c
@@ -2332,7 +2332,7 @@ spider_net_alloc_card(void)
struct spider_net_card *card;

netdev = alloc_etherdev(struct_size(card, darray,
- tx_descriptors + rx_descriptors));
+ size_add(tx_descriptors, rx_descriptors)));
if (!netdev)
return NULL;

--
2.34.1

2023-09-15 21:28:28

by Kees Cook

Subject: Re: [PATCH][next] net: spider_net: Use size_add() in call to struct_size()

On Fri, Sep 15, 2023 at 01:25:36PM -0600, Gustavo A. R. Silva wrote:
> If, for any reason, the open-coded arithmetic causes a wraparound,
> the protection that `struct_size()` adds against potential integer
> overflows is defeated. Fix this by hardening call to `struct_size()`
> with `size_add()`.
>
> Fixes: 3f1071ec39f7 ("net: spider_net: Use struct_size() helper")
> Signed-off-by: Gustavo A. R. Silva <[email protected]>

Reviewed-by: Kees Cook <[email protected]>

--
Kees Cook

2023-09-16 05:48:23

by Geoff Levand

Subject: Re: [PATCH][next] net: spider_net: Use size_add() in call to struct_size()

On 9/15/23 14:25, Gustavo A. R. Silva wrote:
> If, for any reason, the open-coded arithmetic causes a wraparound,
> the protection that `struct_size()` adds against potential integer
> overflows is defeated. Fix this by hardening call to `struct_size()`
> with `size_add()`.
>
> Fixes: 3f1071ec39f7 ("net: spider_net: Use struct_size() helper")
> Signed-off-by: Gustavo A. R. Silva <[email protected]>
> ---
> drivers/net/ethernet/toshiba/spider_net.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/toshiba/spider_net.c b/drivers/net/ethernet/toshiba/spider_net.c
> index 50d7eacfec58..87e67121477c 100644
> --- a/drivers/net/ethernet/toshiba/spider_net.c
> +++ b/drivers/net/ethernet/toshiba/spider_net.c
> @@ -2332,7 +2332,7 @@ spider_net_alloc_card(void)
> struct spider_net_card *card;
>
> netdev = alloc_etherdev(struct_size(card, darray,
> - tx_descriptors + rx_descriptors));
> + size_add(tx_descriptors, rx_descriptors)));
> if (!netdev)
> return NULL;
>

Looks good to me. Thanks for your fix-up.

Signed-off-by: Geoff Levand <[email protected]>