Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp2817126pxb; Tue, 21 Sep 2021 08:17:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxREdJdn8vvljmrS+1KmzfmdcwGphkjjEIucIv4GitbYNGK0LPwgksA9nkym1lSPHmUWXQ6 X-Received: by 2002:a92:c548:: with SMTP id a8mr14565104ilj.295.1632237463064; Tue, 21 Sep 2021 08:17:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632237463; cv=none; d=google.com; s=arc-20160816; b=fQiVZVg7xlPQZscLTiL/SL4JPXu6itIXOwcHSykvuRhKqA4WSxVEqZVtc8HONErMbx aJBev+BW6wWKJE6WArCeUNnxZoITcSBRTS0OpTSx4m2VZ+SZZW4oFW4QUNRahdOjR0t7 +IvlFSjG7ThCmdP/MMhPRzENw/j3qP1tqsmJeH+wXJt3nfxngkieXY5gbV/vvPggnerQ 7KnJQsLDPz3zR3uULs2pmjP1Twt2gdb7bAiHrC/pteZ/c7aDu/5M2adIy3ShuZcLBAXd hj37cvevM4ugR853cxuiq8Un4IBaS1pN1Y07TMWBki2xilKKO+/qtpzPpsN4FvlrQWfJ HCBQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=6b4bk+5E8OPLQowTL7kis4IonQ7Cljxm8kY9KOSGcPs=; b=O71x1Fb3L0iXkM3aINl8TTFchRIDJQiMnv0HIJXnszJ97meSPJrfTP2zEQWEkwIfbV baDwfw67lUi1Xu0zwhP8YPbcW5Lsi7FqEXh8/79HFY69y9F9SyKwao0v1Pu71FBoxHFo lYBCMWdvStsf5Z/JOQCY7V1Ai9HOc4pJtgvo/rZ2LSd6mMCVe21UsVO2qkbTPB71jjnZ wudibbxSY96DcduKY6BbXaan9KPfALQBw/bl/jNyhY/m6MrxHyFWwvUv5Z4Fj6hNQRWj es6qAuUHXcTR/G1tPH6K7UfddQ/CMflue+WDjop3psdorV3s2lxrudCmgM60cLZ7LFn3 rF6w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kroah.com header.s=fm1 header.b=rZpPfzSs; dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=eD37gPlH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u7si4803288jae.78.2021.09.21.08.17.30; Tue, 21 Sep 2021 08:17:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kroah.com header.s=fm1 header.b=rZpPfzSs; dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=eD37gPlH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233991AbhIUPRL (ORCPT + 99 others); Tue, 21 Sep 2021 11:17:11 -0400 Received: from wnew4-smtp.messagingengine.com ([64.147.123.18]:56643 "EHLO wnew4-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233974AbhIUPRJ (ORCPT ); Tue, 21 Sep 2021 11:17:09 -0400 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailnew.west.internal (Postfix) with ESMTP id 488EC2B01343; Tue, 21 Sep 2021 11:15:39 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Tue, 21 Sep 2021 11:15:40 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kroah.com; h= date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=fm1; bh=6b4bk+5E8OPLQowTL7kis4IonQ7 Cljxm8kY9KOSGcPs=; b=rZpPfzSs7Jb93FbC2bda9KAVNQiNL2itKHeoUk8QtO4 nBfNouIRbOzCMVOAwkrqCbiRklbBDXzt8fYbjKQZJfyE9hSK51MlaU1k5BJaJXPA QZZR/dVzp3MOBxZ5qYKUSOI69UU3h29jXS3yjzXBmZGSJZTjHYBU5b2i3OSy+klS chgd3LZghrfSzga9MfaLMGDUX0ZaSh19tyL2gJvrARA07G7SChyQc49zg4XwITuP CXaUtQYayrE5+G2ytoWthiJ1n0BgJPvgnC9/YeRKN/xvI9qn0y6/INe28jrtq/pJ mvmkt8Gdmazj4rO4+C1yfGutYlOPFXdIofAaxB1aqHg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=6b4bk+ 5E8OPLQowTL7kis4IonQ7Cljxm8kY9KOSGcPs=; b=eD37gPlHJgVovesHO5uuoI N+uyLl/5gkfFL+fAr9k/5/pPL22rUsUuC42Rc+oLsbhLUzjJg7b8/rz4mhocY0t0 DHJzv3Eqvjgy/z1l3bI9huge0JjW1aKY3Q+41QinCs2WZ69gNO4YEglkqfNIiEWp 5GJOOSDEINUb1ZcqDgJg1AvyPfO0+rSai5FH7gW8XXTH4SR7h5HV5QH8mRUxwpVu 7ZSiviVPb27RxoUI42QbIDk9qeEaa9cA05RSIw/QTzPd5Hv9aF3n7uRYCaZCZMWM wN4iwnuC2/CBh0dzpReBoPgbiFFTIm5SOpwzl5kzOhWMN/bNAK1E9pWcAcCUmjAg == X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrudeigedgkeeiucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvffukfhfgggtuggjsehttdertddttddvnecuhfhrohhmpefirhgvghcu mffjuceoghhrvghgsehkrhhorghhrdgtohhmqeenucggtffrrghtthgvrhhnpeeuleeltd ehkeeltefhleduuddvhfffuedvffduveegheekgeeiffevheegfeetgfenucffohhmrghi nhepkhgvrhhnvghlrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpe hmrghilhhfrhhomhepghhrvghgsehkrhhorghhrdgtohhm X-ME-Proxy: Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 21 Sep 2021 11:15:37 -0400 (EDT) Date: Tue, 21 Sep 2021 17:15:35 +0200 From: Greg KH To: Hans de Goede Cc: Kees Cook , Len Baker , Henrique de Moraes Holschuh , Mark Gross , "Gustavo A. R. Silva" , ibm-acpi-devel@lists.sourceforge.net, platform-driver-x86@vger.kernel.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] platform/x86: thinkpad_acpi: Prefer struct_size over open coded arithmetic Message-ID: References: <20210918150500.21530-1-len.baker@gmx.com> <202109192246.B438B42EF@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 21, 2021 at 03:46:23PM +0200, Hans de Goede wrote: > Hi, > > On 9/20/21 7:58 AM, Kees Cook wrote: > > On Sat, Sep 18, 2021 at 05:05:00PM +0200, Len Baker wrote: > >> As noted in the "Deprecated Interfaces, Language Features, Attributes, > >> and Conventions" documentation [1], size calculations (especially > >> multiplication) should not be performed in memory allocator (or similar) > >> function arguments due to the risk of them overflowing. This could lead > >> to values wrapping around and a smaller allocation being made than the > >> caller was expecting. Using those allocations could lead to linear > >> overflows of heap memory and other misbehaviors. > >> > >> So, switch to flexible array member in the struct attribute_set_obj and > >> refactor the code accordingly to use the struct_size() helper instead of > >> the argument "size + count * size" in the kzalloc() function. > >> > >> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments > >> > >> Signed-off-by: Len Baker > >> --- > >> drivers/platform/x86/thinkpad_acpi.c | 8 +++----- > >> 1 file changed, 3 insertions(+), 5 deletions(-) > >> > >> diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c > >> index 50ff04c84650..ed0b01ead796 100644 > >> --- a/drivers/platform/x86/thinkpad_acpi.c > >> +++ b/drivers/platform/x86/thinkpad_acpi.c > >> @@ -1008,7 +1008,7 @@ struct attribute_set { > >> > >> struct attribute_set_obj { > >> struct attribute_set s; > >> - struct attribute *a; > >> + struct attribute *a[]; > >> } __attribute__((packed)); > > > > Whoa. I have so many questions... :) > > > >> > >> static struct attribute_set *create_attr_set(unsigned int max_members, > >> @@ -1020,13 +1020,11 @@ static struct attribute_set *create_attr_set(unsigned int max_members, > >> return NULL; > >> > >> /* Allocates space for implicit NULL at the end too */ > >> - sobj = kzalloc(sizeof(struct attribute_set_obj) + > >> - max_members * sizeof(struct attribute *), > >> - GFP_KERNEL); > >> + sobj = kzalloc(struct_size(sobj, a, max_members + 1), GFP_KERNEL); > > > > Whoa, this needs a lot more detail in the changelog if this is actually > > correct. The original code doesn't seem to match the comment? (Where is > > the +1?) So is this also a bug-fix? > > Kees, at first I thought you were spot-on with this comment, but the > truth is more subtle. struct attribute_set_obj was: > > struct attribute_set_obj { > struct attribute_set s; > struct attribute *a; > } __attribute__((packed)); > > Another way of looking at this, which makes things more clear is as: > > struct attribute_set_obj { > struct attribute_set s; > struct attribute *a[1]; > } __attribute__((packed)); > > So the sizeof(struct attribute_set_obj) in the original kzalloc call > included room for 1 "extra" pointer which is reserved for the terminating > NULL pointer. > > Changing the struct to: > > struct attribute_set_obj { > struct attribute_set s; > struct attribute *a[]; > } __attribute__((packed)); > > Is equivalent to changing it to: > > struct attribute_set_obj { > struct attribute_set s; > struct attribute *a[0]; > } __attribute__((packed)); > > So the change in the struct declaration reduces the sizeof(struct attribute_set_obj) > by the size of 1 pointer, making the +1 necessary. > > So AFAICT there is actually no functional change here. > > Still I will hold off merging this until we agree on this :) First off, why is a single driver doing so many odd things with attribute groups? Why not just use them the way that the rest of the kernel does? Why does this driver need this special handling and no one else does? I think the default way of handling if an attribute is enabled or not, should suffice here, and make things much simpler overall as all of this crazy attribute handling can just be removed. Bonus would also be that I think it would fix the race conditions that happen when trying to create attributes after the device is bound to the driver that I think the existing driver has today. > > (I see the caller uses +2? Why? It seems to be using each of hotkey_attributes, > > plus 1 more attr, plus a final NULL?) > > The +2 is actually for 2 extra attributes (making the total number > of extra attributes +3 because the sizeof(struct attribute_set_obj) > already includes 1 extra). > > FWIW these 2 extra attributes are for devices with a > a physical rfkill on/off switch and for the device being > a convertible capable of reporting laptop- vs tablet-mode. Again, using the default way to show (or not show) attributes should solve this issue. Why not just use that instead? > >> if (!sobj) > >> return NULL; > >> sobj->s.max_members = max_members; > >> - sobj->s.group.attrs = &sobj->a; > >> + sobj->s.group.attrs = sobj->a; > >> sobj->s.group.name = name; > > > > The caller also never sets a name? > > attribute_group.name may be NULL, I don't know > of (m)any drivers which actual set this to non NULL. It is used by some, that is how you can put all of the attributes in a subdirectory automatically. No idea if that's needed here... All attributes for this driver are documented in Documentation/ABI/, right? :) thanks, greg k-h