Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp2339272pxb; Sat, 25 Sep 2021 04:43:51 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwFq/mXc/G+s7rPr547d4gNiSmUjn4PpRa/jFEThNLsp6p1XBLwTvYySGOwnsyJwBsmIrxM X-Received: by 2002:a92:cd8b:: with SMTP id r11mr11628616ilb.291.1632570230881; Sat, 25 Sep 2021 04:43:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632570230; cv=none; d=google.com; s=arc-20160816; b=K7rCkCtm+4Izee8xUVYMMhwlU3zZlwlS7NDWUgCWV85Vnqg+soDPBQUJ/n31LPASLO LE2egGrq7CitznlPfT/UAZO+X2B0hq081scJYKnWwSvg7PrCs0f9z4ad/Y87WezU5fvv 5iAWC2ZrUEMuIuGqsMH1tMB8lO1nUpPe19NbDNy7Wt6fERlqG+9b0JlfQkBAaw4YZvLW LWw1j62X/INA9XhmaOEasIw2qD5vrJcOMYVlsSFPtdVEZ583VZX06h36BCB1LEPBkd0u ZnsCDlIRIMer2feX2DTsJNt1eYn8zPZjTWyZZWSc+Qw7/nLZLrvAviOL/xqk962FV15o Q5hA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=fAAt1IFQdKn+0NpSvnALpVTfeIKaB3J3+cw9rbRrFDA=; b=Nljj5w00tAmSpCl+ypEhabzKLyKSd61mydsvPLvLBqsTzwpNJUOMFOcTYlegc7vWUy JQKGy+IjtpyvQLuMTHXHx7+KJvk1YLlCU75ml2gBrXoEBjrFcZ8o32NzMfHS8DTgJzY+ 3zTTqcypxTH9k+s2BFWOV9+kgfPWv+DTusazQXhecsXttaKQccuPUE+KRSpfshEIBGEJ 6wv+r+hKuQqpf6pLImC/YJNprdCYRy0iUi/YPG52lgtWRkuXERDEKuKMfmy4aSy8KrH/ RpoNcpMf8dv6gOPk3TN5eGFVg2WjqMb/FPrAQ8ogLElqR3xAgBiziQV9Lif5kgyr5Kie atAQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmx.net header.s=badeba3b8450 header.b=jIsIs4oI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmx.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d7si13667666ila.10.2021.09.25.04.43.38; Sat, 25 Sep 2021 04:43:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmx.net header.s=badeba3b8450 header.b=jIsIs4oI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmx.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244584AbhIYLo2 (ORCPT + 99 others); Sat, 25 Sep 2021 07:44:28 -0400 Received: from mout.gmx.net ([212.227.17.22]:51637 "EHLO mout.gmx.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241912AbhIYLo1 (ORCPT ); Sat, 25 Sep 2021 07:44:27 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1632570146; bh=tj1T55xR/yg8xao0p750/JK6a19FeyQYkhFZlEM80pc=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=jIsIs4oIra5zoQsfYzRy6F4QZD2C/6eAFwaShOZRpXADzua2xqwm1Q56zv0WB1Uym 5dEotaWyrd1Uab2clsKVMZU1jkkkZraGmXlkHMS3eaSAYY562PuIEbMndcTC+fxylz p4l2fYSChrer/N7RUKzVDj+0jCLPRufho5OjnZa8= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from localhost.localdomain ([79.150.72.99]) by mail.gmx.net (mrgmx104 [212.227.17.174]) with ESMTPSA (Nemesis) id 1MCsQ4-1mcvlB2qMC-008u6J; Sat, 25 Sep 2021 13:42:25 +0200 From: Len Baker To: Matthew Wilcox , Hannes Reinecke , "James E.J. Bottomley" , "Martin K. Petersen" Cc: Len Baker , "Gustavo A. R. Silva" , Kees Cook , linux-hardening@vger.kernel.org, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v2] scsi: advansys: Prefer struct_size over open coded arithmetic Date: Sat, 25 Sep 2021 13:42:05 +0200 Message-Id: <20210925114205.11377-1-len.baker@gmx.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Provags-ID: V03:K1:Yb/8SLe1hPGKDCy+r65BkW/b2XavDwCthM5r9hAymGEg6Eu+aie jPVkV1i/8Y6ZmFNZLQkqcBxXbVpLcj/LYe2co6AXVVasKNNkAlV8ldtLZViASleG56l8LCI 89Fz7/VPH19/yh6fkE1NDzthFHk5I1O8iPZE4nwlwqK9YHZ7yT9JnctzOBhygvtz1ggaVpV ymoL0jaaPUHtgT9PzWksQ== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:5tAKL7LSGAs=:1wCDbTUk7QZJvHUHguclsK ACuTwHKdKWLk7LDNSR6EjSGYVkA6ob/yH3hrzcfGOoIOfWLKhjeP/bYoHchd3z6SlphAx2cZW q+i347/DnlnkE9CFJ4nvP4K1HtOBN8Nc0jMcsNlf/sJDR8Rij4V1mRUhPUQlBHphh2n9q5snQ kpXECmbDDC8JvHkJUiavkA/oxIc7nR0cDTVLgYiEyhE0SsfxS43pPo495g4WLrrPqSIUktokO FeVS+9djC9VT/7GzRKhSYXkylq//eKw2oxsrJAoMpZq1MpiYXRxD2GDeCoyxm6cN1wQTIXF4A bbr8mafOXyaXgrRmHOMVTYZzANizzlByx3RBAgVo+aOVH0m9C0mlbeRpUJ15QWzcqyKRwpYst ohjJL4DkUwpuFHfw7OO+1nEPRlqN0uOHfqSjbp74siDnnhWqGkiMr1eaz4S0prOBCZpPLv/vM 4gREzbgJs60iCweaQyQYeF0nffGj/Atle8/QR/dmy/xJVZrpeqNPBynMA+SM37FfTC9tbqH8o jhpvGaQqAw0/0kInDEfDoRZvwa2ybVlwPDAXfgsxqgKlSqhcFy6ZoAULPw/hoNIVP2g1mvghB ehtyKH6I2jFiIek1lMvmuZrD9RUDM5iAV8nX69bDSyvLpINQmVYGBmavTz5rzFQhYLYEaU+Ht f6O/ACuLliqJiH4oHSaFkV55w/HFWufJfxxXdq5yI/Fa1x9zHWQStRoT9kjYqFDwmwDyz6W1E jDg2p658wbcG9Ng1L16FgmdBG2GPWlPYSi8ttZmqv++Yw3jFf6ZbrWv6jilFaS94ZNZ9GYFtS yWkBveataHXMHnLGnr1UMV5M/YviZp61KLEZfct0s6xN2oitBh541T3vhY2j/pcoqcknrsS2n VyVDh6KfHsuzy1Cwf+E2YXBso3TSl5rl0e0nQLjYuwBMm8XSNHzi57fk+OpEs28iS/1Zkavud i1er6cgTSMqQ137l16lt660+op55613Xq+Q09jCkIS4fiyXOyMaMWprFOZ5cYb4Mt0o6s8cP/ o7P3UVtunpvz/Ymo/JAcIVMoDXfMwmQsh+4g+g8OK1psCB+7WL8tvvHb5Xu0WL95ITHaA4s1q H7dnSXB4KwGEjs= Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org As noted in the "Deprecated Interfaces, Language Features, Attributes, and Conventions" documentation [1], size calculations (especially multiplication) should not be performed in memory allocator (or similar) function arguments due to the risk of them overflowing. This could lead to values wrapping around and a smaller allocation being made than the caller was expecting. Using those allocations could lead to linear overflows of heap memory and other misbehaviors. So, use the struct_size() helper to do the arithmetic instead of the argument "size + count * size" in the kzalloc() function. This code was detected with the help of Coccinelle and audited and fixed manually. [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#open-co= ded-arithmetic-in-allocator-arguments Signed-off-by: Len Baker =2D-- Changelog v1 -> v2 - Rebase against v5.15-rc2 - Remove the unnecessary "size" variable (Gustavo A. R. Silva). - Update the commit changelog to inform that this code was detected using a Coccinelle script (Gustavo A. R. Silva). drivers/scsi/advansys.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/advansys.c b/drivers/scsi/advansys.c index ffb391967573..e341b3372482 100644 =2D-- a/drivers/scsi/advansys.c +++ b/drivers/scsi/advansys.c @@ -7477,8 +7477,8 @@ static int asc_build_req(struct asc_board *boardp, s= truct scsi_cmnd *scp, return ASC_ERROR; } - asc_sg_head =3D kzalloc(sizeof(asc_scsi_q->sg_head) + - use_sg * sizeof(struct asc_sg_list), GFP_ATOMIC); + asc_sg_head =3D kzalloc(struct_size(asc_sg_head, sg_list, use_sg), + GFP_ATOMIC); if (!asc_sg_head) { scsi_dma_unmap(scp); set_host_byte(scp, DID_SOFT_ERROR); =2D- 2.25.1