Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp2002813pxb;
        Mon, 11 Oct 2021 18:37:40 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwCrV4pKuEhjATe5OFuSm6449aoEdB6lwt6YUy5aq+vB32CR+o2WD/+TUWBIBaS4pYN8VYr
X-Received: by 2002:a17:906:c7c1:: with SMTP id dc1mr30737863ejb.6.1634002659890;
        Mon, 11 Oct 2021 18:37:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1634002659; cv=none;
        d=google.com; s=arc-20160816;
        b=bXu/LCrJgSdWMSwCZN5aGzjO1r80BfcALJZ0Fq8aH5GnOhATOHleIWZOCmcT1IgFCk
         /xUR98ZvLSWgXCBj+Mb+NnAxuEGvaXHJ+Q+Kjcl0N5IPBHcAblm0rUB6VwxgyUerFXwK
         BNu8ods6krZ5wB+V7yfEUYbnUjJwIn87tIBl3URfYXRYIo/XP86kRwUDHoWx+jZzfue3
         q0b3g1Tb2pxKU5V/DHGsztI/+y2tIcwZ2zKp9mB+/5bfuGVTlri+Qrb3iFPmEa5HerWS
         tudRlk1lfW3wz+qW1Nm85A79+vCBDhx0zpHGJ4i3Oxj6MZtE2HZlU0vqPdoHS76L0/fN
         8dZA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=r0Ff71inlEYvzkRBmPt8svvZl+EP6YyWS0oDWKfbcho=;
        b=EW6FnVYt6W3WvCwYNaI8G9f/Au6UUvCbhx4d3HToccql6mgWoRmfwq0TZcqfS/hJel
         U98HrWjDQ6//3AKUqto/S5mr/j/b8HuaHsHfATGV8eLVuw6DEEzsOEKhCyVpqDBGdnaK
         N2gcNG0ZIbul9ztz7IItojRlhT4pD6JjTzntKTuHapB5aCZZpBINFySistc1isE+33GE
         0aRsFA+0+xAhmYcHlCal/a6RsVQkWms39n+4fpZ3NP2J2Bp7zw/eS6WK6teTGwruO1vD
         qNaLEWhM4+vSLP4/FLWkXh/6HCyQZjvxef1Qr9FVWfOZ9Pt0hHCLzFyebDUQftgJZqoF
         mMWQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id 16si12410897ejf.565.2021.10.11.18.36.59;
        Mon, 11 Oct 2021 18:37:39 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234486AbhJLBgF (ORCPT <rfc822;lpalcu@gmail.com> + 99 others);
        Mon, 11 Oct 2021 21:36:05 -0400
Received: from mga01.intel.com ([192.55.52.88]:27025 "EHLO mga01.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S231135AbhJLBgE (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 11 Oct 2021 21:36:04 -0400
X-IronPort-AV: E=McAfee;i="6200,9189,10134"; a="250404503"
X-IronPort-AV: E=Sophos;i="5.85,366,1624345200"; 
   d="scan'208";a="250404503"
Received: from orsmga004.jf.intel.com ([10.7.209.38])
  by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 11 Oct 2021 18:33:59 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.85,366,1624345200"; 
   d="scan'208";a="591540770"
Received: from louislifei-optiplex-7050.sh.intel.com (HELO louislifei-OptiPlex-7050) ([10.239.154.151])
  by orsmga004.jf.intel.com with ESMTP; 11 Oct 2021 18:33:57 -0700
Date:   Tue, 12 Oct 2021 09:34:29 +0800
From:   Li Fei1 <fei1.li@intel.com>
To:     Len Baker <len.baker@gmx.com>
Cc:     keescook@chromium.org, gustavoars@kernel.org,
        linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
        fei1.li@intel.com
Subject: Re: [PATCH] virt: acrn: Prefer array_syze and struct_size over open
 coded arithmetic
Message-ID: <20211012013429.GA28284@louislifei-OptiPlex-7050>
References: <20211011103902.15638-1-len.baker@gmx.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20211011103902.15638-1-len.baker@gmx.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Oct 11, 2021 at 12:39:02PM +0200, Len Baker wrote:
> As noted in the "Deprecated Interfaces, Language Features, Attributes,
> and Conventions" documentation [1], size calculations (especially
> multiplication) should not be performed in memory allocator (or similar)
> function arguments due to the risk of them overflowing. This could lead
> to values wrapping around and a smaller allocation being made than the
> caller was expecting. Using those allocations could lead to linear
> overflows of heap memory and other misbehaviors.
> 
> So, use the array_size() helper to do the arithmetic instead of the
> argument "count * size" in the vzalloc() function.
> 
> Also, take the opportunity to add a flexible array member of struct
> vm_memory_region_op to the vm_memory_region_batch structure. And then,
> change the code accordingly and use the struct_size() helper to do the
> arithmetic instead of the argument "size + size * count" in the kzalloc
> function.
> 
> This code was detected with the help of Coccinelle and audited and fixed
> manually.
> 
> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments
> 
> Signed-off-by: Len Baker <len.baker@gmx.com>

Hi Baker

Thanks for helping us to fix this issue. This patch looks good to me.
Please add Signed-off-by: Fei Li <fei1.li@intel.com>.
Only two minor comments.


> ---
>  drivers/virt/acrn/acrn_drv.h | 10 ++++++----
>  drivers/virt/acrn/mm.c       |  9 ++++-----
>  2 files changed, 10 insertions(+), 9 deletions(-)
> 
> diff --git a/drivers/virt/acrn/acrn_drv.h b/drivers/virt/acrn/acrn_drv.h
> index 1be54efa666c..fcc2e3e5232a 100644
> --- a/drivers/virt/acrn/acrn_drv.h
> +++ b/drivers/virt/acrn/acrn_drv.h
> @@ -48,6 +48,7 @@ struct vm_memory_region_op {
>   * @reserved:		Reserved.
>   * @regions_num:	The number of vm_memory_region_op.
>   * @regions_gpa:	Physical address of a vm_memory_region_op array.
> + * @regions_op:		Flexible array of vm_memory_region_op.
One Tab please.
>   *
>   * HC_VM_SET_MEMORY_REGIONS uses this structure to manage EPT mappings of
>   * multiple memory regions of a User VM. A &struct vm_memory_region_batch
> @@ -55,10 +56,11 @@ struct vm_memory_region_op {
>   * ACRN Hypervisor.
>   */
>  struct vm_memory_region_batch {
> -	u16	vmid;
> -	u16	reserved[3];
> -	u32	regions_num;
> -	u64	regions_gpa;
> +	u16				vmid;
> +	u16				reserved[3];
> +	u32				regions_num;
> +	u64				regions_gpa;
> +	struct vm_memory_region_op	regions_op[];
Please use Whitespace instead of Tab.
>  };
> 
>  /**
> diff --git a/drivers/virt/acrn/mm.c b/drivers/virt/acrn/mm.c
> index c4f2e15c8a2b..a881742cd48d 100644
> --- a/drivers/virt/acrn/mm.c
> +++ b/drivers/virt/acrn/mm.c
> @@ -168,7 +168,7 @@ int acrn_vm_ram_map(struct acrn_vm *vm, struct acrn_vm_memmap *memmap)
> 
>  	/* Get the page number of the map region */
>  	nr_pages = memmap->len >> PAGE_SHIFT;
> -	pages = vzalloc(nr_pages * sizeof(struct page *));
> +	pages = vzalloc(array_size(nr_pages, sizeof(struct page *)));
>  	if (!pages)
>  		return -ENOMEM;
> 
> @@ -220,16 +220,15 @@ int acrn_vm_ram_map(struct acrn_vm *vm, struct acrn_vm_memmap *memmap)
>  	}
> 
>  	/* Prepare the vm_memory_region_batch */
> -	regions_info = kzalloc(sizeof(*regions_info) +
> -			       sizeof(*vm_region) * nr_regions,
> -			       GFP_KERNEL);
> +	regions_info = kzalloc(struct_size(regions_info, regions_op,
> +					   nr_regions), GFP_KERNEL);
>  	if (!regions_info) {
>  		ret = -ENOMEM;
>  		goto unmap_kernel_map;
>  	}
> 
>  	/* Fill each vm_memory_region_op */
> -	vm_region = (struct vm_memory_region_op *)(regions_info + 1);
> +	vm_region = regions_info->regions_op;
>  	regions_info->vmid = vm->vmid;
>  	regions_info->regions_num = nr_regions;
>  	regions_info->regions_gpa = virt_to_phys(vm_region);
> --
> 2.25.1
>