From: Julius Werner
Date: Fri, 6 Jan 2023 23:27:04 +0100
Subject: Re: [PATCH] firmware: coreboot: Check size of table entry and split memcpy
To: Kees Cook
Cc: Julius Werner, Jack Rosenthal, Paul Menzel, Guenter Roeck, Brian Norris, Stephen Boyd, Greg Kroah-Hartman, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
List-ID: linux-kernel@vger.kernel.org

Yeah, exactly. Isn't that a bit simpler? (I wasn't aware of the flexible array member in union issue, but it sounds like we have a neat solution for that already.)

On Fri, Jan 6, 2023 at 9:35 PM Kees Cook wrote:
>
> On Fri, Jan 06, 2023 at 04:03:35PM +0100, Julius Werner wrote:
> > Have you considered adding the flexible array member directly to the
> > union in struct coreboot_device instead? I think that would make this
> > a bit simpler by not having to copy header and data portion
> > separately.
>
> Are you thinking something like this?
>
>
> diff --git a/drivers/firmware/google/coreboot_table.c b/drivers/firmware/google/coreboot_table.c
> index 2652c396c423..564a3c908838 100644
> --- a/drivers/firmware/google/coreboot_table.c
> +++ b/drivers/firmware/google/coreboot_table.c
> @@ -93,14 +93,19 @@ static int coreboot_table_populate(struct device *dev, void *ptr) > for (i = 0; i < header->table_entries; i++) { > entry = ptr_entry; > > - device = kzalloc(sizeof(struct device) + entry->size, GFP_KERNEL); > + if (entry->size < sizeof(*entry)) { > + dev_warn(dev, "coreboot table entry too small!\n"); > + return -EINVAL; > + } > + > + device = kzalloc(sizeof(device->dev) + entry->size, GFP_KERNEL); > if (!device) > return -ENOMEM; > > device->dev.parent = dev; > device->dev.bus = &coreboot_bus_type; > device->dev.release = coreboot_device_release; > - memcpy(&device->entry, ptr_entry, entry->size); > + memcpy(device->raw, entry, entry->size); > > switch (device->entry.tag) { > case LB_TAG_CBMEM_ENTRY: > diff --git a/drivers/firmware/google/coreboot_table.h b/drivers/firmware/google/coreboot_table.h > index 37f4d335a606..d814dca33a08 100644 > --- a/drivers/firmware/google/coreboot_table.h > +++ b/drivers/firmware/google/coreboot_table.h > @@ -79,6 +79,7 @@ struct coreboot_device { > struct lb_cbmem_ref cbmem_ref; > struct lb_cbmem_entry cbmem_entry; > struct lb_framebuffer framebuffer; > + DECLARE_FLEX_ARRAY(u8, raw); > }; > }; > > > -- > Kees Cook
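Review bot: in the coreboot_table.c hunk the new `entry->size < sizeof(*entry)` check only guarantees the two-field header, but the `switch (device->entry.tag)` that follows hands the device to consumers of the larger union members (lb_cbmem_ref, lb_cbmem_entry, lb_framebuffer), while the allocation is sized at `sizeof(device->dev) + entry->size`; a firmware entry carrying LB_TAG_CBMEM_ENTRY with a size just above the header is accepted, copied, and then read through `device->cbmem_entry` past the end of the kzalloc region. Either size the allocation at no less than the union (`max_t(size_t, entry->size, sizeof(union ...))`) or check size per tag before dispatching. Two smaller points on the same lines: `sizeof(device->dev) + entry->size` assumes `raw` starts exactly at the end of `dev`, where `offsetof(struct coreboot_device, raw) + entry->size` states the intent and survives any padding; and nothing bounds `entry->size` from above against the bytes remaining in the table, so a large size still walks `ptr_entry` and the memcpy source past the mapped table (the error path's early `return -EINVAL` mirrors the existing -ENOMEM path, so no new cleanup issue there).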
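Review bot: the coreboot_table.h hunk adds `DECLARE_FLEX_ARRAY(u8, raw)` to the union without a comment, and this is the member that makes the rest of the patch work: `raw` overlays `entry`, `cbmem_ref`, `cbmem_entry` and `framebuffer` at offset 0, so a single `memcpy(device->raw, entry, entry->size)` fills whichever typed view the tag selects, and `sizeof(struct coreboot_device)` no longer says how much was allocated. A short comment stating that `raw` must stay inside the union (not after it) and that the struct must be allocated with `entry->size` trailing bytes would save the next reader from moving it. Worth saying in the same comment that copying into a flexible array is what lets the fortified memcpy accept the variable size that motivated the "split memcpy" in the subject, so the only bounds left on the copy are the checks made on `entry->size` in coreboot_table_populate().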
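The layout under discussion above (one allocation sized from the firmware-supplied entry size, one memcpy into a flexible byte array that lives inside the union, typed views aliasing it) as an added user-space C example; this is not the kernel's code and not the patch under review. The table header, entry structures and tag values are simplified, constructed stand-ins (assumptions), kernel helpers are replaced with libc, and the flexible array is declared the way the kernel's DECLARE_FLEX_ARRAY macro does it, through a nested struct with an empty leading member, because C does not allow a flexible array member directly in a union. The walker also carries the checks a reviewer would want around such a copy: the header fits in the table, the claimed size fits in the remaining table, and the size covers the struct that the tag's consumer will read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified stand-ins for the coreboot table structures.
 * Tag values and layouts are assumptions made for this example, not the
 * definitions in drivers/firmware/google/coreboot_table.h. */
enum { LB_TAG_FRAMEBUFFER = 0x12, LB_TAG_CBMEM_ENTRY = 0x31 };

struct lb_entry_hdr   { uint32_t tag; uint32_t size; };
struct lb_cbmem_entry { struct lb_entry_hdr hdr; uint64_t address;
                        uint32_t entry_size; uint32_t id; };
struct lb_framebuffer { struct lb_entry_hdr hdr; uint64_t physical_address;
                        uint32_t x_resolution, y_resolution, bytes_per_line;
                        uint8_t bits_per_pixel; uint8_t pad[7]; };
struct table_hdr      { uint32_t table_bytes; uint32_t table_entries; };

/* Mirrors the shape of struct coreboot_device after the patch: a fixed prefix,
 * then a union whose last member is a flexible byte array aliasing the typed
 * views at offset 0.  The empty struct in front of raw[] is the trick the
 * kernel's DECLARE_FLEX_ARRAY uses to get a flexible array into a union. */
struct table_dev {
    uint32_t index;                 /* stands in for struct device */
    union {
        struct lb_entry_hdr   entry;
        struct lb_cbmem_entry cbmem_entry;
        struct lb_framebuffer framebuffer;
        struct { struct {} empty_raw; uint8_t raw[]; };
    };
};

/* Smallest payload a consumer of this tag will read through the union.
 * Unknown tags only ever have their header looked at. */
static size_t min_size_for_tag(uint32_t tag)
{
    switch (tag) {
    case LB_TAG_CBMEM_ENTRY: return sizeof(struct lb_cbmem_entry);
    case LB_TAG_FRAMEBUFFER: return sizeof(struct lb_framebuffer);
    default:                 return sizeof(struct lb_entry_hdr);
    }
}

/* Walk the entries that follow hdr.  Returns the number of devices created
 * (caller frees devs[0..n-1]) or -1 on the first malformed entry. */
int populate(const struct table_hdr *hdr, const uint8_t *table,
             struct table_dev **devs, size_t max_devs)
{
    size_t off = 0, n = 0;
    for (uint32_t i = 0; i < hdr->table_entries && n < max_devs; i++) {
        /* the header itself must lie inside the table before we read it */
        if (hdr->table_bytes - off < sizeof(struct lb_entry_hdr))
            return -1;
        struct lb_entry_hdr e;
        memcpy(&e, table + off, sizeof(e));          /* table may be unaligned */
        /* lower bound (header), upper bound (rest of table), per-tag minimum */
        if (e.size < sizeof(e) || e.size > hdr->table_bytes - off ||
            e.size < min_size_for_tag(e.tag))
            return -1;
        /* allocate exactly the prefix plus the payload, then copy once */
        struct table_dev *d = calloc(1, offsetof(struct table_dev, raw) + e.size);
        if (!d)
            return -1;
        d->index = i;
        memcpy(d->raw, table + off, e.size);
        devs[n++] = d;
        off += e.size;
    }
    return (int)n;
}

/* Build a one-entry table claiming claimed_size bytes inside a table the
 * header says is buf_bytes long, and report what populate() makes of it. */
int probe(uint32_t tag, uint32_t claimed_size, uint32_t buf_bytes)
{
    uint8_t buf[128] = {0};
    struct lb_entry_hdr e = { tag, claimed_size };
    memcpy(buf, &e, sizeof(e));
    struct table_hdr hdr = { buf_bytes, 1 };
    struct table_dev *devs[1] = {0};
    int n = populate(&hdr, buf, devs, 1);
    if (n > 0)
        free(devs[0]);
    return n;
}

/* End to end: two constructed entries, the first read back through its
 * typed view after the single raw copy. */
uint64_t demo_cbmem_address(void)
{
    uint8_t buf[64] = {0};
    struct lb_cbmem_entry c = { { LB_TAG_CBMEM_ENTRY, sizeof(c) }, 0xfee1dead, 0x1000, 7 };
    struct lb_entry_hdr unknown = { 0x99, sizeof(unknown) };
    memcpy(buf, &c, sizeof(c));
    memcpy(buf + sizeof(c), &unknown, sizeof(unknown));
    struct table_hdr hdr = { sizeof(c) + sizeof(unknown), 2 };
    struct table_dev *devs[2] = {0};
    int n = populate(&hdr, buf, devs, 2);
    uint64_t addr = (n == 2 && devs[0]->entry.tag == LB_TAG_CBMEM_ENTRY)
                    ? devs[0]->cbmem_entry.address : 0;
    for (int i = 0; i < n; i++)
        free(devs[i]);
    return addr;
}
```

The per-tag minimum is the check that matters most for the union layout: once `raw` is the copy target, nothing in the type system stops a consumer from reading a full `lb_cbmem_entry` out of an allocation that only holds eight bytes, so the walker has to refuse such entries (or over-allocate to the union size) before the tag switch hands them on.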