From: Bill Wendling
Date: Mon, 22 May 2023 15:34:55 -0700
Subject: Re: [PATCH] fscrypt: Replace 1-element array with flexible array
To: Kees Cook
Cc: Eric Biggers, "Theodore Y. Ts'o", Jaegeuk Kim, "Gustavo A . R . Silva", linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 22, 2023 at 2:39 PM Kees Cook wrote:
>
> 1-element arrays are deprecated, and are being replaced with C99
> flexible arrays[1]. In the future, we can add annotations for the
> flexible array member "encrypted_path" to have a size determined
> by the "len" member.
>
> As sizes were being calculated with the extra byte intentionally,
> propagate the difference so there is no change in binary output.
>
> [1] https://github.com/KSPP/linux/issues/79
>
> Cc: Eric Biggers
> Cc: "Theodore Y. Ts'o"
> Cc: Jaegeuk Kim
> Cc: Gustavo A. R. Silva
> Cc: linux-fscrypt@vger.kernel.org
> Signed-off-by: Kees Cook

Reviewed-By: Bill Wendling

(With a tear in my eye about the original code...)

> ---
>  fs/crypto/fscrypt_private.h |  2 +-
>  fs/crypto/hooks.c           | 10 +++++-----
>  2 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h
> index 7ab5a7b7eef8..2d63da48635a 100644
> --- a/fs/crypto/fscrypt_private.h
> +++ b/fs/crypto/fscrypt_private.h
> @@ -171,7 +171,7 @@ fscrypt_policy_flags(const union fscrypt_policy *poli= cy) > */ > struct fscrypt_symlink_data { > __le16 len; > - char encrypted_path[1]; > + char encrypted_path[]; > } __packed; > > /** > diff --git a/fs/crypto/hooks.c b/fs/crypto/hooks.c > index 9e786ae66a13..6238dbcadcad 100644 > --- a/fs/crypto/hooks.c > +++ b/fs/crypto/hooks.c > @@ -255,10 +255,10 @@ int fscrypt_prepare_symlink(struct inode *dir, cons= t char *target, > * for now since filesystems will assume it is there and subtract= it. > */ > if (!__fscrypt_fname_encrypted_size(policy, len, > - max_len - sizeof(struct fscry= pt_symlink_data), > + max_len - sizeof(struct fscry= pt_symlink_data) - 1, > &disk_link->len)) > return -ENAMETOOLONG; > - disk_link->len +=3D sizeof(struct fscrypt_symlink_data); > + disk_link->len +=3D sizeof(struct fscrypt_symlink_data) + 1; > > disk_link->name =3D NULL; > return 0; > @@ -289,7 +289,7 @@ int __fscrypt_encrypt_symlink(struct inode *inode, co= nst char *target, > if (!sd) > return -ENOMEM; > } > - ciphertext_len =3D disk_link->len - sizeof(*sd); > + ciphertext_len =3D disk_link->len - sizeof(*sd) - 1; > sd->len =3D cpu_to_le16(ciphertext_len); > > err =3D fscrypt_fname_encrypt(inode, &iname, sd->encrypted_path, > @@ -367,7 +367,7 @@ const char *fscrypt_get_symlink(struct inode *inode, = const void *caddr, > * the ciphertext length, even though this is redundant with i_si= ze. > */ > > - if (max_size < sizeof(*sd)) > + if (max_size < sizeof(*sd) + 1) > return ERR_PTR(-EUCLEAN); > sd =3D caddr; > cstr.name =3D (unsigned char *)sd->encrypted_path; > @@ -376,7 +376,7 @@ const char *fscrypt_get_symlink(struct inode *inode, = const void *caddr, > if (cstr.len =3D=3D 0) > return ERR_PTR(-EUCLEAN); > > - if (cstr.len + sizeof(*sd) - 1 > max_size) > + if (cstr.len + sizeof(*sd) > max_size) > return ERR_PTR(-EUCLEAN); > > err =3D fscrypt_fname_alloc_buffer(cstr.len, &pstr); > -- > 2.34.1 >
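Review bot: in struct fscrypt_symlink_data (fs/crypto/fscrypt_private.h), changing `encrypted_path[1]` to `encrypted_path[]` makes sizeof() of this __packed struct one byte smaller, and the diffstat shows only fs/crypto/hooks.c being adjusted for that. The comment kept as context in fscrypt_prepare_symlink() says filesystems assume the extra byte is there and subtract it, so the commit message should state that no code outside fs/crypto takes sizeof(struct fscrypt_symlink_data) itself, or the patch should adjust those users as well.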
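Review bot: the bare `- 1` and `+ 1` added in fscrypt_prepare_symlink() and the `- 1` added in __fscrypt_encrypt_symlink() have to stay in step with each other, yet nothing at those lines names the byte they stand for. Suggest a small named constant or helper for the on-disk overhead (header plus the extra byte) so the three expressions cannot drift apart in a later cleanup.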
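Review bot: in fscrypt_get_symlink(), `max_size < sizeof(*sd) + 1` now carries an explicit `+ 1` while the later `cstr.len + sizeof(*sd) > max_size` carries none, and neither line says why. A one-line comment on each (what the extra byte in the first check is, and that the second check counts only the header and the ciphertext) would keep a later change from evening out the two and loosening the bounds check applied to on-disk data.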
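The commit message's point that the extra byte is propagated so that no computed size changes can be checked in userspace. This is an added example, not part of the original message or the kernel source: `uint16_t` stands in for `__le16`, the helper names are hypothetical, and the input ranges are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins for the two layouts; uint16_t replaces the kernel's __le16. */
struct sd_old { uint16_t len; char encrypted_path[1]; } __attribute__((packed));
struct sd_new { uint16_t len; char encrypted_path[];  } __attribute__((packed));

/* Bounds checks of fscrypt_get_symlink() before the patch: 1 = accepted. */
static int accept_old(size_t max_size, size_t cstr_len)
{
    if (max_size < sizeof(struct sd_old)) return 0;
    if (cstr_len == 0) return 0;
    return cstr_len + sizeof(struct sd_old) - 1 <= max_size;
}

/* The same checks as rewritten by the patch. */
static int accept_new(size_t max_size, size_t cstr_len)
{
    if (max_size < sizeof(struct sd_new) + 1) return 0;
    if (cstr_len == 0) return 0;
    return cstr_len + sizeof(struct sd_new) <= max_size;
}

/* disk_link->len adjustment in fscrypt_prepare_symlink(), old and new form. */
static size_t disk_len_old(size_t enc) { return enc + sizeof(struct sd_old); }
static size_t disk_len_new(size_t enc) { return enc + sizeof(struct sd_new) + 1; }

/* ciphertext_len in __fscrypt_encrypt_symlink(), old and new form. */
static size_t ct_len_old(size_t dl) { return dl - sizeof(struct sd_old); }
static size_t ct_len_new(size_t dl) { return dl - sizeof(struct sd_new) - 1; }

/* Count inputs on which any old/new pair disagrees (constructed input ranges). */
int count_mismatches(void)
{
    int bad = 0;
    for (size_t m = 0; m <= 512; m++) {
        bad += disk_len_old(m) != disk_len_new(m);
        bad += ct_len_old(m) != ct_len_new(m);   /* unsigned wrap is identical */
        for (size_t l = 0; l <= 512; l++)
            bad += accept_old(m, l) != accept_new(m, l);
    }
    return bad;
}

int main(void)
{
    printf("sizeof old=%zu new=%zu mismatches=%d\n",
           sizeof(struct sd_old), sizeof(struct sd_new), count_mismatches());
    return 0;
}
```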