Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Date:   Wed, 16 Aug 2023 09:36:50 -0400
From:   Stefan Hajnoczi <stefanha@redhat.com>
To:     David Laight <David.Laight@aculab.com>
Cc:     "kvm@vger.kernel.org" <kvm@vger.kernel.org>,
        Jason Gunthorpe <jgg@ziepe.ca>,
        "Tian, Kevin" <kevin.tian@intel.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Alex Williamson <alex.williamson@redhat.com>
Subject: Re: [PATCH 2/4] vfio: use __aligned_u64 in struct
 vfio_device_gfx_plane_info
Message-ID: <20230816133650.GC3425284@fedora>
References: <20230809210248.2898981-1-stefanha@redhat.com>
 <20230809210248.2898981-3-stefanha@redhat.com>
 <aff0d24d4bce4d34b27cfe6a76b0634e@AcuMS.aculab.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
        protocol="application/pgp-signature"; boundary="IA0szQIho2MN2VEN"
Content-Disposition: inline
In-Reply-To: <aff0d24d4bce4d34b27cfe6a76b0634e@AcuMS.aculab.com>
Precedence: bulk


--IA0szQIho2MN2VEN
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Aug 15, 2023 at 03:23:50PM +0000, David Laight wrote:
> From: Stefan Hajnoczi
> > Sent: 09 August 2023 22:03
> >=20
> > The memory layout of struct vfio_device_gfx_plane_info is
> > architecture-dependent due to a u64 field and a struct size that is not
> > a multiple of 8 bytes:
> > - On x86_64 the struct size is padded to a multiple of 8 bytes.
> > - On x32 the struct size is only a multiple of 4 bytes, not 8.
> > - Other architectures may vary.
> >=20
> > Use __aligned_u64 to make memory layout consistent. This reduces the
> > chance of holes that result in an information leak and the chance that
> > 32-bit userspace on a 64-bit kernel breakage.
>=20
> Isn't the hole likely to cause an information leak?
> Forcing it to be there doesn't make any difference.
> I'd add an explicit pad as well.

Yes, Kevin had a similar comment about this text. What I meant was that
it's safest to have a single memory layout across all architectures
(with explicit padding) so that there are no surprises. I'm going to
remove the statement about information leaks because it's confusing.

>=20
> It is a shame there isn't an __attribute__(()) to error padded structures.
>=20
> >=20
> > This patch increases the struct size on x32 but this is safe because of
> > the struct's argsz field. The kernel may grow the struct as long as it
> > still supports smaller argsz values from userspace (e.g. applications
> > compiled against older kernel headers).
>=20
> Doesn't changing the offset of later fields break compatibility?
> The size field (probably) only lets you extend the structure.

Yes, that would break compatibility but I don't see any changes in this
patch series that modifies the offsets of later fields. Have I missed
something?

> Oh, for sanity do min(variable, constant).

Can you elaborate?

Thanks,
Stefan

--IA0szQIho2MN2VEN
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhpWov9P5fNqsNXdanKSrs4Grc8gFAmTc0PIACgkQnKSrs4Gr
c8jAuQf/Upyntfw/M5KfXri893SxdBLJ23KNlmWpQG93GFyLqc4NWElriTGYe98j
swYOSqt679605BgSc7OR7TttgzLM6s9rDgXo+g5WzF2LzwIFcSjkvySKhjRmaH6a
onatY7KI1vKw59JhuHLU5aCIoG3+SlsfA9gNNGD8Zyo+BtoQqeWUIsKcEsJvQx04
hkiriJOzvjHlWoo6B1w/98HZhaNEwkUOIdskVu5z2PuejMd5wCxR3ho81GIKznds
1JzRXA7dkfAuZ/T4WUP3+XmIllwzMw6YFkafvAwaaHS69myNtk28UDbEcPTUEcw0
QZcCXTOjunwBQzp4Td0LVjEVbz4V1g==
=cIK8
-----END PGP SIGNATURE-----

--IA0szQIho2MN2VEN--