Date: Sun, 1 Oct 2023 09:25:07 +0200 (CEST)
From: Julia Lawall
To: Kees Cook
Cc: Christophe JAILLET, Ian Abbott, H Hartley Sweeten, "Gustavo A. R. Silva", Nathan Chancellor, Nick Desaulniers, Tom Rix, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, linux-hardening@vger.kernel.org, llvm@lists.linux.dev
Subject: Re: [PATCH] comedi: Annotate struct comedi_lrange with __counted_by

On Sat, 30 Sep 2023, Kees Cook wrote:

> On Sat, Sep 30, 2023 at 11:14:47AM +0200, Christophe JAILLET wrote:
> > Prepare for the coming implementation by GCC and Clang of the __counted_by
> > attribute. Flexible array members annotated with __counted_by can have
> > their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
> > (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
> > functions).
> >
> > Signed-off-by: Christophe JAILLET
> > ---
> > This patch is part of a work done in parallel of what is currently worked
> > on by Kees Cook.
> >
> > My patches are only related to corner cases that do NOT match the
> > semantic of his Coccinelle script[1].
>
> Nice!
>
> struct comedi_lrange {
>         int length;
>         struct comedi_krange range[];
> };
> ...
> static const struct comedi_lrange range_rti800_ai_10_bipolar = {
>         4, {
>                 BIP_RANGE(10),
>                 BIP_RANGE(1),
>                 BIP_RANGE(0.1),
>                 BIP_RANGE(0.02)
>         }
> };
>
> I'm struggling to come up with a way for Coccinelle to find this kind of
> thing in other places...
>
> > In this case, it has been spotted because of comedi_alloc_spriv().
> > All other usages of struct comedi_lrange seem to be static definition of
> > the structure that explicitly set the .length field.
>
> Ah-ha, I found it in drivers/comedi/drivers/das16.c das16_ai_range():
>
>         lrange = comedi_alloc_spriv(s,
>                                     struct_size(lrange, range, 1));

This is not found due to the regular expression used for the name of the
alloc function.  Maybe you could drop it entirely?  Maybe you could just
check for alloc somewhere in the string?

identifier ALLOC =~ "alloc";

works in this case.

Also, I see in the link that you have:

// Options: --all-includes

You can actually force this by putting

#spatch --all-includes

and any other options you want.

julia

>
> I was also able to find this:
>
> union jr3_pci_single_range {
>         struct comedi_lrange l;
>         char _reserved[offsetof(struct comedi_lrange, range[1])];
> };
>
> Which looks a lot like DEFINE_FLEX:
> https://lore.kernel.org/linux-hardening/20230912115937.1645707-2-przemyslaw.kitszel@intel.com/
> But that above for stack variables rather than globals. But I'm way off
> topic now. ;)
>
> Reviewed-by: Kees Cook
>
> >
> > [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
> > ---
> >  include/linux/comedi/comedidev.h | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > > diff --git a/include/linux/comedi/comedidev.h b/include/linux/comedi/comedidev.h > > index 0a1150900ef3..c08416a7364b 100644 > > --- a/include/linux/comedi/comedidev.h > > +++ b/include/linux/comedi/comedidev.h > > @@ -633,7 +633,7 @@ extern const struct comedi_lrange range_unknown; > > */ > > struct comedi_lrange { > > int length; > > - struct comedi_krange range[]; > > + struct comedi_krange range[] __counted_by(length); > > }; > > > > /** > > -- > > 2.34.1 > > > > -- > Kees Cook >
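
Review bot: in the struct comedi_lrange hunk, `__counted_by(length)` makes `int length` the bound for every `range[]` access, so the runtime-allocated user named in this thread, das16_ai_range() with `comedi_alloc_spriv(s, struct_size(lrange, range, 1))`, needs `lrange->length` assigned before the first write to `lrange->range[0]`. That ordering is not visible in this patch, and the commit message should state that it was checked. The counter is a signed `int`, so it is also worth confirming that nothing stores a negative value in it, and the kernel-doc comment that ends just above the struct could note that `length` now bounds `range[]`.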
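
The layout and ordering the annotation relies on, as an added userspace example that is not code from this thread or from the kernel. `struct krange`, `struct lrange`, `COUNTED_BY`, `lrange_alloc()` and `lrange_at()` are hypothetical stand-ins, and the explicit index check spells out the bound that CONFIG_UBSAN_BOUNDS would take from `length`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Fall back to a no-op where the compiler lacks the attribute. */
#if defined(__has_attribute)
# if __has_attribute(counted_by)
#  define COUNTED_BY(m) __attribute__((counted_by(m)))
# endif
#endif
#ifndef COUNTED_BY
# define COUNTED_BY(m)
#endif

/* Simplified stand-in for the element type (assumption, not the kernel header). */
struct krange { int min, max; unsigned int flags; };

/* Userspace stand-in with the same shape as struct comedi_lrange. */
struct lrange {
	int length;
	struct krange range[] COUNTED_BY(length);
};

/* Hypothetical helper: overflow-checked sizing in the spirit of struct_size(). */
static struct lrange *lrange_alloc(int n)
{
	struct lrange *lr;

	if (n < 0 || (size_t)n > (SIZE_MAX - sizeof(*lr)) / sizeof(lr->range[0]))
		return NULL;
	lr = calloc(1, sizeof(*lr) + (size_t)n * sizeof(lr->range[0]));
	if (lr)
		lr->length = n;	/* counter is set before any range[] access */
	return lr;
}

/* Hypothetical accessor: the bounds check written out by hand. */
static struct krange *lrange_at(struct lrange *lr, int idx)
{
	if (!lr || idx < 0 || idx >= lr->length)
		return NULL;
	return &lr->range[idx];
}
```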