Date: Mon, 9 Oct 2023 12:42:05 -0600
From: "Gustavo A. R. Silva"
To: Stanimir Varbanov, Vikash Garodia, Bryan O'Donoghue, Andy Gross, Bjorn Andersson, Konrad Dybcio, Mauro Carvalho Chehab
Cc: linux-media@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva", linux-hardening@vger.kernel.org
Subject: [PATCH][next] media: venus: hfi_cmds: Replace one-element array with flex-array member and use __counted_by

Array `data` in `struct hfi_sfr` is being used as a fake flexible array at run-time:

drivers/media/platform/qcom/venus/hfi_venus.c:
1033         p = memchr(sfr->data, '\0', sfr->buf_size);
1034         /*
1035          * SFR isn't guaranteed to be NULL terminated since SYS_ERROR indicates
1036          * that Venus is in the process of crashing.
1037          */
1038         if (!p)
1039                 sfr->data[sfr->buf_size - 1] = '\0';
1040
1041         dev_err_ratelimited(dev, "SFR message from FW: %s\n", sfr->data);

Fake flexible arrays are deprecated, and should be replaced by flexible-array members. So, replace one-element array with a flexible-array member in `struct hfi_sfr`.

While there, also annotate array `data` with __counted_by() to prepare for the coming implementation by GCC and Clang of the __counted_by attribute.
Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). This results in no differences in binary output. This issue was found with the help of Coccinelle, and audited and fixed manually. Signed-off-by: Gustavo A. R. Silva --- drivers/media/platform/qcom/venus/hfi_cmds.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.h b/drivers/media/platform/qcom/venus/hfi_cmds.h index dd9c5066442d..20acd412ee7b 100644 --- a/drivers/media/platform/qcom/venus/hfi_cmds.h +++ b/drivers/media/platform/qcom/venus/hfi_cmds.h @@ -242,7 +242,7 @@ struct hfi_session_parse_sequence_header_pkt { struct hfi_sfr { u32 buf_size; - u8 data[1]; + u8 data[] __counted_by(buf_size); }; struct hfi_sys_test_ssr_pkt { -- 2.34.1
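Review bot: in `struct hfi_sfr`, `__counted_by(buf_size)` makes every bounds check on `data` trust `buf_size`, and the hfi_venus.c excerpt in the commit message uses that field without validating it: with `buf_size == 0`, memchr() returns NULL and `sfr->data[sfr->buf_size - 1] = '\0'` indexes with a wrapped u32, which CONFIG_UBSAN_BOUNDS would now flag. Since the excerpt labels the message as coming from firmware, consider checking `buf_size` for zero and against the size of the SFR region before the memchr(), in this patch or a follow-up. Also, `sizeof(struct hfi_sfr)` no longer includes a data byte once `u8 data[1]` becomes `u8 data[]`; the commit message says binary output is unchanged, so it would help to state explicitly that no `sizeof` user of this struct exists.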
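An added user-space example, not part of the patch or the venus driver, showing what the commit message describes: the size difference between the one-element and flexible-array layouts, and an in-place termination that validates the length field first. The names `sfr_fake`, `sfr_flex`, `COUNTED_BY`, `sfr_alloc_size`, `sfr_terminate` and `demo` are hypothetical, and the `region_len` check is an assumption of this example rather than something the driver is shown to do.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Use counted_by only where the compiler has it; expand to nothing elsewhere. */
#if defined(__has_attribute)
# if __has_attribute(counted_by)
#  define COUNTED_BY(m) __attribute__((counted_by(m)))
# endif
#endif
#ifndef COUNTED_BY
# define COUNTED_BY(m)
#endif

/* "Before": one-element array used as a fake flexible array. */
struct sfr_fake { uint32_t buf_size; uint8_t data[1]; };
/* "After": flexible-array member tied to its length field. */
struct sfr_flex { uint32_t buf_size; uint8_t data[] COUNTED_BY(buf_size); };

/* Header plus n payload bytes (hypothetical stand-in for the kernel's struct_size()). */
static size_t sfr_alloc_size(uint32_t n) { return offsetof(struct sfr_flex, data) + n; }

/* Terminate in place; returns string length, or -1 if buf_size is 0 or exceeds region_len. */
static long sfr_terminate(struct sfr_flex *sfr, size_t region_len)
{
    size_t hdr = offsetof(struct sfr_flex, data);
    if (region_len < hdr || sfr->buf_size == 0 || sfr->buf_size > region_len - hdr)
        return -1;
    if (!memchr(sfr->data, '\0', sfr->buf_size))
        sfr->data[sfr->buf_size - 1] = '\0';
    return (long)strlen((char *)sfr->data);
}

/* Constructed input: `real` bytes of 'A' with no NUL, header claiming `claimed`. */
static long demo(uint32_t claimed, uint32_t real)
{
    size_t len = sfr_alloc_size(real);
    struct sfr_flex *sfr = malloc(len);
    long r;
    if (!sfr) return -2;
    sfr->buf_size = real;        /* set the count before touching data[] */
    memset(sfr->data, 'A', real);
    sfr->buf_size = claimed;     /* what an untrusted writer might leave behind */
    r = sfr_terminate(sfr, len);
    free(sfr);
    return r;
}

int main(void) { printf("%ld %ld %ld\n", demo(8, 8), demo(0, 8), demo(64, 8)); return 0; }
```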