Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37;
From:   <nobuhiro1.iwamatsu@toshiba.co.jp>
To:     <gustavoars@kernel.org>, <mturquette@baylibre.com>,
        <sboyd@kernel.org>
CC:     <keescook@chromium.org>, <linux-clk@vger.kernel.org>,
        <linux-arm-kernel@lists.infradead.org>,
        <linux-kernel@vger.kernel.org>, <linux-hardening@vger.kernel.org>
Subject: RE: [PATCH 1/2][next] clk: visconti: Fix undefined behavior bug in
 struct visconti_pll_provider
Thread-Topic: [PATCH 1/2][next] clk: visconti: Fix undefined behavior bug in
 struct visconti_pll_provider
Thread-Index: AQHZ/LJNyQMz8Qp5hUqym6eH9mB9QrBLegCA
Date:   Sun, 15 Oct 2023 22:49:34 +0000
Message-ID: <TYVPR01MB112454C37D7A41F76CB84B0AA92D0A@TYVPR01MB11245.jpnprd01.prod.outlook.com>
References: <cover.1697076650.git.gustavoars@kernel.org>
 <0a59a721d54b557076cc94eabeb694d463773204.1697076650.git.gustavoars@kernel.org>
In-Reply-To: <0a59a721d54b557076cc94eabeb694d463773204.1697076650.git.gustavoars@kernel.org>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?iso-2022-jp?B?a1NXTXBsSHp2OXZKVlZVeWttOFBJRUI0bXZSTGRXeTg5N0NHYlJITFpS?=
 =?iso-2022-jp?B?R0VnZVc5azZoT2lSamdYSUZvM1pIdUF3TFRMb05Oc0RlMXQyOUtOb2cv?=
 =?iso-2022-jp?B?NUZ3bDVWRStWYU5XcnI0cFFRaDVlVmt0b0pTWDRlN2pwRDJrS1NZVGs5?=
 =?iso-2022-jp?B?QjBMTVNBNUltK05NQWFLWDVqeVJmYklIdWxuMlFrZVdQUk5WaE54NC9o?=
 =?iso-2022-jp?B?SDU4dmRMRWs5V1JGMk9FSlVPcW1YRk1FRkRkWExmend5SzltemlPbnBM?=
 =?iso-2022-jp?B?OHpBSmx0aW1rZ0dIWmJrK2YzNG9mNlpCc0tCTnl4bzd2KzhXUkJCaWlD?=
 =?iso-2022-jp?B?cHV0Zmk4RHRjNXR3YlZyUTBQRGdWSlJXdmxJUWtLMXZPeWZIZXVtUEVR?=
 =?iso-2022-jp?B?ckVMWTZPaWJZNXRoRFZQRG5YREtLMkRUaktEZmdYeUMxdk9aVFQxQUNS?=
 =?iso-2022-jp?B?T25oRVo3eDdQbmNEZmlTVzZlbDRqQXd6cGpHMkMrWWM2L2w4UmgrRWhZ?=
 =?iso-2022-jp?B?MklYanAyUlMwdSs1dEwwcDFEcXMzVE9ibFJnZ0pUSnJRU2wwMmdKUVNm?=
 =?iso-2022-jp?B?YXUvdURUeHpHRFlwY0xsZytURzJ2MndYekhWVDQ4NHVNYXRBdzZaTFcz?=
 =?iso-2022-jp?B?ZmhleXJya0RtMlFxWkNYa2UxKzZob3ZlRmh0bVNGNjRNei9sZlBIRzZj?=
 =?iso-2022-jp?B?eW9qMVYzNkthZmVQNU1uaFVCYjl5L2pRbWVjYlpSelRrdU9USGhFOFBt?=
 =?iso-2022-jp?B?U2lvd1pNdW1IclF4TFM2aktSUGE4VHk4VWxzV05zZTJLQmN6ekc5bmtx?=
 =?iso-2022-jp?B?ODFwbE1oVzFBNW91eFMwTnN1WFd1UExHMVduMnpHelpyOXRXYnhvWHF0?=
 =?iso-2022-jp?B?b3MzUHZ3M2RIQkZFcTNBUTQ1YnZkMFkzVUk2VEdKTzZXTVF0Zk5OTjlY?=
 =?iso-2022-jp?B?WlJoZEl2RVR0aWtSVUplTmlzNndoblFKWEtmK2ZnaUtnV0tFRzlwVnRE?=
 =?iso-2022-jp?B?aDByQmpzNUtyaHBCVVl3eHRWeER4RlM5eGw0VnJkWW1yS3NQZU5QbzJH?=
 =?iso-2022-jp?B?TWZkQWtTQTM1dXdxSmV5TDMweWVEZFN3ZFZoWnJrRTd1STJsZ29rbUlJ?=
 =?iso-2022-jp?B?MUdrT2ltRldjSnlWOVVqTTFRZFFlSzY3SnFzUXFzeTMyM0RZa3BOYlpo?=
 =?iso-2022-jp?B?bHR4UnJESHNROUM3c1NSQjlhNVlCNk5jb2MwblFGLzloUnBBU1VndkJm?=
 =?iso-2022-jp?B?Y2JVUWwyZUNHMzhMSytNT2VXQkZsZE0xQlk5UitIa1Rqam1nazZOZmJF?=
 =?iso-2022-jp?B?dFlwTlNVSERFa3JTU2FNYVpuQk8zK3FEc3RKRXBFZVJJeXE1YXRJZUFG?=
 =?iso-2022-jp?B?M2RNVG5HeFEzZEZ4UVNKTGZDbHZFYU9pMC85TXBEaStCRXJsTWJZby9S?=
 =?iso-2022-jp?B?bGl5dW1zWXNwcXUzYUU1dDhDUDZPTzlJbmQ4N1FUWitia0JLMUlKMWhl?=
 =?iso-2022-jp?B?RVcwazFiTFlIaWcrcEFzeUlpWGM0bUhqd1hLeExkRUhSNFpRK0h4Rm4w?=
 =?iso-2022-jp?B?SWJsTmVnRkNkK0JmVzJWSEdHM05QUERCN1h2M01sYmJGYTAzcGIyczlJ?=
 =?iso-2022-jp?B?akxtcFhGZUR4d1VvdXNWYXpVT255NFBOR0paN2FDNU9SVlVTVTNxTFdS?=
 =?iso-2022-jp?B?M2dhSUFGa0JBd1J4bEx4ZUhDVGRJcnZBT01OdSswNitIYzhsYjR4UlVn?=
 =?iso-2022-jp?B?djJrdEtlYXdaRlhFWXFHVXJSSkVpUUY0SVhjdkNHcnlUU1pONW8wdlA5?=
 =?iso-2022-jp?B?YUlMTjhFbUxzekowUXhaT0w5MW9TdnA0ajJTN3lxUExRczNFa3RDNlpU?=
 =?iso-2022-jp?B?dUpoM2U4a25XaXJxenpGeUpnYUhuNEVNdEltdmwwSFhKbjhoM3JwVXNR?=
 =?iso-2022-jp?B?ZjhXT0pXclFNYy9XWjRvYzIwdFh0M1cvSGF2MVVxRmJOVGhvSHJMK3VP?=
 =?iso-2022-jp?B?UWd0TmtNOXNrb2FMRDhNV0ExVU02R1JaUFRpVDdmY283cGJSVHltOXhM?=
 =?iso-2022-jp?B?ZTY5N3BzTFRWSndTeUZTZUZTU1hKRldQUklET2V6TkFIanlLcFJNWWRq?=
 =?iso-2022-jp?B?ZU10WXljL0NEWkpTQWMwYzhLQi9QVUNGOEIrenAzTkgzMmYrUFdsUlRM?=
 =?iso-2022-jp?B?Mk5QOCt6S0JJVTRac29DVFUveklqV3hqZHh0ekdIWTliSkx0b1pQbU1N?=
 =?iso-2022-jp?B?elFUM2JMOEJqb2Y1eTNBK1JMOUVjRzM5NXVFcVJEOU5EUFE1cmsranNw?=
 =?iso-2022-jp?B?VzJ4blVhYVNrYk9LNE1DcjRpMnR3WkNNL3c9PQ==?=
Content-Type: text/plain; charset="iso-2022-jp"
Content-Transfer-Encoding: 8BIT
MIME-Version: 1.0
X-OriginatorOrg: toshiba.co.jp
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: TYVPR01MB11245.jpnprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d1136a38-2dd7-4e22-726d-08dbcdd10065
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Oct 2023 22:49:34.1120
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f109924e-fb71-4ba0-b2cc-65dcdf6fbe4f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ORa+6UCfj8NLpgPZkK/GNaarA6ZgSI73VQJJXr0qnhmSgvTH4QpwbnaDnPUgUPFKqTx4teTfJjmq+T91i64f9IxTGDj1IL4dA7fhQVLRCzNSVHNWwYrSg/sJjT5lsivX
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TY3PR01MB10015
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS,
        SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Sun, 15 Oct 2023 16:20:49 -0700 (PDT)

Hi Gustavo A. R. Silva,

Thanks for your patch!

> -----Original Message-----
> From: Gustavo A. R. Silva <gustavoars@kernel.org>
> Sent: Thursday, October 12, 2023 11:18 AM
> To: Michael Turquette <mturquette@baylibre.com>; Stephen Boyd
> <sboyd@kernel.org>; iwamatsu nobuhiro(岩松 信洋 ○ＤＩＴＣ□ＤＩＴ○Ｏ
> ＳＴ) <nobuhiro1.iwamatsu@toshiba.co.jp>
> Cc: Kees Cook <keescook@chromium.org>; linux-clk@vger.kernel.org;
> linux-arm-kernel@lists.infradead.org; linux-kernel@vger.kernel.org; Gustavo A.
> R. Silva <gustavoars@kernel.org>; linux-hardening@vger.kernel.org
> Subject: [PATCH 1/2][next] clk: visconti: Fix undefined behavior bug in struct
> visconti_pll_provider
> 
> `struct clk_hw_onecell_data` is a flexible structure, which means that it
> contains flexible-array member at the bottom, in this case array
> `hws`:
> 
> include/linux/clk-provider.h:
> 1380 struct clk_hw_onecell_data {
> 1381         unsigned int num;
> 1382         struct clk_hw *hws[] __counted_by(num);
> 1383 };
> 
> This could potentially lead to an overwrite of the objects following `clk_data` in
> `struct visconti_pll_provider`, in this case `struct device_node *node;`, at
> run-time:
> 
> drivers/clk/visconti/pll.h:
>  16 struct visconti_pll_provider {
>  17         void __iomem *reg_base;
>  18         struct clk_hw_onecell_data clk_data;
>  19         struct device_node *node;
>  20 };
> 
> Notice that a total of 56 bytes are allocated for flexible-array `hws` at line 328.
> See below:
> 
> include/dt-bindings/clock/toshiba,tmpv770x.h:
>  14 #define TMPV770X_NR_PLL		7
> 
> drivers/clk/visconti/pll-tmpv770x.c:
>  69 ctx = visconti_init_pll(np, reg_base, TMPV770X_NR_PLL);
> 
> drivers/clk/visconti/pll.c:
> 321 struct visconti_pll_provider * __init visconti_init_pll(struct device_node
> *np,
> 322                                                         void __iomem
> *base,
> 323                                                         unsigned long
> nr_plls)
> 324 {
> 325         struct visconti_pll_provider *ctx;
> ...
> 328         ctx = kzalloc(struct_size(ctx, clk_data.hws, nr_plls),
> GFP_KERNEL);
> 
> `struct_size(ctx, clk_data.hws, nr_plls)` above translates to sizeof(struct
> visconti_pll_provider) + sizeof(struct clk_hw *) * 7 ==
> 24 + 8 * 7 == 24 + 56
> 		  ^^^^
> 		   |
> 	allocated bytes for flex array `hws`
> 
> $ pahole -C visconti_pll_provider drivers/clk/visconti/pll.o struct
> visconti_pll_provider {
> 	void *                     reg_base;             /*     0     8 */
> 	struct clk_hw_onecell_data clk_data;             /*     8     8 */
> 	struct device_node *       node;                 /*    16     8 */
> 
> 	/* size: 24, cachelines: 1, members: 3 */
> 	/* last cacheline: 24 bytes */
> };
> 
> And then, after the allocation, some data is written into all members of `struct
> visconti_pll_provider`:
> 
> 332         for (i = 0; i < nr_plls; ++i)
> 333                 ctx->clk_data.hws[i] = ERR_PTR(-ENOENT);
> 334
> 335         ctx->node = np;
> 336         ctx->reg_base = base;
> 337         ctx->clk_data.num = nr_plls;
> 
> Fix all these by placing the declaration of object `clk_data` at the end of `struct
> visconti_pll_provider`. Also, add a comment to make it clear that this object
> must always be last in the structure, and prevent this bug from being
> introduced again in the future.
> 
> Fixes: b4cbe606dc36 ("clk: visconti: Add support common clock driver and
> reset driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Acked-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>

Best regards,
  Nobuhiro