Received: by 2002:a05:7412:cfc7:b0:fc:a2b0:25d7 with SMTP id by7csp390519rdb; Sat, 17 Feb 2024 13:19:14 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCWtkHXAlI57SNKlzyI0mergv9UZaOSmry5+STGW8SF1UGvCVZFtYGwbA0qNlxX+mtV0/2WIrMs8aoBGNmUYVG0GofNX+jppN6cyQDcYTg== X-Google-Smtp-Source: AGHT+IGjXsQ+Kma1rEd3E+jVnp5//a0keEq14UwnBuXgU8tjx2BhG453EeHLf7UtGsRsy6XVrQYL X-Received: by 2002:a17:906:2508:b0:a3d:1994:d3b2 with SMTP id i8-20020a170906250800b00a3d1994d3b2mr5804121ejb.74.1708204754079; Sat, 17 Feb 2024 13:19:14 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708204754; cv=pass; d=google.com; s=arc-20160816; b=sRD4voz7qFaW/RRvpIhvxcmGN/i9NZA/i5/6VxEy5KdxrX5E077K744H969XhCPmVu LpQhPA7gZs2G2vhM1gcXmnh7wIkno2Ww8JDeOGs23N78DGUGZ2cw0AFKHmNR4B4tNcZK c3uprI00Kmd7midaaX8f6VV5cWWrhso5AXtHd8+7RcALuab3vKtJ2Tfej2xERsV0LgeF SCsroNwQnwPsuitN+CY2IG01n6hGSUAgoI8kjaBg9b2Amde2B44SjMw9YWJ0672NeQc3 d53qZvPhYDqyRLYV3fp6zLMKVWHCi6ctweslkGWm+sVbW/hH++IPGIaO0tzRJoKk10vd +kig== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id:dkim-signature; bh=jsUAb6vb40+XemerMiSmb6ZuxYzXcwGlQ49c+yrXOkw=; fh=P+dsLFU6t40AD7n4hiYphUXMhDCLNNWXRiutejvBDx4=; b=obIum6hRgAIRnK69o2mtgS6l4Xot9WmVBgK+5RPyayC7BCOI8gTCbrjfS0v35eDdyB /IBaai+xGcIF98C3K/4qkjqx6oxib9WPl+tr2BKYvMpqrymzsp6kLT6WBAftI6wXNik8 vzOgCz3ueaYqjIeUmqOT/gCFKXaFzPRaFckdSuoKqQ8ck9NYgzmCm8Te/c+mQ6NOBkPJ h61d3swDpRgUabKK6DGAN/YGud4OWn/dkMs4tuxuK3gGis8DOlsL1zi7rcDMf5Z/71zb 7qKvL7BxCnv0dPza6XD8gNf2vrzIq7tD16Mq74B7TYy46Ek/qtVFa7QHF/Y7PnPHYL6i H82A==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@ieee.org header.s=google header.b=fRjUtNWb; arc=pass (i=1 spf=pass spfdomain=ieee.org dkim=pass dkdomain=ieee.org dmarc=pass fromdomain=ieee.org); spf=pass (google.com: domain of linux-kernel+bounces-70092-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-70092-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ieee.org Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id i13-20020a170906264d00b00a3d9a83bb51si1122935ejc.79.2024.02.17.13.19.14 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 17 Feb 2024 13:19:14 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-70092-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@ieee.org header.s=google header.b=fRjUtNWb; arc=pass (i=1 spf=pass spfdomain=ieee.org dkim=pass dkdomain=ieee.org dmarc=pass fromdomain=ieee.org); spf=pass (google.com: domain of linux-kernel+bounces-70092-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-70092-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ieee.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id AC3AF1F22020 for ; Sat, 17 Feb 2024 21:19:13 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 06EA47F7F6; Sat, 17 Feb 2024 21:19:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="fRjUtNWb" Received: from mail-qk1-f177.google.com (mail-qk1-f177.google.com [209.85.222.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DFA9B1CF83 for ; Sat, 17 Feb 2024 21:19:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.177 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708204746; cv=none; b=r9CRdKj1BNlpHk4l4DsKQuAQ+j2277bd0mP9hQPVhKKjhdrxb+PnOv96KjLbqyzG75yr7LnoYRy+ZaZ8CkLhNsB2rFyFnR6aueP8c0QMgK+ZBciuyqYCHMaObTUYObI1RdPllFvVduzxwS/DzyVOQc+pUQ9N7RytZsT2AI4IGHQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708204746; c=relaxed/simple; bh=jqmSZE/6hIL7tHTUq7XBmsqEMOHIxcazTD9D7B73dnA=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=GNyuUoF+iwMeH4QNbDejV4xFVijm2yo35Rba/HxdwFxOu1nq1a9kw8NEP/4DUh8i9Um7v0mO3p6EGXKFE61kxkyl4JcULHowPt+bf3Ml/hLqN2eQQcfceQQQbVtUJA32JHkhDKBFU71GcjJGiexyjsM44Gj/Y+A1NnPk4WWGxws= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=ieee.org; spf=pass smtp.mailfrom=ieee.org; dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b=fRjUtNWb; arc=none smtp.client-ip=209.85.222.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=ieee.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=ieee.org Received: by mail-qk1-f177.google.com with SMTP id af79cd13be357-7875adf71b1so25395085a.0 for ; Sat, 17 Feb 2024 13:19:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; t=1708204742; x=1708809542; darn=vger.kernel.org; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=jsUAb6vb40+XemerMiSmb6ZuxYzXcwGlQ49c+yrXOkw=; b=fRjUtNWbyUcxuRIkCB0gXWYH6TIvfHCtO29QgX3+Ws+ceUgFRqNzEYiutvsEmoBBYM ypJp25oScrs8hIJBClbEkerQf+Um4HRE0GUZ+JrpN8Pzx8C4G5JwFfJKXVuZvVFP+MIG f+tCQxLCGwwjS0d5d8xqHaIMgDw958TM+cDl0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708204742; x=1708809542; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=jsUAb6vb40+XemerMiSmb6ZuxYzXcwGlQ49c+yrXOkw=; b=mY0Q7HP5SARybM2M17gjFStZl+uNi2xJOTmHmj7QDIPtGrcflOQWWc8YmY1AaVBZpH /3IuKreSd/8Hjeb5HJxU/IdvNRlX8KMTve0s1Kt/AqncJPP+yiUtYmbK2jWESBvJ0Y3+ zUmSv7T/N39nzpt+24V4Z+PHz92sCKnjJqNXKB/isbVtLgj1d/rq7l2zi9qTrHUhtVtZ lQhphKyFEnlbCkkhOVQQKuoRIPYnYP+NlFGp5URF4a06FWtJh/jyWJB71EjrSFGvNy2T 4+Gt6sgF8JO9HAF2jfS2liLpR6WPqvb05ibqbPMQ7qNlycncgANfS+mbVqtVMtRj637X X1Ag== X-Forwarded-Encrypted: i=1; AJvYcCVB3J1YZ0cGQRuwQwBairV+zOCiEnRoAImjj0ZvbawZGEnfQMeQfA5R70jSwQWXdhCd28EnY2+TKVFnFemGkMXLBVtLc5Nf7M1u3tV/ X-Gm-Message-State: AOJu0Yw4Ure37w2yCWbOA7cHabt82vpUJbs/PdF9mOk3M/QGiilhTUtn l/bLFmXclvG/0F7jaJFC3+S58N75Cgh9Rx6f3iQNAIg5QJY65mSZWTdekP0L5A== X-Received: by 2002:a05:620a:46ab:b0:787:538c:58cb with SMTP id bq43-20020a05620a46ab00b00787538c58cbmr4663545qkb.28.1708204741830; Sat, 17 Feb 2024 13:19:01 -0800 (PST) Received: from [10.211.55.3] (c-98-61-227-136.hsd1.mn.comcast.net. [98.61.227.136]) by smtp.googlemail.com with ESMTPSA id c3-20020a05620a11a300b00785d7f634bcsm1116200qkk.8.2024.02.17.13.19.00 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 17 Feb 2024 13:19:01 -0800 (PST) Message-ID: <02cf87a3-4e92-4f6d-98f6-dfc0e198d462@ieee.org> Date: Sat, 17 Feb 2024 15:18:59 -0600 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH] greybus: audio: apbridgea: Remove flexible array from struct audio_apbridgea_hdr Content-Language: en-US To: Erick Archer , Vaibhav Agarwal , Mark Greer , Johan Hovold , Alex Elder , Greg Kroah-Hartman , "Gustavo A. R. Silva" , Kees Cook Cc: greybus-dev@lists.linaro.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org References: <20240217154758.7965-1-erick.archer@gmx.com> From: Alex Elder In-Reply-To: <20240217154758.7965-1-erick.archer@gmx.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 2/17/24 9:47 AM, Erick Archer wrote: > When a struct containing a flexible array is included in another struct, > and there is a member after the struct-with-flex-array, there is a > possibility of memory overlap. These cases must be audited [1]. See: > > struct inner { > ... > int flex[]; > }; > > struct outer { > ... > struct inner header; > int overlap; > ... > }; > > This is the scenario for the "struct audio_apbridgea_hdr" structure > that is included in the following "struct audio_apbridgea_*_request" > structures: Yeah this was not a very good way to define these header structures, but I'm glad to hear the flexible array at the end was never used. I don't know why it was there; maybe it's an artifact from some other information that got removed. If the code compiles with your change, it ought to be fine. (It compiles for me.) It would be good for Vaibhav or Mark to comment though, maybe they can provide some context. > > struct audio_apbridgea_set_config_request > struct audio_apbridgea_register_cport_request > struct audio_apbridgea_unregister_cport_request > struct audio_apbridgea_set_tx_data_size_request > struct audio_apbridgea_prepare_tx_request > struct audio_apbridgea_start_tx_request > struct audio_apbridgea_stop_tx_request > struct audio_apbridgea_shutdown_tx_request > struct audio_apbridgea_set_rx_data_size_request > struct audio_apbridgea_prepare_rx_request > struct audio_apbridgea_start_rx_request > struct audio_apbridgea_stop_rx_request > struct audio_apbridgea_shutdown_rx_request > > The pattern is like the one shown below: > > struct audio_apbridgea_hdr { > ... > __u8 data[]; > } __packed; > > struct audio_apbridgea_*_request { > struct audio_apbridgea_hdr hdr; > ... > } __packed; > > In this case, the trailing flexible array can be removed because it is > never used. > > Link: https://github.com/KSPP/linux/issues/202 [1] > Signed-off-by: Erick Archer > --- > Hi everyone, > > I'm not sure this patch is correct. My concerns are: > > The "struct audio_apbridgea_hdr" structure is used as a first member in > all the "struct audio_apbridgea_*_request" structures. And these last > structures are used in the "gb_audio_apbridgea_*(...)" functions. These > functions fill the "request" structure and always use: > > gb_hd_output(connection->hd, &req, sizeof(req), > GB_APB_REQUEST_AUDIO_CONTROL, true); > > Then, the "gb_hd_output(struct gb_host_device *hd, ...)" function calls: > > hd->driver->output(hd, req, size, cmd, async); > > The first parameter to this function is of type: > > struct gb_host_device { > ... > const struct gb_hd_driver *driver; > ... > }; > > And the "gb_hd_driver" structure is defined as: > > struct gb_hd_driver { > ... > int (*output)(struct gb_host_device *hd, void *req, u16 size, u8 cmd, > bool async); > }; > > Therefore, my question is: > Where is the "output" function pointer set? I think I'm missing something. I think it will be drivers/greybus/es2.c:output(). But in any case, the output function will know nothing about the structure of the request, so I think it's unrelated to the change you're proposing. Johan can confirm this. I'd like to hear from these others, but otherwise this change looks good to me. Reviewed-by: Alex Elder > > I have search for another greybus drivers and I have found that, for > example, the "es2_ap_driver" (drivers/greybus/es2.c) sets the "output" > member in: > > static struct gb_hd_driver es2_driver = { > ... > .output = output, > }; > > I think that the flexible array that I have removed should be used in > the function assigned to the "output" function pointer. But I am not > able to find this function. > > A bit of light on this would be greatly appreciated. > > Thanks, > Erick > --- > drivers/staging/greybus/audio_apbridgea.h | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/drivers/staging/greybus/audio_apbridgea.h b/drivers/staging/greybus/audio_apbridgea.h > index efec0f815efd..ab707d310129 100644 > --- a/drivers/staging/greybus/audio_apbridgea.h > +++ b/drivers/staging/greybus/audio_apbridgea.h > @@ -65,7 +65,6 @@ > struct audio_apbridgea_hdr { > __u8 type; > __le16 i2s_port; > - __u8 data[]; > } __packed; > > struct audio_apbridgea_set_config_request { > -- > 2.25.1 >