Received: by 2002:ab2:60d1:0:b0:1f7:5705:b850 with SMTP id i17csp711685lqm; Wed, 1 May 2024 13:17:30 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCU5vZuq17BPqlykEE2/QvcKBmPUIhc3+x53JG04aSVzNdrpkFGhju1Oy/opyJ5q2XZZfMHM1NeLNgjUoJDMSFkvwxxlMLS825MAAtIbYg== X-Google-Smtp-Source: AGHT+IHtqS7mvpKsdw5DZwHd6xvo+Hr89WkWxDczlPSoPFojsIKGteLFIRqW6qJEiuLJM8LsEZ63 X-Received: by 2002:a17:90b:942:b0:2ae:ee75:1479 with SMTP id dw2-20020a17090b094200b002aeee751479mr3581531pjb.25.1714594649839; Wed, 01 May 2024 13:17:29 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714594649; cv=pass; d=google.com; s=arc-20160816; b=I10x/p1uf9J+ZAHyv8s7iKn1ZRfnfkbKM1ZySTUi2erIAwpAPANOmTdLo9cNCioaq3 hXBeD+fF2VCJybPbY6Hee/3j5GrrmFTDHmvGl2/P9Juh/jJYFwnrhdWXLlAbdZchbciv 9Xtm9km9M4O9id7hMEl1HGDHEPWxvKfFBttIKylwjKKOOuauwN6OuR+04EOmW4IfQNeB PtJfWY9WX4HPIcMXH+1uUf6Ipz/gAvvA04+7tZf7Q3lWafJrK/OlWtvH7ETEsYDphpMQ o9BlUt6aa7h8p3/OvpXfhwDXQ2POwR5IOB+otGZJrax05sFMBaKQMSnRCt0zDd8HmNCi J+6Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=TzZlykvaZE49hrAwdEmOhVJUm5xEaSWSbmXs/qt6Y88=; fh=0lIzzwpC8NZxoB8oMx1diiJqnFrTo67g884rF167BKs=; b=ChIhv7OHUEAV8J8nC78SBzJwMeSxKq6ozM7j1cEJG2Lakt4ZwSbtCS42k98mGT6eEe evdKaEvqV80cGyaneVP4JhERZCc+HfBtpUTpRoanBjB9oZmPKlzPCBnmjxBi5c5IXwsO ZFnR1IG+46ZaYiXs8nSPFR7CuD5NSojonUaeyNsSgLNZilcvQL/Xux+VvfDoaSTqDR6/ HR3FVdnaHDyTqzEF0jy8wp+BGSipOWQvftffscR65kCvQOljLxHWUb3pZ0au00Hjm/dC Pe5GnP3RwY7ZrUegoAhGfZePIuCUjbN/Mr6AwBO402r9L/N+XwkhTes1kiQm60qnUz3E dEMA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=jQgW0CgZ; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-165744-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-165744-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id nl6-20020a17090b384600b002a28be9e69fsi2153277pjb.130.2024.05.01.13.17.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 01 May 2024 13:17:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-165744-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=jQgW0CgZ; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-165744-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-165744-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 41CF3282348 for ; Wed, 1 May 2024 20:17:29 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 310EB1635BD; Wed, 1 May 2024 20:17:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="jQgW0CgZ" Received: from mail-pf1-f174.google.com (mail-pf1-f174.google.com [209.85.210.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0F12113956C for ; Wed, 1 May 2024 20:17:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.174 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714594638; cv=none; b=Rt2JzvEcEbBjNg0Ljj24qYR9JejFcNZfAJ6C7cJ5HCT5yRz9KHo7xY76qyx635LDjcf0EHZZYF0w8C9UaVJFZqFnXjBk+5NdN3EVHJJEpVDiroHff5fE/hVgxlVmTRb4Wy6wS+v3uTlPKar6s578MNxpidPL4g/vitMWd1dw6uM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714594638; c=relaxed/simple; bh=GGpAKEpoycwjSWcYUqnZv8ZhAZUkHxo5m5D9dqJxuNo=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=bBPcPONoNOoovHaZzgL1HyYMkwZE6HzVbrmOoH/xV8uMAHw7eem8gYL2qgb6CLf5t/dK/793qlwSlWPSac2kfaQxf9wVojaUgwt06ruW6VvgDw7bUXUTKzlG/lZ/RVAJYoBSTQmvwCGHlMGRT80cpVYsRkK53MZ0U1+BC1xcIbM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=jQgW0CgZ; arc=none smtp.client-ip=209.85.210.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Received: by mail-pf1-f174.google.com with SMTP id d2e1a72fcca58-6f2f6142d64so6765487b3a.2 for ; Wed, 01 May 2024 13:17:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1714594636; x=1715199436; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=TzZlykvaZE49hrAwdEmOhVJUm5xEaSWSbmXs/qt6Y88=; b=jQgW0CgZjKAOEc1i32X+GqrG9yW5MdlKY2k8Efxwz8nU+RLfUYZ5CXsF9mPSY/nz/P TjHq3AOx7LGAUILxHTHsBT+P9AhvIqMmLnHYQefRI1QvPuOn5+4+ESQPa0eUFQCEJ/Ur kRwqbnyPYATUVSO5wbd/dd3DiAwwSK02MyjOY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714594636; x=1715199436; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=TzZlykvaZE49hrAwdEmOhVJUm5xEaSWSbmXs/qt6Y88=; b=mpWIarZb+uA/1ABVLjCi9B/QfhzyPHGHe0Vma8Acdp//gHpcnf9K6u1w9sZ6b14c+I V3gsiY7fldG4+VoUI+bR4RmBhxgpUpzEOjTzDDYYv3Js3nntrJ4wBp/hdHfL8asZyboP 7KsP9bjfVcbX5URYQGNNCba/UA5Zd+LzYAeT6LOrI2SPWYUnjpdbaZVaupMANyi6ioa5 FB6b31IbdqI+pCdsnl4qqEdjrG84d2UnokR/rB2XPcejhaCJBjJ5PyYgnBoKDntpmNnU UgKd35+A8/WGSnM0xJJ1xrSZvgkAt1O0DlMemFob2KzJVUoQEBujYJzl9xo54FUctkIJ Qlmw== X-Forwarded-Encrypted: i=1; AJvYcCUopqvF6kdlCFQWCQANozKUU1YrTs5schFlbToFSiAfM6dxNxI+SkLERNbog7yF/p1M8+5t2Vma8fgRVO/xaOOiYfl59xAaOK9oFqR0 X-Gm-Message-State: AOJu0Yy5UOWNSEHCvCMU72SnTqfhJuOj6xeqp2FtiOfthNlQzy2VRHqI Ca/qkYKPL3cvXSgOhYnhE+c45FwHVRwkNpZiaH5e8A0FtIf6jndsZYo041rOMQ== X-Received: by 2002:a05:6a21:6d82:b0:1ac:d96a:4fd6 with SMTP id wl2-20020a056a216d8200b001acd96a4fd6mr4640333pzb.23.1714594636355; Wed, 01 May 2024 13:17:16 -0700 (PDT) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id j19-20020aa783d3000000b006eaf3fd91a1sm23012143pfn.62.2024.05.01.13.17.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 01 May 2024 13:17:16 -0700 (PDT) Date: Wed, 1 May 2024 13:17:15 -0700 From: Kees Cook To: Erick Archer Cc: Marek Lindner , Simon Wunderlich , Antonio Quartulli , Sven Eckelmann , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Nathan Chancellor , Nick Desaulniers , Bill Wendling , Justin Stitt , "Gustavo A. R. Silva" , b.a.t.m.a.n@lists.open-mesh.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-hardening@vger.kernel.org, llvm@lists.linux.dev Subject: Re: [PATCH v3] batman-adv: Add flex array to struct batadv_tvlv_tt_data Message-ID: <202405011317.9896F210@keescook> References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Wed, May 01, 2024 at 05:02:42PM +0200, Erick Archer wrote: > The "struct batadv_tvlv_tt_data" uses a dynamically sized set of > trailing elements. Specifically, it uses an array of structures of type > "batadv_tvlv_tt_vlan_data". So, use the preferred way in the kernel > declaring a flexible array [1]. > > At the same time, prepare for the coming implementation by GCC and Clang > of the __counted_by attribute. Flexible array members annotated with > __counted_by can have their accesses bounds-checked at run-time via > CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for > strcpy/memcpy-family functions). In this case, it is important to note > that the attribute used is specifically __counted_by_be since variable > "num_vlan" is of type __be16. > > The following change to the "batadv_tt_tvlv_ogm_handler_v1" function: > > - tt_vlan = (struct batadv_tvlv_tt_vlan_data *)(tt_data + 1); > - tt_change = (struct batadv_tvlv_tt_change *)(tt_vlan + num_vlan); > > + tt_change = (struct batadv_tvlv_tt_change *)((void *)tt_data > + + flex_size); > > is intended to prevent the compiler from generating an "out-of-bounds" > notification due to the __counted_by attribute. The compiler can do a > pointer calculation using the vlan_data flexible array memory, or in > other words, this may be calculated as an array offset, since it is the > same as: > > &tt_data->vlan_data[num_vlan] > > Therefore, we go past the end of the array. In other "multiple trailing > flexible array" situations, this has been solved by addressing from the > base pointer, since the compiler either knows the full allocation size > or it knows nothing about it (this case, since it came from a "void *" > function argument). > > The order in which the structure batadv_tvlv_tt_data and the structure > batadv_tvlv_tt_vlan_data are defined must be swap to avoid an incomplete > type error. > > Also, avoid the open-coded arithmetic in memory allocator functions [2] > using the "struct_size" macro and use the "flex_array_size" helper to > clarify some calculations, when possible. > > Moreover, the new structure member also allow us to avoid the open-coded > arithmetic on pointers in some situations. Take advantage of this. > > This code was detected with the help of Coccinelle, and audited and > modified manually. > > Link: https://www.kernel.org/doc/html/next/process/deprecated.html#zero-length-and-one-element-arrays [1] > Link: https://www.kernel.org/doc/html/next/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [2] > Signed-off-by: Erick Archer Thanks for the tweak! Reviewed-by: Kees Cook -- Kees Cook