Received: by 2002:ab2:68c1:0:b0:1fd:9a81:d0e4 with SMTP id e1csp70951lqp; Sat, 8 Jun 2024 06:41:57 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCV8TdddcwmVXJFeJyTZtQ4SmjnOidPFWbaNycCUowzED/JGHZ2blOG1FPkP301UN4+pWf2o5fcml3nSWrmUG5Tq8/F1abyxNcWJZ1G5Mg== X-Google-Smtp-Source: AGHT+IFGW5TnbkO8KQniSu+p1RcqollDGAtQRMzmT7oQvGQrq5TC64EainMwslZfrStet8D2ENeN X-Received: by 2002:a05:6e02:1a8a:b0:375:9c7e:d04 with SMTP id e9e14a558f8ab-3759c7e1044mr3767155ab.10.1717854117614; Sat, 08 Jun 2024 06:41:57 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717854117; cv=pass; d=google.com; s=arc-20160816; b=dlwc4trooSViZTfy5guhtZwt1rsTjFbsI4OyhCasIMaEHch9OIXAcI4NqHMK4b3CkQ Jdm2T6jznmvR6V9n9qrnOcimW4wZgCrB76xgKDxAfqiExhvGwCn4mP9ZJtftBFF8LBk9 O2HCtDsCrmuev+g4Tfn2DBzS0kVXoYxeoQFvIXyQKdqRX3NSTNW+sNOkFwvt+sKJHz+Q spWd18NEhum3IpAOwFjm+KkWDkYWLEeJUUFeXe5ToogKUat/fuCOU7lgNgqHi7ZbQW/5 cW3d/bzVhKzaSBEMQDR7svyAfJ8PemRMP6/758YxQ8Vg6oXoxO4GPR8OJc1LakPtBM63 thKg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:list-unsubscribe:list-subscribe:list-id:precedence :user-agent:content-transfer-encoding:references:in-reply-to:date:cc :to:from:subject:message-id:dkim-signature; bh=L9TZwEiZq4/w+GASrcJQnBC+sOrmrhv/4YOSYxoGQSk=; fh=YhDFggHxOCzHNWZ1Vr8uKdb6B2k1GlCgCY9t9Zf7SSc=; b=QmAy3QZ8GQnhTai9svxGR+trzAEdrB69/n6GQXo1LYz/sNcugNy2u/7gOk+Au9CShA dBY145snIzfYVo9496tV+Hzt/5y5USuWasRtcTvfyXRtK9fOPcemjztO6IArVjFIRifm R29XKlH80uynD8QqRF/6mBVh6jEl3sMMn5tYtUer+XehDX6VNcpLdbi/hC2UO/NpKigw zyiFVsrVM9v9H2Q1PTU0k4TtKlNluoO5SD+yzTtkGSmCkf3a4z4ydlcuA/32EQNFBZ72 lAMT6Z5K7CdXvxHCWWXtWUgfk/KU2o/eBKjEs4IiYPOkTTCEmRxECUTngyYIWFPwlpIb miHw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=LhnDXmnS; arc=pass (i=1 dkim=pass dkdomain=intel.com dmarc=pass fromdomain=linux.intel.com); spf=pass (google.com: domain of linux-kernel+bounces-206953-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-206953-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id 41be03b00d2f7-6e3e3ca1b1csi2570855a12.681.2024.06.08.06.41.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 08 Jun 2024 06:41:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-206953-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=LhnDXmnS; arc=pass (i=1 dkim=pass dkdomain=intel.com dmarc=pass fromdomain=linux.intel.com); spf=pass (google.com: domain of linux-kernel+bounces-206953-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-206953-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 5CFF0B21CB8 for ; Sat, 8 Jun 2024 08:43:16 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 0EF12176FB2; Sat, 8 Jun 2024 08:43:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="LhnDXmnS" Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B7BEDE556; Sat, 8 Jun 2024 08:43:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.175.65.16 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717836185; cv=none; b=pjXR8VS2DiOW7B7YwUoY5ONwpwvH1sbN9rYTDTxmm+E6GjwQISENzjM34+SwYfhxtVl17E+PtNE3x/ITnzi4OPvfTJKlAd6OfWwxY8OgVbM7iy4553zCdlhIdm0JRAjHqFu2t1JvsaX79DKtPfXzDdviUAaTnpFoyLpUpq2SED8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717836185; c=relaxed/simple; bh=EqCVKZDIk6FDyFGl5sxCLIWYXrYbLWcXG0JefBSgnk8=; h=Message-ID:Subject:From:To:Cc:Date:In-Reply-To:References: Content-Type:MIME-Version; b=Sx/fWI73UZB/Dr/j6N+lMWuwpZ8cGyuBNTHpMtan/0ArKHRIaMXxZGKh13hUe5wx9Iti6GKrxzO4V6N8/ob+TEdN+2Dn2Wo2YzB4ovSh2dEEq/9wEzeXTnTkZt5snA1nnFLgojV2C+3mK51jPTsED7MWNn2Eybw4auVaK4unTUk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=none smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=LhnDXmnS; arc=none smtp.client-ip=198.175.65.16 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=linux.intel.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1717836183; x=1749372183; h=message-id:subject:from:to:cc:date:in-reply-to: references:content-transfer-encoding:mime-version; bh=EqCVKZDIk6FDyFGl5sxCLIWYXrYbLWcXG0JefBSgnk8=; b=LhnDXmnSXMDpEj6pf7OdpnYxewxQCiEDqppdoQkmXQ1KoS/xlKAWalIx yI+lp3xzXNvZHbZR4R6zMe4FVTGmbpHkAwU097UEIL4nN6TU1VJHAbtem jYjP+baENcB8q3p+NefvsLLyNL4w6bYnxvzX1VL26Rn3colj7h4bUwg8s Oc3E+7wlDEG4XF5YyUm1KrBiZLDUN5SqMZALF7aBAS2/87TqIbSw1qsbf 0/x8JrJtZ2HXHN+iF5ELnIB8WtON515fHXjFfWNlZnvMulJRKvlCmnpX3 JcAmxoqytIIAVkpg+YVaazqzbXbDVhsY+qfvHtl9TVAxIvECLqZrp3Ax6 w==; X-CSE-ConnectionGUID: Z1VOb1tHQfivRMycVuWIDg== X-CSE-MsgGUID: l4sp/v17Rt2yEoAAjPMXOw== X-IronPort-AV: E=McAfee;i="6600,9927,11096"; a="14697122" X-IronPort-AV: E=Sophos;i="6.08,222,1712646000"; d="scan'208";a="14697122" Received: from orviesa006.jf.intel.com ([10.64.159.146]) by orvoesa108.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 08 Jun 2024 01:43:02 -0700 X-CSE-ConnectionGUID: FMBw9gggSNGLnjklFIzBgQ== X-CSE-MsgGUID: C2qGwC5mRUKbW94NtTsHBA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.08,222,1712646000"; d="scan'208";a="38993968" Received: from anmitta2-mobl3.gar.corp.intel.com ([10.247.118.37]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 08 Jun 2024 01:42:59 -0700 Message-ID: <80976997acb82fe3e6ba54fa2708c8f40fb3eb00.camel@linux.intel.com> Subject: Re: [RFC] HID: ishtp-hid-client: replace fake-flex arrays with flex-array members From: srinivas pandruvada To: Erick Archer , Jiri Kosina , Benjamin Tissoires , Justin Stitt , Kees Cook , "Gustavo A. R. Silva" Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Date: Sat, 08 Jun 2024 01:42:54 -0700 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.50.0-1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 On Sun, 2024-05-26 at 15:32 +0200, Erick Archer wrote: > One-element arrays as fake flex arrays are deprecated [1] and we are > moving towards adopting C99 flexible-array members, instead. This > case > also has more complexity because it is a flexible array of flexible > arrays and this patch needs to be ready to enable the new compiler > flag > -Wflex-array-member-not-at-end (coming in GCC-14) globally. >=20 > So, define a new struct type for the single reports: >=20 > struct report { > uint16_t size; > struct hostif_msg_hdr msg; > } __packed; >=20 > but without the payload (flex array) in it. And add this payload to > the > "hostif_msg" structure. This way, in the "report_list" structure we > can > declare a flex array of single reports which now do not contain > another > flex array. >=20 > struct report_list { > [...] > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 struct report reports[]; > } __packed; >=20 > Also, use "container_of()" whenever we need to retrieve a pointer to > the flexible structure, through which we can access the flexible > array > if needed. >=20 > Moreover, refactor the code accordingly to use the new structures and > take advantage of this avoiding some pointer arithmetic and using the > "struct_size" helper when possible. >=20 > This way, the code is more readable and safer. Applied and tested, atleast didn't break anything. But the explanation above didn't give me enough clue. You have added a payload[] in the struct hostif_msg {} then using that as a message pointer following the header. I think this description needs to be better. Thanks, Srinivas >=20 > Link: > https://www.kernel.org/doc/html/next/process/deprecated.html#zero-length-= and-one-element-arrays > =C2=A0[1] > Closes: https://github.com/KSPP/linux/issues/333 > Signed-off-by: Erick Archer > --- > Hi, >=20 > The idea behind this patch is extracted from the ones sent by Gustavo > A. R. Silva [1] but without the use of "struct_group_tagged()" helper > to separate the flexible array from the rest of the members in the > flexible structures. >=20 > Regarding adding the "__counted_by" attribute to the flexible arrays, > I can say that I have not dared. The reasons are: >=20 > 1.- In both arrays there are a no direct assignment to the counter > =C2=A0=C2=A0=C2=A0 member. Only exists a cast from a raw stream of bytes = to a > pointer > =C2=A0=C2=A0=C2=A0 of a structure and this way the counter member has the= value. >=20 > 2.- The outer flexible array (in the struct report_list) has elements > =C2=A0=C2=A0=C2=A0 of different size. I believe that every report can hav= e a > different > =C2=A0=C2=A0=C2=A0 size, so I think the "__counted_by" will not work as e= xpected. >=20 > Comments are welcome ;) >=20 > Regards, > Erick >=20 > [1] Here are some patches that use the same idea: > Link: > https://lore.kernel.org/linux-hardening/cover.1709658886.git.gustavoars@k= ernel.org/ > Link: https://lore.kernel.org/linux-hardening/ZgYWlkxdrrieDYIu@neat/ > Link: https://lore.kernel.org/linux-hardening/ZgG8bbEzhmX5nGRE@neat/ > --- > =C2=A0drivers/hid/intel-ish-hid/ishtp-hid-client.c | 27 ++++++++++-------= - > -- > =C2=A0drivers/hid/intel-ish-hid/ishtp-hid.h=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 | 11 +++++--- > =C2=A02 files changed, 20 insertions(+), 18 deletions(-) >=20 > diff --git a/drivers/hid/intel-ish-hid/ishtp-hid-client.c > b/drivers/hid/intel-ish-hid/ishtp-hid-client.c > index fbd4f8ea1951..c0c8f4d7b0e3 100644 > --- a/drivers/hid/intel-ish-hid/ishtp-hid-client.c > +++ b/drivers/hid/intel-ish-hid/ishtp-hid-client.c > @@ -70,10 +70,10 @@ static void process_recv(struct ishtp_cl > *hid_ishtp_cl, void *recv_buf, > =C2=A0 unsigned char *payload; > =C2=A0 struct device_info *dev_info; > =C2=A0 int i, j; > - size_t payload_len, total_len, cur_pos, raw_len; > + size_t payload_len, total_len, cur_pos, raw_len, msg_len; > =C2=A0 int report_type; > =C2=A0 struct report_list *reports_list; > - char *reports; > + struct report *report; > =C2=A0 size_t report_len; > =C2=A0 struct ishtp_cl_data *client_data =3D > ishtp_get_client_data(hid_ishtp_cl); > =C2=A0 int curr_hid_dev =3D client_data->cur_hid_dev; > @@ -99,7 +99,7 @@ static void process_recv(struct ishtp_cl > *hid_ishtp_cl, void *recv_buf, > =C2=A0 payload_len =3D recv_msg->hdr.size; > =C2=A0 > =C2=A0 /* Sanity checks */ > - if (cur_pos + payload_len + sizeof(struct > hostif_msg) > > + if (cur_pos + struct_size(recv_msg, payload, > payload_len) > > =C2=A0 total_len) { > =C2=A0 ++client_data->bad_recv_cnt; > =C2=A0 report_bad_packet(hid_ishtp_cl, recv_msg, > cur_pos, > @@ -280,14 +280,13 @@ static void process_recv(struct ishtp_cl > *hid_ishtp_cl, void *recv_buf, > =C2=A0 case HOSTIF_PUBLISH_INPUT_REPORT_LIST: > =C2=A0 report_type =3D HID_INPUT_REPORT; > =C2=A0 reports_list =3D (struct report_list > *)payload; > - reports =3D (char *)reports_list->reports; > + report =3D reports_list->reports; > =C2=A0 > =C2=A0 for (j =3D 0; j < reports_list- > >num_of_reports; j++) { > - recv_msg =3D (struct hostif_msg > *)(reports + > - sizeof(uint16_t)); > - report_len =3D *(uint16_t *)reports; > - payload =3D reports + sizeof(uint16_t) > + > - sizeof(struct > hostif_msg_hdr); > + recv_msg =3D container_of(&report- > >msg, > + struct > hostif_msg, hdr); > + report_len =3D report->size; > + payload =3D recv_msg->payload; > =C2=A0 payload_len =3D report_len - > =C2=A0 sizeof(struct > hostif_msg_hdr); > =C2=A0 > @@ -304,7 +303,7 @@ static void process_recv(struct ishtp_cl > *hid_ishtp_cl, void *recv_buf, > =C2=A0 0); > =C2=A0 } > =C2=A0 > - reports +=3D sizeof(uint16_t) + > report_len; > + report +=3D sizeof(*report) + > payload_len; > =C2=A0 } > =C2=A0 break; > =C2=A0 default: > @@ -316,12 +315,12 @@ static void process_recv(struct ishtp_cl > *hid_ishtp_cl, void *recv_buf, > =C2=A0 > =C2=A0 } > =C2=A0 > - if (!cur_pos && cur_pos + payload_len + > - sizeof(struct hostif_msg) < > total_len) > + msg_len =3D struct_size(recv_msg, payload, > payload_len); > + if (!cur_pos && cur_pos + msg_len < total_len) > =C2=A0 ++client_data->multi_packet_cnt; > =C2=A0 > - cur_pos +=3D payload_len + sizeof(struct hostif_msg); > - payload +=3D payload_len + sizeof(struct hostif_msg); > + cur_pos +=3D msg_len; > + payload +=3D msg_len; > =C2=A0 > =C2=A0 } while (cur_pos < total_len); > =C2=A0} > diff --git a/drivers/hid/intel-ish-hid/ishtp-hid.h > b/drivers/hid/intel-ish-hid/ishtp-hid.h > index 35dddc5015b3..2bc19e8ba13e 100644 > --- a/drivers/hid/intel-ish-hid/ishtp-hid.h > +++ b/drivers/hid/intel-ish-hid/ishtp-hid.h > @@ -31,6 +31,7 @@ struct hostif_msg_hdr { > =C2=A0 > =C2=A0struct hostif_msg { > =C2=A0 struct hostif_msg_hdr hdr; > + uint8_t payload[]; > =C2=A0} __packed; > =C2=A0 > =C2=A0struct hostif_msg_to_sensor { > @@ -52,15 +53,17 @@ struct ishtp_version { > =C2=A0 uint16_t build; > =C2=A0} __packed; > =C2=A0 > +struct report { > + uint16_t size; > + struct hostif_msg_hdr msg; > +} __packed; > + > =C2=A0/* struct for ISHTP aggregated input data */ > =C2=A0struct report_list { > =C2=A0 uint16_t total_size; > =C2=A0 uint8_t num_of_reports; > =C2=A0 uint8_t flags; > - struct { > - uint16_t size_of_report; > - uint8_t report[1]; > - } __packed reports[1]; > + struct report reports[]; > =C2=A0} __packed; > =C2=A0 > =C2=A0/* HOSTIF commands */