Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp897551iob; Wed, 4 May 2022 10:09:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzG50F0dALPSYngZqP0RCqlPnhgQ8JcyluwgDSqxNZnaah87Ygl3OuyiqIE7FBX26EWneQe X-Received: by 2002:a17:907:868e:b0:6f4:2c01:fe5c with SMTP id qa14-20020a170907868e00b006f42c01fe5cmr17793470ejc.360.1651684198823; Wed, 04 May 2022 10:09:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1651684198; cv=none; d=google.com; s=arc-20160816; b=lyW7s/YygO2wOBVru7hDFBhxl1N0uW8Hu6LZZCE0RSRVc3nAcL37Q3qWq0e/JM9lSQ z6fD7LUKpVvTZ5yOt02rjXiKJQD3QLKYZ4DdnjyGbbr6esNbt8zY5Ueytnxon5qoO/6g V9DzSxuoVtzEFRnpw7QkD5BH6ywSKzdZKoDnO4lfSDyVojWqG6ymWfGd/ltdcC3eECP5 AfylNTIdBQRXnNLTUzYLYxvrMVWxWtU58Dgjlr5im3hLVmY7eYg0DNmh1JslKxR3iRL4 Dn/5TTmWkCOTYGHOdaVowEuJFq/0Cz52ZnEscaya6+endNYxvCjMSa8XCyC6iKm4rgze FW6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=KqAJb/V6gfBBDG6bSPIb4vESmdq1P/sKe2F177CTgUM=; b=M07/M1+9nyr5tDjAFcyAzShq6HFZSNJnBmtcy1MXqostMMik7z3MRL24xZMIc0j8Ko CMjOv79xdjLpzUrIwuGwRJpT0VeQCZiBIXnmpSw1RLEvIZJ0z+oDKb5BQ2TBqeKoqKx5 m0/SgFIMz5ZtMXV1+iIajRnSRRIX/5m8omq8zVIZolOFRSySgvIWz4X7fL/th5GShIK+ 5wpnsa8YkDHoC//dHGbvKtfKfHO+IeH503a5Bj1FmTk33k9xUyl3edxOT9Ej8cMPeyOm s4ervk4I50b04zXsqpQL6P4xH7s29rHRqXOLpVhr5Z0T5UQ8bd95llkJpepGQ+OspyTU ufkg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=fQrMYNAI; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s14-20020a508d0e000000b0041d7932031bsi16388485eds.59.2022.05.04.10.09.32; Wed, 04 May 2022 10:09:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=fQrMYNAI; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1352587AbiEDPnl (ORCPT + 99 others); Wed, 4 May 2022 11:43:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36442 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1352591AbiEDPlz (ORCPT ); Wed, 4 May 2022 11:41:55 -0400 Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BAE5018E23 for ; Wed, 4 May 2022 08:38:16 -0700 (PDT) Received: by mail-pf1-x432.google.com with SMTP id v11so1428536pff.6 for ; Wed, 04 May 2022 08:38:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=KqAJb/V6gfBBDG6bSPIb4vESmdq1P/sKe2F177CTgUM=; b=fQrMYNAIqMyggez1Cxk6MO5ffmDcMsHa95ZyVgeB+XLocHYSpcdXLdDMIvfhtVHebJ c6KLuD9O1zHpfXOArUQ9i6OPKZN0wLEdS36xK8UGnJ7GhAZoY1ZaUI/INEIjt/aYGDme 7yPqIKR/2ePc228VdQYx3R6Gd7ox0JMkE5pTk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=KqAJb/V6gfBBDG6bSPIb4vESmdq1P/sKe2F177CTgUM=; b=6Am0cnVS+KxjCQZ5uDLE3bz/Lw4kIS6ceQ/ilCcpr2yAb+ddaTJFeYc/RWfzwZoiFr BJ1MFyzHLbzJKcMC0oY5zwU0BT/1cQvJXK1Jhc3FSyhmIaKvg2rwphZbmyNe5dQMs0HL 20IwmwuRdGtP7EWJfvIFbT556nVVRcU4mKAS/arDCP6MSrut2DcOCHOVu36Tg/vQoyKr othqWENbLIjdIv+RTUZ1AHPqufGTqep++tg16J7Lw2BdqA7fa+YYmswafCZf30zNCYrW vs0AE2dDZUlnBfh+Qp9w6xmaoF6KzrNtnsVNVUXheAprBsE/F2mJV1GIx38TjpjMHICr ke4w== X-Gm-Message-State: AOAM532eqHecMCorwObpfRBubC8GdQYRhjz0i/4I00zozkqXIqUx7a2P 9XNPyuBOVjCB8+xzfHR7o73mFg== X-Received: by 2002:a63:6b82:0:b0:39d:a6ce:14dc with SMTP id g124-20020a636b82000000b0039da6ce14dcmr8170661pgc.476.1651678695154; Wed, 04 May 2022 08:38:15 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id t4-20020a170902bc4400b0015e8d4eb1f9sm8430240plz.67.2022.05.04.08.38.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 May 2022 08:38:14 -0700 (PDT) Date: Wed, 4 May 2022 08:38:13 -0700 From: Kees Cook To: Johannes Berg Cc: "Gustavo A . R . Silva" , Keith Packard , Francis Laniel , Daniel Axtens , Dan Williams , Vincenzo Frascino , Guenter Roeck , Daniel Vetter , Tadeusz Struk , Alexei Starovoitov , alsa-devel@alsa-project.org, Al Viro , Andrew Gabbasov , Andrew Morton , Andy Gross , Andy Lavr , Arend van Spriel , Baowen Zheng , Bjorn Andersson , Boris Ostrovsky , Bradley Grove , brcm80211-dev-list.pdl@broadcom.com, Christian Brauner , Christian =?iso-8859-1?Q?G=F6ttsche?= , Christian Lamparter , Chris Zankel , Cong Wang , David Gow , David Howells , "David S. Miller" , Dennis Dalessandro , devicetree@vger.kernel.org, Dexuan Cui , Dmitry Kasatkin , Eli Cohen , Eric Dumazet , Eric Paris , Eugeniu Rosca , Felipe Balbi , Frank Rowand , Franky Lin , Greg Kroah-Hartman , Gregory Greenman , Haiyang Zhang , Hante Meuleman , Herbert Xu , Hulk Robot , Jakub Kicinski , "James E.J. Bottomley" , James Morris , Jarkko Sakkinen , Jaroslav Kysela , Jason Gunthorpe , Jens Axboe , Johan Hedberg , John Keeping , Juergen Gross , Kalle Valo , keyrings@vger.kernel.org, kunit-dev@googlegroups.com, Kuniyuki Iwashima , "K. Y. Srinivasan" , Lars-Peter Clausen , Lee Jones , Leon Romanovsky , Liam Girdwood , linux1394-devel@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-integrity@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-xtensa@linux-xtensa.org, llvm@lists.linux.dev, Loic Poulain , Louis Peens , Luca Coelho , Luiz Augusto von Dentz , Marc Dionne , Marcel Holtmann , Mark Brown , "Martin K. Petersen" , Max Filippov , Mimi Zohar , Muchun Song , Nathan Chancellor , netdev@vger.kernel.org, Nick Desaulniers , Nuno =?iso-8859-1?Q?S=E1?= , Paolo Abeni , Paul Moore , Rich Felker , Rob Herring , Russell King , selinux@vger.kernel.org, "Serge E. Hallyn" , SHA-cyfmac-dev-list@infineon.com, Simon Horman , Stefano Stabellini , Stefan Richter , Steffen Klassert , Stephen Hemminger , Stephen Smalley , Takashi Iwai , Tom Rix , Udipto Goswami , wcn36xx@lists.infradead.org, Wei Liu , xen-devel@lists.xenproject.org, Xiu Jianfeng , Yang Yingliang Subject: Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers Message-ID: <202205040819.DEA70BD@keescook> References: <20220504014440.3697851-1-keescook@chromium.org> <20220504014440.3697851-3-keescook@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org On Wed, May 04, 2022 at 09:25:56AM +0200, Johannes Berg wrote: > On Tue, 2022-05-03 at 18:44 -0700, Kees Cook wrote: > > > > For example, using the most complicated helper, mem_to_flex_dup(): > > > > /* Flexible array struct with members identified. */ > > struct something { > > int mode; > > DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, how_many); > > unsigned long flags; > > DECLARE_FLEX_ARRAY_ELEMENTS(u32, value); > > In many cases, the order of the elements doesn't really matter, so maybe > it'd be nicer to be able to write it as something like > > DECLARE_FLEX_STRUCT(something, > int mode; > unsigned long flags; > , > int, how_many, > u32, value); > > perhaps? OK, that doesn't seem so nice either. > > Maybe > > struct something { > int mode; > unsigned long flags; > FLEX_ARRAY( > int, how_many, > u32, value > ); > }; Yeah, I mention some of my exploration of this idea in the sibling reply: https://lore.kernel.org/linux-hardening/202205040730.161645EC@keescook/#t It seemed like requiring a structure be rearranged to take advantage of the "automatic layout introspection" wasn't very friendly. On the other hand, looking at the examples, most of them are already neighboring members. Hmmm. > or so? The long and duplicated DECLARE_FLEX_ARRAY_ELEMENTS_COUNT and > DECLARE_FLEX_ARRAY_ELEMENTS seems a bit tedious to me, at least in cases > where the struct layout is not the most important thing (or it's already > at the end anyway). The names aren't great, but I wanted to distinguish "elements" as the array not the count. Yay naming. However, perhaps the solution is to have _both_. i.e using BOUNDED_FLEX_ARRAY(count_type, count_name, array_type, array_name) for the "neighboring" case, and the DECLARE...{ELEMENTS,COUNT} for the "split" case. And DECLARE_FLEX_ARRAY_ELEMENTS could actually be expanded to include the count_name too, so both methods could be "forward portable" to a future where C grew the syntax for bounded flex arrays. > > > struct something *instance = NULL; > > int rc; > > > > rc = mem_to_flex_dup(&instance, byte_array, count, GFP_KERNEL); > > if (rc) > > return rc; > > This seems rather awkward, having to set it to NULL, then checking rc > (and possibly needing a separate variable for it), etc. I think the errno return is completely required. I had an earlier version of this that was much more like a drop-in replacement for memcpy that would just truncate or panic, and when I had it all together, I could just imagine hearing Linus telling me to start over because it was unsafe (truncation may be just as bad as overflow) and disruptive ("never BUG"), and that it should be recoverable. So, I rewrote it all to return a __must_check errno. Requiring instance to be NULL is debatable, but I feel pretty strongly about it because it does handle a class of mistakes (resource leaks), and it's not much of a burden to require a known-good starting state. > But I can understand how you arrived at this: > - need to pass instance or &instance or such for typeof() > or offsetof() or such Right. > - instance = mem_to_flex_dup(instance, ...) > looks too much like it would actually dup 'instance', rather than > 'byte_array' And I need an errno output to keep imaginary Linus happy. :) > - if you pass &instance anyway, checking for NULL is simple and adds a > bit of safety Right. > but still, honestly, I don't like it. As APIs go, it feels a bit > cumbersome and awkward to use, and you really need everyone to use this, > and not say "uh what, I'll memcpy() instead". Sure, and I have tried to get it down as small as possible. The earlier "just put all the member names in every call" version was horrid. :P I realize it's more work to check errno, but the memcpy() API we've all been trained to use is just plain dangerous. I don't think it's unreasonable to ask people to retrain themselves to avoid it. All that said, yes, I want it to be as friendly as possible. > Maybe there should also be a realloc() version of it? Sure! Seems reasonable. I'd like to see the code pattern for this though. Do you have any examples? Most of what I'd been able to find for the fragile memcpy() usage was just basic serialize/deserialize or direct copying. > > +/** __fas_bytes - Calculate potential size of flexible array structure > > I think you forgot "\n *" in many cases here after "/**". Oops! Yes, thank you. I'll fix these. -Kees -- Kees Cook