2022-05-04 02:41:26

by Kees Cook

Subject: [PATCH 25/32] Drivers: hv: utils: Use mem_to_flex_dup() with struct cn_msg

As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.

Cc: "K. Y. Srinivasan" <[email protected]>
Cc: Haiyang Zhang <[email protected]>
Cc: Stephen Hemminger <[email protected]>
Cc: Wei Liu <[email protected]>
Cc: Dexuan Cui <[email protected]>
Cc: [email protected]
Signed-off-by: Kees Cook <[email protected]>
---
drivers/hv/hv_utils_transport.c | 7 ++-----
include/uapi/linux/connector.h | 4 ++--
2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/drivers/hv/hv_utils_transport.c b/drivers/hv/hv_utils_transport.c
index 832885198643..43b4f8893cc0 100644
--- a/drivers/hv/hv_utils_transport.c
+++ b/drivers/hv/hv_utils_transport.c
@@ -217,20 +217,17 @@ static void hvt_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp)
int hvutil_transport_send(struct hvutil_transport *hvt, void *msg, int len,
void (*on_read_cb)(void))
{
- struct cn_msg *cn_msg;
+ struct cn_msg *cn_msg = NULL;
int ret = 0;

if (hvt->mode == HVUTIL_TRANSPORT_INIT ||
hvt->mode == HVUTIL_TRANSPORT_DESTROY) {
return -EINVAL;
} else if (hvt->mode == HVUTIL_TRANSPORT_NETLINK) {
- cn_msg = kzalloc(sizeof(*cn_msg) + len, GFP_ATOMIC);
- if (!cn_msg)
+ if (mem_to_flex_dup(&cn_msg, msg, len, GFP_ATOMIC))
return -ENOMEM;
cn_msg->id.idx = hvt->cn_id.idx;
cn_msg->id.val = hvt->cn_id.val;
- cn_msg->len = len;
- memcpy(cn_msg->data, msg, len);
ret = cn_netlink_send(cn_msg, 0, 0, GFP_ATOMIC);
kfree(cn_msg);
/*
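Review bot: Every failure of `mem_to_flex_dup()` in the NETLINK branch is reported as -ENOMEM, although `len` is a signed `int` from the caller and the counter it has to fit is the `__u16 len` member of struct cn_msg. If the helper returns a distinct code for a negative or oversized length (its definition is not part of this patch), that distinction is lost; consider `ret = mem_to_flex_dup(&cn_msg, msg, len, GFP_ATOMIC);` followed by `if (ret) return ret;`. The removed code stored `len` into the 16-bit field without a range check while allocating and copying the full length, so the bounds check presumably introduces a new failure path for payloads above 65535 bytes, and a short comment at the call saying so would help the next reader. The body of hvutil_transport_send() continues past the end of the hunk.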
diff --git a/include/uapi/linux/connector.h b/include/uapi/linux/connector.h
index 3738936149a2..b85bbe753dae 100644
--- a/include/uapi/linux/connector.h
+++ b/include/uapi/linux/connector.h
@@ -73,9 +73,9 @@ struct cn_msg {
__u32 seq;
__u32 ack;

- __u16 len; /* Length of the following data */
+ __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u16, len);
__u16 flags;
- __u8 data[0];
+ __DECLARE_FLEX_ARRAY_ELEMENTS(__u8, data);
};

#endif /* _UAPI__CONNECTOR_H */
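Review bot: The line replacing `__u16 len` drops the `/* Length of the following data */` comment, which was the only statement in the struct of how `len` relates to `data`; keep it on the new line, e.g. `__DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u16, len); /* Length of the following data */`. Because this is a uapi header, both `__DECLARE_FLEX_ARRAY_ELEMENTS*` macros must also expand in userspace builds, and the hunk adds no include for them, so it is worth confirming they are defined in a header that is exported to userspace and already reachable from connector.h. The struct definition begins above the hunk.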
--
2.32.0