[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 25/32] Drivers: hv: utils: Use mem_to_flex_dup() with struct cn_msg

To: "Gustavo A . R . Silva" <gustavoars@xxxxxxxxxx>
From: Kees Cook <keescook@xxxxxxxxxxxx>
Date: Tue, 3 May 2022 18:44:34 -0700
Cc: Kees Cook <keescook@xxxxxxxxxxxx>, "K. Y. Srinivasan" <kys@xxxxxxxxxxxxx>, Haiyang Zhang <haiyangz@xxxxxxxxxxxxx>, Stephen Hemminger <sthemmin@xxxxxxxxxxxxx>, Wei Liu <wei.liu@xxxxxxxxxx>, Dexuan Cui <decui@xxxxxxxxxxxxx>, linux-hyperv@xxxxxxxxxxxxxxx, Alexei Starovoitov <ast@xxxxxxxxxx>, alsa-devel@xxxxxxxxxxxxxxxx, Al Viro <viro@xxxxxxxxxxxxxxxxxx>, Andrew Gabbasov <andrew_gabbasov@xxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, Andy Gross <agross@xxxxxxxxxx>, Andy Lavr <andy.lavr@xxxxxxxxx>, Arend van Spriel <aspriel@xxxxxxxxx>, Baowen Zheng <baowen.zheng@xxxxxxxxxxxx>, Bjorn Andersson <bjorn.andersson@xxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Bradley Grove <linuxdrivers@xxxxxxxxxxxx>, brcm80211-dev-list.pdl@xxxxxxxxxxxx, Christian Brauner <brauner@xxxxxxxxxx>, Christian Göttsche <cgzones@xxxxxxxxxxxxxx>, Christian Lamparter <chunkeey@xxxxxxxxxxxxxx>, Chris Zankel <chris@xxxxxxxxxx>, Cong Wang <cong.wang@xxxxxxxxxxxxx>, Daniel Axtens <dja@xxxxxxxxxx>, Daniel Vetter <daniel.vetter@xxxxxxxx>, Dan Williams <dan.j.williams@xxxxxxxxx>, David Gow <davidgow@xxxxxxxxxx>, David Howells <dhowells@xxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, Dennis Dalessandro <dennis.dalessandro@xxxxxxxxxxxxxxxxxxxx>, devicetree@xxxxxxxxxxxxxxx, Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxx>, Eli Cohen <elic@xxxxxxxxxx>, Eric Dumazet <edumazet@xxxxxxxxxx>, Eric Paris <eparis@xxxxxxxxxxxxxx>, Eugeniu Rosca <erosca@xxxxxxxxxxxxxx>, Felipe Balbi <balbi@xxxxxxxxxx>, Francis Laniel <laniel_francis@xxxxxxxxxxxxxxxxxxx>, Frank Rowand <frowand.list@xxxxxxxxx>, Franky Lin <franky.lin@xxxxxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Gregory Greenman <gregory.greenman@xxxxxxxxx>, Guenter Roeck <linux@xxxxxxxxxxxx>, Hante Meuleman <hante.meuleman@xxxxxxxxxxxx>, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>, Hulk Robot <hulkci@xxxxxxxxxx>, Jakub Kicinski <kuba@xxxxxxxxxx>, "James E.J. Bottomley" <jejb@xxxxxxxxxxxxx>, James Morris <jmorris@xxxxxxxxx>, Jarkko Sakkinen <jarkko@xxxxxxxxxx>, Jaroslav Kysela <perex@xxxxxxxx>, Jason Gunthorpe <jgg@xxxxxxxx>, Jens Axboe <axboe@xxxxxxxxx>, Johan Hedberg <johan.hedberg@xxxxxxxxx>, Johannes Berg <johannes.berg@xxxxxxxxx>, Johannes Berg <johannes@xxxxxxxxxxxxxxxx>, John Keeping <john@xxxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Kalle Valo <kvalo@xxxxxxxxxx>, Keith Packard <keithp@xxxxxxxxxx>, keyrings@xxxxxxxxxxxxxxx, kunit-dev@xxxxxxxxxxxxxxxx, Kuniyuki Iwashima <kuniyu@xxxxxxxxxxxx>, Lars-Peter Clausen <lars@xxxxxxxxxx>, Lee Jones <lee.jones@xxxxxxxxxx>, Leon Romanovsky <leon@xxxxxxxxxx>, Liam Girdwood <lgirdwood@xxxxxxxxx>, linux1394-devel@xxxxxxxxxxxxxxxxxxxxx, linux-afs@xxxxxxxxxxxxxxxxxxx, linux-arm-kernel@xxxxxxxxxxxxxxxxxxx, linux-arm-msm@xxxxxxxxxxxxxxx, linux-bluetooth@xxxxxxxxxxxxxxx, linux-hardening@xxxxxxxxxxxxxxx, linux-integrity@xxxxxxxxxxxxxxx, linux-rdma@xxxxxxxxxxxxxxx, linux-scsi@xxxxxxxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, linux-usb@xxxxxxxxxxxxxxx, linux-wireless@xxxxxxxxxxxxxxx, linux-xtensa@xxxxxxxxxxxxxxxx, llvm@xxxxxxxxxxxxxxx, Loic Poulain <loic.poulain@xxxxxxxxxx>, Louis Peens <louis.peens@xxxxxxxxxxxx>, Luca Coelho <luciano.coelho@xxxxxxxxx>, Luiz Augusto von Dentz <luiz.dentz@xxxxxxxxx>, Marc Dionne <marc.dionne@xxxxxxxxxxxx>, Marcel Holtmann <marcel@xxxxxxxxxxxx>, Mark Brown <broonie@xxxxxxxxxx>, "Martin K. Petersen" <martin.petersen@xxxxxxxxxx>, Max Filippov <jcmvbkbc@xxxxxxxxx>, Mimi Zohar <zohar@xxxxxxxxxxxxx>, Muchun Song <songmuchun@xxxxxxxxxxxxx>, Nathan Chancellor <nathan@xxxxxxxxxx>, netdev@xxxxxxxxxxxxxxx, Nick Desaulniers <ndesaulniers@xxxxxxxxxx>, Nuno Sá <nuno.sa@xxxxxxxxxx>, Paolo Abeni <pabeni@xxxxxxxxxx>, Paul Moore <paul@xxxxxxxxxxxxxx>, Rich Felker <dalias@xxxxxxxxxx>, Rob Herring <robh+dt@xxxxxxxxxx>, Russell King <linux@xxxxxxxxxxxxxxx>, selinux@xxxxxxxxxxxxxxx, "Serge E. Hallyn" <serge@xxxxxxxxxx>, SHA-cyfmac-dev-list@xxxxxxxxxxxx, Simon Horman <simon.horman@xxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Stefan Richter <stefanr@xxxxxxxxxxxxxxxxx>, Steffen Klassert <steffen.klassert@xxxxxxxxxxx>, Stephen Smalley <stephen.smalley.work@xxxxxxxxx>, Tadeusz Struk <tadeusz.struk@xxxxxxxxxx>, Takashi Iwai <tiwai@xxxxxxxx>, Tom Rix <trix@xxxxxxxxxx>, Udipto Goswami <quic_ugoswami@xxxxxxxxxxx>, Vincenzo Frascino <vincenzo.frascino@xxxxxxx>, wcn36xx@xxxxxxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx, Xiu Jianfeng <xiujianfeng@xxxxxxxxxx>, Yang Yingliang <yangyingliang@xxxxxxxxxx>
Delivery-date: Wed, 04 May 2022 05:17:11 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded a deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.

Cc: "K. Y. Srinivasan" <kys@xxxxxxxxxxxxx>
Cc: Haiyang Zhang <haiyangz@xxxxxxxxxxxxx>
Cc: Stephen Hemminger <sthemmin@xxxxxxxxxxxxx>
Cc: Wei Liu <wei.liu@xxxxxxxxxx>
Cc: Dexuan Cui <decui@xxxxxxxxxxxxx>
Cc: linux-hyperv@xxxxxxxxxxxxxxx
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
 drivers/hv/hv_utils_transport.c | 7 ++-----
 include/uapi/linux/connector.h  | 4 ++--
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/drivers/hv/hv_utils_transport.c b/drivers/hv/hv_utils_transport.c
index 832885198643..43b4f8893cc0 100644
--- a/drivers/hv/hv_utils_transport.c
+++ b/drivers/hv/hv_utils_transport.c
@@ -217,20 +217,17 @@ static void hvt_cn_callback(struct cn_msg *msg, struct 
netlink_skb_parms *nsp)
 int hvutil_transport_send(struct hvutil_transport *hvt, void *msg, int len,
                          void (*on_read_cb)(void))
 {
-       struct cn_msg *cn_msg;
+       struct cn_msg *cn_msg = NULL;
        int ret = 0;
 
        if (hvt->mode == HVUTIL_TRANSPORT_INIT ||
            hvt->mode == HVUTIL_TRANSPORT_DESTROY) {
                return -EINVAL;
        } else if (hvt->mode == HVUTIL_TRANSPORT_NETLINK) {
-               cn_msg = kzalloc(sizeof(*cn_msg) + len, GFP_ATOMIC);
-               if (!cn_msg)
+               if (mem_to_flex_dup(&cn_msg, msg, len, GFP_ATOMIC))
                        return -ENOMEM;
                cn_msg->id.idx = hvt->cn_id.idx;
                cn_msg->id.val = hvt->cn_id.val;
-               cn_msg->len = len;
-               memcpy(cn_msg->data, msg, len);
                ret = cn_netlink_send(cn_msg, 0, 0, GFP_ATOMIC);
                kfree(cn_msg);
                /*
diff --git a/include/uapi/linux/connector.h b/include/uapi/linux/connector.h
index 3738936149a2..b85bbe753dae 100644
--- a/include/uapi/linux/connector.h
+++ b/include/uapi/linux/connector.h
@@ -73,9 +73,9 @@ struct cn_msg {
        __u32 seq;
        __u32 ack;
 
-       __u16 len;              /* Length of the following data */
+       __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u16, len);
        __u16 flags;
-       __u8 data[0];
+       __DECLARE_FLEX_ARRAY_ELEMENTS(__u8, data);
 };
 
 #endif /* _UAPI__CONNECTOR_H */
-- 
2.32.0

References:
- [PATCH 00/32] Introduce flexible array struct memcpy() helpers
  - From: Kees Cook

Prev by Date: [PATCH 23/32] Bluetooth: Use mem_to_flex_dup() with struct hci_op_configure_data_path
Next by Date: Re: [PATCH 01/32] netlink: Avoid memcpy() across flexible array boundary
Previous by thread: [PATCH 23/32] Bluetooth: Use mem_to_flex_dup() with struct hci_op_configure_data_path
Next by thread: Re: [PATCH 19/32] afs: Use mem_to_flex_dup() with struct afs_acl
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.