LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Vincent MAILHOL <mailhol.vincent@wanadoo.fr>
Cc: Wolfgang Grandegger <wg@grandegger.com>,
	Marc Kleine-Budde <mkl@pengutronix.de>,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	Arunachalam Santhanam <arunachalam.santhanam@in.bosch.com>,
	linux-can <linux-can@vger.kernel.org>,
	netdev <netdev@vger.kernel.org>,
	open list <linux-kernel@vger.kernel.org>,
	linux-hardening@vger.kernel.org
Subject: Re: [PATCH] can: etas_es58x: Replace 0-element raw_msg array
Date: Tue, 17 Aug 2021 23:48:40 -0700	[thread overview]
Message-ID: <202108172320.1540EC10C@keescook> (raw)
In-Reply-To: <CAMZ6RqK4Rn4d-1CZsg9vJiAMHhxN6fgcqukdHpGwXoGTyNVr_Q@mail.gmail.com>

On Wed, Aug 18, 2021 at 02:13:51PM +0900, Vincent MAILHOL wrote:
> On Wed. 18 Aug 2021 at 12:40, Kees Cook <keescook@chromium.org> wrote:
> > While raw_msg isn't a fixed size, it does have a maximum size. Adjust the
> > struct to represent this and avoid the following warning when building
> > with -Wzero-length-bounds:
> >
> > drivers/net/can/usb/etas_es58x/es58x_fd.c: In function 'es58x_fd_tx_can_msg':
> > drivers/net/can/usb/etas_es58x/es58x_fd.c:360:35: warning: array subscript 65535 is outside the bounds of an interior zero-length array 'u8[0]' {aka 'unsigned char[]'} [-Wzero-length-bounds]
> >   360 |  tx_can_msg = (typeof(tx_can_msg))&es58x_fd_urb_cmd->raw_msg[msg_len];
> >       |                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > In file included from drivers/net/can/usb/etas_es58x/es58x_core.h:22,
> >                  from drivers/net/can/usb/etas_es58x/es58x_fd.c:17:
> > drivers/net/can/usb/etas_es58x/es58x_fd.h:231:6: note: while referencing 'raw_msg'
> >   231 |   u8 raw_msg[0];
> >       |      ^~~~~~~
> >
> > Cc: Wolfgang Grandegger <wg@grandegger.com>
> > Cc: Marc Kleine-Budde <mkl@pengutronix.de>
> > Cc: "David S. Miller" <davem@davemloft.net>
> > Cc: Jakub Kicinski <kuba@kernel.org>
> > Cc: Arunachalam Santhanam <arunachalam.santhanam@in.bosch.com>
> > Cc: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
> > Cc: linux-can@vger.kernel.org
> > Cc: netdev@vger.kernel.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> >  drivers/net/can/usb/etas_es58x/es581_4.h  | 2 +-
> >  drivers/net/can/usb/etas_es58x/es58x_fd.h | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/net/can/usb/etas_es58x/es581_4.h b/drivers/net/can/usb/etas_es58x/es581_4.h
> > index 4bc60a6df697..af38c4938859 100644
> > --- a/drivers/net/can/usb/etas_es58x/es581_4.h
> > +++ b/drivers/net/can/usb/etas_es58x/es581_4.h
> > @@ -192,7 +192,7 @@ struct es581_4_urb_cmd {
> >                 struct es581_4_rx_cmd_ret rx_cmd_ret;
> >                 __le64 timestamp;
> >                 u8 rx_cmd_ret_u8;
> > -               u8 raw_msg[0];
> > +               u8 raw_msg[USHRT_MAX];
> >         } __packed;
> >
> >         __le16 reserved_for_crc16_do_not_use;
> > diff --git a/drivers/net/can/usb/etas_es58x/es58x_fd.h b/drivers/net/can/usb/etas_es58x/es58x_fd.h
> > index ee18a87e40c0..e0319b8358ef 100644
> > --- a/drivers/net/can/usb/etas_es58x/es58x_fd.h
> > +++ b/drivers/net/can/usb/etas_es58x/es58x_fd.h
> > @@ -228,7 +228,7 @@ struct es58x_fd_urb_cmd {
> >                 struct es58x_fd_tx_ack_msg tx_ack_msg;
> >                 __le64 timestamp;
> >                 __le32 rx_cmd_ret_le32;
> > -               u8 raw_msg[0];
> > +               u8 raw_msg[USHRT_MAX];
> >         } __packed;
> >
> >         __le16 reserved_for_crc16_do_not_use;
> > --
> > 2.30.2
> 
> raw_msg is part of a union so its maximum size is implicitly the
> biggest size of the other member of that union:

Yup, understood. See below...

> 
> | struct es58x_fd_urb_cmd {
> |     __le16 SOF;
> |    u8 cmd_type;
> |    u8 cmd_id;
> |    u8 channel_idx;
> |    __le16 msg_len;
> |
> |    union {
> |        struct es58x_fd_tx_conf_msg tx_conf_msg;
> |        u8 tx_can_msg_buf[ES58X_FD_TX_BULK_MAX * ES58X_FD_CANFD_TX_LEN];
> |        u8 rx_can_msg_buf[ES58X_FD_RX_BULK_MAX * ES58X_FD_CANFD_RX_LEN];
> |        struct es58x_fd_echo_msg echo_msg[ES58X_FD_ECHO_BULK_MAX];
> |        struct es58x_fd_rx_event_msg rx_event_msg;
> |        struct es58x_fd_tx_ack_msg tx_ack_msg;
> |        __le64 timestamp;
> |        __le32 rx_cmd_ret_le32;
> |        u8 raw_msg[0];
> |    } __packed;
> |
> |    __le16 reserved_for_crc16_do_not_use;
> | } __packed;
> 
> ram_msg can then be used to manipulate the other fields at the byte level.
> I am sorry but I fail to understand why this is an issue.

The issue is with using a 0-element array (these are being removed from
the kernel[1] so we can add -Warray-bounds). Normally in this situation I
would replace the 0-element array with a flexible array, but this
case is unusual in several ways:

- There is a trailing struct member (reserved_for_crc16_do_not_use),
  which is never accessed (good), and documented as "please never access
  this".

- struct es58x_fd_urb_cmd is statically allocated (it is written into
  from the URB handler).

- The message lengths coming from the USB device are stored in a u16,
  which looked like it was possible to overflow the buffer.

In taking a closer look, I see that the URB command length is checked,
and the in-data length is checked as well, so the overflow concern
appears to be addressed.

> Also, the proposed fix drastically increases the size of the structure.

Indeed. I will send a v2, now that I see that the overflow concern isn't
an issue.

Thanks!

-Kees

[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays

-- 
Kees Cook

  reply	other threads:[~2021-08-18  6:48 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-18  3:40 Kees Cook
2021-08-18  5:13 ` Vincent MAILHOL
2021-08-18  6:48   ` Kees Cook [this message]
2021-08-18  7:55     ` Vincent MAILHOL
2021-08-18  9:03       ` Kees Cook
2021-08-18  9:33         ` Vincent MAILHOL
2021-08-19  0:02           ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202108172320.1540EC10C@keescook \
    --to=keescook@chromium.org \
    --cc=arunachalam.santhanam@in.bosch.com \
    --cc=davem@davemloft.net \
    --cc=kuba@kernel.org \
    --cc=linux-can@vger.kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mailhol.vincent@wanadoo.fr \
    --cc=mkl@pengutronix.de \
    --cc=netdev@vger.kernel.org \
    --cc=wg@grandegger.com \
    --subject='Re: [PATCH] can: etas_es58x: Replace 0-element raw_msg array' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).