Re: [PATCH] can: etas_es58x: Replace 0-element raw_msg array
From: Kees Cook <hidden>
Date: 2021-08-18 06:48:46
Also in:
linux-hardening, lkml, netdev
On Wed, Aug 18, 2021 at 02:13:51PM +0900, Vincent MAILHOL wrote:
On Wed. 18 Aug 2021 at 12:40, Kees Cook [off-list ref] wrote:quoted
While raw_msg isn't a fixed size, it does have a maximum size. Adjust the struct to represent this and avoid the following warning when building with -Wzero-length-bounds: drivers/net/can/usb/etas_es58x/es58x_fd.c: In function 'es58x_fd_tx_can_msg': drivers/net/can/usb/etas_es58x/es58x_fd.c:360:35: warning: array subscript 65535 is outside the bounds of an interior zero-length array 'u8[0]' {aka 'unsigned char[]'} [-Wzero-length-bounds] 360 | tx_can_msg = (typeof(tx_can_msg))&es58x_fd_urb_cmd->raw_msg[msg_len]; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from drivers/net/can/usb/etas_es58x/es58x_core.h:22, from drivers/net/can/usb/etas_es58x/es58x_fd.c:17: drivers/net/can/usb/etas_es58x/es58x_fd.h:231:6: note: while referencing 'raw_msg' 231 | u8 raw_msg[0]; | ^~~~~~~ Cc: Wolfgang Grandegger <redacted> Cc: Marc Kleine-Budde <mkl@pengutronix.de> Cc: "David S. Miller" <davem@davemloft.net> Cc: Jakub Kicinski <kuba@kernel.org> Cc: Arunachalam Santhanam <redacted> Cc: Vincent Mailhol <redacted> Cc: linux-can@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <redacted> --- drivers/net/can/usb/etas_es58x/es581_4.h | 2 +- drivers/net/can/usb/etas_es58x/es58x_fd.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)diff --git a/drivers/net/can/usb/etas_es58x/es581_4.h b/drivers/net/can/usb/etas_es58x/es581_4.h index 4bc60a6df697..af38c4938859 100644 --- a/drivers/net/can/usb/etas_es58x/es581_4.h +++ b/drivers/net/can/usb/etas_es58x/es581_4.h@@ -192,7 +192,7 @@ struct es581_4_urb_cmd { struct es581_4_rx_cmd_ret rx_cmd_ret; __le64 timestamp; u8 rx_cmd_ret_u8; - u8 raw_msg[0]; + u8 raw_msg[USHRT_MAX]; } __packed; __le16 reserved_for_crc16_do_not_use;diff --git a/drivers/net/can/usb/etas_es58x/es58x_fd.h b/drivers/net/can/usb/etas_es58x/es58x_fd.h index ee18a87e40c0..e0319b8358ef 100644 --- a/drivers/net/can/usb/etas_es58x/es58x_fd.h +++ b/drivers/net/can/usb/etas_es58x/es58x_fd.h@@ -228,7 +228,7 @@ struct es58x_fd_urb_cmd { struct es58x_fd_tx_ack_msg tx_ack_msg; __le64 timestamp; __le32 rx_cmd_ret_le32; - u8 raw_msg[0]; + u8 raw_msg[USHRT_MAX]; } __packed; __le16 reserved_for_crc16_do_not_use; --2.30.2raw_msg is part of a union so its maximum size is implicitly the biggest size of the other member of that union:
Yup, understood. See below...
| struct es58x_fd_urb_cmd {
| __le16 SOF;
| u8 cmd_type;
| u8 cmd_id;
| u8 channel_idx;
| __le16 msg_len;
|
| union {
| struct es58x_fd_tx_conf_msg tx_conf_msg;
| u8 tx_can_msg_buf[ES58X_FD_TX_BULK_MAX * ES58X_FD_CANFD_TX_LEN];
| u8 rx_can_msg_buf[ES58X_FD_RX_BULK_MAX * ES58X_FD_CANFD_RX_LEN];
| struct es58x_fd_echo_msg echo_msg[ES58X_FD_ECHO_BULK_MAX];
| struct es58x_fd_rx_event_msg rx_event_msg;
| struct es58x_fd_tx_ack_msg tx_ack_msg;
| __le64 timestamp;
| __le32 rx_cmd_ret_le32;
| u8 raw_msg[0];
| } __packed;
|
| __le16 reserved_for_crc16_do_not_use;
| } __packed;
ram_msg can then be used to manipulate the other fields at the byte level.
I am sorry but I fail to understand why this is an issue.The issue is with using a 0-element array (these are being removed from the kernel[1] so we can add -Warray-bounds). Normally in this situation I would replace the 0-element array with a flexible array, but this case is unusual in several ways: - There is a trailing struct member (reserved_for_crc16_do_not_use), which is never accessed (good), and documented as "please never access this". - struct es58x_fd_urb_cmd is statically allocated (it is written into from the URB handler). - The message lengths coming from the USB device are stored in a u16, which looked like it was possible to overflow the buffer. In taking a closer look, I see that the URB command length is checked, and the in-data length is checked as well, so the overflow concern appears to be addressed.
Also, the proposed fix drastically increases the size of the structure.
Indeed. I will send a v2, now that I see that the overflow concern isn't an issue. Thanks! -Kees [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays -- Kees Cook