mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-12-29 17:25:38 +00:00
4436df4788
The "struct batadv_tvlv_tt_data" uses a dynamically sized set of
trailing elements. Specifically, it uses an array of structures of type
"batadv_tvlv_tt_vlan_data". So, use the preferred way in the kernel
declaring a flexible array [1].
At the same time, prepare for the coming implementation by GCC and Clang
of the __counted_by attribute. Flexible array members annotated with
__counted_by can have their accesses bounds-checked at run-time via
CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for
strcpy/memcpy-family functions). In this case, it is important to note
that the attribute used is specifically __counted_by_be since variable
"num_vlan" is of type __be16.
The following change to the "batadv_tt_tvlv_ogm_handler_v1" function:
- tt_vlan = (struct batadv_tvlv_tt_vlan_data *)(tt_data + 1);
- tt_change = (struct batadv_tvlv_tt_change *)(tt_vlan + num_vlan);
+ tt_change = (struct batadv_tvlv_tt_change *)((void *)tt_data
+ + flex_size);
is intended to prevent the compiler from generating an "out-of-bounds"
notification due to the __counted_by attribute. The compiler can do a
pointer calculation using the vlan_data flexible array memory, or in
other words, this may be calculated as an array offset, since it is the
same as:
&tt_data->vlan_data[num_vlan]
Therefore, we go past the end of the array. In other "multiple trailing
flexible array" situations, this has been solved by addressing from the
base pointer, since the compiler either knows the full allocation size
or it knows nothing about it (this case, since it came from a "void *"
function argument).
The order in which the structure batadv_tvlv_tt_data and the structure
batadv_tvlv_tt_vlan_data are defined must be swap to avoid an incomplete
type error.
Also, avoid the open-coded arithmetic in memory allocator functions [2]
using the "struct_size" macro and use the "flex_array_size" helper to
clarify some calculations, when possible.
Moreover, the new structure member also allow us to avoid the open-coded
arithmetic on pointers in some situations. Take advantage of this.
This code was detected with the help of Coccinelle, and audited and
modified manually.
Link: https://www.kernel.org/doc/html/next/process/deprecated.html#zero-length-and-one-element-arrays [1]
Link: https://www.kernel.org/doc/html/next/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [2]
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Erick Archer <erick.archer@outlook.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
|
||
|---|---|---|
| .. | ||
| bat_algo.c | ||
| bat_algo.h | ||
| bat_iv_ogm.c | ||
| bat_iv_ogm.h | ||
| bat_v_elp.c | ||
| bat_v_elp.h | ||
| bat_v_ogm.c | ||
| bat_v_ogm.h | ||
| bat_v.c | ||
| bat_v.h | ||
| bitarray.c | ||
| bitarray.h | ||
| bridge_loop_avoidance.c | ||
| bridge_loop_avoidance.h | ||
| distributed-arp-table.c | ||
| distributed-arp-table.h | ||
| fragmentation.c | ||
| fragmentation.h | ||
| gateway_client.c | ||
| gateway_client.h | ||
| gateway_common.c | ||
| gateway_common.h | ||
| hard-interface.c | ||
| hard-interface.h | ||
| hash.c | ||
| hash.h | ||
| Kconfig | ||
| log.c | ||
| log.h | ||
| main.c | ||
| main.h | ||
| Makefile | ||
| multicast_forw.c | ||
| multicast.c | ||
| multicast.h | ||
| netlink.c | ||
| netlink.h | ||
| network-coding.c | ||
| network-coding.h | ||
| originator.c | ||
| originator.h | ||
| routing.c | ||
| routing.h | ||
| send.c | ||
| send.h | ||
| soft-interface.c | ||
| soft-interface.h | ||
| tp_meter.c | ||
| tp_meter.h | ||
| trace.c | ||
| trace.h | ||
| translation-table.c | ||
| translation-table.h | ||
| tvlv.c | ||
| tvlv.h | ||
| types.h | ||