Re: [PATCH] misc: bcm-vk: Annotate struct bcm_vk_wkent with __counted_by

Sat, 23 Sep 2023 08:02:16 -0700 



On 9/22/23 11:50, Kees Cook wrote:

Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).

As found with Coccinelle[1], add __counted_by for struct bcm_vk_wkent.
Additionally, since the element count member must be set before accessing
the annotated flexible array member, move its initialization earlier.

[1] 
https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci

Cc: Scott Branden <[email protected]>
Cc: Broadcom internal kernel review list <[email protected]>
Cc: Arnd Bergmann <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Kees Cook <[email protected]>


Reviewed-by: Gustavo A. R. Silva <[email protected]>

Thanks
--
Gustavo


---
  drivers/misc/bcm-vk/bcm_vk_msg.c | 2 +-
  drivers/misc/bcm-vk/bcm_vk_msg.h | 2 +-
  2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/bcm-vk/bcm_vk_msg.c b/drivers/misc/bcm-vk/bcm_vk_msg.c
index e17d81231ea6..1f42d1d5a630 100644
--- a/drivers/misc/bcm-vk/bcm_vk_msg.c
+++ b/drivers/misc/bcm-vk/bcm_vk_msg.c
@@ -703,12 +703,12 @@ int bcm_vk_send_shutdown_msg(struct bcm_vk *vk, u32 
shut_type,
        entry = kzalloc(struct_size(entry, to_v_msg, 1), GFP_KERNEL);
        if (!entry)
                return -ENOMEM;
+       entry->to_v_blks = 1;        /* always 1 block */

  
  	/* fill up necessary data */

        entry->to_v_msg[0].function_id = VK_FID_SHUTDOWN;
        set_q_num(&entry->to_v_msg[0], q_num);
        set_msg_id(&entry->to_v_msg[0], VK_SIMPLEX_MSG_ID);
-       entry->to_v_blks = 1; /* always 1 block */

  
  	entry->to_v_msg[0].cmd = shut_type;

        entry->to_v_msg[0].arg = pid;
diff --git a/drivers/misc/bcm-vk/bcm_vk_msg.h b/drivers/misc/bcm-vk/bcm_vk_msg.h
index 56784c8896d8..157495e48f15 100644
--- a/drivers/misc/bcm-vk/bcm_vk_msg.h
+++ b/drivers/misc/bcm-vk/bcm_vk_msg.h
@@ -116,7 +116,7 @@ struct bcm_vk_wkent {
        u32 usr_msg_id;
        u32 to_v_blks;
        u32 seq_num;
-       struct vk_msg_blk to_v_msg[];
+       struct vk_msg_blk to_v_msg[] __counted_by(to_v_blks);
  };

  
  /* queue stats counters */
























					Reply via email to