Re: [Nouveau] [RESEND][PATCH] drm/nouveau/fb/ga102: Replace zero-length array of trailing structs with flex-array

2023-01-03 Thread Gustavo A. R. Silva
On Tue, Jan 03, 2023 at 03:48:36PM -0800, Kees Cook wrote:
> Zero-length arrays are deprecated[1] and are being replaced with
> flexible array members in support of the ongoing efforts to tighten the
> FORTIFY_SOURCE routines on memcpy(), correctly instrument array indexing
> with UBSAN_BOUNDS, and to globally enable -fstrict-flex-arrays=3.
> 
> Replace zero-length array with flexible-array member.
> 
> This results in no differences in binary output.
> 
> [1] https://github.com/KSPP/linux/issues/78
> 
> Cc: Ben Skeggs 
> Cc: Karol Herbst 
> Cc: Lyude Paul 
> Cc: David Airlie 
> Cc: Daniel Vetter 
> Cc: Gourav Samaiya 
> Cc: "Gustavo A. R. Silva" 
> Cc: dri-de...@lists.freedesktop.org
> Cc: nouveau@lists.freedesktop.org
> Signed-off-by: Kees Cook 

Here is my RB again:

Reviewed-by: Gustavo A. R. Silva 

Thanks!
--
Gustavo

> ---
> Sent before as: 
> https://lore.kernel.org/all/20221118211207.never.039-k...@kernel.org/
> ---
>  drivers/gpu/drm/nouveau/include/nvfw/hs.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/nouveau/include/nvfw/hs.h 
> b/drivers/gpu/drm/nouveau/include/nvfw/hs.h
> index 8c4cd08a7b5f..8b58b668fc0c 100644
> --- a/drivers/gpu/drm/nouveau/include/nvfw/hs.h
> +++ b/drivers/gpu/drm/nouveau/include/nvfw/hs.h
> @@ -52,7 +52,7 @@ struct nvfw_hs_load_header_v2 {
>   struct {
>   u32 offset;
>   u32 size;
> - } app[0];
> + } app[];
>  };
>  
>  const struct nvfw_hs_load_header_v2 *nvfw_hs_load_header_v2(struct 
> nvkm_subdev *, const void *);
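Review bot: the commit message could state what actually bounds reads of `app[i]`, since the declaration change alone does not add a check. The trailing context shows the header being obtained from an untyped buffer (`nvfw_hs_load_header_v2(struct nvkm_subdev *, const void *)`), and the benefit named in the message (FORTIFY_SOURCE on memcpy(), UBSAN_BOUNDS on indexing, -fstrict-flex-arrays=3) only materialises when the parser's length check against that buffer exists; one sentence pointing at where `app[i]` is bounded against the buffer length would make the patch self-explanatory for backporters.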
> -- 
> 2.34.1
> 


[Nouveau] [RESEND][PATCH] drm/nouveau/fb/ga102: Replace zero-length array of trailing structs with flex-array

2023-01-03 Thread Kees Cook
Zero-length arrays are deprecated[1] and are being replaced with
flexible array members in support of the ongoing efforts to tighten the
FORTIFY_SOURCE routines on memcpy(), correctly instrument array indexing
with UBSAN_BOUNDS, and to globally enable -fstrict-flex-arrays=3.

Replace zero-length array with flexible-array member.

This results in no differences in binary output.

[1] https://github.com/KSPP/linux/issues/78

Cc: Ben Skeggs 
Cc: Karol Herbst 
Cc: Lyude Paul 
Cc: David Airlie 
Cc: Daniel Vetter 
Cc: Gourav Samaiya 
Cc: "Gustavo A. R. Silva" 
Cc: dri-de...@lists.freedesktop.org
Cc: nouveau@lists.freedesktop.org
Signed-off-by: Kees Cook 
---
Sent before as: 
https://lore.kernel.org/all/20221118211207.never.039-k...@kernel.org/
---
 drivers/gpu/drm/nouveau/include/nvfw/hs.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/include/nvfw/hs.h 
b/drivers/gpu/drm/nouveau/include/nvfw/hs.h
index 8c4cd08a7b5f..8b58b668fc0c 100644
--- a/drivers/gpu/drm/nouveau/include/nvfw/hs.h
+++ b/drivers/gpu/drm/nouveau/include/nvfw/hs.h
@@ -52,7 +52,7 @@ struct nvfw_hs_load_header_v2 {
struct {
u32 offset;
u32 size;
-   } app[0];
+   } app[];
 };
 
 const struct nvfw_hs_load_header_v2 *nvfw_hs_load_header_v2(struct nvkm_subdev 
*, const void *);
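Review bot: the conversion in the hunk is mechanically correct and the "no differences in binary output" claim holds, because neither `app[0]` nor `app[]` contributes to `sizeof(struct nvfw_hs_load_header_v2)` or moves the offset of `app`. Worth checking in the same series is any open-coded size arithmetic for this header of the form `sizeof(*hdr) + n * sizeof(hdr->app[0])`: with the member now a proper flexible array, the kernel's struct_size()/flex_array_size() helpers give the same value with overflow checking, which is where the conversion pays off beyond silencing the deprecation.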
-- 
2.34.1
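A worked illustration of the point made in the commit message, added here and not part of the patch or of nouveau's own code: a constructed header (one count field plus the same trailing `app` array in both the zero-length and the flexible-array form) shows that sizeof and the offset of `app` are identical, which is why the binary is unchanged, and pairs it with the overflow-checked size computation and the per-entry bounds check a parser of such a header needs. The struct, its field names and the sample blob are assumptions made for this example.

```c
/* Added example, not nouveau's own code: the header below is a constructed
 * stand-in (one count field plus the trailing array), not the real struct. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef uint32_t u32;
struct app_desc { u32 offset; u32 size; };

struct hdr_zla { u32 num_apps; struct app_desc app[0]; }; /* before: GNU zero-length */
struct hdr_fam { u32 num_apps; struct app_desc app[]; };  /* after: C99 flexible array */

/* Neither form adds to sizeof or moves app, which is why the binary is unchanged. */
bool layout_unchanged(void)
{
    return sizeof(struct hdr_zla) == sizeof(struct hdr_fam) &&
           offsetof(struct hdr_zla, app) == offsetof(struct hdr_fam, app);
}

/* Overflow-checked size of a header followed by n entries (the idea behind the
 * kernel's struct_size() helper); SIZE_MAX signals overflow. */
size_t hdr_bytes(size_t n)
{
    const size_t elem = sizeof(struct app_desc);
    if (n > (SIZE_MAX - sizeof(struct hdr_fam)) / elem)
        return SIZE_MAX;
    return sizeof(struct hdr_fam) + n * elem;
}

/* Bound every app[i] against the blob length before the trailing array is
 * indexed. Returns the entry count, or -1 for a truncated blob or an entry
 * that points past the end. With -fstrict-flex-arrays=3 only the app[] form
 * lets UBSAN_BOUNDS/FORTIFY_SOURCE treat these accesses as a trailing array. */
long parse_hdr(const unsigned char *blob, size_t len)
{
    const struct hdr_fam *h = (const struct hdr_fam *)blob;
    if (len < sizeof(*h))
        return -1;
    size_t need = hdr_bytes(h->num_apps);
    if (need == SIZE_MAX || need > len)
        return -1;
    for (u32 i = 0; i < h->num_apps; i++)
        if (h->app[i].offset > len || h->app[i].size > len - h->app[i].offset)
            return -1;
    return h->num_apps;
}

/* Constructed 20-byte sample: num_apps=2, app[0]={12,4}, app[1]={16,4}. */
static const u32 sample_blob[] = { 2, 12, 4, 16, 4 };
long parse_sample(void) { return parse_hdr((const unsigned char *)sample_blob, sizeof(sample_blob)); }
```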



Re: [Nouveau] [PATCH] drm/nouveau/mmu: fix Use after Free bug in nvkm_vmm_node_split

2023-01-03 Thread Takashi Iwai
On Fri, 30 Dec 2022 08:27:58 +0100,
Zheng Wang wrote:
> 
> Here is a function call chain.
> nvkm_vmm_pfn_map->nvkm_vmm_pfn_split_merge->nvkm_vmm_node_split
> If nvkm_vma_tail returns NULL in nvkm_vmm_node_split, it will
> finally invoke nvkm_vmm_node_merge->nvkm_vmm_node_delete, which
> will free the vma. However, nvkm_vmm_pfn_map doesn't notice that.
> It goes into the next label and a UAF happens.
> 
> Fix it by returning the return-value of nvkm_vmm_node_merge
> instead of NULL.
> 
> Signed-off-by: Zheng Wang 

FWIW, CVE-2023-0030 has been assigned to this bug.
It's a question whether it really deserves to count as a security issue, but a
bug is a bug...

Ben, could you review this please?


thanks,

Takashi

> ---
>  drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c 
> b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
> index ae793f400ba1..84d6fc87b2e8 100644
> --- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
> +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
> @@ -937,8 +937,8 @@ nvkm_vmm_node_split(struct nvkm_vmm *vmm,
>   if (vma->size != size) {
>   struct nvkm_vma *tmp;
>   if (!(tmp = nvkm_vma_tail(vma, vma->size - size))) {
> - nvkm_vmm_node_merge(vmm, prev, vma, NULL, vma->size);
> - return NULL;
> + tmp = nvkm_vmm_node_merge(vmm, prev, vma, NULL, 
> vma->size);
> + return tmp;
>   }
>   tmp->part = true;
>   nvkm_vmm_node_insert(vmm, tmp);
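Review bot: the two added lines `tmp = nvkm_vmm_node_merge(vmm, prev, vma, NULL, vma->size); return tmp;` can be a single `return nvkm_vmm_node_merge(vmm, prev, vma, NULL, vma->size);`, which also avoids reusing `tmp`, declared to hold the tail, for the merged node. The more substantive question is that the commit message locates the use-after-free in nvkm_vmm_pfn_map after the merge has freed `vma`, while the hunk only changes what nvkm_vmm_node_split returns on the `vma->size != size` path: callers now get the merged vma instead of NULL, so it should be verified, and stated in the commit message, that every caller of nvkm_vmm_node_split copes with a non-NULL return whose size is not the requested `size` rather than assuming it received the split node.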
> -- 
> 2.25.1
>