linux-hardening.vger.kernel.org archive mirror
* [PATCH][next] scsi: target: tcmu: Use struct_size() helper in kmalloc()
@ 2021-09-27 22:43 Gustavo A. R. Silva
  2021-09-29 17:35 ` Bodo Stroesser
  2021-10-12 20:35 ` Martin K. Petersen
  0 siblings, 2 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2021-09-27 22:43 UTC (permalink / raw)
  To: Bodo Stroesser, Martin K. Petersen
  Cc: linux-scsi, target-devel, linux-kernel, Gustavo A. R. Silva,
	linux-hardening

Make use of the struct_size() helper instead of an open-coded version,
in order to avoid any potential type mistakes or integer overflows
that, in the worst scenario, could lead to heap overflows.

Link: https://github.com/KSPP/linux/issues/160
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 drivers/target/target_core_user.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index 9f552f48084c..dc220fad06fa 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -1255,7 +1255,6 @@ tcmu_tmr_notify(struct se_device *se_dev, enum tcm_tmreq_table tmf,
 {
 	int i = 0, cmd_cnt = 0;
 	bool unqueued = false;
-	uint16_t *cmd_ids = NULL;
 	struct tcmu_cmd *cmd;
 	struct se_cmd *se_cmd;
 	struct tcmu_tmr *tmr;
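Review bot: The removal of the cmd_ids local in this hunk is not mentioned in the commit message. In the lines shown it is initialised to NULL and referenced only as sizeof(*cmd_ids) in the kmalloc() call, so dropping it is safe once that expression goes away; a sentence in the changelog saying the now-unused variable is removed would make the second deletion in the diffstat self-explanatory.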
@@ -1292,7 +1291,7 @@ tcmu_tmr_notify(struct se_device *se_dev, enum tcm_tmreq_table tmf,
 	pr_debug("TMR event %d on dev %s, aborted cmds %d, afflicted cmd_ids %d\n",
 		 tcmu_tmr_type(tmf), udev->name, i, cmd_cnt);
 
-	tmr = kmalloc(sizeof(*tmr) + cmd_cnt * sizeof(*cmd_ids), GFP_NOIO);
+	tmr = kmalloc(struct_size(tmr, tmr_cmd_ids, cmd_cnt), GFP_NOIO);
 	if (!tmr)
 		goto unlock;
 
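Review bot: The new size in the kmalloc() call equals the old one only if tmr_cmd_ids is a flexible array of uint16_t at the end of struct tcmu_tmr, and that declaration is not part of this diff. Please state in the commit message that the element type matches the removed sizeof(*cmd_ids), so a reader can confirm the allocation size is unchanged without opening the struct definition.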
-- 
2.27.0
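
An added example, not part of the patch or the kernel sources: a user-space C sketch of the wrap the commit message refers to, comparing open-coded size arithmetic with a saturating calculation in the style of struct_size(). struct tmr_like, sat_size() and STRUCT_SIZE() are hypothetical stand-ins (the kernel's own macro is not reproduced), and the GCC/Clang overflow builtins are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in: a header followed by a flexible array of 16-bit ids. */
struct tmr_like {
	uint8_t  type;
	uint32_t id_cnt;
	uint16_t ids[];
};

/* Open-coded form: the element type is repeated by hand and the
 * arithmetic wraps silently when count is large. */
static size_t open_coded_size(size_t count)
{
	return sizeof(struct tmr_like) + count * sizeof(uint16_t);
}

/* Saturating helper (hypothetical): any overflow yields SIZE_MAX,
 * a size no allocator can satisfy, so the caller's NULL check fires. */
static size_t sat_size(size_t n, size_t elem, size_t base)
{
	size_t bytes;

	if (__builtin_mul_overflow(n, elem, &bytes) ||
	    __builtin_add_overflow(bytes, base, &bytes))
		return SIZE_MAX;
	return bytes;
}

/* Element size is derived from the member itself, so it cannot drift
 * from the struct definition (the "type mistake" case). */
#define STRUCT_SIZE(p, member, n) \
	sat_size((n), sizeof(*(p)->member), sizeof(*(p)))

static size_t checked_size(size_t count)
{
	struct tmr_like *t = NULL;	/* only used inside sizeof, never dereferenced */

	return STRUCT_SIZE(t, ids, count);
}

int main(void)
{
	size_t huge = SIZE_MAX / 2 + 1;	/* constructed count: huge * 2 wraps to 0 */

	printf("open-coded: %zu bytes\n", open_coded_size(huge));
	printf("checked:    %zu bytes\n", checked_size(huge));
	return 0;
}
```

With the constructed count, the open-coded form asks for only the header's bytes while the caller believes it has room for the full array; the checked form returns a size that makes the allocation fail.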



* Re: [PATCH][next] scsi: target: tcmu: Use struct_size() helper in kmalloc()
  2021-09-27 22:43 [PATCH][next] scsi: target: tcmu: Use struct_size() helper in kmalloc() Gustavo A. R. Silva
@ 2021-09-29 17:35 ` Bodo Stroesser
  2021-10-12 20:35 ` Martin K. Petersen
  1 sibling, 0 replies; 3+ messages in thread
From: Bodo Stroesser @ 2021-09-29 17:35 UTC (permalink / raw)
  To: Gustavo A. R. Silva, Martin K. Petersen
  Cc: linux-scsi, target-devel, linux-kernel, linux-hardening

On 28.09.21 00:43, Gustavo A. R. Silva wrote:
> Make use of the struct_size() helper instead of an open-coded version,
> in order to avoid any potential type mistakes or integer overflows
> that, in the worst scenario, could lead to heap overflows.
> 
> Link: https://github.com/KSPP/linux/issues/160
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
>   drivers/target/target_core_user.c | 3 +--
>   1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
> index 9f552f48084c..dc220fad06fa 100644
> --- a/drivers/target/target_core_user.c
> +++ b/drivers/target/target_core_user.c
> @@ -1255,7 +1255,6 @@ tcmu_tmr_notify(struct se_device *se_dev, enum tcm_tmreq_table tmf,
>   {
>   	int i = 0, cmd_cnt = 0;
>   	bool unqueued = false;
> -	uint16_t *cmd_ids = NULL;
>   	struct tcmu_cmd *cmd;
>   	struct se_cmd *se_cmd;
>   	struct tcmu_tmr *tmr;
> @@ -1292,7 +1291,7 @@ tcmu_tmr_notify(struct se_device *se_dev, enum tcm_tmreq_table tmf,
>   	pr_debug("TMR event %d on dev %s, aborted cmds %d, afflicted cmd_ids %d\n",
>   		 tcmu_tmr_type(tmf), udev->name, i, cmd_cnt);
>   
> -	tmr = kmalloc(sizeof(*tmr) + cmd_cnt * sizeof(*cmd_ids), GFP_NOIO);
> +	tmr = kmalloc(struct_size(tmr, tmr_cmd_ids, cmd_cnt), GFP_NOIO);
>   	if (!tmr)
>   		goto unlock;
>   
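Review bot: cmd_cnt, passed as the count to struct_size() in the kmalloc() line, is declared int in the first hunk. struct_size() takes the count as size_t and returns SIZE_MAX on overflow, so an out-of-range value now ends at the existing if (!tmr) check instead of a short allocation; consider declaring cmd_cnt as an unsigned type in a follow-up (the pr_debug() %d format would need to change with it) so the count's type says it cannot be negative.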
> 

Looks good. Thank you.

Reviewed-by: Bodo Stroesser <bostroesser@gmail.com>


* Re: [PATCH][next] scsi: target: tcmu: Use struct_size() helper in kmalloc()
  2021-09-27 22:43 [PATCH][next] scsi: target: tcmu: Use struct_size() helper in kmalloc() Gustavo A. R. Silva
  2021-09-29 17:35 ` Bodo Stroesser
@ 2021-10-12 20:35 ` Martin K. Petersen
  1 sibling, 0 replies; 3+ messages in thread
From: Martin K. Petersen @ 2021-10-12 20:35 UTC (permalink / raw)
  To: Gustavo A. R. Silva, Bodo Stroesser
  Cc: Martin K . Petersen, target-devel, linux-scsi, linux-kernel,
	linux-hardening

On Mon, 27 Sep 2021 17:43:44 -0500, Gustavo A. R. Silva wrote:

> Make use of the struct_size() helper instead of an open-coded version,
> in order to avoid any potential type mistakes or integer overflows
> that, in the worst scenario, could lead to heap overflows.
> 
> 

Applied to 5.16/scsi-queue, thanks!

[1/1] scsi: target: tcmu: Use struct_size() helper in kmalloc()
      https://git.kernel.org/mkp/scsi/c/c20bda341946

-- 
Martin K. Petersen	Oracle Linux Engineering
