Re: [RESEND PATCH] mux: Convert mux_control_ops to a flex array member in mux_chip
From: Thorsten Blum
Date: Sun Apr 13 2025 - 08:43:16 EST
Hi Peter,
On 7. Apr 2025, at 20:20, Kees Cook wrote:
> On Fri, Mar 07, 2025 at 12:32:07PM +0100, Thorsten Blum wrote:
>> On 3. Mar 2025, at 19:44, Kees Cook wrote:
>>> On Mon, Mar 03, 2025 at 12:02:22AM +0100, Thorsten Blum wrote:
>>>> Convert mux_control_ops to a flexible array member at the end of the
>>>> mux_chip struct and add the __counted_by() compiler attribute to
>>>> improve access bounds-checking via CONFIG_UBSAN_BOUNDS and
>>>> CONFIG_FORTIFY_SOURCE.
>>>>
>>>> Use struct_size() to calculate the number of bytes to allocate for a new
>>>> mux chip and to remove the following Coccinelle/coccicheck warning:
>>>>
>>>> WARNING: Use struct_size
>>>>
>>>> Use size_add() to safely add any extra bytes.
>>>>
>>>> Compile-tested only.
>>>
>>> I believe this will fail at runtime. Note that sizeof_priv follows the
>>> allocation, so at the very least, you'd need to update:
>>>
>>> static inline void *mux_chip_priv(struct mux_chip *mux_chip)
>>> {
>>> return &mux_chip->mux[mux_chip->controllers];
>>> }
>>>
>>> to not use the mux array itself as a location reference because it will
>>> be seen as out of bounds.
>>>
>>> To deal with this, the location will need to be calculated using
>>> mux_chip as the base, not mux_chip->mux as the base. For example, see
>>> commit 838ae9f45c4e ("nouveau/gsp: Avoid addressing beyond end of rpc->entries")
>>
>> Since this should work and is well-defined C code according to [1][2],
>> could you give this patch another look or should I still change it and
>> submit a v2?
>
> I think C is wrong here, but it seems it will continue to accidentally
> work. I personally would like a v3 that fixes this, but I leave it to
> Peter who is the MUX maintainer...
What's your take on this?
Thanks,
Thorsten