search

KSPP / linux

Linux kernel source tree (Kernel Self Protection Project)
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
Other
81 stars 5 forks source link

Replace 1-element arrays in drivers/scsi/smartpqi/ #204

Closed GustavoARSilva closed 1 year ago

GustavoARSilva commented 1 year ago

drivers/scsi/smartpqi/smartpqi.h:

 955 struct report_log_lun_list {                                                                        
 956         struct report_lun_header header;                                                            
 957         struct report_log_lun lun_entries[1];                                                       
 958 };
...
 983 struct report_phys_lun_8byte_wwid_list {                                                            
 984         struct report_lun_header header;                                                            
 985         struct report_phys_lun_8byte_wwid lun_entries[1];                                           
 986 };                                                                                                  
 987                                                                                                     
 988 struct report_phys_lun_16byte_wwid_list {                                                           
 989         struct report_lun_header header;                                                            
 990         struct report_phys_lun_16byte_wwid lun_entries[1];                                          
 991 };

Audit (at least) all these places where the flex array is being used:

diff -u -p drivers/scsi/smartpqi/smartpqi_init.c /tmp/nothing/smartpqi/smartpqi_init.c
--- drivers/scsi/smartpqi/smartpqi_init.c
+++ /tmp/nothing/smartpqi/smartpqi_init.c
@@ -1191,7 +1191,6 @@ static inline int pqi_report_phys_luns(s
        }

        rpl_8byte_wwid_list = rpl_list;
-       num_physicals = get_unaligned_be32(&rpl_8byte_wwid_list->header.list_length) / sizeof(rpl_8byte_wwid_list->lun_entries[0]);
        rpl_16byte_wwid_list_length = sizeof(struct report_lun_header) + (num_physicals * sizeof(struct report_phys_lun_16byte_wwid));

        rpl_16byte_wwid_list = kmalloc(rpl_16byte_wwid_list_length, GFP_KERNEL);
@@ -1203,14 +1202,6 @@ static inline int pqi_report_phys_luns(s
        rpl_16byte_wwid_list->header.flags = rpl_8byte_wwid_list->header.flags;

        for (i = 0; i < num_physicals; i++) {
-               memcpy(&rpl_16byte_wwid_list->lun_entries[i].lunid, &rpl_8byte_wwid_list->lun_entries[i].lunid, sizeof(rpl_8byte_wwid_list->lun_entries[i].lunid));
-               memcpy(&rpl_16byte_wwid_list->lun_entries[i].wwid[0], &rpl_8byte_wwid_list->lun_entries[i].wwid, sizeof(rpl_8byte_wwid_list->lun_entries[i].wwid));
-               memset(&rpl_16byte_wwid_list->lun_entries[i].wwid[8], 0, 8);
-               rpl_16byte_wwid_list->lun_entries[i].device_type = rpl_8byte_wwid_list->lun_entries[i].device_type;
-               rpl_16byte_wwid_list->lun_entries[i].device_flags = rpl_8byte_wwid_list->lun_entries[i].device_flags;
-               rpl_16byte_wwid_list->lun_entries[i].lun_count = rpl_8byte_wwid_list->lun_entries[i].lun_count;
-               rpl_16byte_wwid_list->lun_entries[i].redundant_paths = rpl_8byte_wwid_list->lun_entries[i].redundant_paths;
-               rpl_16byte_wwid_list->lun_entries[i].aio_handle = rpl_8byte_wwid_list->lun_entries[i].aio_handle;
        }

        kfree(rpl_8byte_wwid_list);
@@ -2369,14 +2360,12 @@ static int pqi_update_scsi_devices(struc
        if (physdev_list)
                num_physicals =
                        get_unaligned_be32(&physdev_list->header.list_length)
-                               / sizeof(physdev_list->lun_entries[0]);
        else
                num_physicals = 0;

        if (logdev_list)
                num_logicals =
                        get_unaligned_be32(&logdev_list->header.list_length)
-                               / sizeof(logdev_list->lun_entries[0]);
        else
                num_logicals = 0;

@@ -2397,7 +2386,6 @@ static int pqi_update_scsi_devices(struc

                if (pqi_hide_vsep) {
                        for (i = num_physicals - 1; i >= 0; i--) {
-                               phys_lun = &physdev_list->lun_entries[i];
                                if (CISS_GET_DRIVE_NUMBER(phys_lun->lunid) == PQI_VSEP_CISS_BTL) {
                                        pqi_mask_device(phys_lun->lunid);
                                        break;
@@ -2443,13 +2431,11 @@ static int pqi_update_scsi_devices(struc
                if ((!pqi_expose_ld_first && i < num_physicals) ||
                        (pqi_expose_ld_first && i >= num_logicals)) {
                        is_physical_device = true;
-                       phys_lun = &physdev_list->lun_entries[physical_index++];
                        log_lun = NULL;
                        scsi3addr = phys_lun->lunid;
                } else {
                        is_physical_device = false;
                        phys_lun = NULL;
-                       log_lun = &logdev_list->lun_entries[logical_index++];
                        scsi3addr = log_lun->lunid;
                }
GustavoARSilva commented 1 year ago

Patch series for this: https://lore.kernel.org/linux-hardening/cover.1663816572.git.gustavoars@kernel.org/