On Mon, May 18, 2020 at 12:09:16PM -0700, Joe Perches wrote: > On Mon, 2020-05-18 at 14:01 -0500, Gustavo A. R. Silva wrote: > > The current codebase makes use of one-element arrays in the following > > form: > > > > struct something { > > int length; > > u8 data[1]; > > }; > [] > > This issue has been out there since 2009. > > This issue was found with the help of Coccinelle and fixed _manually_. > [] > > diff --git a/arch/x86/platform/uv/uv_time.c b/arch/x86/platform/uv/uv_time.c > > index 7af31b245636..993a8ae6fdfb 100644 > > --- a/arch/x86/platform/uv/uv_time.c > > +++ b/arch/x86/platform/uv/uv_time.c > > @@ -52,7 +52,7 @@ struct uv_rtc_timer_head { > > struct { > > int lcpu; /* systemwide logical cpu number */ > > u64 expires; /* next timer expiration for this cpu */ > > - } cpu[1]; > > + } cpu[]; > > }; > > > > /* > > @@ -156,9 +156,8 @@ static __init int uv_rtc_allocate_timers(void) > > struct uv_rtc_timer_head *head = blade_info[bid]; > > > > if (!head) { > > - head = kmalloc_node(sizeof(struct uv_rtc_timer_head) + > > - (uv_blade_nr_possible_cpus(bid) * > > - 2 * sizeof(u64)), > > + head = kmalloc_node(struct_size(head, cpu, > > + uv_blade_nr_possible_cpus(bid)), > > It's probably safer to use kzalloc_node here as well. Hm, I think it's not actually needed here. All three members are immediately initialized and it doesn't look to ever be copied to userspace. > > > GFP_KERNEL, nid); > > if (!head) { > > uv_rtc_deallocate_timers(); > FWIW, I think this change is good as-is. Always nice to get back a little memory. ;) Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> -- Kees Cook
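Review bot: in the uv_rtc_allocate_timers() hunk, the old size expression hard-codes the per-cpu element as `2 * sizeof(u64)` (16 bytes), which only matches the anonymous `struct { int lcpu; u64 expires; }` through alignment padding; `struct_size(head, cpu, uv_blade_nr_possible_cpus(bid))` derives the element size from the type, so that silent assumption goes away and, because struct_size() saturates to SIZE_MAX on multiplication overflow, an overflowing count now fails at kmalloc_node() and is caught by the existing `if (!head)` path instead of producing an undersized buffer. Note also that this hunk and the `cpu[1]` -> `cpu[]` hunk only work together: once the member is a flexible array, `sizeof(struct uv_rtc_timer_head)` no longer includes one element (which is where the "little memory" saving comes from), so it is worth confirming that no other site in uv_time.c still sizes or indexes the structure through sizeof(); the diff shown touches only this allocation. The kzalloc_node suggestion is not required for correctness, as the reply states, since the loop following the allocation initializes the members before use.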