Commit bf58022

kees authored and jgross1 committed
xen/gntalloc: Replace UAPI 1-element array
Without changing the structure size (since it is UAPI), add a proper flexible array member, and reference it in the kernel so that it will not trip the array-bounds sanitizer[1].

Link: KSPP#113 [1]
Cc: Juergen Gross <jgross@suse.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
Cc: xen-devel@lists.xenproject.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20240206170320.work.437-kees@kernel.org
Signed-off-by: Juergen Gross <jgross@suse.com>
1 parent b0f2f82 commit bf58022

2 files changed: +5 -2 lines changed

drivers/xen/gntalloc.c

Lines changed: 1 addition & 1 deletion
@@ -317,7 +317,7 @@ static long gntalloc_ioctl_alloc(struct gntalloc_file_private_data *priv,
317317
rc = -EFAULT;
318318
goto out_free;
319319
}
320-
if (copy_to_user(arg->gref_ids, gref_ids,
320+
if (copy_to_user(arg->gref_ids_flex, gref_ids,
321321
sizeof(gref_ids[0]) * op.count)) {
322322
rc = -EFAULT;
323323
goto out_free;
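Review bot: At new line 320 the destination is now arg->gref_ids_flex, but the length on line 321 is still derived from the local buffer, sizeof(gref_ids[0]) * op.count, so the element size of the source and of the UAPI member are tied together only by convention. Consider sizing the copy from the destination member (sizeof(*arg->gref_ids_flex) * op.count), or add a one-line comment that gref_ids_flex aliases the legacy gref_ids[1] through the union, so a reader of this file does not go looking for a layout change. The lines shown here do not include the check that bounds op.count before this copy; worth confirming in review that it is unchanged, since the sanitizer will no longer flag indexing past element 0 on this member.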

include/uapi/xen/gntalloc.h

Lines changed: 4 additions & 1 deletion
@@ -31,7 +31,10 @@ struct ioctl_gntalloc_alloc_gref {
3131
__u64 index;
3232
/* The grant references of the newly created grant, one per page */
3333
/* Variable size, depending on count */
34-
__u32 gref_ids[1];
34+
union {
35+
__u32 gref_ids[1];
36+
__DECLARE_FLEX_ARRAY(__u32, gref_ids_flex);
37+
};
3538
};
3639

3740
#define GNTALLOC_FLAG_WRITABLE 1
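Review bot: The new union at lines 34-37 gives userspace two names for the same storage without saying which one to use; the existing comment "Variable size, depending on count" sits above both. Add a short comment inside the union stating that gref_ids[1] is kept only for source compatibility and to preserve the structure size, and that gref_ids_flex is the member to index when count is greater than 1. Also, all four added lines are inside the struct and no include is added in this hunk, so confirm the header already pulls in the definition of __DECLARE_FLEX_ARRAY for userspace builds that include this file on its own.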
