xen/xenbus: Add __counted_by for struct read_buffer and use struct_size()
authorGustavo A. R. Silva <gustavoars@kernel.org>
Mon, 9 Oct 2023 18:55:30 +0000 (12:55 -0600)
committerJuergen Gross <jgross@suse.com>
Mon, 16 Oct 2023 13:18:33 +0000 (15:18 +0200)
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time via CONFIG_UBSAN_BOUNDS (for
array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).

While there, use struct_size() helper, instead of the open-coded
version, to calculate the size for the allocation of the whole
flexible structure, including of course, the flexible-array member.

This code was found with the help of Coccinelle, and audited and
fixed manually.

Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Jason Andryuk <jandryuk@gmail.com>
Link: https://lore.kernel.org/r/ZSRMosLuJJS5Y/io@work
Signed-off-by: Juergen Gross <jgross@suse.com>
drivers/xen/xenbus/xenbus_dev_frontend.c

index 0792fda49a15f39f1325d94c51b361f83fab4384..6f56640092a9b7e4e1dfcf42207f9cfc88b37a00 100644 (file)
@@ -82,7 +82,7 @@ struct read_buffer {
        struct list_head list;
        unsigned int cons;
        unsigned int len;
-       char msg[];
+       char msg[] __counted_by(len);
 };
 
 struct xenbus_file_priv {
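Review bot: The new `__counted_by(len)` on `msg` in struct read_buffer makes `len` the run-time bound for every checked access to `msg`, but the struct carries no comment stating that invariant. With CONFIG_UBSAN_BOUNDS or CONFIG_FORTIFY_SOURCE enabled, a write into `msg` made before `len` is assigned would be checked against an uninitialized value from kmalloc(). I would add a comment above the field such as `/* len: bytes valid in msg[]; must be set before msg[] is first accessed */`. The queue_reply hunk is cut off before the stores to `rb->len` and the copy into `rb->msg`, so it is worth confirming there that `rb->len = len` precedes the copy.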
@@ -195,7 +195,7 @@ static int queue_reply(struct list_head *queue, const void *data, size_t len)
        if (len > XENSTORE_PAYLOAD_MAX)
                return -EINVAL;
 
-       rb = kmalloc(sizeof(*rb) + len, GFP_KERNEL);
+       rb = kmalloc(struct_size(rb, msg, len), GFP_KERNEL);
        if (rb == NULL)
                return -ENOMEM;