Replace zero-length arrays with flexible-array members

[GustavoARSilva]

There is a regular need in the kernel to provide a way to declare having a
dynamically sized set of trailing elements in a structure. Kernel code should
always use “flexible array members” for these cases. The older style of
one-element or zero-length arrays should no longer be used.

In older C code, dynamically sized trailing elements were done by specifying
a one-element array at the end of a structure:

struct something {
        size_t count;
        struct foo items[1];
};

This led to fragile size calculations via sizeof() (which would need to remove
the size of the single trailing element to get a correct size of the “header”).
A GNU C extension was introduced to allow for zero-length arrays, to avoid
these kinds of size problems:

struct something {
        size_t count;
        struct foo items[0];
};

But this led to other problems, and didn’t solve some problems shared by both
styles, like not being able to detect when such an array is accidentally being
used not at the end of a structure (which could happen directly, or when
such a struct was in unions, structs of structs, etc).

C99 introduced “flexible array members”, which lacks a numeric size for the
array declaration entirely:

struct something {
        size_t count;
        struct foo items[];
};

This is the way the kernel expects dynamically sized trailing elements to be
declared. It allows the compiler to generate errors when the flexible array
does not occur last in the structure, which helps to prevent some kind of
undefined behavior bugs from being inadvertently introduced to the codebase.
It also allows the compiler to correctly analyze array sizes (via sizeof(),
CONFIG_FORTIFY_SOURCE, and CONFIG_UBSAN_BOUNDS). For instance, there is no
mechanism that warns us that the following application of the sizeof() operator
to a zero-length array always results in zero:

struct something {
        size_t count;
        struct foo items[0];
};

struct something *instance;

instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
instance->count = count;

size = sizeof(instance->items) * instance->count;
memcpy(instance->items, source, size);

At the last line of code above, size turns out to be zero, when one might have
thought it represents the total size in bytes of the dynamic memory recently
allocated for the trailing array items. Here are a couple examples of this
issue: link 1, link 2. Instead, flexible array members have incomplete type, and so the
sizeof() operator may not be applied, so any misuse of such operators will
be immediately noticed at build time.

With respect to one-element arrays, one has to be acutely aware that such
arrays occupy at least as much space as a single object of the type, hence they
contribute to the size of the enclosing structure. This is prone to error every
time people want to calculate the total size of dynamic memory to allocate for
a structure containing an array of this kind as a member:

struct something {
        size_t count;
        struct foo items[1];
};

struct something *instance;

instance = kmalloc(struct_size(instance, items, count - 1), GFP_KERNEL);
instance->count = count;

size = sizeof(instance->items) * instance->count;
memcpy(instance->items, source, size);

In the example above, we had to remember to calculate count - 1 when using the
struct_size() helper, otherwise we would have –unintentionally– allocated memory
for one too many items objects. The cleanest and least error-prone way to
implement this is through the use of a flexible array member, instead:

struct something {
        size_t count;
        struct foo items[];
};

struct something *instance;

instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
instance->count = count;

size = sizeof(instance->items[0]) * instance->count;
memcpy(instance->items, source, size);

NOTE: this documentation will be merged into mainline for Linux 5.9 (https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=68e4cd17e218971a2fd60c30fe14078dc0d8a68e)

[kees]

See also #25 (comment) with regard to adding compiler warnings.

[kees]

See also commit 5a76021 for re-enabling stringop-overflow warnings.

[GustavoARSilva]

The documentation is already in mainline v5.9 and the official document has been generated:

https://www.kernel.org/doc/html/v5.9/process/deprecated.html#zero-length-and-one-element-arrays

[JoseExposito]

Hi! I'd like to get involved in the KSPP project.

I found a couple of places in linux-next where we could take advantage of flexible array members. For example in drivers/net/ethernet/marvell/prestera/prestera_hw.c we could use both flexible array members and struct_size.

I wasn't able to find any related work in patchwork, but since I'm new to the project I decided to ask before emailing the patch and also say hello :)

Is this bug fully addressed or should I email the patch?

Also, if there is a task for newcomers that I can look into, feel free to send me the link, I'll be happy to help.

[kees]

Welcome!

Yeah, I say go for it. @GustavoARSilva has been working on a treewide change too:
https://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux.git/commit/?h=for-next/kspp-misc-fixes&id=fb29d640e9640985e307deaee123e83144305633
But I don't see that driver listed. Make a patch and send it out, we can get it reviewed, etc.

[JoseExposito]

Thanks a lot Kees,

I just emailed the patch:

https://lore.kernel.org/linux-hardening/VI1P190MB07344B3C160E9A73165422A28F6B9@VI1P190MB0734.EURP190.PROD.OUTLOOK.COM/T/#t

I'm going to have a look to the issue tracker and see where l can help.

Jose

[GustavoARSilva]

Welcome!

Yeah, I say go for it. @GustavoARSilva has been working on a treewide change too: https://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux.git/commit/?h=for-next/kspp-misc-fixes&id=fb29d640e9640985e307deaee123e83144305633 But I don't see that driver listed.

Yep; my patch is applied on top of v5.16-rc2, and the code José mentions was recently added and only appears in linux-next.