
bpf: Use kmalloc_size_roundup() to match ksize() usage

Message ID 20221018090550.never.834-kees@kernel.org (mailing list archive)
State Changes Requested
Delegated to: BPF
Series: bpf: Use kmalloc_size_roundup() to match ksize() usage

Checks

Context Check Description
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 10 this patch: 10
netdev/cc_maintainers success CCed 12 of 12 maintainers
netdev/build_clang success Errors and warnings before: 5 this patch: 5
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 10 this patch: 10
netdev/checkpatch warning WARNING: line length of 84 exceeds 80 columns WARNING: line length of 86 exceeds 80 columns WARNING: line length of 89 exceeds 80 columns WARNING: line length of 94 exceeds 80 columns
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-next-VM_Test-4 success Logs for llvm-toolchain
bpf/vmtest-bpf-next-VM_Test-5 success Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-2 success Logs for build for x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-3 success Logs for build for x86_64 with llvm-16
bpf/vmtest-bpf-next-PR success PR summary
bpf/vmtest-bpf-next-VM_Test-1 success Logs for build for s390x with gcc
bpf/vmtest-bpf-next-VM_Test-6 success Logs for test_maps on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-7 success Logs for test_maps on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-8 success Logs for test_maps on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-9 success Logs for test_progs on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-10 success Logs for test_progs on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-11 success Logs for test_progs on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-12 success Logs for test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-13 success Logs for test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-14 success Logs for test_progs_no_alu32 on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-15 success Logs for test_verifier on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-16 success Logs for test_verifier on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-17 success Logs for test_verifier on x86_64 with llvm-16

Commit Message

Kees Cook Oct. 18, 2022, 9:06 a.m. UTC
Round up allocations with kmalloc_size_roundup() so that the verifier's
use of ksize() is always accurate and no special handling of the memory
is needed by KASAN, UBSAN_BOUNDS, or FORTIFY_SOURCE. Pass the new size
information back up to callers so they can use the space immediately,
allowing array resizing to happen less frequently as well. Explicitly
zero any trailing bytes in new allocations.

Additionally fix a memory leak: if krealloc() fails, "arr" wasn't freed,
but NULL was returned to the caller of realloc_array(), which would then
write NULL to the lvalue and lose the reference to the original memory.
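
For illustration only -- a minimal sketch of the rounding pattern described
above, with hypothetical names and context (overflow checking omitted), not
code from this patch:

	size_t want  = n * size;                    /* bytes actually needed */
	size_t alloc = kmalloc_size_roundup(want);  /* full kmalloc bucket size */
	void *buf    = kmalloc(alloc, GFP_KERNEL);

	if (!buf)
		return -ENOMEM;
	/* ksize(buf) == alloc, so all 'alloc' bytes are usable by the caller;
	 * zero the tail so the extra capacity starts out in a known state.
	 */
	memset(buf + want, 0, alloc - want);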

Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Andrii Nakryiko <andrii@kernel.org>
Cc: Martin KaFai Lau <martin.lau@linux.dev>
Cc: Song Liu <song@kernel.org>
Cc: Yonghong Song <yhs@fb.com>
Cc: KP Singh <kpsingh@kernel.org>
Cc: Stanislav Fomichev <sdf@google.com>
Cc: Hao Luo <haoluo@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: bpf@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 kernel/bpf/verifier.c | 49 +++++++++++++++++++++++++++----------------
 1 file changed, 31 insertions(+), 18 deletions(-)

Comments

Stanislav Fomichev Oct. 18, 2022, 6:07 p.m. UTC | #1
On 10/18, Kees Cook wrote:
> Round up allocations with kmalloc_size_roundup() so that the verifier's
> use of ksize() is always accurate and no special handling of the memory
> is needed by KASAN, UBSAN_BOUNDS, nor FORTIFY_SOURCE. Pass the new size
> information back up to callers so they can use the space immediately,
> so array resizing to happen less frequently as well. Explicitly zero
> any trailing bytes in new allocations.

> Additionally fix a memory allocation leak: if krealloc() fails, "arr"
> wasn't freed, but NULL was return to the caller of realloc_array() would
> be writing NULL to the lvalue, losing the reference to the original
> memory.

> Cc: Alexei Starovoitov <ast@kernel.org>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Cc: John Fastabend <john.fastabend@gmail.com>
> Cc: Andrii Nakryiko <andrii@kernel.org>
> Cc: Martin KaFai Lau <martin.lau@linux.dev>
> Cc: Song Liu <song@kernel.org>
> Cc: Yonghong Song <yhs@fb.com>
> Cc: KP Singh <kpsingh@kernel.org>
> Cc: Stanislav Fomichev <sdf@google.com>
> Cc: Hao Luo <haoluo@google.com>
> Cc: Jiri Olsa <jolsa@kernel.org>
> Cc: bpf@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>   kernel/bpf/verifier.c | 49 +++++++++++++++++++++++++++----------------
>   1 file changed, 31 insertions(+), 18 deletions(-)

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 014ee0953dbd..8a0b60207d0e 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -1000,42 +1000,53 @@ static void print_insn_state(struct  
> bpf_verifier_env *env,
>    */
>   static void *copy_array(void *dst, const void *src, size_t n, size_t  
> size, gfp_t flags)
>   {
> -	size_t bytes;
> +	size_t src_bytes, dst_bytes;

>   	if (ZERO_OR_NULL_PTR(src))
>   		goto out;

> -	if (unlikely(check_mul_overflow(n, size, &bytes)))
> +	if (unlikely(check_mul_overflow(n, size, &src_bytes)))
>   		return NULL;

> -	if (ksize(dst) < bytes) {
> +	dst_bytes = kmalloc_size_roundup(src_bytes);
> +	if (ksize(dst) < dst_bytes) {

Why not simply do the following here?

	if (ksize(dst) < ksize(src)) {

?

It seems like we care about src_bytes/bytes only in this case, so maybe
move that check_mul_overflow under this branch as well?


>   		kfree(dst);
> -		dst = kmalloc_track_caller(bytes, flags);
> +		dst = kmalloc_track_caller(dst_bytes, flags);
>   		if (!dst)
>   			return NULL;
>   	}

> -	memcpy(dst, src, bytes);
> +	memcpy(dst, src, src_bytes);
> +	memset(dst + src_bytes, 0, dst_bytes - src_bytes);
>   out:
>   	return dst ? dst : ZERO_SIZE_PTR;
>   }

> -/* resize an array from old_n items to new_n items. the array is  
> reallocated if it's too
> - * small to hold new_n items. new items are zeroed out if the array  
> grows.
> +/* Resize an array from old_n items to *new_n items. The array is  
> reallocated if it's too
> + * small to hold *new_n items. New items are zeroed out if the array  
> grows. Allocation
> + * is rounded up to next kmalloc bucket size to reduce frequency of  
> resizing. *new_n
> + * contains the new total number of items that will fit.
>    *
> - * Contrary to krealloc_array, does not free arr if new_n is zero.
> + * Contrary to krealloc, does not free arr if new_n is zero.
>    */
> -static void *realloc_array(void *arr, size_t old_n, size_t new_n, size_t  
> size)
> +static void *realloc_array(void *arr, size_t old_n, size_t *new_n,  
> size_t size)
>   {
> -	if (!new_n || old_n == new_n)
> +	void *old_arr = arr;
> +	size_t alloc_size;
> +
> +	if (!new_n || !*new_n || old_n == *new_n)
>   		goto out;


[..]

> -	arr = krealloc_array(arr, new_n, size, GFP_KERNEL);
> -	if (!arr)
> +	alloc_size = kmalloc_size_roundup(size_mul(*new_n, size));
> +	arr = krealloc(old_arr, alloc_size, GFP_KERNEL);
> +	if (!arr) {
> +		kfree(old_arr);
>   		return NULL;
> +	}

Any reason not to hide this complexity behind krealloc_array? Why can't
it take care of those roundup details?


> -	if (new_n > old_n)
> -		memset(arr + old_n * size, 0, (new_n - old_n) * size);
> +	*new_n = alloc_size / size;
> +	if (*new_n > old_n)
> +		memset(arr + old_n * size, 0, (*new_n - old_n) * size);

>   out:
>   	return arr ? arr : ZERO_SIZE_PTR;
> @@ -1067,7 +1078,7 @@ static int copy_stack_state(struct bpf_func_state  
> *dst, const struct bpf_func_st

>   static int resize_reference_state(struct bpf_func_state *state, size_t n)
>   {
> -	state->refs = realloc_array(state->refs, state->acquired_refs, n,
> +	state->refs = realloc_array(state->refs, state->acquired_refs, &n,
>   				    sizeof(struct bpf_reference_state));
>   	if (!state->refs)
>   		return -ENOMEM;
> @@ -1083,11 +1094,11 @@ static int grow_stack_state(struct bpf_func_state  
> *state, int size)
>   	if (old_n >= n)
>   		return 0;

> -	state->stack = realloc_array(state->stack, old_n, n, sizeof(struct  
> bpf_stack_state));
> +	state->stack = realloc_array(state->stack, old_n, &n, sizeof(struct  
> bpf_stack_state));
>   	if (!state->stack)
>   		return -ENOMEM;

> -	state->allocated_stack = size;
> +	state->allocated_stack = n * BPF_REG_SIZE;
>   	return 0;
>   }

> @@ -2499,9 +2510,11 @@ static int push_jmp_history(struct  
> bpf_verifier_env *env,
>   {
>   	u32 cnt = cur->jmp_history_cnt;
>   	struct bpf_idx_pair *p;
> +	size_t size;

>   	cnt++;
> -	p = krealloc(cur->jmp_history, cnt * sizeof(*p), GFP_USER);
> +	size = kmalloc_size_roundup(size_mul(cnt, sizeof(*p)));
> +	p = krealloc(cur->jmp_history, size, GFP_USER);
>   	if (!p)
>   		return -ENOMEM;
>   	p[cnt - 1].idx = env->insn_idx;
> --
> 2.34.1
Kees Cook Oct. 18, 2022, 6:19 p.m. UTC | #2
On Tue, Oct 18, 2022 at 11:07:38AM -0700, sdf@google.com wrote:
> On 10/18, Kees Cook wrote:
> > Round up allocations with kmalloc_size_roundup() so that the verifier's
> > use of ksize() is always accurate and no special handling of the memory
> > is needed by KASAN, UBSAN_BOUNDS, nor FORTIFY_SOURCE. Pass the new size
> > information back up to callers so they can use the space immediately,
> > so array resizing to happen less frequently as well. Explicitly zero
> > any trailing bytes in new allocations.
> 
> > Additionally fix a memory allocation leak: if krealloc() fails, "arr"
> > wasn't freed, but NULL was return to the caller of realloc_array() would
> > be writing NULL to the lvalue, losing the reference to the original
> > memory.
> 
> > Cc: Alexei Starovoitov <ast@kernel.org>
> > Cc: Daniel Borkmann <daniel@iogearbox.net>
> > Cc: John Fastabend <john.fastabend@gmail.com>
> > Cc: Andrii Nakryiko <andrii@kernel.org>
> > Cc: Martin KaFai Lau <martin.lau@linux.dev>
> > Cc: Song Liu <song@kernel.org>
> > Cc: Yonghong Song <yhs@fb.com>
> > Cc: KP Singh <kpsingh@kernel.org>
> > Cc: Stanislav Fomichev <sdf@google.com>
> > Cc: Hao Luo <haoluo@google.com>
> > Cc: Jiri Olsa <jolsa@kernel.org>
> > Cc: bpf@vger.kernel.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> >   kernel/bpf/verifier.c | 49 +++++++++++++++++++++++++++----------------
> >   1 file changed, 31 insertions(+), 18 deletions(-)
> 
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index 014ee0953dbd..8a0b60207d0e 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -1000,42 +1000,53 @@ static void print_insn_state(struct
> > bpf_verifier_env *env,
> >    */
> >   static void *copy_array(void *dst, const void *src, size_t n, size_t
> > size, gfp_t flags)
> >   {
> > -	size_t bytes;
> > +	size_t src_bytes, dst_bytes;
> 
> >   	if (ZERO_OR_NULL_PTR(src))
> >   		goto out;
> 
> > -	if (unlikely(check_mul_overflow(n, size, &bytes)))
> > +	if (unlikely(check_mul_overflow(n, size, &src_bytes)))
> >   		return NULL;
> 
> > -	if (ksize(dst) < bytes) {
> > +	dst_bytes = kmalloc_size_roundup(src_bytes);
> > +	if (ksize(dst) < dst_bytes) {
> 
> Why not simply do the following here?
> 
> 	if (ksize(dst) < ksize(src)) {
> 
> ?

Yeah, if src always passes through the rounding-up allocation path, that
might work. I need to double-check that there isn't a case where "size"
makes this go weird -- e.g. a rounded-up "src" may be larger than
"n * size", but I think that's okay because the memcpy/memset does the
right thing.
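
For instance (numbers for illustration only): with n = 5 and size = 24,
n * size = 120 bytes, which kmalloc_size_roundup() rounds up to the
128-byte bucket. An "src" allocated that way reports ksize(src) == 128
even though only 120 bytes hold items, and the memcpy()/memset() pair
still copies only the 120 live bytes and zeroes the trailing 8.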

> It seems like we care about src_bytes/bytes only in this case, so maybe
> move that check_mul_overflow under this branch as well?
> 
> 
> >   		kfree(dst);
> > -		dst = kmalloc_track_caller(bytes, flags);
> > +		dst = kmalloc_track_caller(dst_bytes, flags);
> >   		if (!dst)
> >   			return NULL;
> >   	}
> 
> > -	memcpy(dst, src, bytes);
> > +	memcpy(dst, src, src_bytes);
> > +	memset(dst + src_bytes, 0, dst_bytes - src_bytes);
> >   out:
> >   	return dst ? dst : ZERO_SIZE_PTR;
> >   }
> 
> > -/* resize an array from old_n items to new_n items. the array is
> > reallocated if it's too
> > - * small to hold new_n items. new items are zeroed out if the array
> > grows.
> > +/* Resize an array from old_n items to *new_n items. The array is
> > reallocated if it's too
> > + * small to hold *new_n items. New items are zeroed out if the array
> > grows. Allocation
> > + * is rounded up to next kmalloc bucket size to reduce frequency of
> > resizing. *new_n
> > + * contains the new total number of items that will fit.
> >    *
> > - * Contrary to krealloc_array, does not free arr if new_n is zero.
> > + * Contrary to krealloc, does not free arr if new_n is zero.
> >    */
> > -static void *realloc_array(void *arr, size_t old_n, size_t new_n,
> > size_t size)
> > +static void *realloc_array(void *arr, size_t old_n, size_t *new_n,
> > size_t size)
> >   {
> > -	if (!new_n || old_n == new_n)
> > +	void *old_arr = arr;
> > +	size_t alloc_size;
> > +
> > +	if (!new_n || !*new_n || old_n == *new_n)
> >   		goto out;
> 
> 
> [..]
> 
> > -	arr = krealloc_array(arr, new_n, size, GFP_KERNEL);
> > -	if (!arr)
> > +	alloc_size = kmalloc_size_roundup(size_mul(*new_n, size));
> > +	arr = krealloc(old_arr, alloc_size, GFP_KERNEL);
> > +	if (!arr) {
> > +		kfree(old_arr);
> >   		return NULL;
> > +	}
> 
> Any reason not do hide this complexity behind krealloc_array? Why can't
> it take care of those roundup details?

It might be possible to do this with a macro, yes, but then callers
aren't in a position to take advantage of the new size. Maybe we need
something like:

	arr = krealloc_up(old_arr, alloc_size, &new_size, GFP_KERNEL);

Thanks for looking this over!
Stanislav Fomichev Oct. 18, 2022, 8:07 p.m. UTC | #3
On Tue, Oct 18, 2022 at 11:19 AM Kees Cook <keescook@chromium.org> wrote:
>
> On Tue, Oct 18, 2022 at 11:07:38AM -0700, sdf@google.com wrote:
> > On 10/18, Kees Cook wrote:
> > > Round up allocations with kmalloc_size_roundup() so that the verifier's
> > > use of ksize() is always accurate and no special handling of the memory
> > > is needed by KASAN, UBSAN_BOUNDS, nor FORTIFY_SOURCE. Pass the new size
> > > information back up to callers so they can use the space immediately,
> > > so array resizing to happen less frequently as well. Explicitly zero
> > > any trailing bytes in new allocations.
> >
> > > Additionally fix a memory allocation leak: if krealloc() fails, "arr"
> > > wasn't freed, but NULL was return to the caller of realloc_array() would
> > > be writing NULL to the lvalue, losing the reference to the original
> > > memory.
> >
> > > Cc: Alexei Starovoitov <ast@kernel.org>
> > > Cc: Daniel Borkmann <daniel@iogearbox.net>
> > > Cc: John Fastabend <john.fastabend@gmail.com>
> > > Cc: Andrii Nakryiko <andrii@kernel.org>
> > > Cc: Martin KaFai Lau <martin.lau@linux.dev>
> > > Cc: Song Liu <song@kernel.org>
> > > Cc: Yonghong Song <yhs@fb.com>
> > > Cc: KP Singh <kpsingh@kernel.org>
> > > Cc: Stanislav Fomichev <sdf@google.com>
> > > Cc: Hao Luo <haoluo@google.com>
> > > Cc: Jiri Olsa <jolsa@kernel.org>
> > > Cc: bpf@vger.kernel.org
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > ---
> > >   kernel/bpf/verifier.c | 49 +++++++++++++++++++++++++++----------------
> > >   1 file changed, 31 insertions(+), 18 deletions(-)
> >
> > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > > index 014ee0953dbd..8a0b60207d0e 100644
> > > --- a/kernel/bpf/verifier.c
> > > +++ b/kernel/bpf/verifier.c
> > > @@ -1000,42 +1000,53 @@ static void print_insn_state(struct
> > > bpf_verifier_env *env,
> > >    */
> > >   static void *copy_array(void *dst, const void *src, size_t n, size_t
> > > size, gfp_t flags)
> > >   {
> > > -   size_t bytes;
> > > +   size_t src_bytes, dst_bytes;
> >
> > >     if (ZERO_OR_NULL_PTR(src))
> > >             goto out;
> >
> > > -   if (unlikely(check_mul_overflow(n, size, &bytes)))
> > > +   if (unlikely(check_mul_overflow(n, size, &src_bytes)))
> > >             return NULL;
> >
> > > -   if (ksize(dst) < bytes) {
> > > +   dst_bytes = kmalloc_size_roundup(src_bytes);
> > > +   if (ksize(dst) < dst_bytes) {
> >
> > Why not simply do the following here?
> >
> >       if (ksize(dst) < ksize(src)) {
> >
> > ?
>
> Yeah, if src always passes through rounding-up allocation path, that
> might work. I need to double-check that there isn't a case where "size"
> makes this go weird -- e.g. a rounded up "src" may be larger than
> "n * size", but I think that's okay because the memcpy/memset does the
> right thing.
>
> > It seems like we care about src_bytes/bytes only in this case, so maybe
> > move that check_mul_overflow under this branch as well?
> >
> >
> > >             kfree(dst);
> > > -           dst = kmalloc_track_caller(bytes, flags);
> > > +           dst = kmalloc_track_caller(dst_bytes, flags);
> > >             if (!dst)
> > >                     return NULL;
> > >     }
> >
> > > -   memcpy(dst, src, bytes);
> > > +   memcpy(dst, src, src_bytes);
> > > +   memset(dst + src_bytes, 0, dst_bytes - src_bytes);
> > >   out:
> > >     return dst ? dst : ZERO_SIZE_PTR;
> > >   }
> >
> > > -/* resize an array from old_n items to new_n items. the array is
> > > reallocated if it's too
> > > - * small to hold new_n items. new items are zeroed out if the array
> > > grows.
> > > +/* Resize an array from old_n items to *new_n items. The array is
> > > reallocated if it's too
> > > + * small to hold *new_n items. New items are zeroed out if the array
> > > grows. Allocation
> > > + * is rounded up to next kmalloc bucket size to reduce frequency of
> > > resizing. *new_n
> > > + * contains the new total number of items that will fit.
> > >    *
> > > - * Contrary to krealloc_array, does not free arr if new_n is zero.
> > > + * Contrary to krealloc, does not free arr if new_n is zero.
> > >    */
> > > -static void *realloc_array(void *arr, size_t old_n, size_t new_n,
> > > size_t size)
> > > +static void *realloc_array(void *arr, size_t old_n, size_t *new_n,
> > > size_t size)
> > >   {
> > > -   if (!new_n || old_n == new_n)
> > > +   void *old_arr = arr;
> > > +   size_t alloc_size;
> > > +
> > > +   if (!new_n || !*new_n || old_n == *new_n)
> > >             goto out;
> >
> >
> > [..]
> >
> > > -   arr = krealloc_array(arr, new_n, size, GFP_KERNEL);
> > > -   if (!arr)
> > > +   alloc_size = kmalloc_size_roundup(size_mul(*new_n, size));
> > > +   arr = krealloc(old_arr, alloc_size, GFP_KERNEL);
> > > +   if (!arr) {
> > > +           kfree(old_arr);
> > >             return NULL;
> > > +   }
> >
> > Any reason not do hide this complexity behind krealloc_array? Why can't
> > it take care of those roundup details?
>
> It might be possible to do this with a macro, yes, but then callers
> aren't in a position to take advantage of the new size. Maybe we need
> something like:
>
>         arr = krealloc_up(old_arr, alloc_size, &new_size, GFP_KERNEL);

Maybe even krealloc_array_up(arr, &new_n, size, flags) or similar
where we return a new size?
Though I don't know if there are any other places in the kernel to
reuse it and warrant a new function..

> Thanks for looking this over!
>
> --
> Kees Cook

Kees Cook Oct. 28, 2022, 11:19 p.m. UTC | #4
On Tue, Oct 18, 2022 at 01:07:45PM -0700, Stanislav Fomichev wrote:
> On Tue, Oct 18, 2022 at 11:19 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > On Tue, Oct 18, 2022 at 11:07:38AM -0700, sdf@google.com wrote:
> > > On 10/18, Kees Cook wrote:
> > > > Round up allocations with kmalloc_size_roundup() so that the verifier's
> > > > use of ksize() is always accurate and no special handling of the memory
> > > > is needed by KASAN, UBSAN_BOUNDS, nor FORTIFY_SOURCE. Pass the new size
> > > > information back up to callers so they can use the space immediately,
> > > > so array resizing to happen less frequently as well. Explicitly zero
> > > > any trailing bytes in new allocations.
> > >
> > > > Additionally fix a memory allocation leak: if krealloc() fails, "arr"
> > > > wasn't freed, but NULL was return to the caller of realloc_array() would
> > > > be writing NULL to the lvalue, losing the reference to the original
> > > > memory.
> [...]
> > > > -   arr = krealloc_array(arr, new_n, size, GFP_KERNEL);
> > > > -   if (!arr)
> > > > +   alloc_size = kmalloc_size_roundup(size_mul(*new_n, size));
> > > > +   arr = krealloc(old_arr, alloc_size, GFP_KERNEL);
> > > > +   if (!arr) {
> > > > +           kfree(old_arr);
> > > >             return NULL;
> > > > +   }
> > >
> > > Any reason not do hide this complexity behind krealloc_array? Why can't
> > > it take care of those roundup details?
> >
> > It might be possible to do this with a macro, yes, but then callers
> > aren't in a position to take advantage of the new size. Maybe we need
> > something like:
> >
> >         arr = krealloc_up(old_arr, alloc_size, &new_size, GFP_KERNEL);
> 
> Maybe even krealloc_array_up(arr, &new_n, size, flags) or similar
> where we return a new size?
> Though I don't know if there are any other places in the kernel to
> reuse it and warrant a new function..

Yeah, and it explicitly can't be a function, since GCC has broken
attribute handling[1] for inlines. :(

Regardless, I'll respin this with a macro and see how it looks.

-Kees

[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96503
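
For illustration only, a macro-based form might look roughly like this
(hypothetical name and shape; not an existing kernel API):

	/* Hypothetical sketch -- realloc to a full kmalloc bucket and
	 * report the usable size back through @new_size.
	 */
	#define krealloc_up(p, size, new_size, flags) ({		\
		size_t __alloc = kmalloc_size_roundup(size);		\
		void *__p = krealloc(p, __alloc, flags);		\
									\
		if (__p)						\
			*(new_size) = __alloc;				\
		__p;							\
	})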

Patch

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 014ee0953dbd..8a0b60207d0e 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1000,42 +1000,53 @@  static void print_insn_state(struct bpf_verifier_env *env,
  */
 static void *copy_array(void *dst, const void *src, size_t n, size_t size, gfp_t flags)
 {
-	size_t bytes;
+	size_t src_bytes, dst_bytes;
 
 	if (ZERO_OR_NULL_PTR(src))
 		goto out;
 
-	if (unlikely(check_mul_overflow(n, size, &bytes)))
+	if (unlikely(check_mul_overflow(n, size, &src_bytes)))
 		return NULL;
 
-	if (ksize(dst) < bytes) {
+	dst_bytes = kmalloc_size_roundup(src_bytes);
+	if (ksize(dst) < dst_bytes) {
 		kfree(dst);
-		dst = kmalloc_track_caller(bytes, flags);
+		dst = kmalloc_track_caller(dst_bytes, flags);
 		if (!dst)
 			return NULL;
 	}
 
-	memcpy(dst, src, bytes);
+	memcpy(dst, src, src_bytes);
+	memset(dst + src_bytes, 0, dst_bytes - src_bytes);
 out:
 	return dst ? dst : ZERO_SIZE_PTR;
 }
 
-/* resize an array from old_n items to new_n items. the array is reallocated if it's too
- * small to hold new_n items. new items are zeroed out if the array grows.
+/* Resize an array from old_n items to *new_n items. The array is reallocated if it's too
+ * small to hold *new_n items. New items are zeroed out if the array grows. Allocation
+ * is rounded up to next kmalloc bucket size to reduce frequency of resizing. *new_n
+ * contains the new total number of items that will fit.
  *
- * Contrary to krealloc_array, does not free arr if new_n is zero.
+ * Contrary to krealloc, does not free arr if new_n is zero.
  */
-static void *realloc_array(void *arr, size_t old_n, size_t new_n, size_t size)
+static void *realloc_array(void *arr, size_t old_n, size_t *new_n, size_t size)
 {
-	if (!new_n || old_n == new_n)
+	void *old_arr = arr;
+	size_t alloc_size;
+
+	if (!new_n || !*new_n || old_n == *new_n)
 		goto out;
 
-	arr = krealloc_array(arr, new_n, size, GFP_KERNEL);
-	if (!arr)
+	alloc_size = kmalloc_size_roundup(size_mul(*new_n, size));
+	arr = krealloc(old_arr, alloc_size, GFP_KERNEL);
+	if (!arr) {
+		kfree(old_arr);
 		return NULL;
+	}
 
-	if (new_n > old_n)
-		memset(arr + old_n * size, 0, (new_n - old_n) * size);
+	*new_n = alloc_size / size;
+	if (*new_n > old_n)
+		memset(arr + old_n * size, 0, (*new_n - old_n) * size);
 
 out:
 	return arr ? arr : ZERO_SIZE_PTR;
@@ -1067,7 +1078,7 @@  static int copy_stack_state(struct bpf_func_state *dst, const struct bpf_func_st
 
 static int resize_reference_state(struct bpf_func_state *state, size_t n)
 {
-	state->refs = realloc_array(state->refs, state->acquired_refs, n,
+	state->refs = realloc_array(state->refs, state->acquired_refs, &n,
 				    sizeof(struct bpf_reference_state));
 	if (!state->refs)
 		return -ENOMEM;
@@ -1083,11 +1094,11 @@  static int grow_stack_state(struct bpf_func_state *state, int size)
 	if (old_n >= n)
 		return 0;
 
-	state->stack = realloc_array(state->stack, old_n, n, sizeof(struct bpf_stack_state));
+	state->stack = realloc_array(state->stack, old_n, &n, sizeof(struct bpf_stack_state));
 	if (!state->stack)
 		return -ENOMEM;
 
-	state->allocated_stack = size;
+	state->allocated_stack = n * BPF_REG_SIZE;
 	return 0;
 }
 
@@ -2499,9 +2510,11 @@  static int push_jmp_history(struct bpf_verifier_env *env,
 {
 	u32 cnt = cur->jmp_history_cnt;
 	struct bpf_idx_pair *p;
+	size_t size;
 
 	cnt++;
-	p = krealloc(cur->jmp_history, cnt * sizeof(*p), GFP_USER);
+	size = kmalloc_size_roundup(size_mul(cnt, sizeof(*p)));
+	p = krealloc(cur->jmp_history, size, GFP_USER);
 	if (!p)
 		return -ENOMEM;
 	p[cnt - 1].idx = env->insn_idx;