From patchwork Fri Jun 1 00:42:21 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10442245 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id C937D603D7 for ; Fri, 1 Jun 2018 00:45:00 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C7C6428E43 for ; Fri, 1 Jun 2018 00:45:00 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BC72428E58; Fri, 1 Jun 2018 00:45:00 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id D785C28E43 for ; Fri, 1 Jun 2018 00:44:59 +0000 (UTC) Received: (qmail 28145 invoked by uid 550); 1 Jun 2018 00:43:59 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 27860 invoked from network); 1 Jun 2018 00:43:55 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=NrIBfyyqyx8jb8dbKBswbeGqrEMLMvOWV2ml3aS6UOY=; b=EXk+RP02joUquARcmSVcxcz4nKFrbdlzGalSKg6hr5iZk/ZU/Q7uJ9z27PBYhgt5t6 ZIpLmd1Y5rsCW9ow02Uzsatv8F8+RbQYLlesVlcQLldRzBcXCussCqEC95exlPTSI0kR mSOsvWzoZr7aguf2+Gpru7gEjm0HHG07LT/34= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=NrIBfyyqyx8jb8dbKBswbeGqrEMLMvOWV2ml3aS6UOY=; b=QcAYtQag4JhVLB3C5EzVV9w93fDwKXoR2DTfYypkfGA7q65LNGZFWEKoETfIEam0U3 rVOMpl++iwv5gCKH8aeTIzw9jTb0Y3e4Vw/EcbZJo0owlaCFhZ7uQKlvWgRNZvWaNHd4 x//Q2tEQB7/5NhuJY+4a7QimRwst+bbMXUdy0kop+Jn8QGk98BfLVHwQBfXyISCUUBJm DWofcWLLiyvwy3YHVu4m9vzmdd0qtkpCHsNrAmgmPN0ifliTBk/kzUqAjvomep+LvkZW unzzfv5XggE9E1Afs9poTVbdYbL4/qZOmGUY9eQqRXq7hj5MNeOs+kTF29fDOWp54sOV 1HGA== X-Gm-Message-State: ALKqPwcZ7NuLg8xo/gy6WbatwDtmGazJh4UxmrIdAKzufE+vOKpYkKQQ yw5AJvyL20UQtbBVWf1N9OAQfA== X-Google-Smtp-Source: ADUXVKLMrKRSE4/s7HVmnLXp3WMkLCLxX5QpUKWNicT1OIr8m5ZGikdbvvNY5/9nN5TR6fKkXLZNtg== X-Received: by 2002:a62:d712:: with SMTP id b18-v6mr8811422pfh.70.1527813824083; Thu, 31 May 2018 17:43:44 -0700 (PDT) From: Kees Cook To: Matthew Wilcox Cc: Kees Cook , Linus Torvalds , Rasmus Villemoes , Matthew Wilcox , LKML , Linux-MM , Kernel Hardening Subject: [PATCH v3 04/16] overflow.h: Add allocation size calculation helpers Date: Thu, 31 May 2018 17:42:21 -0700 Message-Id: <20180601004233.37822-5-keescook@chromium.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180601004233.37822-1-keescook@chromium.org> References: <20180601004233.37822-1-keescook@chromium.org> X-Virus-Scanned: ClamAV using ClamSMTP In preparation for replacing unchecked overflows for memory allocations, this creates helpers for the 3 most common calculations: array_size(a, b): 2-dimensional array array3_size(a, b, c): 3-dimensional array struct_size(ptr, member, n): struct followed by n-many trailing members Each of these return SIZE_MAX on overflow instead of wrapping around. (Additionally renames a variable named "array_size" to avoid future collision.) Co-developed-by: Matthew Wilcox Signed-off-by: Kees Cook --- drivers/md/dm-table.c | 10 +++--- include/linux/overflow.h | 73 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 78 insertions(+), 5 deletions(-) diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 0589a4da12bb..caa51dd351b6 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -548,14 +548,14 @@ static int adjoin(struct dm_table *table, struct dm_target *ti) * On the other hand, dm-switch needs to process bulk data using messages and * excessive use of GFP_NOIO could cause trouble. */ -static char **realloc_argv(unsigned *array_size, char **old_argv) +static char **realloc_argv(unsigned *size, char **old_argv) { char **argv; unsigned new_size; gfp_t gfp; - if (*array_size) { - new_size = *array_size * 2; + if (*size) { + new_size = *size * 2; gfp = GFP_KERNEL; } else { new_size = 8; @@ -563,8 +563,8 @@ static char **realloc_argv(unsigned *array_size, char **old_argv) } argv = kmalloc(new_size * sizeof(*argv), gfp); if (argv) { - memcpy(argv, old_argv, *array_size * sizeof(*argv)); - *array_size = new_size; + memcpy(argv, old_argv, *size * sizeof(*argv)); + *size = new_size; } kfree(old_argv); diff --git a/include/linux/overflow.h b/include/linux/overflow.h index c8890ec358a7..8712ff70995f 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -202,4 +202,77 @@ #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ +/** + * array_size() - Calculate size of 2-dimensional array. + * + * @a: dimension one + * @b: dimension two + * + * Calculates size of 2-dimensional array: @a * @b. + * + * Returns: number of bytes needed to represent the array or SIZE_MAX on + * overflow. + */ +static inline __must_check size_t array_size(size_t a, size_t b) +{ + size_t bytes; + + if (check_mul_overflow(a, b, &bytes)) + return SIZE_MAX; + + return bytes; +} + +/** + * array3_size() - Calculate size of 3-dimensional array. + * + * @a: dimension one + * @b: dimension two + * @c: dimension three + * + * Calculates size of 3-dimensional array: @a * @b * @c. + * + * Returns: number of bytes needed to represent the array or SIZE_MAX on + * overflow. + */ +static inline __must_check size_t array3_size(size_t a, size_t b, size_t c) +{ + size_t bytes; + + if (check_mul_overflow(a, b, &bytes)) + return SIZE_MAX; + if (check_mul_overflow(bytes, c, &bytes)) + return SIZE_MAX; + + return bytes; +} + +static inline __must_check size_t __ab_c_size(size_t n, size_t size, size_t c) +{ + size_t bytes; + + if (check_mul_overflow(n, size, &bytes)) + return SIZE_MAX; + if (check_add_overflow(bytes, c, &bytes)) + return SIZE_MAX; + + return bytes; +} + +/** + * struct_size() - Calculate size of structure with trailing array. + * @p: Pointer to the structure. + * @member: Name of the array member. + * @n: Number of elements in the array. + * + * Calculates size of memory needed for structure @p followed by an + * array of @n @member elements. + * + * Return: number of bytes needed or SIZE_MAX on overflow. + */ +#define struct_size(p, member, n) \ + __ab_c_size(n, \ + sizeof(*(p)->member) + __must_be_array((p)->member),\ + sizeof(*(p))) + #endif /* __LINUX_OVERFLOW_H */