From patchwork Fri Jun  1 00:42:25 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 10442259
Return-Path: 
 <kernel-hardening-return-13481-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	985E6603D7 for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Fri,  1 Jun 2018 00:45:33 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 94EC828E43
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Fri,  1 Jun 2018 00:45:33 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 87D8E28E58; Fri,  1 Jun 2018 00:45:33 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.3 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1
Received: from mother.openwall.net (mother.openwall.net [195.42.179.200])
	by mail.wl.linuxfoundation.org (Postfix) with SMTP id B605728E43
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Fri,  1 Jun 2018 00:45:32 +0000 (UTC)
Received: (qmail 28276 invoked by uid 550); 1 Jun 2018 00:44:04 -0000
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:kernel-hardening@lists.openwall.com>
List-Help: <mailto:kernel-hardening-help@lists.openwall.com>
List-Unsubscribe: <mailto:kernel-hardening-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:kernel-hardening-subscribe@lists.openwall.com>
List-ID: <kernel-hardening.lists.openwall.com>
Delivered-To: mailing list kernel-hardening@lists.openwall.com
Received: (qmail 28176 invoked from network); 1 Jun 2018 00:44:01 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=chromium.org; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=7XKqD0uwptRTWTsv7lmAcV/cMTd4waW5o5MaWTUpnRc=;
	b=k+ROhkPj4yqwXzrpj5XXCx+1cCW3riU2WUCBTey2JW0RKCk13UnwxNldvienBOMZIX
	42n9Am2s7LoM/fBRp2UtOymC6coonvsOpI17OvSnv7vPkKdxFbJl+cB7vxck3mRfZa/N
	jFDvFgq60fOdVgQGuOFqyHDAKuAnL054qoQoc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=7XKqD0uwptRTWTsv7lmAcV/cMTd4waW5o5MaWTUpnRc=;
	b=f787FMclR6Kz4ln62szxEOCR86acnYuDTDoFoWBwBHR0JfVhj7VlcPSpG0bMuVxwGh
	J7KnXtnL7R3DFkLdRu5vngXdWiel7k2Tl8mt5DHpsul6XGNEYbjj2a9ExIaodbhlyV/L
	PqcEAbx2c3NnryzL/Z2HV4PLdeVPWqX8zt6vMHKlFZwYcyfRR8VXDinu6sPC+OPr9pDA
	EAhsUDlcy5X/gcwS59BzzR3t5/BlM31JMPYfEmkKZ6rS0jI6PTPztNrnwtRlF6GtsOvM
	xV2haM47qF6yrSbBVxg4IQKd0rs82EvodR9f5Y1A4Q3EDJFXhXbct4trXhwfGgxcVEBn
	4Ozw==
X-Gm-Message-State: ALKqPwcvx7tzzGbbu2uLMLb26FbG8R3M4hUH6FSLCClzLCHG1vVIPp48
	TV8Gsg3p7wh8zCxIr/9E1qNLAw==
X-Google-Smtp-Source: 
 ADUXVKISgGjeSJ7yvGy03E9ZNVTwpF/bRLjF6zTIpPg40zADjKtGiQFKPU6MnNexQEErTH/giXgGCA==
X-Received: by 2002:a62:ab0e:: with SMTP id
	p14-v6mr3114266pff.211.1527813829443;
	Thu, 31 May 2018 17:43:49 -0700 (PDT)
From: Kees Cook <keescook@chromium.org>
To: Matthew Wilcox <mawilcox@microsoft.com>
Cc: Kees Cook <keescook@chromium.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	Matthew Wilcox <willy@infradead.org>,
	LKML <linux-kernel@vger.kernel.org>, Linux-MM <linux-mm@kvack.org>,
	Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: [PATCH v3 08/16] device: Use overflow helpers for devm_kmalloc()
Date: Thu, 31 May 2018 17:42:25 -0700
Message-Id: <20180601004233.37822-9-keescook@chromium.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180601004233.37822-1-keescook@chromium.org>
References: <20180601004233.37822-1-keescook@chromium.org>
X-Virus-Scanned: ClamAV using ClamSMTP

Use the overflow helpers both in existing multiplication-using inlines as
well as the addition-overflow case in the core allocation routine.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/base/devres.c  | 7 ++++++-
 include/linux/device.h | 8 ++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/drivers/base/devres.c b/drivers/base/devres.c
index 95b67281cd2a..f98a097e73f2 100644
--- a/drivers/base/devres.c
+++ b/drivers/base/devres.c
@@ -84,9 +84,14 @@ static struct devres_group * node_to_group(struct devres_node *node)
 static __always_inline struct devres * alloc_dr(dr_release_t release,
 						size_t size, gfp_t gfp, int nid)
 {
-	size_t tot_size = sizeof(struct devres) + size;
+	size_t tot_size;
 	struct devres *dr;
 
+	/* We must catch any near-SIZE_MAX cases that could overflow. */
+	if (unlikely(check_add_overflow(sizeof(struct devres), size,
+					&tot_size)))
+		return NULL;
+
 	dr = kmalloc_node_track_caller(tot_size, gfp, nid);
 	if (unlikely(!dr))
 		return NULL;
diff --git a/include/linux/device.h b/include/linux/device.h
index 477956990f5e..897efa647203 100644
--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -25,6 +25,7 @@
 #include <linux/ratelimit.h>
 #include <linux/uidgid.h>
 #include <linux/gfp.h>
+#include <linux/overflow.h>
 #include <asm/device.h>
 
 struct device;
@@ -668,9 +669,12 @@ static inline void *devm_kzalloc(struct device *dev, size_t size, gfp_t gfp)
 static inline void *devm_kmalloc_array(struct device *dev,
 				       size_t n, size_t size, gfp_t flags)
 {
-	if (size != 0 && n > SIZE_MAX / size)
+	size_t bytes;
+
+	if (unlikely(check_mul_overflow(n, size, &bytes)))
 		return NULL;
-	return devm_kmalloc(dev, n * size, flags);
+
+	return devm_kmalloc(dev, bytes, flags);
 }
 static inline void *devm_kcalloc(struct device *dev,
 				 size_t n, size_t size, gfp_t flags)