From patchwork Fri Jun 1 00:42:25 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10442259 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 985E6603D7 for ; Fri, 1 Jun 2018 00:45:33 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 94EC828E43 for ; Fri, 1 Jun 2018 00:45:33 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 87D8E28E58; Fri, 1 Jun 2018 00:45:33 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id B605728E43 for ; Fri, 1 Jun 2018 00:45:32 +0000 (UTC) Received: (qmail 28276 invoked by uid 550); 1 Jun 2018 00:44:04 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 28176 invoked from network); 1 Jun 2018 00:44:01 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=7XKqD0uwptRTWTsv7lmAcV/cMTd4waW5o5MaWTUpnRc=; b=k+ROhkPj4yqwXzrpj5XXCx+1cCW3riU2WUCBTey2JW0RKCk13UnwxNldvienBOMZIX 42n9Am2s7LoM/fBRp2UtOymC6coonvsOpI17OvSnv7vPkKdxFbJl+cB7vxck3mRfZa/N jFDvFgq60fOdVgQGuOFqyHDAKuAnL054qoQoc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=7XKqD0uwptRTWTsv7lmAcV/cMTd4waW5o5MaWTUpnRc=; b=f787FMclR6Kz4ln62szxEOCR86acnYuDTDoFoWBwBHR0JfVhj7VlcPSpG0bMuVxwGh J7KnXtnL7R3DFkLdRu5vngXdWiel7k2Tl8mt5DHpsul6XGNEYbjj2a9ExIaodbhlyV/L PqcEAbx2c3NnryzL/Z2HV4PLdeVPWqX8zt6vMHKlFZwYcyfRR8VXDinu6sPC+OPr9pDA EAhsUDlcy5X/gcwS59BzzR3t5/BlM31JMPYfEmkKZ6rS0jI6PTPztNrnwtRlF6GtsOvM xV2haM47qF6yrSbBVxg4IQKd0rs82EvodR9f5Y1A4Q3EDJFXhXbct4trXhwfGgxcVEBn 4Ozw== X-Gm-Message-State: ALKqPwcvx7tzzGbbu2uLMLb26FbG8R3M4hUH6FSLCClzLCHG1vVIPp48 TV8Gsg3p7wh8zCxIr/9E1qNLAw== X-Google-Smtp-Source: ADUXVKISgGjeSJ7yvGy03E9ZNVTwpF/bRLjF6zTIpPg40zADjKtGiQFKPU6MnNexQEErTH/giXgGCA== X-Received: by 2002:a62:ab0e:: with SMTP id p14-v6mr3114266pff.211.1527813829443; Thu, 31 May 2018 17:43:49 -0700 (PDT) From: Kees Cook To: Matthew Wilcox Cc: Kees Cook , Linus Torvalds , Rasmus Villemoes , Matthew Wilcox , LKML , Linux-MM , Kernel Hardening Subject: [PATCH v3 08/16] device: Use overflow helpers for devm_kmalloc() Date: Thu, 31 May 2018 17:42:25 -0700 Message-Id: <20180601004233.37822-9-keescook@chromium.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180601004233.37822-1-keescook@chromium.org> References: <20180601004233.37822-1-keescook@chromium.org> X-Virus-Scanned: ClamAV using ClamSMTP Use the overflow helpers both in existing multiplication-using inlines as well as the addition-overflow case in the core allocation routine. Signed-off-by: Kees Cook --- drivers/base/devres.c | 7 ++++++- include/linux/device.h | 8 ++++++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/base/devres.c b/drivers/base/devres.c index 95b67281cd2a..f98a097e73f2 100644 --- a/drivers/base/devres.c +++ b/drivers/base/devres.c @@ -84,9 +84,14 @@ static struct devres_group * node_to_group(struct devres_node *node) static __always_inline struct devres * alloc_dr(dr_release_t release, size_t size, gfp_t gfp, int nid) { - size_t tot_size = sizeof(struct devres) + size; + size_t tot_size; struct devres *dr; + /* We must catch any near-SIZE_MAX cases that could overflow. */ + if (unlikely(check_add_overflow(sizeof(struct devres), size, + &tot_size))) + return NULL; + dr = kmalloc_node_track_caller(tot_size, gfp, nid); if (unlikely(!dr)) return NULL; diff --git a/include/linux/device.h b/include/linux/device.h index 477956990f5e..897efa647203 100644 --- a/include/linux/device.h +++ b/include/linux/device.h @@ -25,6 +25,7 @@ #include #include #include +#include #include struct device; @@ -668,9 +669,12 @@ static inline void *devm_kzalloc(struct device *dev, size_t size, gfp_t gfp) static inline void *devm_kmalloc_array(struct device *dev, size_t n, size_t size, gfp_t flags) { - if (size != 0 && n > SIZE_MAX / size) + size_t bytes; + + if (unlikely(check_mul_overflow(n, size, &bytes))) return NULL; - return devm_kmalloc(dev, n * size, flags); + + return devm_kmalloc(dev, bytes, flags); } static inline void *devm_kcalloc(struct device *dev, size_t n, size_t size, gfp_t flags)