diff mbox series

sctp: prefer struct_size over open coded arithmetic

Message ID PAXPR02MB724871DB78375AB06B5171C88B152@PAXPR02MB7248.eurprd02.prod.outlook.com (mailing list archive)
State Accepted
Commit e5c5f3596de224422561d48eba6ece5210d967b3
Delegated to: Netdev Maintainers
Headers show
Series sctp: prefer struct_size over open coded arithmetic | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 927 this patch: 927
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang success Errors and warnings before: 937 this patch: 937
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 938 this patch: 938
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 21 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-04-29--15-00 (tests: 994)

Commit Message

Erick Archer April 27, 2024, 5:23 p.m. UTC
This is an effort to get rid of all multiplications from allocation
functions in order to prevent integer overflows [1][2].

As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this
structure ends in a flexible array:

struct sctp_assoc_ids {
	[...]
	sctp_assoc_t	gaids_assoc_id[];
};

the preferred way in the kernel is to use the struct_size() helper to
do the arithmetic instead of the calculation "size + size * count" in
the kmalloc() function.

Also, refactor the code adding the "ids_size" variable to avoid sizing
twice.

This way, the code is more readable and safer.

This code was detected with the help of Coccinelle, and audited and
modified manually.

Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
Link: https://github.com/KSPP/linux/issues/160 [2]
Signed-off-by: Erick Archer <erick.archer@outlook.com>
---
Hi,

The Coccinelle script used to detect this code pattern is the following:

virtual report

@rule1@
type t1;
type t2;
identifier i0;
identifier i1;
identifier i2;
identifier ALLOC =~ "kmalloc|kzalloc|kmalloc_node|kzalloc_node|vmalloc|vzalloc|kvmalloc|kvzalloc";
position p1;
@@

i0 = sizeof(t1) + sizeof(t2) * i1;
...
i2 = ALLOC@p1(..., i0, ...);

@script:python depends on report@
p1 << rule1.p1;
@@

msg = "WARNING: verify allocation on line %s" % (p1[0].line)
coccilib.report.print_report(p1[0],msg)

Regards,
Erick
---
 net/sctp/socket.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Xin Long April 28, 2024, 11:33 p.m. UTC | #1
On Sat, Apr 27, 2024 at 1:23 PM Erick Archer <erick.archer@outlook.com> wrote:
>
> This is an effort to get rid of all multiplications from allocation
> functions in order to prevent integer overflows [1][2].
>
> As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this
> structure ends in a flexible array:
>
> struct sctp_assoc_ids {
>         [...]
>         sctp_assoc_t    gaids_assoc_id[];
> };
>
> the preferred way in the kernel is to use the struct_size() helper to
> do the arithmetic instead of the calculation "size + size * count" in
> the kmalloc() function.
>
> Also, refactor the code adding the "ids_size" variable to avoid sizing
> twice.
>
> This way, the code is more readable and safer.
>
> This code was detected with the help of Coccinelle, and audited and
> modified manually.
>
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
> Link: https://github.com/KSPP/linux/issues/160 [2]
> Signed-off-by: Erick Archer <erick.archer@outlook.com>
> ---
> Hi,
>
> The Coccinelle script used to detect this code pattern is the following:
>
> virtual report
>
> @rule1@
> type t1;
> type t2;
> identifier i0;
> identifier i1;
> identifier i2;
> identifier ALLOC =~ "kmalloc|kzalloc|kmalloc_node|kzalloc_node|vmalloc|vzalloc|kvmalloc|kvzalloc";
> position p1;
> @@
>
> i0 = sizeof(t1) + sizeof(t2) * i1;
> ...
> i2 = ALLOC@p1(..., i0, ...);
>
> @script:python depends on report@
> p1 << rule1.p1;
> @@
>
> msg = "WARNING: verify allocation on line %s" % (p1[0].line)
> coccilib.report.print_report(p1[0],msg)
>
> Regards,
> Erick
> ---
>  net/sctp/socket.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index e416b6d3d270..64196b1dce1d 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -7119,6 +7119,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
>         struct sctp_sock *sp = sctp_sk(sk);
>         struct sctp_association *asoc;
>         struct sctp_assoc_ids *ids;
> +       size_t ids_size;
>         u32 num = 0;
>
>         if (sctp_style(sk, TCP))
> @@ -7131,11 +7132,11 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
>                 num++;
>         }
>
> -       if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num)
> +       ids_size = struct_size(ids, gaids_assoc_id, num);
> +       if (len < ids_size)
>                 return -EINVAL;
>
> -       len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num;
> -
> +       len = ids_size;
>         ids = kmalloc(len, GFP_USER | __GFP_NOWARN);
>         if (unlikely(!ids))
>                 return -ENOMEM;
> --
> 2.25.1
>
Acked-by: Xin Long <lucien.xin@gmail.com>
Kees Cook April 29, 2024, 5:45 p.m. UTC | #2
On Sat, Apr 27, 2024 at 07:23:36PM +0200, Erick Archer wrote:
> This is an effort to get rid of all multiplications from allocation
> functions in order to prevent integer overflows [1][2].
> 
> As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this
> structure ends in a flexible array:
> 
> struct sctp_assoc_ids {
        __u32           gaids_number_of_ids;
> 	sctp_assoc_t	gaids_assoc_id[];
> };

This could gain __counted_by:

diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
index b7d91d4cf0db..836173e73401 100644
--- a/include/uapi/linux/sctp.h
+++ b/include/uapi/linux/sctp.h
@@ -1007,7 +1007,7 @@ enum sctp_sstat_state {
  */
 struct sctp_assoc_ids {
 	__u32		gaids_number_of_ids;
-	sctp_assoc_t	gaids_assoc_id[];
+	sctp_assoc_t	gaids_assoc_id[] __counted_by(gaids_number_of_ids);
 };
 
 /*

> 
> the preferred way in the kernel is to use the struct_size() helper to
> do the arithmetic instead of the calculation "size + size * count" in
> the kmalloc() function.
> 
> Also, refactor the code adding the "ids_size" variable to avoid sizing
> twice.
> 
> This way, the code is more readable and safer.
> 
> This code was detected with the help of Coccinelle, and audited and
> modified manually.
> 
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
> Link: https://github.com/KSPP/linux/issues/160 [2]
> Signed-off-by: Erick Archer <erick.archer@outlook.com>
> ---
> Hi,
> 
> The Coccinelle script used to detect this code pattern is the following:
> 
> virtual report
> 
> @rule1@
> type t1;
> type t2;
> identifier i0;
> identifier i1;
> identifier i2;
> identifier ALLOC =~ "kmalloc|kzalloc|kmalloc_node|kzalloc_node|vmalloc|vzalloc|kvmalloc|kvzalloc";
> position p1;
> @@
> 
> i0 = sizeof(t1) + sizeof(t2) * i1;
> ...
> i2 = ALLOC@p1(..., i0, ...);
> 
> @script:python depends on report@
> p1 << rule1.p1;
> @@
> 
> msg = "WARNING: verify allocation on line %s" % (p1[0].line)
> coccilib.report.print_report(p1[0],msg)
> 
> Regards,
> Erick
> ---
>  net/sctp/socket.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index e416b6d3d270..64196b1dce1d 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -7119,6 +7119,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
>  	struct sctp_sock *sp = sctp_sk(sk);
>  	struct sctp_association *asoc;
>  	struct sctp_assoc_ids *ids;
> +	size_t ids_size;
>  	u32 num = 0;
>  
>  	if (sctp_style(sk, TCP))
> @@ -7131,11 +7132,11 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
>  		num++;
>  	}
>  
> -	if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num)
> +	ids_size = struct_size(ids, gaids_assoc_id, num);
> +	if (len < ids_size)
>  		return -EINVAL;
>  
> -	len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num;
> -
> +	len = ids_size;
>  	ids = kmalloc(len, GFP_USER | __GFP_NOWARN);
>  	if (unlikely(!ids))
>  		return -ENOMEM;

But yes, this looks fine to me.

Reviewed-by: Kees Cook <keescook@chromium.org>
patchwork-bot+netdevbpf@kernel.org April 30, 2024, 10 a.m. UTC | #3
Hello:

This patch was applied to netdev/net-next.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Sat, 27 Apr 2024 19:23:36 +0200 you wrote:
> This is an effort to get rid of all multiplications from allocation
> functions in order to prevent integer overflows [1][2].
> 
> As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this
> structure ends in a flexible array:
> 
> struct sctp_assoc_ids {
> 	[...]
> 	sctp_assoc_t	gaids_assoc_id[];
> };
> 
> [...]

Here is the summary with links:
  - sctp: prefer struct_size over open coded arithmetic
    https://git.kernel.org/netdev/net-next/c/e5c5f3596de2

You are awesome, thank you!
Erick Archer May 1, 2024, 4:37 p.m. UTC | #4
Hi Kees and Xin,

On Mon, Apr 29, 2024 at 10:45:20AM -0700, Kees Cook wrote:
> On Sat, Apr 27, 2024 at 07:23:36PM +0200, Erick Archer wrote:
> > This is an effort to get rid of all multiplications from allocation
> > functions in order to prevent integer overflows [1][2].
> > 
> > As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this
> > structure ends in a flexible array:
> > 
> > struct sctp_assoc_ids {
>         __u32           gaids_number_of_ids;
> > 	sctp_assoc_t	gaids_assoc_id[];
> > };
> 
> This could gain __counted_by:
> 
> diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
> index b7d91d4cf0db..836173e73401 100644
> --- a/include/uapi/linux/sctp.h
> +++ b/include/uapi/linux/sctp.h
> @@ -1007,7 +1007,7 @@ enum sctp_sstat_state {
>   */
>  struct sctp_assoc_ids {
>  	__u32		gaids_number_of_ids;
> -	sctp_assoc_t	gaids_assoc_id[];
> +	sctp_assoc_t	gaids_assoc_id[] __counted_by(gaids_number_of_ids);
>  };
>  

Since this patch has been applied to the linux-next tree, I will send an
incremental one.

Thanks Kees and Xin for the review.

Regards,
Erick
diff mbox series

Patch

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index e416b6d3d270..64196b1dce1d 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -7119,6 +7119,7 @@  static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
 	struct sctp_sock *sp = sctp_sk(sk);
 	struct sctp_association *asoc;
 	struct sctp_assoc_ids *ids;
+	size_t ids_size;
 	u32 num = 0;
 
 	if (sctp_style(sk, TCP))
@@ -7131,11 +7132,11 @@  static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
 		num++;
 	}
 
-	if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num)
+	ids_size = struct_size(ids, gaids_assoc_id, num);
+	if (len < ids_size)
 		return -EINVAL;
 
-	len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num;
-
+	len = ids_size;
 	ids = kmalloc(len, GFP_USER | __GFP_NOWARN);
 	if (unlikely(!ids))
 		return -ENOMEM;