From patchwork Sat Oct 29 02:54:30 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13024463
From: Kees Cook
To: Alexei Starovoitov
Cc: Kees Cook, Daniel Borkmann, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH bpf-next v2 1/3] bpf/verifier: Fix potential memory leak in array reallocation
Date: Fri, 28 Oct 2022 19:54:30 -0700
Message-Id: <20221029025433.2533810-1-keescook@chromium.org>
In-Reply-To: <20221029024444.gonna.633-kees@kernel.org>
References: <20221029024444.gonna.633-kees@kernel.org>
X-Mailing-List: bpf@vger.kernel.org
X-Patchwork-Delegate: bpf@iogearbox.net

If an error (NULL) is returned by krealloc(), callers of realloc_array()
were setting their allocation pointers to NULL, but on error krealloc()
does not touch the original allocation. This would result in a memory
resource leak. Instead, free the old allocation on the error handling
path.

Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: John Fastabend
Cc: Andrii Nakryiko
Cc: Martin KaFai Lau
Cc: Song Liu
Cc: Yonghong Song
Cc: KP Singh
Cc: Stanislav Fomichev
Cc: Hao Luo
Cc: Jiri Olsa
Cc: bpf@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed-by: Bill Wendling
---
 kernel/bpf/verifier.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 014ee0953dbd..eb8c34db74c7 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1027,12 +1027,17 @@ static void *copy_array(void *dst, const void *src, size_t n, size_t size, gfp_t */ static void *realloc_array(void *arr, size_t old_n, size_t new_n, size_t size) { + void *new_arr; + if (!new_n || old_n == new_n) goto out; - arr = krealloc_array(arr, new_n, size, GFP_KERNEL); - if (!arr) + new_arr = krealloc_array(arr, new_n, size, GFP_KERNEL); + if (!new_arr) { + kfree(arr); return NULL; + } + arr = new_arr; if (new_n > old_n) memset(arr + old_n * size, 0, (new_n - old_n) * size);
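Review bot: the failure path now frees the caller's original array, but the function's header comment (the "Contrary to krealloc_array, does not free arr if new_n is zero" block, visible in 3/3's hunk) still describes only the zero-size case; add a sentence there stating that arr is freed and must not be used after a NULL return. The callers shown later in this series overwrite their pointer with the result (`state->refs = realloc_array(...)`) and depend on exactly that ownership rule, so it should be written down where the function is defined rather than left implicit in the commit message.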
From patchwork Sat Oct 29 02:54:31 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13024465
From: Kees Cook
To: Alexei Starovoitov
Cc: Kees Cook, Daniel Borkmann, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH bpf-next v2 2/3] bpf/verifier: Use kmalloc_size_roundup() to match ksize() usage
Date: Fri, 28 Oct 2022 19:54:31 -0700
Message-Id: <20221029025433.2533810-2-keescook@chromium.org>
In-Reply-To: <20221029024444.gonna.633-kees@kernel.org>
References: <20221029024444.gonna.633-kees@kernel.org>
X-Mailing-List: bpf@vger.kernel.org
X-Patchwork-Delegate: bpf@iogearbox.net

Round up allocations with kmalloc_size_roundup() so that the verifier's
use of ksize() is always accurate and no special handling of the memory
is needed by KASAN, UBSAN_BOUNDS, or FORTIFY_SOURCE. Pass the new size
information back up to callers so they can use the space immediately,
so that array resizing happens less frequently as well.

Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: John Fastabend
Cc: Andrii Nakryiko
Cc: Martin KaFai Lau
Cc: Song Liu
Cc: Yonghong Song
Cc: KP Singh
Cc: Stanislav Fomichev
Cc: Hao Luo
Cc: Jiri Olsa
Cc: bpf@vger.kernel.org
Signed-off-by: Kees Cook
---
 kernel/bpf/verifier.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index eb8c34db74c7..1c040d27b8f6 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1008,9 +1008,9 @@ static void *copy_array(void *dst, const void *src, size_t n, size_t size, gfp_t if (unlikely(check_mul_overflow(n, size, &bytes))) return NULL; - if (ksize(dst) < bytes) { + if (ksize(dst) < ksize(src)) { kfree(dst); - dst = kmalloc_track_caller(bytes, flags); + dst = kmalloc_track_caller(kmalloc_size_roundup(bytes), flags); if (!dst) return NULL; }
@@ -1027,12 +1027,14 @@ static void *copy_array(void *dst, const void *src, size_t n, size_t size, gfp_t */ static void *realloc_array(void *arr, size_t old_n, size_t new_n, size_t size) { + size_t alloc_size; void *new_arr; if (!new_n || old_n == new_n) goto out; - new_arr = krealloc_array(arr, new_n, size, GFP_KERNEL); + alloc_size = kmalloc_size_roundup(size_mul(new_n, size)); + new_arr = krealloc(arr, alloc_size, GFP_KERNEL); if (!new_arr) { kfree(arr); return NULL;
@@ -2504,9 +2506,11 @@ static int push_jmp_history(struct bpf_verifier_env *env, { u32 cnt = cur->jmp_history_cnt; struct bpf_idx_pair *p; + size_t alloc_size; cnt++; - p = krealloc(cur->jmp_history, cnt * sizeof(*p), GFP_USER); + alloc_size = kmalloc_size_roundup(size_mul(cnt, sizeof(*p))); + p = krealloc(cur->jmp_history, alloc_size, GFP_USER); if (!p) return -ENOMEM; p[cnt - 1].idx = env->insn_idx;
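Review bot: in the copy_array() hunk (@@ -1008), the comparison changing from `ksize(dst) < bytes` to `ksize(dst) < ksize(src)` is not explained in the commit message. What the copy needs is room for `bytes`, and ksize(src) is at least that (src holds n items), so the new test is strictly more eager and reallocates dst in cases where it already fits, while the replacement is then sized by `kmalloc_size_roundup(bytes)` rather than by ksize(src). If the intent is to keep dst's bucket equal to src's, say so in a comment; otherwise keep comparing against `bytes` and only change the allocation size.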
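Review bot: in the realloc_array() hunk (@@ -1027), replacing krealloc_array() with krealloc() drops the explicit multiplication-overflow check; the code stays safe only because size_mul() saturates to SIZE_MAX on overflow and krealloc() then fails, so a one-line comment at `alloc_size = kmalloc_size_roundup(size_mul(new_n, size));` would save the next reader from re-deriving that. The header comment's "Contrary to krealloc_array" wording also goes stale in this hunk but is only corrected in 3/3; that one-line comment change belongs in this patch.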
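Review bot: in the push_jmp_history() hunk (@@ -2504), the rounded-up alloc_size is computed but never recorded; `cur->jmp_history_cnt` remains the only size kept, so every push still goes through krealloc() and the "use the space immediately" benefit from the commit message does not apply at this site. Either note that the rounding here is purely for ksize() accuracy, or keep the capacity alongside jmp_history_cnt so the call can be skipped while cnt still fits.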
From patchwork Sat Oct 29 02:54:32 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13024464
From: Kees Cook
To: Alexei Starovoitov
Cc: Kees Cook, Daniel Borkmann, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH bpf-next v2 3/3] bpf/verifier: Take advantage of full allocation sizes
Date: Fri, 28 Oct 2022 19:54:32 -0700
Message-Id: <20221029025433.2533810-3-keescook@chromium.org>
In-Reply-To: <20221029024444.gonna.633-kees@kernel.org>
References: <20221029024444.gonna.633-kees@kernel.org>
X-Mailing-List: bpf@vger.kernel.org
X-Patchwork-Delegate: bpf@iogearbox.net

Since the full kmalloc bucket size is being explicitly allocated, pass
back the resulting details to take advantage of the full size so that
reallocation checking will be needed less frequently.

Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: John Fastabend
Cc: Andrii Nakryiko
Cc: Martin KaFai Lau
Cc: Song Liu
Cc: Yonghong Song
Cc: KP Singh
Cc: Stanislav Fomichev
Cc: Hao Luo
Cc: Jiri Olsa
Cc: bpf@vger.kernel.org
Signed-off-by: Kees Cook
---
 kernel/bpf/verifier.c | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 1c040d27b8f6..e58b554e862b 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1020,20 +1020,23 @@ static void *copy_array(void *dst, const void *src, size_t n, size_t size, gfp_t return dst ? dst : ZERO_SIZE_PTR; } -/* resize an array from old_n items to new_n items. the array is reallocated if it's too - * small to hold new_n items. new items are zeroed out if the array grows. +/* Resize an array from old_n items to *new_n items. The array is + * reallocated if it's too small to hold *new_n items. New items are + * zeroed out if the array grows. Allocation is rounded up to next kmalloc + * bucket size to reduce frequency of resizing. *new_n contains the new + * total number of items that will fit. * - * Contrary to krealloc_array, does not free arr if new_n is zero. + * Contrary to krealloc, does not free arr if new_n is zero. */ -static void *realloc_array(void *arr, size_t old_n, size_t new_n, size_t size) +static void *realloc_array(void *arr, size_t old_n, size_t *new_n, size_t size) { size_t alloc_size; void *new_arr; - if (!new_n || old_n == new_n) + if (!new_n || !*new_n || old_n == *new_n) goto out; - alloc_size = kmalloc_size_roundup(size_mul(new_n, size)); + alloc_size = kmalloc_size_roundup(size_mul(*new_n, size)); new_arr = krealloc(arr, alloc_size, GFP_KERNEL); if (!new_arr) { kfree(arr);
@@ -1041,8 +1044,9 @@ static void *realloc_array(void *arr, size_t old_n, size_t new_n, size_t size) } arr = new_arr; - if (new_n > old_n) - memset(arr + old_n * size, 0, (new_n - old_n) * size); + *new_n = alloc_size / size; + if (*new_n > old_n) + memset(arr + old_n * size, 0, (*new_n - old_n) * size); out: return arr ? arr : ZERO_SIZE_PTR; @@ -1074,7 +1078,7 @@ static int copy_stack_state(struct bpf_func_state *dst, const struct bpf_func_st static int resize_reference_state(struct bpf_func_state *state, size_t n) { - state->refs = realloc_array(state->refs, state->acquired_refs, n, + state->refs = realloc_array(state->refs, state->acquired_refs, &n, sizeof(struct bpf_reference_state)); if (!state->refs) return -ENOMEM; @@ -1090,11 +1094,12 @@ static int grow_stack_state(struct bpf_func_state *state, int size) if (old_n >= n) return 0; - state->stack = realloc_array(state->stack, old_n, n, sizeof(struct bpf_stack_state)); + state->stack = realloc_array(state->stack, old_n, &n, + sizeof(struct bpf_stack_state)); if (!state->stack) return -ENOMEM; - state->allocated_stack = size; + state->allocated_stack = n * BPF_REG_SIZE; return 0; }
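Review bot: in the header-comment and signature hunk (@@ -1020), the rewritten comment says what *new_n means on return but not that it is left untouched whenever the early `goto out` is taken (NULL pointer, `*new_n` zero, or `old_n == *new_n`), nor that arr is freed on allocation failure as introduced in 1/3; both are contract details callers now rely on, so state them there. Also, `!new_n` now guards against a NULL pointer while the name still reads as a zero count; `if (!new_n || !*new_n || old_n == *new_n)` deserves a brief comment so the two checks are not mistaken for a duplicate.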
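Review bot: in the resize_reference_state() hunk (@@ -1074), `state->acquired_refs` is passed as old_n, which means it tracks the number of live items rather than a capacity, yet n is now rewritten to the rounded-up capacity on return. Please check the lines after this hunk (not shown) to confirm that n is not then stored into acquired_refs, which would inflate the reference count to the bucket capacity; if it is, keep the requested count in a separate variable and store only that.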
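Review bot: in the grow_stack_state() hunk (@@ -1090), `state->allocated_stack` now records the rounded-up capacity (`n * BPF_REG_SIZE`) rather than the requested `size`; the `if (old_n >= n)` early return above benefits from that, but any other reader of allocated_stack that treats it as the program's actual stack footprint rather than as the array bound will now see the bucket size, and the commit message should say so. The function also now mixes units, taking `size` in bytes but storing a value derived from the slot count n, so a comment at the assignment would help.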