From patchwork Wed May 9 00:42:19 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10387835 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id A38486055D for ; Wed, 9 May 2018 00:45:38 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7A9CA2871B for ; Wed, 9 May 2018 00:45:38 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4846F288D3; Wed, 9 May 2018 00:44:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 0944A29504 for ; Wed, 9 May 2018 00:44:12 +0000 (UTC) Received: (qmail 21603 invoked by uid 550); 9 May 2018 00:43:05 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 20207 invoked from network); 9 May 2018 00:42:54 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Fs1R8fhxLn9VHmjwm71Kxnx780Zzasp1aS4oCzaot1Y=; b=D4UzdA4ux03aIQ9tn/956h2Td2D1E7Xn+m6Y1UraRr6oHPiXGolxhbSrV42eInZWto Czli4PIZjh3J0d6oqjy6TnMMB0cLGUSHH4B1EHmsDhrmxMp+T0TWRQDaZaToNFnWf23C AgDjIgFlEhxKAFgHpCZalY6UpmQfpDnsOOvDk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=Fs1R8fhxLn9VHmjwm71Kxnx780Zzasp1aS4oCzaot1Y=; b=Q08RZj5tz4ypHDQ1BAbKnH/PQ7Ym9DGcTW1NXNNwjtGlVeCrisVWKqAQwx7Bb9EGeS NSQ1eZgPypDEPnOXduE8cmBbf8nGtX1wDmx4oHA1mmK8zSp5zf5H0QJbbXeMP3U112bS YGigvUdavDOdySVCJftzjkms5FwH1MKRij1e0OQf84ybjcOMrW2Ub2zbpAZ+/MGuV9dk WB/BBkDwvJ6/5682jP8U4Q07exZWVnep/lcM0GGscvkNp/cTb8pglQNCajoUZ91kgCIK 0IfSMFS2u+sK56UjF/eyoiead74T/qYTLvhiNYnxDfSsl5zfYcq7FNZ0qcdfdXmJVtWT 3fRQ== X-Gm-Message-State: ALQs6tDL7jvcq7S0hQT47ZBFX6c0jZq97ngSZse634yXPuX3SPQqwLP5 qBo+98/cMJtwlrRIvr6lRL8cVw== X-Google-Smtp-Source: AB8JxZr05m9z1shJLA71eajJK3IXVEQ0zU6qwEBEAXzAxleu0yc4lXQ7ndqfxlGQM615//0THGp2gg== X-Received: by 10.98.226.17 with SMTP id a17mr40985038pfi.126.1525826562806; Tue, 08 May 2018 17:42:42 -0700 (PDT) From: Kees Cook To: Matthew Wilcox Cc: Kees Cook , Rasmus Villemoes , linux-kernel@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com Subject: [PATCH 03/13] overflow.h: Add allocation size calculation helpers Date: Tue, 8 May 2018 17:42:19 -0700 Message-Id: <20180509004229.36341-4-keescook@chromium.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180509004229.36341-1-keescook@chromium.org> References: <20180509004229.36341-1-keescook@chromium.org> X-Virus-Scanned: ClamAV using ClamSMTP In preparation for replacing unchecked overflows for memory allocations, this creates helpers for the 3 most common calculations: array_size(a, b): 2-dimensional array array3_size(a, b, c): 2-dimensional array struct_size(ptr, member, n): struct followed by n-many trailing members Each of these return SIZE_MAX on overflow instead of wrapping around. (Additionally renames a variable named "array_size" to avoid future collision.) Co-developed-by: Matthew Wilcox Signed-off-by: Kees Cook --- drivers/md/dm-table.c | 10 +++--- include/linux/overflow.h | 74 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 79 insertions(+), 5 deletions(-) diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 0589a4da12bb..caa51dd351b6 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -548,14 +548,14 @@ static int adjoin(struct dm_table *table, struct dm_target *ti) * On the other hand, dm-switch needs to process bulk data using messages and * excessive use of GFP_NOIO could cause trouble. */ -static char **realloc_argv(unsigned *array_size, char **old_argv) +static char **realloc_argv(unsigned *size, char **old_argv) { char **argv; unsigned new_size; gfp_t gfp; - if (*array_size) { - new_size = *array_size * 2; + if (*size) { + new_size = *size * 2; gfp = GFP_KERNEL; } else { new_size = 8; @@ -563,8 +563,8 @@ static char **realloc_argv(unsigned *array_size, char **old_argv) } argv = kmalloc(new_size * sizeof(*argv), gfp); if (argv) { - memcpy(argv, old_argv, *array_size * sizeof(*argv)); - *array_size = new_size; + memcpy(argv, old_argv, *size * sizeof(*argv)); + *size = new_size; } kfree(old_argv); diff --git a/include/linux/overflow.h b/include/linux/overflow.h index c8890ec358a7..76ff298e97b7 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -202,4 +202,78 @@ #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ +/** + * array_size() - Calculate size of 2-dimensional array. + * + * @a: dimension one + * @b: dimension two + * + * Calculates size of 2-dimensional array: @a * @b. + * + * Returns: number of bytes needed to represent the array or SIZE_MAX on + * overflow. + */ +static inline __must_check size_t array_size(size_t a, size_t b) +{ + size_t bytes; + + if (check_mul_overflow(a, b, &bytes)) + return SIZE_MAX; + + return bytes; +} + +/** + * array3_size() - Calculate size of 3-dimensional array. + * + * @a: dimension one + * @b: dimension two + * @c: dimension three + * + * Calculates size of 3-dimensional array: @a * @b * @c. + * + * Returns: number of bytes needed to represent the array or SIZE_MAX on + * overflow. + */ +static inline __must_check size_t array3_size(size_t a, size_t b, size_t c) +{ + size_t bytes; + + if (check_mul_overflow(a, b, &bytes)) + return SIZE_MAX; + if (check_mul_overflow(bytes, c, &bytes)) + return SIZE_MAX; + + return bytes; +} + +static inline __must_check size_t __ab_c_size(size_t n, size_t size, size_t c) +{ + size_t bytes; + + if (check_mul_overflow(n, size, &bytes)) + return SIZE_MAX; + if (check_add_overflow(bytes, c, &bytes)) + return SIZE_MAX; + + return bytes; +} + +/** + * struct_size() - Calculate size of structure with trailing array. + * @p: Pointer to the structure. + * @member: Name of the array member. + * @n: Number of elements in the array. + * + * Calculates size of memory needed for structure @p followed by an + * array of @n @member elements. + * + * Return: number of bytes needed or SIZE_MAX on overflow. + */ +#define struct_size(p, member, n) \ + __ab_c_size(n, \ + sizeof(*(p)->member) + __must_be_array((p)->member),\ + offsetof(typeof(*(p)), member)) + + #endif /* __LINUX_OVERFLOW_H */