From patchwork Mon Jul 8 19:18:36 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13726979
From: Kees Cook
To: Vlastimil Babka
Cc: Kees Cook, Christoph Lameter, Pekka Enberg, David Rientjes,
 Joonsoo Kim, Andrew Morton, Roman Gushchin,
 Hyeonggon Yoo <42.hyeyoo@gmail.com>, linux-mm@kvack.org, Jann Horn,
 Tony Luck, Nick Desaulniers, Miguel Ojeda, Marco Elver,
 Nathan Chancellor, Hao Luo, Przemek Kitszel, "Guilherme G. Piccoli",
 Mark Rutland, Jakub Kicinski, Petr Pavlu, Alexander Lobakin,
 Tony Ambardar, linux-kernel@vger.kernel.org,
 linux-hardening@vger.kernel.org
Subject: [RFC][PATCH 2/4] slab: Detect negative size values and saturate
Date: Mon, 8 Jul 2024 12:18:36 -0700
Message-Id: <20240708191840.335463-2-kees@kernel.org>
In-Reply-To: <20240708190924.work.846-kees@kernel.org>
References: <20240708190924.work.846-kees@kernel.org>

The allocator will already reject giant sizes seen from negative size
arguments, so this commit mainly serves as an example for initial
type-based filtering.

The size argument is checked for negative values in signed arguments,
saturating any if found instead of passing them on.

For example, now the size is checked:

Before:
    /* %rdi unchecked */
    1eb:  be c0 0c 00 00          mov    $0xcc0,%esi
    1f0:  e8 00 00 00 00          call   1f5
          1f1: R_X86_64_PLT32     __kmalloc_noprof-0x4

After:
    6d0:  48 63 c7                movslq %edi,%rax
    6d3:  85 ff                   test   %edi,%edi
    6d5:  be c0 0c 00 00          mov    $0xcc0,%esi
    6da:  48 c7 c2 ff ff ff ff    mov    $0xffffffffffffffff,%rdx
    6e1:  48 0f 49 d0             cmovns %rax,%rdx
    6e5:  48 89 d7                mov    %rdx,%rdi
    6e8:  e8 00 00 00 00          call   6ed
          6e9: R_X86_64_PLT32     __kmalloc_noprof-0x4

Signed-off-by: Kees Cook
---
Cc: Christoph Lameter
Cc: Pekka Enberg
Cc: David Rientjes
Cc: Joonsoo Kim
Cc: Andrew Morton
Cc: Vlastimil Babka
Cc: Roman Gushchin
Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: linux-mm@kvack.org
--- include/linux/slab.h | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/include/linux/slab.h b/include/linux/slab.h index d99afce36098..7353756cbec6 100644 --- a/include/linux/slab.h +++ b/include/linux/slab.h
@@ -684,7 +684,24 @@ static __always_inline __alloc_size(1) void *kmalloc_noprof(size_t size, gfp_t f } return __kmalloc_noprof(size, flags); } -#define kmalloc(...) alloc_hooks(kmalloc_noprof(__VA_ARGS__)) +#define kmalloc_sized(...) alloc_hooks(kmalloc_noprof(__VA_ARGS__)) + +#define __size_force_positive(x) \ + ({ \ + typeof(__force_integral_expr(x)) __forced_val = \ + __force_integral_expr(x); \ + __forced_val < 0 ? SIZE_MAX : __forced_val; \ + }) + +#define kmalloc(p, gfp) _Generic((p), \ + unsigned char: kmalloc_sized(__force_integral_expr(p), gfp), \ + unsigned short: kmalloc_sized(__force_integral_expr(p), gfp), \ + unsigned int: kmalloc_sized(__force_integral_expr(p), gfp), \ + unsigned long: kmalloc_sized(__force_integral_expr(p), gfp), \ + signed char: kmalloc_sized(__size_force_positive(p), gfp), \ + signed short: kmalloc_sized(__size_force_positive(p), gfp), \ + signed int: kmalloc_sized(__size_force_positive(p), gfp), \ + signed long: kmalloc_sized(__size_force_positive(p), gfp)) #define kmem_buckets_alloc(_b, _size, _flags) \ alloc_hooks(__kmalloc_node_noprof(PASS_BUCKET_PARAMS(_size, _b), _flags, NUMA_NO_NODE))
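
Review bot: In the new `kmalloc(p, gfp)` macro the `_Generic` list has no `default:` association and names only the char, short, int and long variants, so a size expression of type `long long`, `unsigned long long`, plain `char` or `_Bool` no longer compiles, where the old variadic `kmalloc(...)` converted it to `size_t` implicitly. Either add the missing associations (an `unsigned long long:` entry using `__force_integral_expr(p)` and a `signed long long:` entry using `__size_force_positive(p)`), or state in the commit message that the build break is intended and how such callers should be converted. Separately, `__size_force_positive()` passes zero through unchanged, so it enforces non-negative rather than positive; a short comment above it saying that negative values saturate to `SIZE_MAX`, and that the allocator is relied on to reject that size, would record the contract the commit message describes.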