Date: Mon, 20 Jan 2020 18:43:39 +1100 From: Daniel Axtens <dja@...ens.net> To: kernel-hardening@...ts.openwall.com, linux-mm@...ck.org, keescook@...omium.org Cc: linux-kernel@...r.kernel.org, akpm@...ux-foundation.org, Daniel Axtens <dja@...ens.net> Subject: [PATCH 0/5] Annotate allocation functions with alloc_size attribute Both gcc and clang support the 'alloc_size' function attribute. It tells the compiler that a function returns a pointer to a certain amount of memory. This series tries applying that attribute to a number of our memory allocation functions. This provides much more information to things that use __builtin_object_size() (FORTIFY_SOURCE and some copy_to/from_user stuff), as well as enhancing inlining opportunities where __builtin_mem* or __builtin_str* are used. With this series, FORTIFY_SOURCE picks up a bug in altera-stapl, which is fixed in patch 1. It also generates a bunch of warnings about times memory allocation functions can be called with SIZE_MAX as the parameter. For example, from patch 3: drivers/staging/rts5208/rtsx_chip.c: In function ‘rtsx_write_cfg_seq’: drivers/staging/rts5208/rtsx_chip.c:1453:7: warning: argument 1 value ‘18446744073709551615’ exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=] data = vzalloc(array_size(dw_len, 4)); ~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The parameter to array_size is a size_t, but it is called with a signed integer argument. If the argument is a negative integer, it will become a very large positive number when cast to size_t. This could cause an overflow, so array_size() will return SIZE_MAX _at compile time_. gcc then notices that this value is too large for an allocation and throws a warning. I propose two ways to deal with this: - Individually go through and address these warnings, usualy by catching when struct_size/array_size etc are called with a signed type, and insert bounds checks or change the type where appropriate. Patch 3 is an example. - Patch 4: make kmalloc(_node) catch SIZE_MAX and return NULL early, preventing an annotated kmalloc-family allocation function from seeing SIZE_MAX as a parameter. I'm not sure whether I like the idea of catching SIZE_MAX in the inlined functions. Here are some pros and cons, and I'd be really interested to hear feedback: * Making kmalloc return NULL early doesn't change _runtime_ behaviour: obviously no SIZE_MAX allocation will ever succeed. And it means we could have this feature earlier, which will help to catch issues like what we catch in altera-stapl. * However, it does mean we don't audit callsites where perhaps we should have stricter types or bounds-checking. It also doesn't cover any of the v*alloc functions. Overall I think this is a meaningful strengthening of FORTIFY_SOURCE and worth pursuing. Daniel Axtens (5): altera-stapl: altera_get_note: prevent write beyond end of 'key' [RFC] kasan: kasan_test: hide allocation sizes from the compiler [RFC] staging: rts5208: make len a u16 in rtsx_write_cfg_seq [VERY RFC] mm: kmalloc(_node): return NULL immediately for SIZE_MAX [RFC] mm: annotate memory allocation functions with their sizes drivers/misc/altera-stapl/altera.c | 12 ++++---- drivers/staging/rts5208/rtsx_chip.c | 2 +- drivers/staging/rts5208/rtsx_chip.h | 2 +- include/linux/compiler_attributes.h | 6 ++++ include/linux/kasan.h | 12 ++++---- include/linux/slab.h | 44 +++++++++++++++++--------- include/linux/vmalloc.h | 26 ++++++++-------- lib/test_kasan.c | 48 +++++++++++++++++++++-------- 8 files changed, 98 insertions(+), 54 deletions(-) -- 2.20.1
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.