From: Daniel Axtens <dja@axtens.net>
To: kernel-hardening@lists.openwall.com, linux-mm@kvack.org,
keescook@chromium.org
Cc: linux-kernel@vger.kernel.org, akpm@linux-foundation.org,
Daniel Axtens <dja@axtens.net>
Subject: [PATCH 0/5] Annotate allocation functions with alloc_size attribute
Date: Mon, 20 Jan 2020 18:43:39 +1100 [thread overview]
Message-ID: <20200120074344.504-1-dja@axtens.net> (raw)
Both gcc and clang support the 'alloc_size' function attribute. It tells
the compiler that a function returns a pointer to a certain amount of
memory.
This series tries applying that attribute to a number of our memory
allocation functions. This provides much more information to things that
use __builtin_object_size() (FORTIFY_SOURCE and some copy_to/from_user
stuff), as well as enhancing inlining opportunities where __builtin_mem* or
__builtin_str* are used.
With this series, FORTIFY_SOURCE picks up a bug in altera-stapl, which is
fixed in patch 1.
It also generates a bunch of warnings about times memory allocation
functions can be called with SIZE_MAX as the parameter. For example, from
patch 3:
drivers/staging/rts5208/rtsx_chip.c: In function ‘rtsx_write_cfg_seq’:
drivers/staging/rts5208/rtsx_chip.c:1453:7: warning: argument 1 value ‘18446744073709551615’ exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=]
data = vzalloc(array_size(dw_len, 4));
~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The parameter to array_size is a size_t, but it is called with a signed
integer argument. If the argument is a negative integer, it will become a
very large positive number when cast to size_t. This could cause an
overflow, so array_size() will return SIZE_MAX _at compile time_. gcc then
notices that this value is too large for an allocation and throws a
warning.
I propose two ways to deal with this:
- Individually go through and address these warnings, usualy by
catching when struct_size/array_size etc are called with a signed
type, and insert bounds checks or change the type where
appropriate. Patch 3 is an example.
- Patch 4: make kmalloc(_node) catch SIZE_MAX and return NULL early,
preventing an annotated kmalloc-family allocation function from seeing
SIZE_MAX as a parameter.
I'm not sure whether I like the idea of catching SIZE_MAX in the inlined
functions. Here are some pros and cons, and I'd be really interested to
hear feedback:
* Making kmalloc return NULL early doesn't change _runtime_ behaviour:
obviously no SIZE_MAX allocation will ever succeed. And it means we
could have this feature earlier, which will help to catch issues like
what we catch in altera-stapl.
* However, it does mean we don't audit callsites where perhaps we should
have stricter types or bounds-checking. It also doesn't cover any of the
v*alloc functions.
Overall I think this is a meaningful strengthening of FORTIFY_SOURCE
and worth pursuing.
Daniel Axtens (5):
altera-stapl: altera_get_note: prevent write beyond end of 'key'
[RFC] kasan: kasan_test: hide allocation sizes from the compiler
[RFC] staging: rts5208: make len a u16 in rtsx_write_cfg_seq
[VERY RFC] mm: kmalloc(_node): return NULL immediately for SIZE_MAX
[RFC] mm: annotate memory allocation functions with their sizes
drivers/misc/altera-stapl/altera.c | 12 ++++----
drivers/staging/rts5208/rtsx_chip.c | 2 +-
drivers/staging/rts5208/rtsx_chip.h | 2 +-
include/linux/compiler_attributes.h | 6 ++++
include/linux/kasan.h | 12 ++++----
include/linux/slab.h | 44 +++++++++++++++++---------
include/linux/vmalloc.h | 26 ++++++++--------
lib/test_kasan.c | 48 +++++++++++++++++++++--------
8 files changed, 98 insertions(+), 54 deletions(-)
--
2.20.1
next reply other threads:[~2020-01-20 7:44 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-20 7:43 Daniel Axtens [this message]
2020-01-20 7:43 ` [PATCH 1/5] altera-stapl: altera_get_note: prevent write beyond end of 'key' Daniel Axtens
2020-01-20 7:43 ` [PATCH 2/5] [RFC] kasan: kasan_test: hide allocation sizes from the compiler Daniel Axtens
2020-01-20 7:43 ` [PATCH 3/5] [RFC] staging: rts5208: make len a u16 in rtsx_write_cfg_seq Daniel Axtens
2020-01-20 7:43 ` [PATCH 4/5] [VERY RFC] mm: kmalloc(_node): return NULL immediately for SIZE_MAX Daniel Axtens
2020-01-20 11:14 ` Michal Hocko
2020-01-20 22:51 ` Daniel Axtens
2020-01-20 7:43 ` [PATCH 5/5] [RFC] mm: annotate memory allocation functions with their sizes Daniel Axtens
2020-02-07 20:38 ` Daniel Micay
2020-02-25 18:35 ` Kees Cook
2020-02-26 6:07 ` Daniel Axtens
2020-02-26 21:56 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200120074344.504-1-dja@axtens.net \
--to=dja@axtens.net \
--cc=akpm@linux-foundation.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).