kernel-hardening.lists.openwall.com archive mirror
 help / color / mirror / Atom feed
From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
To: Kees Cook <keescook@chromium.org>,
	Matthew Wilcox <mawilcox@microsoft.com>
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 03/13] overflow.h: Add allocation size calculation helpers
Date: Wed, 9 May 2018 20:27:22 +0200	[thread overview]
Message-ID: <b481bbb2-758f-dcd3-3e1a-8b3137081614@rasmusvillemoes.dk> (raw)
In-Reply-To: <20180509004229.36341-4-keescook@chromium.org>

On 2018-05-09 02:42, Kees Cook wrote:
> In preparation for replacing unchecked overflows for memory allocations,
> this creates helpers for the 3 most common calculations:
> 
> array_size(a, b): 2-dimensional array
> array3_size(a, b, c): 2-dimensional array

yeah... complete confusion...

> +/**
> + * array_size() - Calculate size of 2-dimensional array.
> + *
> + * @a: dimension one
> + * @b: dimension two
> + *
> + * Calculates size of 2-dimensional array: @a * @b.
> + *
> + * Returns: number of bytes needed to represent the array or SIZE_MAX on
> + * overflow.
> + */
> +static inline __must_check size_t array_size(size_t a, size_t b)
> +{
> +	size_t bytes;
> +
> +	if (check_mul_overflow(a, b, &bytes))
> +		return SIZE_MAX;
> +
> +	return bytes;
> +}
> +
> +/**
> + * array3_size() - Calculate size of 3-dimensional array.
> + *

...IDGI. array_size is/will most often be used to calculate the size of
a one-dimensional array, count*elemsize, accessed as foo[i]. Won't a
three-factor product usually be dim1*dim2*elemsize, i.e. 2-dimensional,
accessed (because C is lame) as foo[i*dim2 + j]?

> +/**
> + * struct_size() - Calculate size of structure with trailing array.
> + * @p: Pointer to the structure.
> + * @member: Name of the array member.
> + * @n: Number of elements in the array.
> + *
> + * Calculates size of memory needed for structure @p followed by an
> + * array of @n @member elements.
> + *
> + * Return: number of bytes needed or SIZE_MAX on overflow.
> + */
> +#define struct_size(p, member, n)					\
> +	__ab_c_size(n,							\
> +		    sizeof(*(p)->member) + __must_be_array((p)->member),\
> +		    offsetof(typeof(*(p)), member))
> +
> +

struct s { int a; char b; char c[]; } has sizeof > offsetof(c), so for
small enough n, we end up allocating less than sizeof(struct s). And the
caller might reasonably do memset(s, 0, sizeof(*s)) to initialize all
members before c. In practice our allocators round up to a multiple of
8, so I don't think it's a big problem, but some sanitizer might
complain. But I do think you should make that addend sizeof() instead of
offsetof().

Rasmus

  reply	other threads:[~2018-05-09 18:27 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-09  0:42 [RFC][PATCH 00/13] Provide saturating helpers for allocation Kees Cook
2018-05-09  0:42 ` [PATCH 01/13] compiler.h: enable builtin overflow checkers and add fallback code Kees Cook
2018-05-09  0:42 ` [PATCH 02/13] lib: add runtime test of check_*_overflow functions Kees Cook
2018-05-09  0:42 ` [PATCH 03/13] overflow.h: Add allocation size calculation helpers Kees Cook
2018-05-09 18:27   ` Rasmus Villemoes [this message]
2018-05-09 18:49     ` Kees Cook
2018-05-09  0:42 ` [PATCH 04/13] mm: Use array_size() helpers for kmalloc() Kees Cook
2018-05-09 11:34   ` Matthew Wilcox
2018-05-09 17:58     ` Kees Cook
2018-05-09 18:00     ` Rasmus Villemoes
2018-05-09 18:07       ` Kees Cook
2018-05-09 18:39         ` Rasmus Villemoes
2018-05-09  0:42 ` [PATCH 05/13] mm: Use array_size() helpers for kvmalloc() Kees Cook
2018-05-09  0:42 ` [PATCH 06/13] treewide: Use struct_size() for kmalloc()-family Kees Cook
2018-05-09  0:42 ` [PATCH 07/13] treewide: Use struct_size() for vmalloc()-family Kees Cook
2018-05-09  0:42 ` [PATCH 08/13] treewide: Use struct_size() for devm_kmalloc() and friends Kees Cook
2018-05-09  0:42 ` [PATCH 09/13] treewide: Use array_size() for kmalloc()-family Kees Cook
2018-05-09  0:42 ` [PATCH 10/13] treewide: Use array_size() for kmalloc()-family, leftovers Kees Cook
2018-05-09  0:42 ` [PATCH 11/13] treewide: Use array_size() for vmalloc() Kees Cook
2018-05-09  0:42 ` [PATCH 12/13] treewide: Use array_size() for devm_*alloc()-like Kees Cook
2018-05-09  0:42 ` [PATCH 13/13] treewide: Use array_size() for devm_*alloc()-like, leftovers Kees Cook
2018-05-09 16:08 ` [RFC][PATCH 00/13] Provide saturating helpers for allocation Laura Abbott
2018-05-09 17:01   ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b481bbb2-758f-dcd3-3e1a-8b3137081614@rasmusvillemoes.dk \
    --to=linux@rasmusvillemoes.dk \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=mawilcox@microsoft.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).