From: Kees Cook
To: Christian König
Cc: Vlastimil Babka, Pekka Enberg, Feng Tang, David Rientjes, Joonsoo Kim, Andrew Morton, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Greg Kroah-Hartman, Nick Desaulniers, Alex Elder, Josef Bacik, David Sterba, Sumit Semwal, Jesse Brandeburg, Daniel Micay, Yonghong Song, Marco Elver, Miguel Ojeda, linux-kernel@vger.kernel.org, linux-mm@kvack.org, netdev@vger.kernel.org, linux-btrfs@vger.kernel.org, linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, linux-fsdevel@vger.kernel.org, intel-wired-lan@lists.osuosl.org, dev@openvswitch.org, x86@kernel.org, linux-wireless@vger.kernel.org, llvm@lists.linux.dev, linux-hardening@vger.kernel.org
Subject: Re: [PATCH 00/12] slab: Introduce kmalloc_size_roundup()
Date: Thu, 22 Sep 2022 08:55:19 -0700
Message-ID: <202209220845.2F7A050@keescook>
In-Reply-To: <673e425d-1692-ef47-052b-0ff2de0d9c1d@amd.com>
References: <20220922031013.2150682-1-keescook@chromium.org> <673e425d-1692-ef47-052b-0ff2de0d9c1d@amd.com>
On Thu, Sep 22, 2022 at 09:10:56AM +0200, Christian König wrote:
> On 22.09.22 at 05:10, Kees Cook wrote:
> > Hi,
> >
> > This series fixes up the cases where callers of ksize() use it to
> > opportunistically grow their buffer sizes, which can run afoul of the
> > __alloc_size hinting that CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE
> > use to perform dynamic buffer bounds checking.
>
> Good cleanup, but one question: What other use cases do we have for
> ksize() except the opportunistic growth of buffers?

The remaining cases all seem to be using it as a "do we need to resize
yet?" check, where they don't actually track the allocation size
themselves and want to just depend on the slab cache to answer it.

This is most clearly seen in the igp code:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/ethernet/intel/igb/igb_main.c?h=v6.0-rc6#n1204

My "solution" there kind of side-steps it, and leaves ksize() as-is:
https://lore.kernel.org/linux-hardening/20220922031013.2150682-8-keescook@chromium.org/

The more correct solution would be to add per-v_idx size tracking,
similar to the other changes I sent:
https://lore.kernel.org/linux-hardening/20220922031013.2150682-11-keescook@chromium.org/

I wonder if perhaps I should just migrate some of this code to using
something like struct membuf.

> Off hand I can't see any.
>
> So when this patch set is about to clean up this use case it should
> probably also take care to remove ksize() or at least limit it so that
> it won't be used for this use case in the future.

Yeah, my goal would be to eliminate ksize(), and it seems possible if
other cases are satisfied with tracking their allocation sizes directly.

-Kees

-- 
Kees Cook
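The distinction Kees draws above, between callers that let ksize() grow a buffer after the allocation and callers that ask for the rounded-up size before allocating, modelled in userspace C as an added example. This is not kernel code and is not from the thread: the size-class table, tracked_alloc(), model_ksize(), model_kmalloc_size_roundup() and fortified_fill() are constructed stand-ins for the slab caches, ksize(), kmalloc_size_roundup() and a FORTIFY_SOURCE-instrumented memset(); the "hinted" size plays the role of what an __alloc_size() attribute tells the compiler.

```c
/*
 * Added example (not from the thread or the kernel): a userspace model of
 * the two buffer-growth patterns discussed in the series.
 *
 * kmalloc() carries an __alloc_size() hint, so with CONFIG_FORTIFY_SOURCE
 * or CONFIG_UBSAN_BOUNDS the compiler assumes the object is exactly as
 * large as the caller requested.  Code that later calls ksize() and uses
 * the larger slab object "for free" writes past the size the compiler was
 * told about and is flagged.  Asking kmalloc_size_roundup() first keeps
 * the hinted size and the usable size equal, so ksize() is not needed.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the kmalloc size classes up to 4 KiB. */
static const size_t kmalloc_classes[] = {
	8, 16, 32, 64, 96, 128, 192, 256, 512, 1024, 2048, 4096
};

/* Model of kmalloc_size_roundup(): smallest cache size that fits 'size'. */
static size_t model_kmalloc_size_roundup(size_t size)
{
	size_t i;

	for (i = 0; i < sizeof(kmalloc_classes) / sizeof(kmalloc_classes[0]); i++)
		if (size <= kmalloc_classes[i])
			return kmalloc_classes[i];
	return 0; /* beyond the modelled classes */
}

struct tracked_buf {
	unsigned char *mem;
	size_t hinted; /* requested size: what an __alloc_size() hint conveys */
	size_t slab;   /* backing cache object size: what ksize() reports */
};

/* Model of kmalloc(): the object comes from the smallest fitting class. */
static int tracked_alloc(struct tracked_buf *b, size_t req)
{
	b->slab = model_kmalloc_size_roundup(req);
	if (b->slab == 0)
		return -1;
	b->mem = calloc(1, b->slab);
	if (!b->mem)
		return -1;
	b->hinted = req;
	return 0;
}

static size_t model_ksize(const struct tracked_buf *b)
{
	return b->slab;
}

/*
 * Fortify-style memset(): the length is checked against the size the
 * compiler was told about (the hint), not the real slab object size, so a
 * write into the slab slack is reported even though the bytes exist.
 */
static int fortified_fill(struct tracked_buf *b, size_t n)
{
	if (n > b->hinted) {
		fprintf(stderr, "fortify: %zu-byte write exceeds hinted size %zu (slab object is %zu)\n",
			n, b->hinted, b->slab);
		return -1;
	}
	memset(b->mem, 0xAA, n);
	return 0;
}

/* "Before": allocate 'req' bytes, then claim the whole ksize() region.
 * Returns the usable size, or -1 when the bounds check fires. */
static long grow_with_ksize(size_t req)
{
	struct tracked_buf b;
	long ret;

	if (tracked_alloc(&b, req))
		return -1;
	ret = fortified_fill(&b, model_ksize(&b)) ? -1 : (long)model_ksize(&b);
	free(b.mem);
	return ret;
}

/* "After": round up first and allocate that much; hint == usable size. */
static long grow_with_roundup(size_t req)
{
	struct tracked_buf b;
	size_t want = model_kmalloc_size_roundup(req);
	long ret;

	if (want == 0 || tracked_alloc(&b, want))
		return -1;
	ret = fortified_fill(&b, want) ? -1 : (long)want;
	free(b.mem);
	return ret;
}

int main(void)
{
	printf("ksize() growth of a 100-byte request: %ld\n", grow_with_ksize(100));
	printf("roundup-first growth of a 100-byte request: %ld\n", grow_with_roundup(100));
	return 0;
}
```

The ksize() pattern is only flagged when rounding adds slack: a request that already matches a size class (128 bytes here) passes both ways, which is why the defect went unnoticed wherever sizes happened to line up with cache sizes.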