From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=m6BX=NQ=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id C337FC4320A
	for <linux-mm@archiver.kernel.org>; Wed, 25 Aug 2021 16:34:06 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 4B87861184
	for <linux-mm@archiver.kernel.org>; Wed, 25 Aug 2021 16:34:06 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 4B87861184
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org
Received: by kanga.kvack.org (Postfix)
	id CF01E6B0072; Wed, 25 Aug 2021 12:34:05 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id C9F706B0073; Wed, 25 Aug 2021 12:34:05 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id B8F668D0001; Wed, 25 Aug 2021 12:34:05 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0240.hostedemail.com [216.40.44.240])
	by kanga.kvack.org (Postfix) with ESMTP id A02FB6B0072
	for <linux-mm@kvack.org>; Wed, 25 Aug 2021 12:34:05 -0400 (EDT)
Received: from smtpin10.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay04.hostedemail.com (Postfix) with ESMTP id 3CDBB25F5D
	for <linux-mm@kvack.org>; Wed, 25 Aug 2021 16:34:05 +0000 (UTC)
X-FDA: 78514150050.10.49E190E
Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172])
	by imf03.hostedemail.com (Postfix) with ESMTP id EB78330000AB
	for <linux-mm@kvack.org>; Wed, 25 Aug 2021 16:34:04 +0000 (UTC)
Received: by mail-pf1-f172.google.com with SMTP id t42so191045pfg.12
        for <linux-mm@kvack.org>; Wed, 25 Aug 2021 09:34:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=6gejzDovBE5iuyuLz1hruEggadPtmSQG8HRcS9hcb10=;
        b=GbxNR4ElwFyWcJgWo+tCWcZLf00B+Z2Vmtk9ZQCzbpZRuGR+62kJB5UXPUdLfMZ7qe
         8I3BkoiVwC3G1+hadZLEeX/h0WjlD4pX70B8Z13Njs5KI3H4x7xDKgl5zdPDNCkJkAHZ
         dsDLLSPuCR7BNJ1zf42UHS2YUuTtZLC3fG3ys=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=6gejzDovBE5iuyuLz1hruEggadPtmSQG8HRcS9hcb10=;
        b=Mbx3bpgQvAPgaScTc/3zI4wXtzaXwuF8Tdj8rjM9Xz/5m5M411YwBHp62iGdKIKrnm
         5YSYhNtaLo5vb63PeOZB2tFHAHHCjOydPZMZaBT0jXGor17rseRRYMVznV3TOH1ccWVF
         Xy+eTZBv0/WtKLZYHbXZv5YefNRa6zBKtVyBVrVf8QzrYvaZBBAKUzLTFVfNtgfmHMTF
         byoPVQ2k9+e9DXQR3QG7lfuBUv2S+9E2cHSTvXxiD4VhXMhQ7/9FulRjaVFT6nD8lEBJ
         5p9n0tOa5iTFxzo0U5s0zw2XgHpJ3OjYJfiVgckICAjQsKqx7IOTZZAbGvxT+zEXeM4k
         Jieg==
X-Gm-Message-State: AOAM530Kdrmm6bPfgiXrOeeKoU52DMufHSar0AIxJTSoFZK5qS9O+RKG
	mF9xz/3xjwS/PG1g6xJa/eRVZw==
X-Google-Smtp-Source: ABdhPJx0d2gtu/6AIisV6tawjy+0JIqWnbbfAIMeMMyluAgBJFE83MjdsKdasSqsPWqClwNX5kV2Xg==
X-Received: by 2002:a63:705:: with SMTP id 5mr8798958pgh.265.1629909243823;
        Wed, 25 Aug 2021 09:34:03 -0700 (PDT)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id h20sm278384pfn.173.2021.08.25.09.34.02
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 25 Aug 2021 09:34:03 -0700 (PDT)
Date: Wed, 25 Aug 2021 09:34:01 -0700
From: Kees Cook <keescook@chromium.org>
To: Christoph Lameter <cl@gentwo.de>
Cc: Daniel Micay <danielmicay@gmail.com>,
	Christoph Hellwig <hch@infradead.org>,
	kernel list <linux-kernel@vger.kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Miguel Ojeda <ojeda@kernel.org>,
	Nathan Chancellor <nathan@kernel.org>,
	Nick Desaulniers <ndesaulniers@google.com>,
	Pekka Enberg <penberg@kernel.org>,
	David Rientjes <rientjes@google.com>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Vlastimil Babka <vbabka@suse.cz>, Dennis Zhou <dennis@kernel.org>,
	Tejun Heo <tj@kernel.org>, Masahiro Yamada <masahiroy@kernel.org>,
	Michal Marek <michal.lkml@markovi.net>,
	clang-built-linux@googlegroups.com, Linux-MM <linux-mm@kvack.org>,
	linux-kbuild <linux-kbuild@vger.kernel.org>,
	linux-hardening@vger.kernel.org
Subject: Re: [PATCH 0/5] Add __alloc_size() for better bounds checking
Message-ID: <202108250930.EED99F6@keescook>
References: <20210818050841.2226600-1-keescook@chromium.org>
 <YR4frlpfJQonPuKp@infradead.org>
 <CA+DvKQL6pLfK1vRzaOkEWR7DQLgTh=WZTka2L5yuS8Lf_1ZmoA@mail.gmail.com>
 <alpine.DEB.2.22.394.2108251158420.317806@gentwo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.DEB.2.22.394.2108251158420.317806@gentwo.de>
Authentication-Results: imf03.hostedemail.com;
	dkim=pass header.d=chromium.org header.s=google header.b=GbxNR4El;
	spf=pass (imf03.hostedemail.com: domain of keescook@chromium.org designates 209.85.210.172 as permitted sender) smtp.mailfrom=keescook@chromium.org;
	dmarc=pass (policy=none) header.from=chromium.org
X-Rspamd-Server: rspam05
X-Rspamd-Queue-Id: EB78330000AB
X-Stat-Signature: cymnh3xj7ydfsycbwqur17fshbi889ew
X-HE-Tag: 1629909244-654525
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Wed, Aug 25, 2021 at 12:01:42PM +0200, Christoph Lameter wrote:
> On Thu, 19 Aug 2021, Daniel Micay wrote:
> 
> > For example, it will know that kmalloc(n) returns either NULL or an
> > allocation of size n. A simple sample program with calloc in
> > userspace:
> >
> >     #include <stdlib.h>
> >     #include <stdio.h>
> >
> >     int main(void) {
> >         char *p = calloc(64, 1);
> >         if (!p) {
> >             return 1;
> >         }
> >         printf("%zu\n", __builtin_object_size(p, 1));
> >         return 0;
> >     }
> >
> > It will also detect an out-of-bounds access via the allocation with
> > -fsanitize=object-size including with a runtime value as the index.
> >
> > It's not as useful as it should be yet because __builtin_object_size
> > must return a compile-time constant. Clang has a new
> > __builtin_dynamic_object_size that's allowed to return a value that's
> > not a compile-time constant so it can work for kmalloc(n) where n is a
> > runtime value. It might not be quite ready for use yet but it should
> > be able to make it a lot more useful. GCC also seems open to adding it
> > too.
> 
> The other complication with kmalloc etc is that the slab allocators may
> decided to allocate more bytes than needed because it does not support
> that particular allocation size. Some functions check the allocated true
> size and make use of that. See ksize().

Yup, this is known. For the current iteration, this doesn't pose a
problem since the compile-time checking has very limited scope.

-- 
Kees Cook