Date: Fri, 18 Nov 2022 08:43:19 -0800
From: Kees Cook
To: Ananda Badmaev
Cc: Jonathan Corbet, linux-kernel@vger.kernel.org, Minchan Kim, Andrew Morton, Sergey Senozhatsky, linux-mm@kvack.org, linux-doc@vger.kernel.org, Vitaly Wool, "Gustavo A. R. Silva", linux-next@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: Coverity: zblock_alloc(): Memory - illegal accesses
Message-ID: <202211180841.39558B5E5@keescook>
References: <202211171419.FCDC8EE@keescook> <74337ebd-0222-2e78-9149-8fa40b0c815e@clicknet.pro>
In-Reply-To: <74337ebd-0222-2e78-9149-8fa40b0c815e@clicknet.pro>

On Fri, Nov 18, 2022 at 04:05:36PM +0300, Ananda Badmaev wrote:
> 18.11.2022 01:20, coverity-bot wrote:
> > Coverity reported the following:
> >
> > *** CID 1527352: Memory - illegal accesses (OVERRUN)
> > mm/zblock.c:320 in zblock_alloc()
> > 314 }
> > 315 list = &(pool->block_lists[block_type]);
> > 316
> > 317 check:
> > 318 spin_lock(&list->lock);
> > 319 /* check if there are free slots in cache */
> > vvv CID 1527352: Memory - illegal accesses (OVERRUN)
> > vvv Overrunning array of 10208 bytes at byte offset 10208 by dereferencing pointer "list".
> > 320 block = cache_find_block(list);
> > 321 if (block)
> > 322 goto found;
> > 323 spin_unlock(&list->lock);
> > 324
> > 325 /* not found block with free slots try to allocate new empty block */
> >
> > If this is a false positive, please let us know so we can mark it as
> > such, or teach the Coverity rules to be smarter. If not, please make
> > sure fixes get into linux-next. :) For patches fixing this, please
> > include these lines (but double-check the "Fixes" first):
> >
> > Reported-by: coverity-bot
> > Addresses-Coverity-ID: 1527352 ("Memory - illegal accesses")
> > Fixes: 9097e28c25c8 ("mm: add zblock - new allocator for use via zpool API")
> >
> > It looks like block_type is not checked to be < ARRAY_SIZE(block_desc)
> > after exiting the earlier loop, so the access through "list" may be past
> > the end of pool->block_lists.
> >
>
> There is no need for this check because it is guaranteed that this code will
> be executed only if size <= PAGE_SIZE. Since slot_size for the last list
> even exceeds PAGE_SIZE, block_type will always be valid.

Ah-ha, understood.
Well, if you do want to catch it if there is ever a typo in the block_desc
values (which are not obviously >4096 without sitting down and calculating
them), perhaps add:

	if (WARN_ON(block_type >= ARRAY_SIZE(block_desc)))
		return -ENOSPC;

-- 
Kees Cook
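The lookup and guard discussed in the thread, as an added user-space model that is not the mm/zblock.c code: a first-fit search over a block_desc table, the invariant Ananda relies on (the last slot_size covers PAGE_SIZE) made an explicit check, and Kees's WARN_ON guard catching a table whose last entry is too small. The struct layout, the table values, the ENOSPC value and the WARN_ON stand-in are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096
#define ENOSPC 28
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Stand-in for the kernel's WARN_ON(): logs the condition and yields it. */
static int warn_on(int cond, const char *what)
{
	if (cond)
		fprintf(stderr, "WARNING: %s\n", what);
	return cond;
}
#define WARN_ON(cond) warn_on(!!(cond), #cond)

struct block_desc { size_t slot_size; };

/* Constructed tables; the real block_desc[] values in mm/zblock.c differ. */
static const struct block_desc block_desc_ok[] = {
	{ 32 }, { 64 }, { 128 }, { 256 }, { 512 }, { 1024 }, { 2048 }, { PAGE_SIZE + 128 },
};
/* Same table with the "typo" Kees worries about: last slot_size < PAGE_SIZE. */
static const struct block_desc block_desc_typo[] = {
	{ 32 }, { 64 }, { 128 }, { 256 }, { 512 }, { 1024 }, { 2048 }, { 3072 },
};

/* The invariant Ananda relies on: the last slot must cover a whole page. */
int table_covers_page(const struct block_desc *desc, size_t ndesc)
{
	return ndesc > 0 && desc[ndesc - 1].slot_size >= PAGE_SIZE;
}

/* Map a request size to a block type (index into block_lists), or -ENOSPC. */
int size_to_block_type(const struct block_desc *desc, size_t ndesc, size_t size)
{
	size_t block_type;
	if (size > PAGE_SIZE)
		return -ENOSPC;
	/* First descriptor whose slots are big enough wins. */
	for (block_type = 0; block_type < ndesc; block_type++)
		if (desc[block_type].slot_size >= size)
			break;
	/* Reached only if the table is broken; without this guard the caller
	 * would index block_lists[ndesc], one past the end (Coverity's OVERRUN). */
	if (WARN_ON(block_type >= ndesc))
		return -ENOSPC;
	return (int)block_type;
}
```

Running table_covers_page() once at pool creation would turn a bad table into an init-time failure, while the WARN_ON keeps the per-allocation path from ever indexing past block_lists.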