Date: Tue, 9 Jul 2024 09:09:57 -0700
From: Kees Cook
To: Przemek Kitszel
Cc: Vlastimil Babka, Christoph Lameter, Pekka Enberg, David Rientjes,
    Joonsoo Kim, Andrew Morton, Roman Gushchin,
    Hyeonggon Yoo <42.hyeyoo@gmail.com>, linux-mm@kvack.org, Jann Horn,
    Tony Luck, Nick Desaulniers, Miguel Ojeda, Marco Elver,
    Nathan Chancellor, Hao Luo, "Guilherme G. Piccoli", Mark Rutland,
    Jakub Kicinski, Petr Pavlu, Alexander Lobakin, Tony Ambardar,
    linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [RFC][PATCH 2/4] slab: Detect negative size values and saturate
Message-ID: <202407090903.38C2F463@keescook>
References: <20240708190924.work.846-kees@kernel.org> <20240708191840.335463-2-kees@kernel.org>

On Tue, Jul 09, 2024 at 08:57:55AM +0200, Przemek Kitszel wrote:
> On 7/8/24 21:18, Kees Cook wrote:
> > The allocator will already reject giant sizes seen from negative size
> > arguments, so this commit mainly serves as an example for initial
> > type-based filtering. The size argument is checked for negative values
> > in signed arguments, saturating any if found instead of passing them on.
> >
> > For example, now the size is checked:
> >
> > Before:
> > /* %rdi unchecked */
> >  1eb:   be c0 0c 00 00          mov    $0xcc0,%esi
> >  1f0:   e8 00 00 00 00          call   1f5
> >                 1f1: R_X86_64_PLT32 __kmalloc_noprof-0x4
> >
> > After:
> >  6d0:   48 63 c7                movslq %edi,%rax
> >  6d3:   85 ff                   test   %edi,%edi
> >  6d5:   be c0 0c 00 00          mov    $0xcc0,%esi
> >  6da:   48 c7 c2 ff ff ff ff    mov    $0xffffffffffffffff,%rdx
> >  6e1:   48 0f 49 d0             cmovns %rax,%rdx
> >  6e5:   48 89 d7                mov    %rdx,%rdi
> >  6e8:   e8 00 00 00 00          call   6ed
> >                 6e9: R_X86_64_PLT32 __kmalloc_noprof-0x4
> >
> > Signed-off-by: Kees Cook
> > ---
> > Cc: Christoph Lameter
> > Cc: Pekka Enberg
> > Cc: David Rientjes
> > Cc: Joonsoo Kim
> > Cc: Andrew Morton
> > Cc: Vlastimil Babka
> > Cc: Roman Gushchin
> > Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
> > Cc: linux-mm@kvack.org
> > ---
> > include/linux/slab.h | 19 ++++++++++++++++++-
> > 1 file changed, 18 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/linux/slab.h b/include/linux/slab.h > > index d99afce36098..7353756cbec6 100644 > > --- a/include/linux/slab.h > > +++ b/include/linux/slab.h 
> > @@ -684,7 +684,24 @@ static __always_inline __alloc_size(1) void *kmalloc_noprof(size_t size, gfp_t f > > } > > return __kmalloc_noprof(size, flags); > > } > > -#define kmalloc(...) alloc_hooks(kmalloc_noprof(__VA_ARGS__)) > > +#define kmalloc_sized(...) alloc_hooks(kmalloc_noprof(__VA_ARGS__)) > > + > > +#define __size_force_positive(x) \ > > + ({ \ > > + typeof(__force_integral_expr(x)) __forced_val = \ > > + __force_integral_expr(x); \ > > + __forced_val < 0 ? SIZE_MAX : __forced_val; \ > > + }) > > + > > +#define kmalloc(p, gfp) _Generic((p), \ > > + unsigned char: kmalloc_sized(__force_integral_expr(p), gfp), \ > > + unsigned short: kmalloc_sized(__force_integral_expr(p), gfp), \ > > + unsigned int: kmalloc_sized(__force_integral_expr(p), gfp), \ > > + unsigned long: kmalloc_sized(__force_integral_expr(p), gfp), \ > > + signed char: kmalloc_sized(__size_force_positive(p), gfp), \ > > + signed short: kmalloc_sized(__size_force_positive(p), gfp), \ > > + signed int: kmalloc_sized(__size_force_positive(p), gfp), \ > > + signed long: kmalloc_sized(__size_force_positive(p), gfp))
>
> I like this idea and series very much, thank you!

Thanks!

> What about bool?
> What about long long?

Ah yes, I will add these. LKP also found a weird one (a bitfield!) that I'm
fixing at the source:
https://lore.kernel.org/lkml/20240709154953.work.953-kees@kernel.org/

-- 
Kees Cook
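
Review bot: the `_Generic` association list in the new `kmalloc(p, gfp)` macro has no `default:` and no entries for plain `char`, `bool`, `long long` or `unsigned long long`, so any caller whose size expression has one of those types stops compiling. Plain `char` is a distinct type from both `signed char` and `unsigned char`, so it needs its own association alongside the others. `__size_force_positive()` would also benefit from a short comment saying that negative values saturate to `SIZE_MAX` so that the allocator rejects them, since that intent is only stated in the commit message. Minor style point: the macro parameter `p` holds a size, not a pointer, so `size` would read better.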