| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 22 Aug 2021 07:59:51 -0700
From: Kees Cook <keescook@...omium.org>
To: Len Baker <len.baker@....com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Michael Straube <straube.linux@...il.com>,
Lee Jones <lee.jones@...aro.org>,
linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH 2/2] staging/rtl8192u: Prefer kcalloc over open coded
arithmetic
On Sun, Aug 22, 2021 at 04:28:20PM +0200, Len Baker wrote:
> Dynamic size calculations (especially multiplication) should not be
> performed in memory allocator (or similar) function arguments due to the
> risk of them overflowing. This could lead to values wrapping around and
> a smaller allocation being made than the caller was expecting. Using
> those allocations could lead to linear overflows of heap memory and
> other misbehaviors.
>
> So, use the purpose specific kcalloc() function instead of the argument
> size * count in the kzalloc() function.
It might be useful to reference the documentation on why this change is
desired:
https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments
Here and in the docs, though, it's probably worth noting that these
aren't actually dynamic sizes: both sides of the multiplication are
constant values. I still think it's best to refactor these anyway, just
to keep the open-coded math idiom out of code, though.
Also, have you looked at Coccinelle at all? I have a hideous pile of
rules that try to find these instances, but it really needs improvement:
https://github.com/kees/coccinelle-linux-allocator-overflow/tree/trunk/array_size
Reviewed-by: Kees Cook <keescook@...omium.org>
>
> Signed-off-by: Len Baker <len.baker@....com>
> ---
> drivers/staging/rtl8192u/r819xU_phy.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/staging/rtl8192u/r819xU_phy.c b/drivers/staging/rtl8192u/r819xU_phy.c
> index ff6fe2ee3349..97f4d89500ae 100644
> --- a/drivers/staging/rtl8192u/r819xU_phy.c
> +++ b/drivers/staging/rtl8192u/r819xU_phy.c
> @@ -1195,17 +1195,17 @@ static u8 rtl8192_phy_SwChnlStepByStep(struct net_device *dev, u8 channel,
> u8 e_rfpath;
> bool ret;
>
> - pre_cmd = kzalloc(sizeof(*pre_cmd) * MAX_PRECMD_CNT, GFP_KERNEL);
> + pre_cmd = kcalloc(MAX_PRECMD_CNT, sizeof(*pre_cmd), GFP_KERNEL);
> if (!pre_cmd)
> return false;
>
> - post_cmd = kzalloc(sizeof(*post_cmd) * MAX_POSTCMD_CNT, GFP_KERNEL);
> + post_cmd = kcalloc(MAX_POSTCMD_CNT, sizeof(*post_cmd), GFP_KERNEL);
> if (!post_cmd) {
> kfree(pre_cmd);
> return false;
> }
>
> - rf_cmd = kzalloc(sizeof(*rf_cmd) * MAX_RFDEPENDCMD_CNT, GFP_KERNEL);
> + rf_cmd = kcalloc(MAX_RFDEPENDCMD_CNT, sizeof(*rf_cmd), GFP_KERNEL);
> if (!rf_cmd) {
> kfree(pre_cmd);
> kfree(post_cmd);
> --
> 2.25.1
>
--
Kees Cook
Powered by blists - more mailing lists