lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 22 Aug 2021 17:41:02 +0200
From:   Len Baker <len.baker@....com>
To:     Kees Cook <keescook@...omium.org>
Cc:     Len Baker <len.baker@....com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Michael Straube <straube.linux@...il.com>,
        Lee Jones <lee.jones@...aro.org>,
        linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org,
        linux-hardening@...r.kernel.org
Subject: Re: [PATCH 2/2] staging/rtl8192u: Prefer kcalloc over open coded
 arithmetic

Hi Kees,

On Sun, Aug 22, 2021 at 07:59:51AM -0700, Kees Cook wrote:
> On Sun, Aug 22, 2021 at 04:28:20PM +0200, Len Baker wrote:
> > Dynamic size calculations (especially multiplication) should not be
> > performed in memory allocator (or similar) function arguments due to the
> > risk of them overflowing. This could lead to values wrapping around and
> > a smaller allocation being made than the caller was expecting. Using
> > those allocations could lead to linear overflows of heap memory and
> > other misbehaviors.
> >
> > So, use the purpose specific kcalloc() function instead of the argument
> > size * count in the kzalloc() function.
>
> It might be useful to reference the documentation on why this change is
> desired:
> https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments

Ok, I will add this info to the next version. Thanks for the advise.

> Here and in the docs, though, it's probably worth noting that these
> aren't actually dynamic sizes: both sides of the multiplication are
> constant values. I still think it's best to refactor these anyway, just
> to keep the open-coded math idiom out of code, though.

Ok, I will change the commit message to note this. Also I will send
a patch to add this info to the documentation.

> Also, have you looked at Coccinelle at all? I have a hideous pile of
> rules that try to find these instances, but it really needs improvement:
> https://github.com/kees/coccinelle-linux-allocator-overflow/tree/trunk/array_size

I think my script is even worst ;) but find some arithmetic to improve :)
I will take a look. Thanks for the info.

> Reviewed-by: Kees Cook <keescook@...omium.org>
>

Regards,
Len

> >
> > Signed-off-by: Len Baker <len.baker@....com>
> > ---
> >  drivers/staging/rtl8192u/r819xU_phy.c | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/staging/rtl8192u/r819xU_phy.c b/drivers/staging/rtl8192u/r819xU_phy.c
> > index ff6fe2ee3349..97f4d89500ae 100644
> > --- a/drivers/staging/rtl8192u/r819xU_phy.c
> > +++ b/drivers/staging/rtl8192u/r819xU_phy.c
> > @@ -1195,17 +1195,17 @@ static u8 rtl8192_phy_SwChnlStepByStep(struct net_device *dev, u8 channel,
> >  	u8 e_rfpath;
> >  	bool ret;
> >
> > -	pre_cmd = kzalloc(sizeof(*pre_cmd) * MAX_PRECMD_CNT, GFP_KERNEL);
> > +	pre_cmd = kcalloc(MAX_PRECMD_CNT, sizeof(*pre_cmd), GFP_KERNEL);
> >  	if (!pre_cmd)
> >  		return false;
> >
> > -	post_cmd = kzalloc(sizeof(*post_cmd) * MAX_POSTCMD_CNT, GFP_KERNEL);
> > +	post_cmd = kcalloc(MAX_POSTCMD_CNT, sizeof(*post_cmd), GFP_KERNEL);
> >  	if (!post_cmd) {
> >  		kfree(pre_cmd);
> >  		return false;
> >  	}
> >
> > -	rf_cmd = kzalloc(sizeof(*rf_cmd) * MAX_RFDEPENDCMD_CNT, GFP_KERNEL);
> > +	rf_cmd = kcalloc(MAX_RFDEPENDCMD_CNT, sizeof(*rf_cmd), GFP_KERNEL);
> >  	if (!rf_cmd) {
> >  		kfree(pre_cmd);
> >  		kfree(post_cmd);
> > --
> > 2.25.1
> >
>
> --
> Kees Cook

Powered by blists - more mailing lists