lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 18 Oct 2022 12:43:08 +0200
From:   Rasmus Villemoes <rasmus.villemoes@...vas.dk>
To:     Kees Cook <keescook@...omium.org>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Jason Gunthorpe <jgg@...pe.ca>, Nishanth Menon <nm@...com>,
        Michael Kelley <mikelley@...rosoft.com>,
        Dan Williams <dan.j.williams@...el.com>,
        Won Chung <wonchung@...gle.com>,
        Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] driver core: Add __alloc_size hint to devm allocators

On 18/10/2022 12.15, Kees Cook wrote:
> On Tue, Oct 18, 2022 at 12:09:30PM +0200, Rasmus Villemoes wrote:
>> On 18/10/2022 09.34, Kees Cook wrote:
>>> Mark the devm_*alloc()-family of allocations with appropriate
>>> __alloc_size() hints so the compiler can attempt to reason about buffer
>>> lengths from allocations.
>>>
>>
>>> @@ -226,7 +226,8 @@ static inline void *devm_kcalloc(struct device *dev,
>>>  void devm_kfree(struct device *dev, const void *p);
>>>  char *devm_kstrdup(struct device *dev, const char *s, gfp_t gfp) __malloc;
>>>  const char *devm_kstrdup_const(struct device *dev, const char *s, gfp_t gfp);
>>> -void *devm_kmemdup(struct device *dev, const void *src, size_t len, gfp_t gfp);
>>> +void *devm_kmemdup(struct device *dev, const void *src, size_t len, gfp_t gfp)
>>> +	__alloc_size(3);
>>
>> I think it's wrong to apply the __malloc attribute to kmemdup() and
>> variants.
>>
>> 'malloc'
>>      This tells the compiler that a function is 'malloc'-like, i.e.,
>>      that the pointer P returned by the function cannot alias any other
>>      pointer valid when the function returns, and moreover no pointers
>>      to valid objects occur in any storage addressed by P.
> 
> Oh, ew, it defines rules about _contents_ as well. Thank you for
> pointing that out!
> 
> I suppose we can use __realloc_size for these cases then?

Probably, but it's gonna be mighty confusing for people reading the code.

I was never really a fan of including __malloc in __alloc_size in the
first place, this is the kind of confusion that comes from having one
attribute include another without having the developer forced to think
about whether both actually apply in a given situation.

And that malloc documentation (both the old and the fixed) even came up
in what I assume is the thread that led up to that

    Since anything marked with __alloc_size would also qualify for marking
    with __malloc, just include __malloc along with it to avoid redundant
    markings.  (Suggested by Linus Torvalds.)

in commit 86cffecd, namely
https://lore.kernel.org/mm-commits/202109101138.53FCADF5C@keescook/ .

Rasmus

Powered by blists - more mailing lists