Date:   Thu, 15 Sep 2022 17:09:45 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     "Gustavo A. R. Silva" <gustavoars@...nel.org>
Cc:     Peter Rosin <peda@...ntia.se>, Wolfram Sang <wsa@...nel.org>,
        "Gustavo A. R. Silva" <gustavo@...eddedor.com>,
        linux-i2c@...r.kernel.org, linux-kernel@...r.kernel.org,
        kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] i2c: mux: harden i2c_mux_alloc() against integer
 overflows

On Thu, Sep 15, 2022 at 02:51:21PM +0100, Gustavo A. R. Silva wrote:
> On Thu, Sep 15, 2022 at 02:30:58PM +0300, Dan Carpenter wrote:
> > A couple years back we went through the kernel and automatically
> > converted size calculations to use struct_size() instead.  The
> > struct_size() calculation is protected against integer overflows.
> > 
> > However it does not make sense to use the result from struct_size()
> > for additional math operations as that would negate any safeness.
> 
> Right; there must be a couple more similar cases out there. I'll
> look for them and fix them. Thanks!
> 

That thought occurred to me too.  :P  The main problem with that theory
is that sometimes people use struct_size() for readability instead of
just for checking for integer overflows.  Also there are some places
which check for integer overflows manually before doing the math.  So
this code is not perfect.

It would probably be useful to mark passed data as explicitly unsafe for
integer overflows.  Smatch already tracks user data.  And if the user
data has been capped to an unknown value.  But this would be a
completely separate flag which says that "this value came from
size_add/mul()".

regards,
dan carpenter

drivers/char/tpm/eventlog/tpm2.c:57 tpm2_bios_measurements_start() warn: using integer overflow function 'size_add()' for math
drivers/i2c/i2c-mux.c:248 i2c_mux_alloc() warn: using integer overflow function 'size_add()' for math
drivers/infiniband/hw/qib/qib_user_sdma.c:949 qib_user_sdma_queue_pkts() warn: using integer overflow function 'size_add()' for math
drivers/spi/spi.c:3320 spi_replace_transfers() warn: using integer overflow function 'size_add()' for math
drivers/gpu/drm/msm/msm_gem_submit.c:35 submit_create() warn: using integer overflow function 'size_add()' for math
drivers/cxl/pmem.c:151 cxl_pmem_set_config_data() warn: using integer overflow function 'size_add()' for math
drivers/md/dm-stats.c:295 dm_stats_create() warn: using integer overflow function 'size_add()' for math
drivers/md/dm-ioctl.c:1607 retrieve_deps() warn: using integer overflow function 'size_add()' for math
drivers/remoteproc/remoteproc_core.c:527 rproc_handle_vdev() warn: using integer overflow function 'size_add()' for math
drivers/rpmsg/qcom_glink_native.c:984 qcom_glink_handle_intent() warn: using integer overflow function 'size_add()' for math
drivers/net/ethernet/qlogic/qed/qed_ll2.c:1610 qed_ll2_establish_connection() warn: using integer overflow function 'size_add()' for math
drivers/net/ethernet/chelsio/cxgb4/sge.c:2551 cxgb4_ethofld_send_flowc() warn: using integer overflow function 'size_add()' for math
drivers/net/ethernet/intel/ice/ice_flex_pipe.c:2070 ice_pkg_buf_reserve_section() warn: using integer overflow function 'size_mul()' for math
drivers/net/ethernet/intel/ice/ice_switch.c:2562 ice_add_marker_act() warn: using integer overflow function 'size_add()' for math
drivers/net/ethernet/intel/ice/ice_switch.c:2567 ice_add_marker_act() warn: using integer overflow function 'size_add()' for math
drivers/net/ethernet/intel/ice/ice_switch.c:5478 ice_dummy_packet_add_vlan() warn: using integer overflow function 'size_mul()' for math
drivers/net/ethernet/intel/ice/ice_switch.c:5501 ice_dummy_packet_add_vlan() warn: using integer overflow function 'size_mul()' for math
drivers/gpio/gpiolib.c:4261 gpiod_get_array() warn: using integer overflow function 'size_add()' for math
drivers/gpio/gpiolib.c:4261 gpiod_get_array() warn: using integer overflow function 'size_add()' for math
fs/ntfs3/xattr.c:26 unpacked_ea_size() warn: using integer overflow function 'size_add()' for math
fs/ntfs3/xattr.c:291 ntfs_set_ea() warn: using integer overflow function 'size_add()' for math
io_uring/io_uring.c:2477 rings_size() warn: using integer overflow function 'size_add()' for math
kernel/module/sysfs.c:83 add_sect_attrs() warn: using integer overflow function 'size_add()' for math
kernel/irq/generic-chip.c:310 __irq_alloc_domain_generic_chips() warn: using integer overflow function 'size_add()' for math
kernel/irq/generic-chip.c:310 __irq_alloc_domain_generic_chips() warn: using integer overflow function 'size_add()' for math
kernel/dma/swiotlb.c:355 swiotlb_init_remap() warn: using integer overflow function 'size_mul()' for math
kernel/dma/swiotlb.c:476 swiotlb_exit() warn: using integer overflow function 'size_mul()' for math
sound/soc/qcom/qdsp6/q6apm.c:103 audioreach_graph_mgmt_cmd() warn: using integer overflow function 'size_add()' for math
sound/soc/qcom/qdsp6/audioreach.c:458 audioreach_populate_graph() warn: using integer overflow function 'size_add()' for math
sound/soc/qcom/qdsp6/audioreach.c:501 audioreach_alloc_graph_pkt() warn: using integer overflow function 'size_add()' for math
sound/soc/qcom/qdsp6/audioreach.c:502 audioreach_alloc_graph_pkt() warn: using integer overflow function 'size_add()' for math
sound/soc/qcom/qdsp6/audioreach.c:503 audioreach_alloc_graph_pkt() warn: using integer overflow function 'size_add()' for math
sound/soc/qcom/qdsp6/audioreach.c:505 audioreach_alloc_graph_pkt() warn: using integer overflow function 'size_add()' for math
sound/soc/qcom/qdsp6/audioreach.c:506 audioreach_alloc_graph_pkt() warn: using integer overflow function 'size_add()' for math
sound/soc/qcom/qdsp6/audioreach.c:842 audioreach_pcm_set_media_format() warn: using integer overflow function 'size_add()' for math
net/wireless/scan.c:765 cfg80211_scan_6ghz() warn: using integer overflow function 'size_add()' for math
net/tls/tls_sw.c:1486 tls_decrypt_sg() warn: using integer overflow function 'size_add()' for math
net/bridge/br_multicast.c:2770 br_ip6_multicast_mld2_report() warn: using integer overflow function 'size_add()' for math
net/bluetooth/hci_codec.c:153 hci_read_supported_codecs() warn: using integer overflow function 'size_mul()' for math
net/bluetooth/hci_codec.c:165 hci_read_supported_codecs() warn: using integer overflow function 'size_mul()' for math
net/bluetooth/hci_codec.c:172 hci_read_supported_codecs() warn: using integer overflow function 'size_mul()' for math
net/bluetooth/hci_codec.c:220 hci_read_supported_codecs_v2() warn: using integer overflow function 'size_mul()' for math
net/bluetooth/hci_codec.c:232 hci_read_supported_codecs_v2() warn: using integer overflow function 'size_mul()' for math
net/bluetooth/hci_codec.c:239 hci_read_supported_codecs_v2() warn: using integer overflow function 'size_mul()' for math
lib/stackdepot.c:125 depot_alloc_stack() warn: using integer overflow function 'size_add()' for math
mm/percpu.c:2444 pcpu_alloc_alloc_info() warn: using integer overflow function 'size_add()' for math
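
An added illustration of the pattern these warnings flag (not code from the patch, from Smatch, or from the kernel): userspace stand-ins for size_add()/size_mul() built on the compiler overflow builtins, with a hypothetical struct mux_hdr and a constructed oversized count, showing that a plain `+` applied to a saturated result wraps to a small size while keeping the math inside size_add() preserves SIZE_MAX.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel helpers in include/linux/overflow.h:
 * on overflow they saturate to SIZE_MAX, which no allocator can satisfy. */
static size_t size_add(size_t a, size_t b)
{
	size_t r;
	return __builtin_add_overflow(a, b, &r) ? SIZE_MAX : r;
}

static size_t size_mul(size_t a, size_t b)
{
	size_t r;
	return __builtin_mul_overflow(a, b, &r) ? SIZE_MAX : r;
}

/* Hypothetical header followed by n trailing pointers and a private area. */
struct mux_hdr { void *parent; unsigned int max; };

/* Flagged pattern: the saturated result is fed into plain '+', which wraps. */
static size_t alloc_size_unsafe(size_t n, size_t priv)
{
	size_t base = size_add(sizeof(struct mux_hdr), size_mul(n, sizeof(void *)));
	return base + priv;
}

/* Hardened: every step stays inside the saturating helpers. */
static size_t alloc_size_safe(size_t n, size_t priv)
{
	size_t base = size_add(sizeof(struct mux_hdr), size_mul(n, sizeof(void *)));
	return size_add(base, priv);
}

int main(void)
{
	size_t n = SIZE_MAX / 2;	/* constructed oversized element count */

	printf("unsafe: %zu\n", alloc_size_unsafe(n, 64));	/* wraps to 63 */
	printf("safe:   %zu\n", alloc_size_safe(n, 64));	/* stays SIZE_MAX */
	return 0;
}
```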
