| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202511241317.516BDE7B@keescook> Date: Mon, 24 Nov 2025 13:20:21 -0800 From: Kees Cook <kees@...nel.org> To: Matthew Wilcox <willy@...radead.org> Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Vlastimil Babka <vbabka@...e.cz>, Christoph Lameter <cl@...ux.com>, Pekka Enberg <penberg@...nel.org>, David Rientjes <rientjes@...gle.com>, Joonsoo Kim <iamjoonsoo.kim@....com>, Andrew Morton <akpm@...ux-foundation.org>, Roman Gushchin <roman.gushchin@...ux.dev>, Hyeonggon Yoo <42.hyeyoo@...il.com>, "Gustavo A . R . Silva" <gustavoars@...nel.org>, Bill Wendling <morbo@...gle.com>, Justin Stitt <justinstitt@...gle.com>, Jann Horn <jannh@...gle.com>, Przemek Kitszel <przemyslaw.kitszel@...el.com>, Marco Elver <elver@...gle.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Sasha Levin <sashal@...nel.org>, linux-mm@...ck.org, Randy Dunlap <rdunlap@...radead.org>, Miguel Ojeda <ojeda@...nel.org>, Vegard Nossum <vegard.nossum@...cle.com>, Harry Yoo <harry.yoo@...cle.com>, Nathan Chancellor <nathan@...nel.org>, Peter Zijlstra <peterz@...radead.org>, Nick Desaulniers <nick.desaulniers+lkml@...il.com>, Jonathan Corbet <corbet@....net>, Jakub Kicinski <kuba@...nel.org>, Yafang Shao <laoar.shao@...il.com>, Tony Ambardar <tony.ambardar@...il.com>, Alexander Lobakin <aleksander.lobakin@...el.com>, Jan Hendrik Farr <kernel@...rr.cc>, Alexander Potapenko <glider@...gle.com>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org, linux-doc@...r.kernel.org, llvm@...ts.linux.dev Subject: Re: [PATCH v5 2/4] slab: Introduce kmalloc_obj() and family On Mon, Nov 24, 2025 at 09:12:14PM +0000, Matthew Wilcox wrote: > On Mon, Nov 24, 2025 at 12:38:57PM -0800, Kees Cook wrote: > > For code like: > > > > u8 size; > > ... > > size = struct_size(ptr, flex_member, count); > > ptr = kmalloc(size, gfp); > > > > While struct_size() is designed to deal with overflows beyond SIZE_MAX, > > it can't do anything about truncation of its return value since it has > > no visibility into the lvalue type. So this code pattern happily > > truncates, allocates too little memory, and then usually does stuff like > > runs a for-loop based on "count" instead of "size" and walks right off > > the end of the heap allocation, clobbering whatever follows it. > > Have we investigated a compiler warning like > -Wimplicit-arithmetic-truncation that would complain about this kind of > thing and could be shut up by an explicit cast: > > size = (u8)struct_size(ptr, flex_member, count); > > or arithmetic that can be proven to not overflow: > size = struct_size(ptr, flex_member, count) & 0xff; > > Maybe such a warning already exists and it's just too noisy to even > start thinking about turning it on? Yes, -Wconversion (W=3) is mind-blowingly noisy, unfortunately. -- Kees Cook
Powered by blists - more mailing lists