Use array_size to protect against multiplication overflows.
This follows up on the following patches by Kees Cook from 2018.
42bc47b35320 ("treewide: Use array_size() in vmalloc()") fad953ce0b22 ("treewide: Use array_size() in vzalloc()")
The changes were done using the following Coccinelle semantic patch, adapted from the one posted by Kees.
// Drop single-byte sizes and redundant parens. @@ expression COUNT; typedef u8; typedef __u8; type t = {u8,__u8,char,unsigned char}; identifier alloc = {vmalloc,vzalloc}; @@ alloc( - (sizeof(t)) * (COUNT) + COUNT , ...)
// 3-factor product with 2 sizeof(variable), with redundant parens removed. @@ expression COUNT; size_t e1, e2, e3; identifier alloc = {vmalloc,vzalloc}; @@
( alloc( - (e1) * (e2) * (e3) + array3_size(e1, e2, e3) ,...) | alloc( - (e1) * (e2) * (COUNT) + array3_size(COUNT, e1, e2) ,...) )
// 3-factor product with 1 sizeof(type) or sizeof(expression), with // redundant parens removed. @@ expression STRIDE, COUNT; size_t e; identifier alloc = {vmalloc,vzalloc}; @@
alloc( - (e) * (COUNT) * (STRIDE) + array3_size(COUNT, STRIDE, e) ,...)
// Any remaining multi-factor products, first at least 3-factor products // when they're not all constants... @@ expression E1, E2, E3; constant C1, C2, C3; identifier alloc = {vmalloc,vzalloc}; @@
( alloc(C1 * C2 * C3,...) | alloc( - (E1) * (E2) * (E3) + array3_size(E1, E2, E3) ,...) )
// 2-factor product with sizeof(type/expression) and identifier or constant. @@ size_t e1,e2; expression COUNT; identifier alloc = {vmalloc,vzalloc}; @@
( alloc( - (e1) * (e2) + array_size(e1, e2) ,...) | alloc( - (e1) * (COUNT) + array_size(COUNT, e1) ,...) )
// And then all remaining 2 factors products when they're not all constants. @@ expression E1, E2; constant C1, C2; identifier alloc = {vmalloc,vzalloc}; @@
( alloc(C1 * C2,...) | alloc( - (E1) * (E2) + array_size(E1, E2) ,...) )
---
arch/x86/kernel/cpu/sgx/main.c | 3 ++- drivers/accel/habanalabs/common/device.c | 3 ++- drivers/accel/habanalabs/common/state_dump.c | 6 +++--- drivers/bus/mhi/host/init.c | 4 ++-- drivers/comedi/comedi_buf.c | 4 ++-- drivers/dma-buf/heaps/system_heap.c | 2 +- drivers/gpu/drm/gud/gud_pipe.c | 2 +- drivers/gpu/drm/i915/gvt/gtt.c | 6 ++++-- drivers/gpu/drm/vmwgfx/vmwgfx_devcaps.c | 2 +- drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++-- drivers/infiniband/hw/erdma/erdma_verbs.c | 4 ++-- drivers/infiniband/sw/siw/siw_qp.c | 4 ++-- drivers/infiniband/sw/siw/siw_verbs.c | 6 +++--- drivers/iommu/tegra-gart.c | 4 ++-- drivers/net/ethernet/amd/pds_core/core.c | 4 ++-- drivers/net/ethernet/freescale/enetc/enetc.c | 4 ++-- drivers/net/ethernet/google/gve/gve_tx.c | 2 +- drivers/net/ethernet/marvell/octeon_ep/octep_rx.c | 2 +- drivers/net/ethernet/microsoft/mana/hw_channel.c | 2 +- drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 ++-- drivers/scsi/fnic/fnic_trace.c | 2 +- drivers/scsi/qla2xxx/qla_init.c | 4 ++-- drivers/staging/media/ipu3/ipu3-mmu.c | 2 +- drivers/vdpa/vdpa_user/iova_domain.c | 3 +-- drivers/virtio/virtio_mem.c | 6 +++--- fs/btrfs/zoned.c | 5 +++-- kernel/kcov.c | 2 +- lib/test_vmalloc.c | 12 ++++++------ 28 files changed, 56 insertions(+), 52 deletions(-)
Use array_size to protect against multiplication overflows.
The changes were done using the following Coccinelle semantic patch:
// <smpl> @@ size_t e1,e2; expression COUNT; identifier alloc = {vmalloc,vzalloc,kvmalloc,kvzalloc}; @@
( alloc( - (e1) * (e2) + array_size(e1, e2) ,...) | alloc( - (e1) * (COUNT) + array_size(COUNT, e1) ,...) ) // </smpl>
Signed-off-by: Julia Lawall Julia.Lawall@inria.fr
--- drivers/dma-buf/heaps/system_heap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma-buf/heaps/system_heap.c b/drivers/dma-buf/heaps/system_heap.c index ee7059399e9c..fb7867599874 100644 --- a/drivers/dma-buf/heaps/system_heap.c +++ b/drivers/dma-buf/heaps/system_heap.c @@ -221,7 +221,7 @@ static void *system_heap_do_vmap(struct system_heap_buffer *buffer) { struct sg_table *table = &buffer->sg_table; int npages = PAGE_ALIGN(buffer->len) / PAGE_SIZE; - struct page **pages = vmalloc(sizeof(struct page *) * npages); + struct page **pages = vmalloc(array_size(npages, sizeof(struct page *))); struct page **tmp = pages; struct sg_page_iter piter; void *vaddr;
On Fri, Jun 23, 2023 at 2:15 PM Julia Lawall Julia.Lawall@inria.fr wrote:
Use array_size to protect against multiplication overflows.
The changes were done using the following Coccinelle semantic patch:
// <smpl> @@ size_t e1,e2; expression COUNT; identifier alloc = {vmalloc,vzalloc,kvmalloc,kvzalloc}; @@
( alloc(
(e1) * (e2)
array_size(e1, e2) ,...)
| alloc(
(e1) * (COUNT)
array_size(COUNT, e1) ,...)
) // </smpl>
Signed-off-by: Julia Lawall Julia.Lawall@inria.fr
Thanks for sending this out!
Acked-by: John Stultz jstultz@google.com
linaro-mm-sig@lists.linaro.org