2022-10-18 09:48:30

by Kees Cook

[permalink] [raw]
Subject: [PATCH v3 0/2] igb: Proactively round up to kmalloc bucket size

Hi,

In preparation for removing the "silently change allocation size"
users of ksize(), explicitly round up all q_vector allocations so that
allocations can be correctly compared to ksize().

Before that, fix a potential Use After Free under memory pressure.

Thanks,

-Kees

v3; split UAF fix from bucket rounding.
v2: https://lore.kernel.org/lkml/[email protected]/

Kees Cook (2):
igb: Do not free q_vector unless new one was allocated
igb: Proactively round up to kmalloc bucket size

drivers/net/ethernet/intel/igb/igb_main.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

--
2.34.1


2022-10-18 09:55:30

by Kees Cook

[permalink] [raw]
Subject: [PATCH v3 2/2] igb: Proactively round up to kmalloc bucket size

In preparation for removing the "silently change allocation size"
users of ksize(), explicitly round up all q_vector allocations so that
allocations can be correctly compared to ksize().

Cc: Jesse Brandeburg <[email protected]>
Cc: Tony Nguyen <[email protected]>
Cc: "David S. Miller" <[email protected]>
Cc: Eric Dumazet <[email protected]>
Cc: Jakub Kicinski <[email protected]>
Cc: Paolo Abeni <[email protected]>
Cc: [email protected]
Cc: [email protected]
Signed-off-by: Kees Cook <[email protected]>
---
drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index 6256855d0f62..7a3a41dc0276 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -1195,7 +1195,7 @@ static int igb_alloc_q_vector(struct igb_adapter *adapter,
return -ENOMEM;

ring_count = txr_count + rxr_count;
- size = struct_size(q_vector, ring, ring_count);
+ size = kmalloc_size_roundup(struct_size(q_vector, ring, ring_count));

/* allocate q_vector and rings */
q_vector = adapter->q_vector[v_idx];
--
2.34.1

2022-10-18 10:15:02

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH v3 0/2] igb: Proactively round up to kmalloc bucket size

On Tue, Oct 18, 2022 at 02:25:23AM -0700, Kees Cook wrote:
> Kees Cook (2):
> igb: Do not free q_vector unless new one was allocated
> igb: Proactively round up to kmalloc bucket size
>
> drivers/net/ethernet/intel/igb/igb_main.c | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)

Ugh, yay for my MUA vs commas. Sorry for any future typo bounce spam. :(

--
Kees Cook

2022-10-29 03:32:40

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH v3 2/2] igb: Proactively round up to kmalloc bucket size

On Tue, Oct 18, 2022 at 02:25:25AM -0700, Kees Cook wrote:
> In preparation for removing the "silently change allocation size"
> users of ksize(), explicitly round up all q_vector allocations so that
> allocations can be correctly compared to ksize().
>
> Signed-off-by: Kees Cook <[email protected]>

Hi! Any feedback on this part of the patch pair?

> ---
> drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
> index 6256855d0f62..7a3a41dc0276 100644
> --- a/drivers/net/ethernet/intel/igb/igb_main.c
> +++ b/drivers/net/ethernet/intel/igb/igb_main.c
> @@ -1195,7 +1195,7 @@ static int igb_alloc_q_vector(struct igb_adapter *adapter,
> return -ENOMEM;
>
> ring_count = txr_count + rxr_count;
> - size = struct_size(q_vector, ring, ring_count);
> + size = kmalloc_size_roundup(struct_size(q_vector, ring, ring_count));
>
> /* allocate q_vector and rings */
> q_vector = adapter->q_vector[v_idx];

Thanks! :)

-Kees

--
Kees Cook

2022-10-29 03:45:24

by G, GurucharanX

[permalink] [raw]
Subject: RE: [Intel-wired-lan] [PATCH v3 2/2] igb: Proactively round up to kmalloc bucket size



> -----Original Message-----
> From: Intel-wired-lan <[email protected]> On Behalf Of
> Kees Cook
> Sent: Tuesday, October 18, 2022 2:55 PM
> To: Ruhl@http://www.outflux.net; Ruhl, Michael J <[email protected]>
> Cc: Kees Cook <[email protected]>; [email protected];
> [email protected]; Eric Dumazet <[email protected]>;
> [email protected]; [email protected]; Jakub Kicinski
> <[email protected]>; Paolo Abeni <[email protected]>; David S. Miller
> <[email protected]>
> Subject: [Intel-wired-lan] [PATCH v3 2/2] igb: Proactively round up to kmalloc
> bucket size
>
> In preparation for removing the "silently change allocation size"
> users of ksize(), explicitly round up all q_vector allocations so that allocations
> can be correctly compared to ksize().
>
> Cc: Jesse Brandeburg <[email protected]>
> Cc: Tony Nguyen <[email protected]>
> Cc: "David S. Miller" <[email protected]>
> Cc: Eric Dumazet <[email protected]>
> Cc: Jakub Kicinski <[email protected]>
> Cc: Paolo Abeni <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Signed-off-by: Kees Cook <[email protected]>
> ---
> drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>

Tested-by: Gurucharan <[email protected]> (A Contingent worker at Intel)

2022-10-31 21:20:27

by Michael J. Ruhl

[permalink] [raw]
Subject: RE: [PATCH v3 2/2] igb: Proactively round up to kmalloc bucket size

>-----Original Message-----
>From: Kees Cook <[email protected]>
>Sent: Friday, October 28, 2022 11:18 PM
>To: Ruhl, Michael J <[email protected]>
>Cc: Brandeburg, Jesse <[email protected]>; Nguyen, Anthony L
><[email protected]>; David S. Miller <[email protected]>;
>Eric Dumazet <[email protected]>; Jakub Kicinski <[email protected]>;
>Paolo Abeni <[email protected]>; [email protected];
>[email protected]; [email protected]; linux-
>[email protected]
>Subject: Re: [PATCH v3 2/2] igb: Proactively round up to kmalloc bucket size
>
>On Tue, Oct 18, 2022 at 02:25:25AM -0700, Kees Cook wrote:
>> In preparation for removing the "silently change allocation size"
>> users of ksize(), explicitly round up all q_vector allocations so that
>> allocations can be correctly compared to ksize().
>>
>> Signed-off-by: Kees Cook <[email protected]>
>
>Hi! Any feedback on this part of the patch pair?
>
>> ---
>> drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/ethernet/intel/igb/igb_main.c
>b/drivers/net/ethernet/intel/igb/igb_main.c
>> index 6256855d0f62..7a3a41dc0276 100644
>> --- a/drivers/net/ethernet/intel/igb/igb_main.c
>> +++ b/drivers/net/ethernet/intel/igb/igb_main.c
>> @@ -1195,7 +1195,7 @@ static int igb_alloc_q_vector(struct igb_adapter
>*adapter,
>> return -ENOMEM;
>>
>> ring_count = txr_count + rxr_count;
>> - size = struct_size(q_vector, ring, ring_count);
>> + size = kmalloc_size_roundup(struct_size(q_vector, ring, ring_count));
>>
>> /* allocate q_vector and rings */
>> q_vector = adapter->q_vector[v_idx];

Hi Kees,

Looking at the size usage (from elixir), I see:

--
if (!q_vector) {
q_vector = kzalloc(size, GFP_KERNEL);
} else if (size > ksize(q_vector)) {
kfree_rcu(q_vector, rcu);
q_vector = kzalloc(size, GFP_KERNEL);
} else {
memset(q_vector, 0, size);
}
--

If the size is rounded up, will the (size > ksize()) check ever be true?

I.e. have you eliminated this check (and maybe getting rid of the need for first patch?)?

Thanks,

Mike


>
>Thanks! :)
>
>-Kees
>
>--
>Kees Cook

2022-11-01 21:55:35

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH v3 2/2] igb: Proactively round up to kmalloc bucket size

On Mon, Oct 31, 2022 at 08:42:36PM +0000, Ruhl, Michael J wrote:
> Looking at the size usage (from elixir), I see:
>
> --
> if (!q_vector) {
> q_vector = kzalloc(size, GFP_KERNEL);
> } else if (size > ksize(q_vector)) {
> kfree_rcu(q_vector, rcu);
> q_vector = kzalloc(size, GFP_KERNEL);
> } else {
> memset(q_vector, 0, size);
> }
> --
>
> If the size is rounded up, will the (size > ksize()) check ever be true?
>
> I.e. have you eliminated this check (and maybe getting rid of the need for first patch?)?

Hi!

It looked like igb_alloc_q_vector() was designed to be called multiple
times on the same q_vector (i.e. to grow its allocation size over time).
So for that case, yes, the "size > ksize(q_vector)" check is needed. If
it's only ever called once (which is hard for me to tell), then no. (And
if "no", why was the alloc/free case even there in the first place?)

-Kees

--
Kees Cook

2022-11-02 15:03:34

by Michael J. Ruhl

[permalink] [raw]
Subject: RE: [PATCH v3 2/2] igb: Proactively round up to kmalloc bucket size

>-----Original Message-----
>From: Kees Cook <[email protected]>
>Sent: Tuesday, November 1, 2022 5:37 PM
>To: Ruhl, Michael J <[email protected]>
>Cc: Brandeburg, Jesse <[email protected]>; Nguyen, Anthony L
><[email protected]>; David S. Miller <[email protected]>;
>Eric Dumazet <[email protected]>; Jakub Kicinski <[email protected]>;
>Paolo Abeni <[email protected]>; [email protected];
>[email protected]; [email protected]; linux-
>[email protected]
>Subject: Re: [PATCH v3 2/2] igb: Proactively round up to kmalloc bucket size
>
>On Mon, Oct 31, 2022 at 08:42:36PM +0000, Ruhl, Michael J wrote:
>> Looking at the size usage (from elixir), I see:
>>
>> --
>> if (!q_vector) {
>> q_vector = kzalloc(size, GFP_KERNEL);
>> } else if (size > ksize(q_vector)) {
>> kfree_rcu(q_vector, rcu);
>> q_vector = kzalloc(size, GFP_KERNEL);
>> } else {
>> memset(q_vector, 0, size);
>> }
>> --
>>
>> If the size is rounded up, will the (size > ksize()) check ever be true?
>>
>> I.e. have you eliminated this check (and maybe getting rid of the need for
>first patch?)?
>
>Hi!
>
>It looked like igb_alloc_q_vector() was designed to be called multiple
>times on the same q_vector (i.e. to grow its allocation size over time).
>So for that case, yes, the "size > ksize(q_vector)" check is needed. If
>it's only ever called once (which is hard for me to tell), then no. (And
>if "no", why was the alloc/free case even there in the first place?)

Ahh, Ok, I missed the fact that size is based on ring_count. When I saw
the "struct_size" I assumed that size would be the same every time and
missed this point.

So can vary over time, and this ksize check is needed.

With that in mind these patches look good to me.

Reviewed-by: Michael J. Ruhl <[email protected]>

Mike

>-Kees
>
>--
>Kees Cook