Received: by 10.192.165.148 with SMTP id m20csp5159809imm; Tue, 1 May 2018 10:02:29 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqwG/L0Cpkh6+1xKwfqzD70+HwcQB02zo813N0cZ+VQ8sqDEw5AdglOG0Nb4ehejkdItko9 X-Received: by 10.98.76.83 with SMTP id z80mr16510458pfa.181.1525194149833; Tue, 01 May 2018 10:02:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525194149; cv=none; d=google.com; s=arc-20160816; b=AbySlmpk10oWkoIF/2hn14BGPqSN94ZIF81zr7DumI3YoUza4vTFxFOI7upeXHTlVE UJUTnGNt6GMzj5i+/soh5mE1JqHWxahBhyBUJDAe0ih4q/LCk5zztmM9zrb71miSWcw+ tmYnENXfyyK9+Q/p6FO7+6bOa9eImSKzg6vUV4LpMb2L2VhGkhZr4eDRGy7jvf7jWYUW FuGoZMfB8e41PCsUYwIN1gLrCmjCx+aAetG4RY7CVCdr69Ou76fSAmdzUWnMoenjyWYx p68I7yjOBxZJHT7ABPkEFZBqGggxdxQch+BN9tDSNgt2VrrNJbwaA8GW+BKRORjH6nDM OX3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=P79Y3RwH0ngtI5Xuo/oaVfVpWfn0fCLEFQsLnvWhgYA=; b=bVIpIWhb9CV/IGt2PY+kanFJMOybgu+dqRXrnx0EfY/w0AChdctGO/beliEwcHxSm1 qEgJ6CeSbtflXKr0ii9TUFJLXSJoB5V8XyGmP6/XfYlFwirxRbZHgG9JxlCiLRueG2FY rK9dVg0EieA6gctwHrjmkJTmPWSMufFCn+jTXZ/xBXhbTRNVeyx8YrndncQTHHDIHjmB GJg1OCE6wQu9zdTxDNn1gMwb7xhZWUh+cMS2BU2XxBu4UT53sM81B2zaoTxcJUWryKtI FibrqUPIiuPQddqjiOAfK4h+H3/HVO3UNI+tJ0gQ1zzFrReA26GaMN8hh9/7XGbon3Rr J07Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=SMNrRiUz; dkim=fail header.i=@chromium.org header.s=google header.b=e5brLg52; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p3si9471253pff.356.2018.05.01.10.02.13; Tue, 01 May 2018 10:02:29 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=SMNrRiUz; dkim=fail header.i=@chromium.org header.s=google header.b=e5brLg52; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756171AbeEARAb (ORCPT + 99 others); Tue, 1 May 2018 13:00:31 -0400 Received: from mail-vk0-f52.google.com ([209.85.213.52]:42079 "EHLO mail-vk0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755905AbeEARAa (ORCPT ); Tue, 1 May 2018 13:00:30 -0400 Received: by mail-vk0-f52.google.com with SMTP id j7-v6so7180408vkc.9 for ; Tue, 01 May 2018 10:00:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=P79Y3RwH0ngtI5Xuo/oaVfVpWfn0fCLEFQsLnvWhgYA=; b=SMNrRiUzSi1TUsAKCcuU/6Bc6xD4SmRtV8JvjaA8oTmqcPJ4ovVcg/Hn2dkQD1M/ph kHJNLSgZo3RitNaN9CmJhdoCv2Opf2s/QbEELSbS/QIng+rMf+We1zU7om2n2SE0RgjJ ISJwy98CZrQcXIg8RNbk5kGsAVF9yZMi+nKhqJbjC83HLI+2vCkgpIOPJDRM9FBfcpvT 0ptoS6qyB9YdfofArkzfx/9htdX8mgE1zrTJoXD1S2aWTAnCM9L7ll7ySPaXKBHX8UdK vRFYOOkPMlAx4Fl2iQRDA/Fy7pIbNQNATe9uCUnV5QWolR+vtia5Zq8AL694S8H+wXTS g9Vw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=P79Y3RwH0ngtI5Xuo/oaVfVpWfn0fCLEFQsLnvWhgYA=; b=e5brLg52nUhbWxW2HX3aBrFiAmT+naDfSQnwu6g3EBw/EZXa8J7BdnW6mPfVBbXUqh cGPlqfzC07VyF1EicWHWYuAh1YXl1K+IMyR2rbNH6jpYFYortJmOlrbvEP3ZN4PR5XeM qW7XkLQkZdJYIYDmz8cxwFV7409SqGiKstRRs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=P79Y3RwH0ngtI5Xuo/oaVfVpWfn0fCLEFQsLnvWhgYA=; b=C4grzZv/oRKqsdZjE8IfqMwYMmKWeW9XllrBG/PEDyMOl5Owh64+0bfQJsaV7hRpyZ Ombr6n2ZgG2X7cJ0BkuGBe3Ft2ur45/o+UGehe8pGcnWM2YY8JKRSCwVP2U9OA2kyrSv TJT4EcXY342zmk4gdhRsJi6KmN/ZPYiyocjyw6+2/c+K9cDb0AkSWspayzTioF9RwEfC BYIe8tzHrrEQUEKn9AR/mAQl9yFxUjkkPOxT22NS1OmJugase8BPdudzA5oFzZkM+OTb GdfKpAXCnFSM2ndzBI551oajcJD8J0RHz3RhvXuUo1zmpLr3ulpPqD6qw18xGNVLeZ1W gKlA== X-Gm-Message-State: ALQs6tCq49ORIOCRqGSQds+NKug+q030IxpvsmapRkmb0apo2CwX+GjX 2lZe2HFoyPDAFqjql35S4n8IOtYuvoPM4sLaichDLw== X-Received: by 2002:a1f:824a:: with SMTP id e71-v6mr13725540vkd.7.1525194029145; Tue, 01 May 2018 10:00:29 -0700 (PDT) MIME-Version: 1.0 Received: by 10.31.11.209 with HTTP; Tue, 1 May 2018 10:00:27 -0700 (PDT) In-Reply-To: <4ad99a55-9c93-5ea1-5954-3cb6e5ba7df9@rasmusvillemoes.dk> References: <20180308025812.GA9082@bombadil.infradead.org> <20180308230512.GD29073@bombadil.infradead.org> <20180313183220.GA21538@bombadil.infradead.org> <20180429203023.GA11891@bombadil.infradead.org> <20180430201607.GA7041@bombadil.infradead.org> <4ad99a55-9c93-5ea1-5954-3cb6e5ba7df9@rasmusvillemoes.dk> From: Kees Cook Date: Tue, 1 May 2018 10:00:27 -0700 X-Google-Sender-Auth: I71GrQZNrT8Uko8P2mO2r9dAHoY Message-ID: Subject: Re: [PATCH 2/2] mm: Add kvmalloc_ab_c and kvzalloc_struct To: Rasmus Villemoes , Daniel Vetter Cc: Matthew Wilcox , Julia Lawall , Andrew Morton , Matthew Wilcox , Linux-MM , LKML , Kernel Hardening , cocci@systeme.lip6.fr, Himanshu Jha Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 30, 2018 at 2:29 PM, Rasmus Villemoes wrote: > On 2018-04-30 22:16, Matthew Wilcox wrote: >> On Mon, Apr 30, 2018 at 12:02:14PM -0700, Kees Cook wrote: >>> >>> Getting the constant ordering right could be part of the macro >>> definition, maybe? i.e.: >>> >>> static inline void *kmalloc_ab(size_t a, size_t b, gfp_t flags) >>> { >>> if (__builtin_constant_p(a) && a != 0 && \ >>> b > SIZE_MAX / a) >>> return NULL; >>> else if (__builtin_constant_p(b) && b != 0 && \ >>> a > SIZE_MAX / b) >>> return NULL; >>> >>> return kmalloc(a * b, flags); >>> } >> >> Ooh, if neither a nor b is constant, it just didn't do a check ;-( This >> stuff is hard. >> >>> (I just wish C had a sensible way to catch overflow...) >> >> Every CPU I ever worked with had an "overflow" bit ... do we have a >> friend on the C standards ctte who might figure out a way to let us >> write code that checks it? > > gcc 5.1+ (I think) have the __builtin_OP_overflow checks that should > generate reasonable code. Too bad there's no completely generic > check_all_ops_in_this_expression(a+b*c+d/e, or_jump_here). Though it's > hard to define what they should be checked against - probably would > require all subexpressions (including the variables themselves) to have > the same type. > > plug: https://lkml.org/lkml/2015/7/19/358 That's a very nice series. Why did it never get taken? It seems to do the right things quite correctly. Daniel, while this isn't a perfect solution, is this something you'd use in graphics-land? -Kees -- Kees Cook Pixel Security