From: Kees Cook
Date: Thu, 3 May 2018 17:36:28 -0700
Subject: Re: [PATCH 2/2] mm: Add kvmalloc_ab_c and kvzalloc_struct
To: Rasmus Villemoes
Cc: Daniel Vetter, Matthew Wilcox, Julia Lawall, Andrew Morton, Matthew Wilcox, Linux-MM, LKML, Kernel Hardening, cocci@systeme.lip6.fr, Himanshu Jha
In-Reply-To: <4e25ff5b-f8fc-7012-83c2-b56e6928e8bc@rasmusvillemoes.dk>
References: <20180308025812.GA9082@bombadil.infradead.org> <20180308230512.GD29073@bombadil.infradead.org> <20180313183220.GA21538@bombadil.infradead.org> <20180429203023.GA11891@bombadil.infradead.org> <20180430201607.GA7041@bombadil.infradead.org> <4ad99a55-9c93-5ea1-5954-3cb6e5ba7df9@rasmusvillemoes.dk> <4e25ff5b-f8fc-7012-83c2-b56e6928e8bc@rasmusvillemoes.dk>
List: linux-kernel@vger.kernel.org
On Thu, May 3, 2018 at 4:00 PM, Rasmus Villemoes wrote:
> On 2018-05-01 19:00, Kees Cook wrote:
>> On Mon, Apr 30, 2018 at 2:29 PM, Rasmus Villemoes wrote:
>>>
>>> gcc 5.1+ (I think) has the __builtin_OP_overflow checks that should
>>> generate reasonable code. Too bad there's no completely generic
>>> check_all_ops_in_this_expression(a+b*c+d/e, or_jump_here). Though it's
>>> hard to define what they should be checked against - probably would
>>> require all subexpressions (including the variables themselves) to have
>>> the same type.
>>>
>>> plug: https://lkml.org/lkml/2015/7/19/358
>>
>> That's a very nice series. Why did it never get taken?
>
> Well, nobody seemed particularly interested, and then
> https://lkml.org/lkml/2015/10/28/215 happened... but he did later seem
> to admit that it could be useful for the multiplication checking, and
> that "the gcc interface for multiplication overflow is fine".

Oh, excellent. Thank you for that pointer! That conversation covered a
lot of ground. I need to think a little more about how to apply the
thoughts there with the kmalloc() needs and the GPU driver needs...

> I still think even for unsigned types overflow checking can be subtle. E.g.
>
> u32 somevar;
>
> if (somevar + sizeof(foo) < somevar)
>         return -EOVERFLOW;
> somevar += sizeof(foo);
>
> is broken, because the LHS is promoted to unsigned long/size_t, then so
> is the RHS for the comparison, and the comparison is thus always false
> (on 64-bit). It gets worse if the two types are more "opaque", and in any
> case it's not always easy to verify at a glance that the types are the
> same, or at least that the expression of the widest type is on the RHS.

That's an excellent example, yes. (And likely worth including in the
commit log somewhere.)

>
>> It seems to do the right things quite correctly.
>
> Yes, I wouldn't suggest it without the test module verifying corner
> cases, and checking it has the same semantics whether used with old or
> new gcc.
>
> Would you shepherd it through if I updated the patches and resent?

Yes, though we may need reworking if we actually want to do the
try/catch style (since that was talked about with GPU stuff too...)

Either way, yes, a refresh would be lovely! :)

-Kees

-- 
Kees Cook
Pixel Security
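The integer-promotion pitfall Rasmus describes in the thread above, as an added C example (editor's code, not part of this mail thread, of the kvmalloc patch series, or of the kernel). It puts the quoted `somevar + sizeof(foo) < somevar` check next to two forms that actually detect the wrap: re-truncating the sum to the destination type before comparing, and the gcc/clang `__builtin_add_overflow` builtin mentioned earlier in the thread. `struct foo` (8 bytes) and the `u32` typedef are assumptions standing in for whatever the real code adds; the "always false" behaviour needs `size_t` wider than `u32`, which is the case on 64-bit targets.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Assumed stand-in for the object whose size is added; only sizeof() matters. */
struct foo { char pad[8]; };

/*
 * The check as written in the quoted mail. With a 64-bit size_t, `somevar`
 * is promoted and the sum is computed in size_t, which cannot wrap for a
 * u32 plus 8, so the comparison is always false and no overflow is ever
 * reported even though the later `somevar += sizeof(foo)` wraps.
 */
static bool broken_add_check(u32 somevar)
{
	if (somevar + sizeof(struct foo) < somevar)
		return true;	/* never reached on 64-bit */
	return false;
}

/* Fix 1: force the sum back into the destination type before comparing. */
static bool truncating_add_check(u32 somevar)
{
	u32 sum = (u32)(somevar + sizeof(struct foo));

	return sum < somevar;	/* true exactly when the u32 addition wrapped */
}

/*
 * Fix 2: __builtin_add_overflow (gcc 5.1+, clang) checks the mathematically
 * exact sum against the type of *res, regardless of the operand types, and
 * stores the truncated result. Returns true on overflow.
 */
static bool builtin_add_check(u32 somevar, u32 *res)
{
	return __builtin_add_overflow(somevar, sizeof(struct foo), res);
}

/* Convenience wrapper: the wrapped value __builtin_add_overflow stores. */
static u32 builtin_add_result(u32 somevar)
{
	u32 res;

	(void)builtin_add_check(somevar, &res);
	return res;
}

/* Smallest u32 for which adding sizeof(struct foo) wraps to exactly 0. */
static u32 near_limit(void)
{
	return UINT32_MAX - (u32)sizeof(struct foo) + 1;
}

int main(void)
{
	u32 v = near_limit();

	printf("v = %u, sizeof(struct foo) = %zu\n", v, sizeof(struct foo));
	printf("broken check reports overflow:     %d\n", broken_add_check(v));
	printf("truncating check reports overflow: %d\n", truncating_add_check(v));
	printf("__builtin_add_overflow reports:    %d (result %u)\n",
	       builtin_add_check(v, &v), v);
	return 0;
}
```

Compiled with `gcc -Wall -Wextra` the broken form may or may not draw a "comparison is always false" warning depending on the version, which is the point Rasmus makes about the check not being verifiable at a glance; the builtin form is the one that stays correct when the operand types later change.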