Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Date:   Sun, 22 Aug 2021 17:41:02 +0200
From:   Len Baker <len.baker@gmx.com>
To:     Kees Cook <keescook@chromium.org>
Cc:     Len Baker <len.baker@gmx.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Michael Straube <straube.linux@gmail.com>,
        Lee Jones <lee.jones@linaro.org>,
        linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org,
        linux-hardening@vger.kernel.org
Subject: Re: [PATCH 2/2] staging/rtl8192u: Prefer kcalloc over open coded
 arithmetic
Message-ID: <20210822154044.GA8942@titan>
References: <20210822142820.5109-1-len.baker@gmx.com>
 <20210822142820.5109-3-len.baker@gmx.com>
 <202108220751.4E6ADBA@keescook>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <202108220751.4E6ADBA@keescook>
Content-Transfer-Encoding: quoted-printable
Precedence: bulk

Hi Kees,

On Sun, Aug 22, 2021 at 07:59:51AM -0700, Kees Cook wrote:
> On Sun, Aug 22, 2021 at 04:28:20PM +0200, Len Baker wrote:
> > Dynamic size calculations (especially multiplication) should not be
> > performed in memory allocator (or similar) function arguments due to t=
he
> > risk of them overflowing. This could lead to values wrapping around an=
d
> > a smaller allocation being made than the caller was expecting. Using
> > those allocations could lead to linear overflows of heap memory and
> > other misbehaviors.
> >
> > So, use the purpose specific kcalloc() function instead of the argumen=
t
> > size * count in the kzalloc() function.
>
> It might be useful to reference the documentation on why this change is
> desired:
> https://www.kernel.org/doc/html/latest/process/deprecated.html#open-code=
d-arithmetic-in-allocator-arguments

Ok, I will add this info to the next version. Thanks for the advise.

> Here and in the docs, though, it's probably worth noting that these
> aren't actually dynamic sizes: both sides of the multiplication are
> constant values. I still think it's best to refactor these anyway, just
> to keep the open-coded math idiom out of code, though.

Ok, I will change the commit message to note this. Also I will send
a patch to add this info to the documentation.

> Also, have you looked at Coccinelle at all? I have a hideous pile of
> rules that try to find these instances, but it really needs improvement:
> https://github.com/kees/coccinelle-linux-allocator-overflow/tree/trunk/a=
rray_size

I think my script is even worst ;) but find some arithmetic to improve :)
I will take a look. Thanks for the info.

> Reviewed-by: Kees Cook <keescook@chromium.org>
>

Regards,
Len

> >
> > Signed-off-by: Len Baker <len.baker@gmx.com>
> > ---
> >  drivers/staging/rtl8192u/r819xU_phy.c | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/staging/rtl8192u/r819xU_phy.c b/drivers/staging/r=
tl8192u/r819xU_phy.c
> > index ff6fe2ee3349..97f4d89500ae 100644
> > --- a/drivers/staging/rtl8192u/r819xU_phy.c
> > +++ b/drivers/staging/rtl8192u/r819xU_phy.c
> > @@ -1195,17 +1195,17 @@ static u8 rtl8192_phy_SwChnlStepByStep(struct =
net_device *dev, u8 channel,
> >  	u8 e_rfpath;
> >  	bool ret;
> >
> > -	pre_cmd =3D kzalloc(sizeof(*pre_cmd) * MAX_PRECMD_CNT, GFP_KERNEL);
> > +	pre_cmd =3D kcalloc(MAX_PRECMD_CNT, sizeof(*pre_cmd), GFP_KERNEL);
> >  	if (!pre_cmd)
> >  		return false;
> >
> > -	post_cmd =3D kzalloc(sizeof(*post_cmd) * MAX_POSTCMD_CNT, GFP_KERNEL=
);
> > +	post_cmd =3D kcalloc(MAX_POSTCMD_CNT, sizeof(*post_cmd), GFP_KERNEL)=
;
> >  	if (!post_cmd) {
> >  		kfree(pre_cmd);
> >  		return false;
> >  	}
> >
> > -	rf_cmd =3D kzalloc(sizeof(*rf_cmd) * MAX_RFDEPENDCMD_CNT, GFP_KERNEL=
);
> > +	rf_cmd =3D kcalloc(MAX_RFDEPENDCMD_CNT, sizeof(*rf_cmd), GFP_KERNEL)=
;
> >  	if (!rf_cmd) {
> >  		kfree(pre_cmd);
> >  		kfree(post_cmd);
> > --
> > 2.25.1
> >
>
> --
> Kees Cook