Received-SPF: pass (google.com: domain of linux-kernel+bounces-161629-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Precedence: bulk
MIME-Version: 1.0
References: <PAXPR02MB724871DB78375AB06B5171C88B152@PAXPR02MB7248.eurprd02.prod.outlook.com>
In-Reply-To: <PAXPR02MB724871DB78375AB06B5171C88B152@PAXPR02MB7248.eurprd02.prod.outlook.com>
From: Xin Long <lucien.xin@gmail.com>
Date: Sun, 28 Apr 2024 19:33:05 -0400
Message-ID: <CADvbK_fzB3z-f-SJz+E6Q6hac5UyyqDPMB4r8GnCwYK8N8f=2g@mail.gmail.com>
Subject: Re: [PATCH] sctp: prefer struct_size over open coded arithmetic
To: Erick Archer <erick.archer@outlook.com>
Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>, "David S. Miller" <davem@davemloft.net>, 
	Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, 
	Kees Cook <keescook@chromium.org>, "Gustavo A. R. Silva" <gustavoars@kernel.org>, 
	Justin Stitt <justinstitt@google.com>, linux-sctp@vger.kernel.org, netdev@vger.kernel.org, 
	linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Sat, Apr 27, 2024 at 1:23=E2=80=AFPM Erick Archer <erick.archer@outlook.=
com> wrote:
>
> This is an effort to get rid of all multiplications from allocation
> functions in order to prevent integer overflows [1][2].
>
> As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this
> structure ends in a flexible array:
>
> struct sctp_assoc_ids {
>         [...]
>         sctp_assoc_t    gaids_assoc_id[];
> };
>
> the preferred way in the kernel is to use the struct_size() helper to
> do the arithmetic instead of the calculation "size + size * count" in
> the kmalloc() function.
>
> Also, refactor the code adding the "ids_size" variable to avoid sizing
> twice.
>
> This way, the code is more readable and safer.
>
> This code was detected with the help of Coccinelle, and audited and
> modified manually.
>
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open=
-coded-arithmetic-in-allocator-arguments [1]
> Link: https://github.com/KSPP/linux/issues/160 [2]
> Signed-off-by: Erick Archer <erick.archer@outlook.com>
> ---
> Hi,
>
> The Coccinelle script used to detect this code pattern is the following:
>
> virtual report
>
> @rule1@
> type t1;
> type t2;
> identifier i0;
> identifier i1;
> identifier i2;
> identifier ALLOC =3D~ "kmalloc|kzalloc|kmalloc_node|kzalloc_node|vmalloc|=
vzalloc|kvmalloc|kvzalloc";
> position p1;
> @@
>
> i0 =3D sizeof(t1) + sizeof(t2) * i1;
> ...
> i2 =3D ALLOC@p1(..., i0, ...);
>
> @script:python depends on report@
> p1 << rule1.p1;
> @@
>
> msg =3D "WARNING: verify allocation on line %s" % (p1[0].line)
> coccilib.report.print_report(p1[0],msg)
>
> Regards,
> Erick
> ---
>  net/sctp/socket.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index e416b6d3d270..64196b1dce1d 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -7119,6 +7119,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *s=
k, int len,
>         struct sctp_sock *sp =3D sctp_sk(sk);
>         struct sctp_association *asoc;
>         struct sctp_assoc_ids *ids;
> +       size_t ids_size;
>         u32 num =3D 0;
>
>         if (sctp_style(sk, TCP))
> @@ -7131,11 +7132,11 @@ static int sctp_getsockopt_assoc_ids(struct sock =
*sk, int len,
>                 num++;
>         }
>
> -       if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * =
num)
> +       ids_size =3D struct_size(ids, gaids_assoc_id, num);
> +       if (len < ids_size)
>                 return -EINVAL;
>
> -       len =3D sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * nu=
m;
> -
> +       len =3D ids_size;
>         ids =3D kmalloc(len, GFP_USER | __GFP_NOWARN);
>         if (unlikely(!ids))
>                 return -ENOMEM;
> --
> 2.25.1
>
Acked-by: Xin Long <lucien.xin@gmail.com>