diff mbox series

[v2,21/24] x86/sgx: use vmalloc_array and vcalloc

Message ID	20230627144339.144478-22-Julia.Lawall@inria.fr
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; From: Julia Lawall <Julia.Lawall@inria.fr> To: Jarkko Sakkinen <jarkko@kernel.org> Cc: kernel-janitors@vger.kernel.org, keescook@chromium.org, christophe.jaillet@wanadoo.fr, kuba@kernel.org, Dave Hansen <dave.hansen@linux.intel.com>, Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>, x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>, linux-sgx@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v2 21/24] x86/sgx: use vmalloc_array and vcalloc Date: Tue, 27 Jun 2023 16:43:36 +0200 Message-Id: <20230627144339.144478-22-Julia.Lawall@inria.fr> In-Reply-To: <20230627144339.144478-1-Julia.Lawall@inria.fr> References: <20230627144339.144478-1-Julia.Lawall@inria.fr> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	use vmalloc_array and vcalloc \| [v2,00/24] use vmalloc_array and vcalloc [v2,01/24] lib/test_vmalloc.c: use vmalloc_array and vcalloc [v2,02/24] octeon_ep: use vmalloc_array and vcalloc [v2,03/24] drm/gud: use vmalloc_array and vcalloc [v2,04/24] gve: use vmalloc_array and vcalloc [v2,05/24] RDMA/erdma: use vmalloc_array and vcalloc [v2,06/24] dma-buf: system_heap: use vmalloc_array and vcalloc [v2,07/24] scsi: fnic: use vmalloc_array and vcalloc [v2,08/24] virtio-mem: use vmalloc_array and vcalloc [v2,09/24] pds_core: use vmalloc_array and vcalloc [v2,10/24] bus: mhi: host: use vmalloc_array and vcalloc [v2,11/24] ionic: use vmalloc_array and vcalloc [v2,12/24] btrfs: zoned: use vmalloc_array and vcalloc [v2,13/24] iommu/tegra: gart: use vmalloc_array and vcalloc [v2,14/24] RDMA/siw: use vmalloc_array and vcalloc [v2,15/24] habanalabs: use vmalloc_array and vcalloc [v2,16/24] drm/i915/gvt: use vmalloc_array and vcalloc [v2,17/24] kcov: use vmalloc_array and vcalloc [v2,18/24] net: enetc: use vmalloc_array and vcalloc [v2,19/24] RDMA/bnxt_re: use vmalloc_array and vcalloc [v2,20/24] comedi: use vmalloc_array and vcalloc [v2,21/24] x86/sgx: use vmalloc_array and vcalloc [v2,22/24] net: mana: use vmalloc_array and vcalloc [v2,23/24] vduse: use vmalloc_array and vcalloc [v2,24/24] scsi: qla2xxx: use vmalloc_array and vcalloc

Commit Message

Julia Lawall June 27, 2023, 2:43 p.m. UTC

  Use vmalloc_array and vcalloc to protect against
multiplication overflows.

The changes were done using the following Coccinelle
semantic patch:

// <smpl>
@initialize:ocaml@
@@

let rename alloc =
  match alloc with
    "vmalloc" -> "vmalloc_array"
  | "vzalloc" -> "vcalloc"
  | _ -> failwith "unknown"

@@
    size_t e1,e2;
    constant C1, C2;
    expression E1, E2, COUNT, x1, x2, x3;
    typedef u8;
    typedef __u8;
    type t = {u8,__u8,char,unsigned char};
    identifier alloc = {vmalloc,vzalloc};
    fresh identifier realloc = script:ocaml(alloc) { rename alloc };
@@

(
      alloc(x1*x2*x3)
|
      alloc(C1 * C2)
|
      alloc((sizeof(t)) * (COUNT), ...)
|
-     alloc((e1) * (e2))
+     realloc(e1, e2)
|
-     alloc((e1) * (COUNT))
+     realloc(COUNT, e1)
|
-     alloc((E1) * (E2))
+     realloc(E1, E2)
)
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>

---
v2: Use vmalloc_array and vcalloc instead of array_size.
This also leaves a multiplication of a constant by a sizeof
as is.  Two patches are thus dropped from the series.

 arch/x86/kernel/cpu/sgx/main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Dave Hansen June 27, 2023, 2:54 p.m. UTC | #1

On 6/27/23 07:43, Julia Lawall wrote:
> Use vmalloc_array and vcalloc to protect against
> multiplication overflows.
...
> diff -u -p a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
> --- a/arch/x86/kernel/cpu/sgx/main.c
> +++ b/arch/x86/kernel/cpu/sgx/main.c
> @@ -628,7 +628,7 @@ static bool __init sgx_setup_epc_section
>  	if (!section->virt_addr)
>  		return false;
>  
> -	section->pages = vmalloc(nr_pages * sizeof(struct sgx_epc_page));
> +	section->pages = vmalloc_array(nr_pages, sizeof(struct sgx_epc_page));
>  	if (!section->pages) {

I'm not sure that changelog matches the code.

'nr_pages' here is an 'unsigned long' and The sizeof()==32.  In
practice, the multiplication can be done with a shift, and the ulong is
a *LONG* way from overflowing.

I'll accept that, as a general rule, vmalloc_array() is the preferred
form.  It's totally possible that someone could copy and paste the
nr_foo*sizeof(struct bar) code over to a place where nr_foo is a more
troublesome type.

But, if that's the true motivation, could we please say that in the
changelog?  As it stands, it's a bit silly to be talking about
multiplication overflows, unless I'm missing something totally obvious.

Julia Lawall June 27, 2023, 3:01 p.m. UTC | #2

On Tue, 27 Jun 2023, Dave Hansen wrote:

> On 6/27/23 07:43, Julia Lawall wrote:
> > Use vmalloc_array and vcalloc to protect against
> > multiplication overflows.
> ...
> > diff -u -p a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
> > --- a/arch/x86/kernel/cpu/sgx/main.c
> > +++ b/arch/x86/kernel/cpu/sgx/main.c
> > @@ -628,7 +628,7 @@ static bool __init sgx_setup_epc_section
> >  	if (!section->virt_addr)
> >  		return false;
> >
> > -	section->pages = vmalloc(nr_pages * sizeof(struct sgx_epc_page));
> > +	section->pages = vmalloc_array(nr_pages, sizeof(struct sgx_epc_page));
> >  	if (!section->pages) {
>
> I'm not sure that changelog matches the code.
>
> 'nr_pages' here is an 'unsigned long' and The sizeof()==32.  In
> practice, the multiplication can be done with a shift, and the ulong is
> a *LONG* way from overflowing.
>
> I'll accept that, as a general rule, vmalloc_array() is the preferred
> form.  It's totally possible that someone could copy and paste the
> nr_foo*sizeof(struct bar) code over to a place where nr_foo is a more
> troublesome type.
>
> But, if that's the true motivation, could we please say that in the
> changelog?  As it stands, it's a bit silly to be talking about
> multiplication overflows, unless I'm missing something totally obvious.

If it is certain that no overflow is possible, then perhaps it is fine to
drop the patch?  I didn't change cases where both arguments are constants
nor where the result of the sizeof is 1.  But I also didn't do a careful
analysis to see if an overflow is possible given the possible values
involved.

Or if it seems better to keep the change, I can also change the log
message.

julia

Dave Hansen June 27, 2023, 3:06 p.m. UTC | #3

On 6/27/23 08:01, Julia Lawall wrote:
> If it is certain that no overflow is possible, then perhaps it is fine to
> drop the patch? 

It's impossible in practice in this case because the code is 64-bit only
and uses an 'unsigned long'.  But, like I said, I can see that same
vmalloc() being copied-and-pasted or moved to a 32-bit system and
theoretically causing problems in rare scenarios.

I'd probably just drop this patch.

diff mbox series

Patch

diff -u -p a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
--- a/arch/x86/kernel/cpu/sgx/main.c
+++ b/arch/x86/kernel/cpu/sgx/main.c
@@ -628,7 +628,7 @@  static bool __init sgx_setup_epc_section
 	if (!section->virt_addr)
 		return false;
 
-	section->pages = vmalloc(nr_pages * sizeof(struct sgx_epc_page));
+	section->pages = vmalloc_array(nr_pages, sizeof(struct sgx_epc_page));
 	if (!section->pages) {
 		memunmap(section->virt_addr);
 		return false;