Page MenuHomeFreeBSD
Differential D45661

malloc: Handle large malloc sizes in malloc_size()
ClosedPublic
Actions

Authored by markj on Jun 20 2024, 4:08 PM.
Tags
None
Referenced Files
F98616811: D45661.diff
Fri, Oct 4, 1:56 AM
F98534569: D45661.diff
Thu, Oct 3, 6:20 PM
Unknown Object (File)
Thu, Oct 3, 11:58 AM
Unknown Object (File)
Wed, Oct 2, 4:51 PM
Unknown Object (File)
Wed, Oct 2, 3:31 AM
Unknown Object (File)
Tue, Oct 1, 8:17 PM
Unknown Object (File)
Fri, Sep 27, 2:29 PM
Unknown Object (File)
Thu, Sep 26, 9:31 PM
View All 24 Files
Subscribers
imp
olce
wulf

Details

Reviewers
kib
emaste
Commits
rG067adbb4beac: malloc: Handle large malloc sizes in malloc_size()
rG1c30cf95098e: malloc: Handle large malloc sizes in malloc_size()

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Jun 20 2024, 4:08 PM
Herald added subscribers: olce, imp. · View Herald TranscriptJun 20 2024, 4:08 PM
markj requested review of this revision.Jun 20 2024, 4:08 PM
Harbormaster completed remote builds in B58266: Diff 140037.Jun 20 2024, 4:08 PM
emaste accepted this revision.Jun 20 2024, 5:12 PM
This revision is now accepted and ready to land.Jun 20 2024, 5:12 PM
kib accepted this revision.Jun 21 2024, 3:36 AM

I think malloc_large() and this one need to check that round_page(size) does not overflow.

wulf added a subscriber: wulf.Jun 22 2024, 8:46 PM
wulf added inline comments.
sys/kern/kern_malloc.c
1133

Should we return size intact if kernel config options DEBUG_REDZONE or DEBUG_MEMGUARD are set?

markj marked an inline comment as done.Jun 23 2024, 12:30 AM
In D45661#1041742, @kib wrote:

I think malloc_large() and this one need to check that round_page(size) does not overflow.

Hmm, kmem_malloc* also don't check for overflow. Presumably those functions and malloc_size() should KASSERT(round_page(size) >= size);?

sys/kern/kern_malloc.c
1133

For DEBUG_MEMGUARD, there is no way to do that correctly, since we don't know whether memguard is enabled for the allocation. But, the current behaviour is safe in that the returned value is always less than or equal to the true allocation size.

For DEBUG_REDZONE, what is the right behaviour? Should we just return size (so that consumers do not trigger false positives by attempting to write outside of the allocation bounds) or should we try to implement it properly? I would presume the former, but I don't know how this function will be used.

BTW, I think DEBUG_REDZONE and DEBUG_MEMGUARD are of limited use now that we have kernel sanitizers.

kib added a comment.Jun 23 2024, 2:50 AM
In D45661#1042253, @markj wrote:
In D45661#1041742, @kib wrote:

I think malloc_large() and this one need to check that round_page(size) does not overflow.

Hmm, kmem_malloc* also don't check for overflow. Presumably those functions and malloc_size() should KASSERT(round_page(size) >= size);?

It would be useful, but only for debug kernels. For instance, an unhandled unbound allocation leaking from some device' ioctl is my worry there.

imp added a comment.Jun 23 2024, 3:19 AM
In D45661#1042261, @kib wrote:
In D45661#1042253, @markj wrote:
In D45661#1041742, @kib wrote:

I think malloc_large() and this one need to check that round_page(size) does not overflow.

Hmm, kmem_malloc* also don't check for overflow. Presumably those functions and malloc_size() should KASSERT(round_page(size) >= size);?

It would be useful, but only for debug kernels. For instance, an unhandled unbound allocation leaking from some device' ioctl is my worry there.

I think we need the stronger if. I don't think we bounds check enough down the stack for this to be a simple assert

markj marked an inline comment as done.Jun 23 2024, 3:29 AM
In D45661#1042261, @kib wrote:
In D45661#1042253, @markj wrote:
In D45661#1041742, @kib wrote:

I think malloc_large() and this one need to check that round_page(size) does not overflow.

Hmm, kmem_malloc* also don't check for overflow. Presumably those functions and malloc_size() should KASSERT(round_page(size) >= size);?

It would be useful, but only for debug kernels. For instance, an unhandled unbound allocation leaking from some device' ioctl is my worry there.

Indeed, we have had examples like this, e.g., https://syzkaller.appspot.com/bug?extid=72022fa9163fa958b66c

In a debug kernel, vmem(size == 0) will trigger an assertion failure, so the bug is caught easily, but I'm not sure what happens otherwise. I will write a patch.

wulf added a child revision: D45841: LinuxKPI: Add kmalloc_size_roundup function.Jul 2 2024, 11:32 PM
wulf added a comment.Jul 21 2024, 11:49 AM

Any plans to commit?

Closed by commit rG1c30cf95098e: malloc: Handle large malloc sizes in malloc_size() (authored by markj). · Explain WhyJul 24 2024, 9:26 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rG1c30cf95098e: malloc: Handle large malloc sizes in malloc_size().
markj added a comment.Jul 24 2024, 9:32 PM
In D45661#1042261, @kib wrote:
In D45661#1042253, @markj wrote:
In D45661#1041742, @kib wrote:

I think malloc_large() and this one need to check that round_page(size) does not overflow.

Hmm, kmem_malloc* also don't check for overflow. Presumably those functions and malloc_size() should KASSERT(round_page(size) >= size);?

It would be useful, but only for debug kernels. For instance, an unhandled unbound allocation leaking from some device' ioctl is my worry there.

https://reviews.freebsd.org/D46110 and https://reviews.freebsd.org/D46111

markj added a commit: rG067adbb4beac: malloc: Handle large malloc sizes in malloc_size().Aug 6 2024, 4:41 PM

Revision Contents
Changeset List

PathSize
sys/
kern/
2 lines

Diff 141333

View Options

sys/kern/kern_malloc.c

Loading...