Page MenuHomeFreeBSD

malloc: Handle large malloc sizes in malloc_size()
ClosedPublic

Authored by markj on Jun 20 2024, 4:08 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Jan 8, 4:38 AM
Unknown Object (File)
Nov 19 2024, 2:17 PM
Unknown Object (File)
Oct 4 2024, 1:56 AM
Unknown Object (File)
Oct 3 2024, 6:20 PM
Unknown Object (File)
Oct 3 2024, 11:58 AM
Unknown Object (File)
Oct 2 2024, 4:51 PM
Unknown Object (File)
Oct 2 2024, 3:31 AM
Unknown Object (File)
Oct 1 2024, 8:17 PM
Subscribers

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 58266
Build 55154: arc lint + arc unit

Event Timeline

markj requested review of this revision.Jun 20 2024, 4:08 PM
This revision is now accepted and ready to land.Jun 20 2024, 5:12 PM

I think malloc_large() and this one need to check that round_page(size) does not overflow.

wulf added inline comments.
sys/kern/kern_malloc.c
1069

Should we return size intact if kernel config options DEBUG_REDZONE or DEBUG_MEMGUARD are set?

In D45661#1041742, @kib wrote:

I think malloc_large() and this one need to check that round_page(size) does not overflow.

Hmm, kmem_malloc* also don't check for overflow. Presumably those functions and malloc_size() should KASSERT(round_page(size) >= size);?

sys/kern/kern_malloc.c
1069

For DEBUG_MEMGUARD, there is no way to do that correctly, since we don't know whether memguard is enabled for the allocation. But, the current behaviour is safe in that the returned value is always less than or equal to the true allocation size.

For DEBUG_REDZONE, what is the right behaviour? Should we just return size (so that consumers do not trigger false positives by attempting to write outside of the allocation bounds) or should we try to implement it properly? I would presume the former, but I don't know how this function will be used.

BTW, I think DEBUG_REDZONE and DEBUG_MEMGUARD are of limited use now that we have kernel sanitizers.

In D45661#1041742, @kib wrote:

I think malloc_large() and this one need to check that round_page(size) does not overflow.

Hmm, kmem_malloc* also don't check for overflow. Presumably those functions and malloc_size() should KASSERT(round_page(size) >= size);?

It would be useful, but only for debug kernels. For instance, an unhandled unbound allocation leaking from some device' ioctl is my worry there.

In D45661#1042261, @kib wrote:
In D45661#1041742, @kib wrote:

I think malloc_large() and this one need to check that round_page(size) does not overflow.

Hmm, kmem_malloc* also don't check for overflow. Presumably those functions and malloc_size() should KASSERT(round_page(size) >= size);?

It would be useful, but only for debug kernels. For instance, an unhandled unbound allocation leaking from some device' ioctl is my worry there.

I think we need the stronger if. I don't think we bounds check enough down the stack for this to be a simple assert

In D45661#1042261, @kib wrote:
In D45661#1041742, @kib wrote:

I think malloc_large() and this one need to check that round_page(size) does not overflow.

Hmm, kmem_malloc* also don't check for overflow. Presumably those functions and malloc_size() should KASSERT(round_page(size) >= size);?

It would be useful, but only for debug kernels. For instance, an unhandled unbound allocation leaking from some device' ioctl is my worry there.

Indeed, we have had examples like this, e.g., https://syzkaller.appspot.com/bug?extid=72022fa9163fa958b66c

In a debug kernel, vmem(size == 0) will trigger an assertion failure, so the bug is caught easily, but I'm not sure what happens otherwise. I will write a patch.

In D45661#1042261, @kib wrote:
In D45661#1041742, @kib wrote:

I think malloc_large() and this one need to check that round_page(size) does not overflow.

Hmm, kmem_malloc* also don't check for overflow. Presumably those functions and malloc_size() should KASSERT(round_page(size) >= size);?

It would be useful, but only for debug kernels. For instance, an unhandled unbound allocation leaking from some device' ioctl is my worry there.

https://reviews.freebsd.org/D46110 and https://reviews.freebsd.org/D46111