On 9/22/22 17:55, Kees Cook wrote: > On Thu, Sep 22, 2022 at 09:10:56AM +0200, Christian König wrote: >> Am 22.09.22 um 05:10 schrieb Kees Cook: >> > Hi, >> > >> > This series fixes up the cases where callers of ksize() use it to >> > opportunistically grow their buffer sizes, which can run afoul of the >> > __alloc_size hinting that CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE >> > use to perform dynamic buffer bounds checking. >> >> Good cleanup, but one question: What other use cases we have for ksize() >> except the opportunistically growth of buffers? > > The remaining cases all seem to be using it as a "do we need to resize > yet?" check, where they don't actually track the allocation size > themselves and want to just depend on the slab cache to answer it. This > is most clearly seen in the igp code: > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/ethernet/intel/igb/igb_main.c?h=v6.0-rc6#n1204 > > My "solution" there kind of side-steps it, and leaves ksize() as-is: > https://lore.kernel.org/linux-hardening/20220922031013.2150682-8-keescook@xxxxxxxxxxxx/ > > The more correct solution would be to add per-v_idx size tracking, > similar to the other changes I sent: > https://lore.kernel.org/linux-hardening/20220922031013.2150682-11-keescook@xxxxxxxxxxxx/ > > I wonder if perhaps I should just migrate some of this code to using > something like struct membuf. > >> Off hand I can't see any. >> >> So when this patch set is about to clean up this use case it should probably >> also take care to remove ksize() or at least limit it so that it won't be >> used for this use case in the future. > > Yeah, my goal would be to eliminate ksize(), and it seems possible if > other cases are satisfied with tracking their allocation sizes directly. I think we could leave ksize() to determine the size without a need for external tracking, but from now on forbid callers from using that hint to overflow the allocation size they actually requested? Once we remove the kasan/kfence hooks in ksize() that make the current kinds of usage possible, we should be able to catch any offenders of the new semantics that would appear? > -Kees >