
Audit open-coded instances and transform them with size_t saturating arithmetic helpers (size_mul, size_add, struct_size, array_size, flex_array_size, etc...)  #160

Description

@GustavoARSilva

Audit the following open-coded allocation-size computations and, where possible, convert them to the saturating size_t helpers named in the title (size_mul(), size_add(), struct_size(), array_size(), flex_array_size(), etc.), so that an overflowing multiply or add saturates instead of silently wrapping to an undersized allocation:

$ git grep -n alloc | grep sizeof | grep ' + ' | grep -v ' \* ' | wc -l
1008
$ git grep -n alloc | grep sizeof | grep ' \* ' | wc -l
816

Here are just a few of the above:

drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c:1389:	ssid = kzalloc(RTW_SSID_SCAN_AMOUNT * sizeof(struct ndis_802_11_ssid),
drivers/staging/rtl8723bs/os_dep/osdep_service.c:277:	cbuf = rtw_malloc(sizeof(*cbuf) + sizeof(void *) * size);
drivers/target/target_core_user.c:1295:	tmr = kmalloc(sizeof(*tmr) + cmd_cnt * sizeof(*cmd_ids), GFP_NOIO);
drivers/thermal/gov_power_allocator.c:423:	req_power = kcalloc(num_actors * 5, sizeof(*req_power), GFP_KERNEL);
drivers/thermal/thermal_sysfs.c:445:	attrs = kcalloc(tz->trips * 3 + 1, sizeof(*attrs), GFP_KERNEL);
drivers/thunderbolt/debugfs.c:195:	buf = kcalloc(COUNTER_SET_LEN * port->config.max_counters, sizeof(u32),
drivers/thunderbolt/test.c:2568:	block = kunit_kzalloc(test, block_len * sizeof(u32), GFP_KERNEL);
drivers/tty/serial/ip22zilog.c:963:		alloc_one_table(NUM_CHANNELS * sizeof(struct uart_ip22zilog_port));
drivers/tty/serial/ip22zilog.c:965:		alloc_one_table(NUM_IP22ZILOG * sizeof(struct zilog_layout *));
drivers/tty/tty_buffer.c:177:	p = kmalloc(sizeof(struct tty_buffer) + 2 * size, GFP_ATOMIC);
drivers/usb/atm/usbatm.c:1020:	instance = kzalloc(sizeof(*instance) + sizeof(struct urb *) * (num_rcv_urbs + num_snd_urbs), GFP_KERNEL);
drivers/usb/gadget/function/f_midi.c:919:	midi_function = kcalloc((MAX_PORTS * 4) + 11, sizeof(*midi_function),
drivers/usb/gadget/function/f_uvc.c:547:	mem = kmalloc((n_desc + 1) * sizeof(*src) + bytes, GFP_KERNEL);
drivers/usb/gadget/legacy/g_ffs.c:193:	f_ffs[0] = kcalloc(func_num * N_CONF, sizeof(*f_ffs), GFP_KERNEL);
drivers/usb/gadget/udc/fsl_qe_udc.c:363:	tmp_addr = cpm_muram_alloc(sizeof(struct qe_bd) * (bdring_len +
drivers/usb/host/ehci-dbg.c:1013:	buf->alloc_size = (sizeof(void *) == 4 ? 6 : 8) * PAGE_SIZE;
drivers/usb/host/fhci.h:475:	return kfifo_alloc(fifo, size * sizeof(void *), GFP_KERNEL);
drivers/usb/mtu3/mtu3_core.c:616:	ep_array = kcalloc(mtu->num_eps * 2, sizeof(*ep_array), GFP_KERNEL);
drivers/video/backlight/led_bl.c:92:	leds = devm_kzalloc(dev, sizeof(struct led_classdev *) * nb_leds,
drivers/video/backlight/led_bl.c:140:		levels = devm_kzalloc(dev, sizeof(u32) * num_levels,
drivers/video/console/newport_con.c:514:	if (!(new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size,
drivers/video/fbdev/asiliantfb.c:557:	p = framebuffer_alloc(sizeof(u32) * 16, &dp->dev);
drivers/video/fbdev/core/fbcon.c:2449:	new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER);
drivers/video/fbdev/efifb.c:443:	info = framebuffer_alloc(sizeof(u32) * 16, &dev->dev);
drivers/video/fbdev/fm2fb.c:241:	info = framebuffer_alloc(16 * sizeof(u32), &z->dev);
...
net/wireless/nl80211.c:14871:	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
net/wireless/scan.c:640:			entry = kzalloc(sizeof(*entry) + IEEE80211_MAX_SSID_LEN,
net/wireless/scan.c:1719:		new = kzalloc(sizeof(*new) + rdev->wiphy.bss_priv_size,
net/wireless/scan.c:1931:	ies = kzalloc(sizeof(*ies) + ielen, gfp);
net/wireless/scan.c:2264:	new_ies = kzalloc(sizeof(*new_ies) + new_ie_len, GFP_ATOMIC);
net/wireless/scan.c:2383:	ies = kzalloc(sizeof(*ies) + ielen, gfp);
net/wireless/scan.c:2704:	creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) +
net/wireless/sme.c:80:	request = kzalloc(sizeof(*request) + sizeof(request->ssids[0]) +
net/wireless/sme.c:832:	ev = kzalloc(sizeof(*ev) + (params->bssid ? ETH_ALEN : 0) +
net/wireless/sme.c:977:	ev = kzalloc(sizeof(*ev) + info->req_ie_len + info->resp_ie_len +
net/wireless/sme.c:1150:	ev = kzalloc(sizeof(*ev) + ie_len, gfp);
net/wireless/util.c:728:	frame = dev_alloc_skb(hlen + sizeof(struct ethhdr) + 2 + cur_len);
net/xfrm/xfrm_user.c:357:	p = kmalloc(sizeof(*p) + (ualg->alg_key_len + 7) / 8, GFP_KERNEL);
samples/bpf/map_perf_test_user.c:376:	key = alloca(sizeof(*key) + 4);
samples/bpf/xdp_router_ipv4_user.c:212:			prefix_key = alloca(sizeof(*prefix_key) + 3);
samples/connector/cn_test.c:122:	m = kzalloc(sizeof(*m) + sizeof(data), GFP_ATOMIC);
scripts/asn1_compiler.c:763:	types = type_list = calloc(nr + 1, sizeof(type_list[0]));
scripts/basic/fixdep.c:167:	struct item *aux = malloc(sizeof(*aux) + len);
scripts/kallsyms.c:234:	sym = malloc(sizeof(*sym) + len + 1);
scripts/mod/modpost.c:184:	mod = NOFAIL(malloc(sizeof(*mod) + strlen(modname) + 1));
scripts/mod/modpost.c:236:	struct symbol *s = NOFAIL(malloc(sizeof(*s) + strlen(name) + 1));
scripts/mod/sumversion.c:310:	cmd = NOFAIL(malloc(strlen(objfile) + sizeof("..cmd")));
security/apparmor/apparmorfs.c:91:	ret = kvzalloc(sizeof(*ret) + size, GFP_KERNEL);
security/apparmor/lib.c:139:	str = kmalloc(sizeof(struct counted_str) + size, gfp);
security/integrity/evm/evm_crypto.c:121:	desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm),
security/integrity/ima/ima_modsig.c:68:	hdr = kzalloc(sizeof(*hdr) + sig_len, GFP_KERNEL);
security/keys/encrypted-keys/encrypted.c:644:	epayload = kzalloc(sizeof(*epayload) + payload_datalen +
security/keys/user_defined.c:67:	upayload = kmalloc(sizeof(*upayload) + datalen, GFP_KERNEL);
security/security.c:323:	ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms),
security/selinux/ss/sidtab.c:573:	cache = kmalloc(sizeof(struct sidtab_str_cache) + str_len, GFP_ATOMIC);
security/selinux/xfrm.c:92:	ctx = kmalloc(sizeof(*ctx) + str_len + 1, gfp);
security/selinux/xfrm.c:363:	ctx = kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC);
security/tomoyo/domain.c:476:	entry = kzalloc(sizeof(*entry) + len + 1, GFP_NOFS | __GFP_NOWARN);
security/tomoyo/memory.c:173:	ptr = kzalloc(sizeof(*ptr) + len, GFP_NOFS | __GFP_NOWARN);
sound/core/init.c:176:	card = kzalloc(sizeof(*card) + extra_size, GFP_KERNEL);
sound/core/init.c:221:	card = devres_alloc(__snd_card_release, sizeof(*card) + extra_size,
sound/core/oss/pcm_plugin.c:161:	plugin = kzalloc(sizeof(*plugin) + extra, GFP_KERNEL);
sound/core/seq_device.c:217:	dev = kzalloc(sizeof(*dev) + argsize, GFP_KERNEL);
sound/drivers/vx/vx_core.c:806:	chip = devres_alloc(snd_vx_release, sizeof(*chip) + extra_size,
sound/hda/hdac_component.c:296:	acomp = devres_alloc(hdac_acomp_release, sizeof(*acomp) + extra_size,
sound/hda/hdac_sysfs.c:375:	tree->nodes = kcalloc(codec->num_nodes + 1, sizeof(*tree->nodes),
sound/hda/hdac_sysfs.c:437:	tree->nodes = kcalloc(num_nodes + 1, sizeof(*tree->nodes), GFP_KERNEL);
sound/pci/emu10k1/emufx.c:666:	tlv = kmalloc(data[1] + sizeof(data), GFP_KERNEL);
sound/soc/codecs/cros_ec_codec.c:81:	msg = kmalloc(sizeof(*msg) + max(outsize, insize), GFP_KERNEL);
sound/soc/codecs/sigmadsp.c:226:	ctrl = kzalloc(sizeof(*ctrl) + num_bytes, GFP_KERNEL);
sound/soc/codecs/sigmadsp.c:275:	data = kzalloc(sizeof(*data) + length, GFP_KERNEL);
sound/soc/codecs/sigmadsp.c:418:		data = kzalloc(sizeof(*data) + len - 2, GFP_KERNEL);

Link: https://lore.kernel.org/linux-hardening/20210920180853.1825195-1-keescook@chromium.org/
