From: Kees Cook <kees@kernel.org>
To: Matthew Wilcox <willy@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Vlastimil Babka <vbabka@suse.cz>,
Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Roman Gushchin <roman.gushchin@linux.dev>,
Hyeonggon Yoo <42.hyeyoo@gmail.com>,
"Gustavo A . R . Silva" <gustavoars@kernel.org>,
Bill Wendling <morbo@google.com>,
Justin Stitt <justinstitt@google.com>,
Jann Horn <jannh@google.com>,
Przemek Kitszel <przemyslaw.kitszel@intel.com>,
Marco Elver <elver@google.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>,
linux-mm@kvack.org, Randy Dunlap <rdunlap@infradead.org>,
Miguel Ojeda <ojeda@kernel.org>,
Vegard Nossum <vegard.nossum@oracle.com>,
Harry Yoo <harry.yoo@oracle.com>,
Nathan Chancellor <nathan@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
Jonathan Corbet <corbet@lwn.net>,
Jakub Kicinski <kuba@kernel.org>,
Yafang Shao <laoar.shao@gmail.com>,
Tony Ambardar <tony.ambardar@gmail.com>,
Alexander Lobakin <aleksander.lobakin@intel.com>,
Jan Hendrik Farr <kernel@jfarr.cc>,
Alexander Potapenko <glider@google.com>,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
linux-doc@vger.kernel.org, llvm@lists.linux.dev
Subject: Re: [PATCH v5 2/4] slab: Introduce kmalloc_obj() and family
Date: Mon, 24 Nov 2025 13:20:21 -0800
Message-ID: <202511241317.516BDE7B@keescook>
In-Reply-To: <aSTKLsRNiEKtDqPI@casper.infradead.org>
On Mon, Nov 24, 2025 at 09:12:14PM +0000, Matthew Wilcox wrote:
> On Mon, Nov 24, 2025 at 12:38:57PM -0800, Kees Cook wrote:
> > For code like:
> >
> > u8 size;
> > ...
> > size = struct_size(ptr, flex_member, count);
> > ptr = kmalloc(size, gfp);
> >
> > While struct_size() is designed to deal with overflows beyond SIZE_MAX,
> > it can't do anything about truncation of its return value since it has
> > no visibility into the lvalue type. So this code pattern happily
> > truncates, allocates too little memory, and then usually does stuff like
> > runs a for-loop based on "count" instead of "size" and walks right off
> > the end of the heap allocation, clobbering whatever follows it.
>
> Have we investigated a compiler warning like
> -Wimplicit-arithmetic-truncation that would complain about this kind of
> thing and could be shut up by an explicit cast:
>
> size = (u8)struct_size(ptr, flex_member, count);
>
> or arithmetic that can be proven to not overflow:
> size = struct_size(ptr, flex_member, count) & 0xff;
>
> Maybe such a warning already exists and it's just too noisy to even
> start thinking about turning it on?
Yes, -Wconversion (W=3) is mind-blowingly noisy, unfortunately.
--
Kees Cook
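The truncation pattern Kees describes above, as an added userspace example that is not code from this thread or from the kernel: `pkt_size()` stands in for struct_size() over a constructed `struct pkt`, `truncated_size()` shows what assigning the result to a u8 lvalue does to it, and `checked_size_u8()` is one way to make the narrowing assignment fail instead of silently under-allocating, using the compiler overflow builtins (which report whether the exact result fits the destination type). All names here are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed struct with a flexible array member of "count" elements. */
struct pkt {
	uint32_t id;
	uint16_t count;
	uint8_t data[];
};

/* Userspace stand-in for struct_size(): sizeof(*p) plus count elements,
 * saturating to SIZE_MAX if the size_t arithmetic overflows. */
static size_t pkt_size(size_t count)
{
	size_t bytes, total;

	if (__builtin_mul_overflow(count, sizeof(uint8_t), &bytes) ||
	    __builtin_add_overflow(sizeof(struct pkt), bytes, &total))
		return SIZE_MAX;
	return total;
}

/* The pattern from the thread: a size_t result stored into a u8. Any
 * size above 255 is silently reduced modulo 256, so the allocator is
 * asked for far less than the "count" loops will later touch. */
static uint8_t truncated_size(size_t count)
{
	uint8_t size = pkt_size(count);	/* implicit narrowing conversion */
	return size;
}

/* Hardened variant: compute straight into the narrow lvalue with the
 * overflow builtins, which fail when the exact value does not fit a u8. */
static bool checked_size_u8(size_t count, uint8_t *size)
{
	size_t bytes;

	if (__builtin_mul_overflow(count, sizeof(uint8_t), &bytes))
		return false;
	return !__builtin_add_overflow(sizeof(struct pkt), bytes, size);
}

/* Convenience wrapper: the checked u8 size, or -1 when it does not fit. */
static int size_u8_or_error(size_t count)
{
	uint8_t size;

	return checked_size_u8(count, &size) ? size : -1;
}

int main(void)
{
	size_t count = 300;	/* constructed: more than a u8 can describe */

	printf("true size %zu, truncated to %u, checked: %d\n",
	       pkt_size(count), truncated_size(count), size_u8_or_error(count));
	return 0;
}
```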