From: David Laight <David.Laight@ACULAB.COM>
To: 'Dan Carpenter' <dan.carpenter@linaro.org>,
Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Justin Stitt <justinstitt@google.com>,
Peter Zijlstra <peterz@infradead.org>,
Mark Rutland <mark.rutland@arm.com>,
"linux-hardening@vger.kernel.org"
<linux-hardening@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"llvm@lists.linux.dev" <llvm@lists.linux.dev>
Subject: RE: [RFC] Mitigating unexpected arithmetic overflow
Date: Sat, 18 May 2024 15:39:41 +0000 [thread overview]
Message-ID: <d95664b24ec94436b6cf906fefcc0b4f@AcuMS.aculab.com> (raw)
In-Reply-To: <0480d602-3ad7-4f8e-a480-9860d56eab30@suswa.mountain>
From: Dan Carpenter
> Sent: 14 May 2024 09:45
>
> Snipped all the bits where you are clearly correct.
>
> On Mon, May 13, 2024 at 12:43:37PM -0700, Kees Cook wrote:
> > > drivers/usb/class/usbtmc.c:852 usbtmc_generic_read() warn: potential integer overflow from user
> 'max_transfer_size + 1'
> > > 842 * wMaxPacketSize – 1) to avoid sending a zero-length
> > > 843 * packet
> > > 844 */
> > > 845 remaining = transfer_size;
> > > 846 if ((max_transfer_size % data->wMaxPacketSize) == 0)
> > > 847 max_transfer_size += (data->wMaxPacketSize - 1);
> > > 848 } else {
> > > 849 /* round down to bufsize to avoid truncated data left */
> > > 850 if (max_transfer_size > bufsize) {
> > > 851 max_transfer_size =
> > > 852 roundup(max_transfer_size + 1 - bufsize,
> > > ^^^^^^^^^^^^^^^^^^^^^
> > > This can overflow. We should make it a rule that all size variables
> > > have to be unsigned long. That would have made this safe on 64 bit
> > > systems.
> > >
> > > 853 bufsize);
> > > 854 }
> > > 855 remaining = max_transfer_size;
> >
> > Again, do we _want_ this to overflow? It looks like not. I'm not sure
> > what this code is trying to do, though. The comment doesn't seem to
> > match the code. Why isn't this just roundup(max_transfer_size, bufsize) ?
> >
Isn't it just max_transfer_size / bufsize * bufsize?
> roundup() has an integer overflow in it.
Which is a generic problem with these 'helpers'.
If the function is open coded any overflow is obvious.
But hide it in a wrapper and it is just 'assumed to work'.
DIV_ROUNDUP(x, y) can be either (x + y - 1)/y or (x - 1)/y + 1.
The first is valid for 0 but can overflow, the second is valid for x != 0.
(Who knows what is expected for negative values!)
In most places one of the pair will always be correct.
Obfuscating the code tend to stop readers (and the kernel code does get some)
spotting things in passing.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
prev parent reply other threads:[~2024-05-18 15:42 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-07 23:27 [RFC] Mitigating unexpected arithmetic overflow Kees Cook
2024-05-08 12:22 ` David Laight
2024-05-08 23:43 ` Kees Cook
2024-05-08 17:52 ` Linus Torvalds
2024-05-08 19:44 ` Kees Cook
2024-05-08 20:07 ` Linus Torvalds
2024-05-08 22:54 ` Kees Cook
2024-05-08 23:47 ` Linus Torvalds
2024-05-09 0:06 ` Linus Torvalds
2024-05-09 0:23 ` Linus Torvalds
2024-05-09 6:11 ` Kees Cook
2024-05-09 14:08 ` Theodore Ts'o
2024-05-09 15:38 ` Linus Torvalds
2024-05-09 17:54 ` Al Viro
2024-05-09 18:08 ` Linus Torvalds
2024-05-09 18:39 ` Linus Torvalds
2024-05-09 18:48 ` Al Viro
2024-05-09 19:15 ` Linus Torvalds
2024-05-09 19:28 ` Al Viro
2024-05-09 21:06 ` David Laight
2024-05-18 5:11 ` Matthew Wilcox
2024-05-09 21:23 ` David Laight
2024-05-12 8:03 ` Martin Uecker
2024-05-12 16:09 ` Linus Torvalds
2024-05-12 19:29 ` Martin Uecker
2024-05-13 18:34 ` Kees Cook
2024-05-15 7:36 ` Peter Zijlstra
2024-05-15 17:12 ` Justin Stitt
2024-05-16 7:45 ` Peter Zijlstra
2024-05-16 13:30 ` Kees Cook
2024-05-16 14:09 ` Peter Zijlstra
2024-05-16 19:48 ` Justin Stitt
2024-05-16 20:07 ` Kees Cook
2024-05-16 20:51 ` Theodore Ts'o
2024-05-17 21:15 ` Kees Cook
2024-05-18 2:51 ` Theodore Ts'o
2024-05-17 22:04 ` Fangrui Song
2024-05-18 13:08 ` David Laight
2024-05-15 7:57 ` Peter Zijlstra
2024-05-17 7:45 ` Jonas Oberhauser
2024-05-11 16:19 ` Dan Carpenter
2024-05-13 19:43 ` Kees Cook
2024-05-14 8:45 ` Dan Carpenter
2024-05-18 15:39 ` David Laight [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d95664b24ec94436b6cf906fefcc0b4f@AcuMS.aculab.com \
--to=david.laight@aculab.com \
--cc=dan.carpenter@linaro.org \
--cc=justinstitt@google.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=mark.rutland@arm.com \
--cc=peterz@infradead.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox