From: Dan Carpenter <dan.carpenter@linaro.org>
To: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: Re: less size_t please (was Re: [PATCH net] xfrm: fix integer overflow in xfrm_replay_state_esn_len())
Date: Fri, 7 Mar 2025 16:43:37 +0300 [thread overview]
Message-ID: <f5100325-4b43-446c-85c0-6e3535305af6@stanley.mountain> (raw)
In-Reply-To: <3c8d42ca-fcaf-497d-ac86-cc2fc9cf984f@p183>
On Thu, Feb 06, 2025 at 08:06:55PM +0300, Alexey Dobriyan wrote:
> On Thu, Jan 30, 2025 at 07:15:15PM +0300, Dan Carpenter wrote:
> > On Thu, Jan 30, 2025 at 04:44:42PM +0300, Alexey Dobriyan wrote:
> > > > -static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
> > > > +static inline size_t xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
> > > > {
> > > > - return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
> > > > + return size_add(sizeof(*replay_esn), size_mul(replay_esn->bmp_len, sizeof(__u32)));
> > >
> > > Please don't do this.
> > >
> > > You can (and should!) make calculations and check for overflow at the
> > > same time. It's very efficient.
> > >
> > > > 1) Use size_add() and size_mul(). This change is necessary for 32bit systems.
> > >
> > > This bloats code on 32-bit.
> > >
> >
> > I'm not sure I understand. On 32-bit systems a size_t and an unsigned
> > int are the same size. Did you mean to say 64-bit?
>
> It looks like yes.
>
> > Declaring sizes as u32 leads to integer overflows like this one.
>
> No, the problem is unchecked C addition and mixing types which confuses
> people (in the opposite direction too -- there were fake CVEs because
> someone thought "size_t len" in write hooks could be big enough).
>
> The answer is to use single type as much as possible and using checked
> additions on-the-go at every binary operator if possible.
In the write_hooks examples, we fixed those by moving to size_t.
64bit types are safer because 2**64 is a superset of 2**32. Anything
which can overflow 64bits can overflow 32bits. So obviously 64bits is
safer.
But it's surprising the extent of it. We avoid using ulong types in
UAPI because it's a headache for 32bit support. So normally we get
an u32 number_items from the user. That's 4 billion. It's a small
number and it's actually pretty hard for it to lead to an integer
overflow on 64bit systems. The struct_size() function is basically
not needed if you're on 64bit and you declare your length variables as
size_t.
The rest of the kernel has an assumption that sizes are saved in size_t.
The size_add() and struct_size() macros rely on it. In networking there
are a number of functions like sock_kmalloc() which truncate the size
parameter to int and they just make me itch to look at.
regards,
dan carpenter
prev parent reply other threads:[~2025-03-07 13:43 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-30 13:44 less size_t please (was Re: [PATCH net] xfrm: fix integer overflow in xfrm_replay_state_esn_len()) Alexey Dobriyan
2025-01-30 16:15 ` Dan Carpenter
2025-02-06 17:06 ` Alexey Dobriyan
2025-02-07 7:46 ` Dan Carpenter
2025-03-07 13:43 ` Dan Carpenter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f5100325-4b43-446c-85c0-6e3535305af6@stanley.mountain \
--to=dan.carpenter@linaro.org \
--cc=adobriyan@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=horms@kernel.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox