From owner-svn-src-head@freebsd.org Wed Jan 24 18:30:05 2018 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 882B8EBBBDE; Wed, 24 Jan 2018 18:30:05 +0000 (UTC) (envelope-from cse.cem@gmail.com) Received: from mail-io0-f177.google.com (mail-io0-f177.google.com [209.85.223.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1EA4C6E940; Wed, 24 Jan 2018 18:30:04 +0000 (UTC) (envelope-from cse.cem@gmail.com) Received: by mail-io0-f177.google.com with SMTP id t22so5832802ioa.7; Wed, 24 Jan 2018 10:30:04 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:reply-to:in-reply-to:references :from:date:message-id:subject:to:cc:content-transfer-encoding; bh=kcMin/AbLyXvvyoAtKVeJBcp5zEygg4tlm3QThaRG24=; b=JaLHdww3AQ0Llr10DmnErE/dEx3BrOnzNGtZNL2ER0UMvaGyfzcjmnDGbkPUQFEZwd XWi7v4myw1N4Cm1JXlhnenH6uE39Vg/2encm8gZ0Jb59U5pUaAl6VGffNXkukdjDgRLQ yUEh/srC7dh1cgYXehQl2to1wHSjIvLCV6ijKLS8zATXVB94XKYbuDaOSzowplz+l1/O od7G+lfA6rPtMx13bKPpnPjeAlZXcQsI7+mQlqCyHj1iTs3iwQ7F6G5t8iMIJFDNcAMj TY4rpLtWT2Ep35m1Eu7JKyRlPW9WUvgaceuHWH9vAN1znardJYgmXcPLKWTsrWgy0UwG NQQg== X-Gm-Message-State: AKwxytcBR7MgSNVLbGP8FFYof+HBOje4WxicmlxnAcrbf33YnxGQ1V9T xQbDABDcSkFpQKqDP6VzZLZclRqa X-Google-Smtp-Source: AH8x227LtAe8rQrwx8itxzCg9CbDFfeK244Q2mUotV//7cT2V/bhVHTO9imSyAc6WIZnMvxiVkJJHw== X-Received: by 10.107.16.71 with SMTP id y68mr9689480ioi.266.1516818603855; Wed, 24 Jan 2018 10:30:03 -0800 (PST) Received: from mail-io0-f180.google.com (mail-io0-f180.google.com. [209.85.223.180]) by smtp.gmail.com with ESMTPSA id y35sm445024ita.20.2018.01.24.10.30.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 24 Jan 2018 10:30:03 -0800 (PST) Received: by mail-io0-f180.google.com with SMTP id d13so5840968iog.5; Wed, 24 Jan 2018 10:30:03 -0800 (PST) X-Received: by 10.107.15.89 with SMTP id x86mr9878981ioi.38.1516818603506; Wed, 24 Jan 2018 10:30:03 -0800 (PST) MIME-Version: 1.0 Reply-To: cem@freebsd.org Received: by 10.2.95.152 with HTTP; Wed, 24 Jan 2018 10:30:03 -0800 (PST) In-Reply-To: References: <201801211542.w0LFgbsp005980@repo.freebsd.org> <51ff8aef-5660-7857-e4d5-12cdc77bc071@FreeBSD.org> <20180124182548.X1063@besplex.bde.org> From: Conrad Meyer Date: Wed, 24 Jan 2018 10:30:03 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: svn commit: r328218 - in head/sys: amd64/amd64 arm/xscale/ixp425 arm64/arm64 cam cam/ctl compat/ndis dev/aacraid dev/advansys dev/ath dev/beri/virtio dev/bnxt dev/bwn dev/ciss dev/cxgbe/crypto dev/... To: Warner Losh Cc: src-committers , svn-src-all@freebsd.org, svn-src-head@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Jan 2018 18:30:05 -0000 On Wed, Jan 24, 2018 at 10:05 AM, Warner Losh wrote: > It changes the fundamental 'can't fail' allocations into 'maybe panic' > allocations, which was my big objection. No, it doesn't make any such change. The only calls that will panic now would have "succeeded" before but returned a smaller size than the naive caller thought they were asking for. This allows an attacker to dereference beyond the ends of the actually allocated region. >> Your description of two years ago is inaccurate =E2=80=94 you thought it= was a >> bad idea, and were the most vocal on the mailing list about it, but >> that viewpoint was not universally shared. In a pure headcount vote I >> think you were even outvoted, but as the initiative was headed by a >> non-committer, it sputtered out. > > > I don't recall that happening. But regardless, mallocarray, as implemente= d > today, is useless. Search your email inbox for the mallocarray thread from Feb 2016. I don't think it's useless. > Let's start with his point about u_long vs size_t causing problems: > > void *malloc(unsigned long size, struct malloc_type *type, int flags) > vs > void *mallocarray(size_t nmemb, size_t size, struct malloc_type *type, > > Since size_t is long long on i386, for example, It is? Since when? __size_t is uint32_t on !__LP64__. > this can result in > undetected overflows. Such inattention to detail makes me extremely uneas= y > about the rest of the code. A similar snarky comment can be made here about inattention to detail when making criticisms. If __LP64__ is true, long long is the same size as long anyway. (malloc() should also use size_t.) > It's an important function, but it's so poorly implement we should try > again. It is not safe nor wise to use it blindly, which was bde's larger > point. Citation needed? > #define MUL_NO_OVERFLOW (1UL << (sizeof(size_t) * 8 / 2)) > static inline bool > WOULD_OVERFLOW(size_t nmemb, size_t size) > { > > return ((nmemb >=3D MUL_NO_OVERFLOW || size >=3D MUL_NO_OVERFLOW)= && > nmemb > 0 && __SIZE_T_MAX / nmemb < size); > } > > So if I pass in 1GB and 10, this will tell me it won't overflow because o= f > size_t can handle 10GB, but u_long can't. This whole argument hinges upon incorrect assumption that size_t is larger than u_long. > ... (deleted bogus argument) > Many places that use mallocarray likely should use WOULD_OVERFLOW instead= to > do proper error handling, assuming it is fixed to match the actual malloc > interface. This is especially true in the NO_WAIT cases. I disagree. They should be doing a much more restrictive check instead. WOULD_OVERFLOW is really the lowest bar, a seatbelt. I agree with Bruce that most callers should instead be checking for sizes in the dozens of kB range. Both checks are useful. Best, Conrad