From owner-svn-src-all@freebsd.org Wed Jan 10 21:49:47 2018 Message-Id: <201801102149.w0ALnjwa034409@repo.freebsd.org>
From: Conrad Meyer Date: Wed, 10 Jan 2018 21:49:45 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r327796 - in head: share/man/man9 sys/kern sys/sys X-SVN-Group: head X-SVN-Commit-Author: cem X-SVN-Commit-Paths: in head: share/man/man9 sys/kern sys/sys X-SVN-Commit-Revision: 327796 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jan 2018 21:49:47 -0000 Author: cem Date: Wed Jan 10 21:49:45 2018 New Revision: 327796 URL: https://svnweb.freebsd.org/changeset/base/327796 Log: mallocarray(9): panic if the requested allocation would overflow Additionally, move the overflow check logic out to WOULD_OVERFLOW() for consumers to have a common means of testing for overflowing allocations. WOULD_OVERFLOW() should be a secondary check -- on 64-bit platforms, just because an allocation won't overflow size_t does not mean it is a sane size to request. Callers should be imposing reasonable allocation limits far, far, below overflow. Discussed with: emaste, jhb, kp Sponsored by: Dell EMC Isilon Modified: head/share/man/man9/malloc.9 head/sys/kern/kern_malloc.c head/sys/sys/malloc.h Modified: head/share/man/man9/malloc.9 ============================================================================== --- head/share/man/man9/malloc.9 Wed Jan 10 21:40:36 2018 (r327795) +++ head/share/man/man9/malloc.9 Wed Jan 10 21:49:45 2018 (r327796) @@ -29,7 +29,7 @@ .\" $NetBSD: malloc.9,v 1.3 1996/11/11 00:05:11 lukem Exp $ .\" $FreeBSD$ .\" -.Dd November 19, 2015 +.Dd January 10, 2018 .Dt MALLOC 9 .Os .Sh NAME 
@@ -154,6 +154,7 @@ If the request cannot be immediately fulfilled, the cu to sleep to wait for resources to be released by other processes. The .Fn malloc , +.Fn mallocarray , .Fn realloc , and .Fn reallocf @@ -162,15 +163,13 @@ functions cannot return if .Dv M_WAITOK is specified. -The -.Fn mallocarray -function can return -.Dv NULL if the multiplication of .Fa nmemb and .Fa size -would cause an integer overflow. +would cause an integer overflow, the +.Fn mallocarray +function induces a panic. .It Dv M_USE_RESERVE Indicates that the system can use its reserve of memory to satisfy the request. Modified: head/sys/kern/kern_malloc.c ============================================================================== --- head/sys/kern/kern_malloc.c Wed Jan 10 21:40:36 2018 (r327795) +++ head/sys/kern/kern_malloc.c Wed Jan 10 21:49:45 2018 (r327796) @@ -535,18 +535,12 @@ malloc(unsigned long size, struct malloc_type *mtp, in return ((void *) va); } -/* - * This is sqrt(SIZE_MAX+1), as s1*s2 <= SIZE_MAX - * if both s1 < MUL_NO_OVERFLOW and s2 < MUL_NO_OVERFLOW - */ -#define MUL_NO_OVERFLOW (1UL << (sizeof(size_t) * 8 / 2)) void * mallocarray(size_t nmemb, size_t size, struct malloc_type *type, int flags) { - if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) && - nmemb > 0 && SIZE_MAX / nmemb < size) - return (NULL); + if (WOULD_OVERFLOW(nmemb, size)) + panic("mallocarray: %zu * %zu overflowed", nmemb, size); return (malloc(size * nmemb, type, flags)); } Modified: head/sys/sys/malloc.h ============================================================================== --- head/sys/sys/malloc.h Wed Jan 10 21:40:36 2018 (r327795) +++ head/sys/sys/malloc.h Wed Jan 10 21:49:45 2018 (r327796) @@ -41,6 +41,7 @@ #include #include #include +#include #define MINALLOCSIZE UMA_SMALLEST_UNIT 
@@ -192,6 +193,20 @@ void *reallocf(void *addr, unsigned long size, struct int flags) __result_use_check __alloc_size(2); struct malloc_type *malloc_desc2type(const char *desc); + +/* + * This is sqrt(SIZE_MAX+1), as s1*s2 <= SIZE_MAX + * if both s1 < MUL_NO_OVERFLOW and s2 < MUL_NO_OVERFLOW + */ +#define MUL_NO_OVERFLOW (1UL << (sizeof(size_t) * 8 / 2)) +static inline bool +WOULD_OVERFLOW(size_t nmemb, size_t size) +{ + + return ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) && + nmemb > 0 && __SIZE_T_MAX / nmemb < size); +} +#undef MUL_NO_OVERFLOW #endif /* _KERNEL */ #endif /* !_SYS_MALLOC_H_ */
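Review bot: In the malloc.9 hunk at @@ -162,15 +163,13 @@, the new sentence "would cause an integer overflow, the .Fn mallocarray function induces a panic" sits inside the description of the M_WAITOK flag, but the panic in the kern_malloc.c hunk happens before flags are looked at, so it applies equally to M_NOWAIT callers. Move the sentence out of the M_WAITOK item (or state explicitly that it is independent of the flag). The page also never documents WOULD_OVERFLOW(), which the log message says exists "for consumers to have a common means of testing"; a short paragraph in malloc.9 telling callers to check their counts with it, and to impose their own much smaller limit first, would keep the man page in step with the header.

Review bot: In the kern_malloc.c hunk, replacing "return (NULL);" with "panic(\"mallocarray: %zu * %zu overflowed\", ...)" changes the failure mode for any existing caller that relied on the documented NULL return to reject an oversized, possibly user-supplied element count; after this change such a count takes the kernel down instead of failing the request. Since the overflow branch is only reachable with attacker-scale counts, the in-tree mallocarray() callers should be audited for a preceding limit check before this lands, and the "reasonable allocation limits far, far, below overflow" guidance from the log message belongs in malloc.9 rather than only in the commit log. The MUL_NO_OVERFLOW comment deleted here is re-added verbatim in malloc.h, which is fine.

Review bot: In the first malloc.h hunk (@@ -41,6 +41,7 @@) the name of the added "#include" is not visible on this page, so it cannot be checked here; whatever header it is must supply both "bool" and "__SIZE_T_MAX", since the new inline function below uses both and sys/malloc.h did not previously depend on either.

Review bot: In the second malloc.h hunk, the predicate itself is correct: if both operands are below MUL_NO_OVERFLOW their product is below SIZE_MAX + 1, otherwise "__SIZE_T_MAX / nmemb < size" is an exact test, and the "nmemb > 0" guard keeps the division defined. Three style points: an all-caps name on a "static inline bool" reads as a macro, so a lowercase name (or a real macro) would match style(9) expectations; "sizeof(size_t) * 8" hard-codes CHAR_BIT where NBBY is available; and "1UL" only works because unsigned long and size_t have the same width on every FreeBSD platform, so "(size_t)1" would express the intent directly. The immediate "#undef MUL_NO_OVERFLOW" is fine but means consumers cannot reuse the constant; if that is intended, a one-line comment saying so would help.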
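The log message draws a distinction between the overflow predicate and the "reasonable allocation limits far, far, below overflow" that callers are expected to impose themselves. The following userland program, an added example that is not part of this commit or of the FreeBSD tree, reproduces the WOULD_OVERFLOW() arithmetic, checks it against a plain division-based reference at the boundary values where such predicates usually go wrong, and shows the intended call pattern: a per-consumer cap (the hypothetical EXAMPLE_MAX_ENTRIES) checked first, the overflow test second, and calloc() standing in for malloc(size * nmemb, ...). The names would_overflow, would_overflow_ref, alloc_entries, try_alloc and check_predicate are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * sqrt(SIZE_MAX + 1): if both factors are below this, the product fits.
 * Same construction as the patch, written with a size_t cast instead of 1UL.
 */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 8 / 2))

/* Userland copy of the patch's WOULD_OVERFLOW() predicate. */
static inline bool
would_overflow(size_t nmemb, size_t size)
{
	return ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
	    nmemb > 0 && SIZE_MAX / nmemb < size);
}

/* Reference predicate: always divides, no fast path. */
static bool
would_overflow_ref(size_t nmemb, size_t size)
{
	if (nmemb == 0 || size == 0)
		return (false);
	return (size > SIZE_MAX / nmemb);
}

/* Hypothetical consumer limit, far below any value that could overflow. */
#define EXAMPLE_MAX_ENTRIES 65536

/*
 * Intended call pattern: policy cap first, overflow predicate second.
 * Returns 0 and sets *out on success, -1 if the request is rejected.
 */
static int
alloc_entries(size_t nmemb, size_t size, void **out)
{
	*out = NULL;
	if (nmemb > EXAMPLE_MAX_ENTRIES)	/* primary check: sanity limit */
		return (-1);
	if (would_overflow(nmemb, size))	/* secondary check: arithmetic */
		return (-1);
	*out = calloc(nmemb, size);		/* stand-in for malloc(size * nmemb) */
	return (*out == NULL ? -1 : 0);
}

/* Allocate-and-free wrapper so the result is a plain status code. */
static int
try_alloc(size_t nmemb, size_t size)
{
	void *p;
	int rc;

	rc = alloc_entries(nmemb, size, &p);
	free(p);
	return (rc);
}

/*
 * Compare the fast predicate against the reference on constructed
 * boundary cases; returns the number of disagreements (0 is correct).
 */
static int
check_predicate(void)
{
	size_t half = MUL_NO_OVERFLOW;
	struct { size_t n, s; } cases[] = {
		{0, SIZE_MAX}, {SIZE_MAX, 0},		/* zero operands */
		{1, SIZE_MAX}, {SIZE_MAX, 1},		/* exactly SIZE_MAX */
		{2, SIZE_MAX / 2}, {2, SIZE_MAX / 2 + 1},
		{3, SIZE_MAX / 3}, {3, SIZE_MAX / 3 + 1},
		{half - 1, half - 1},			/* both below threshold */
		{half, half},				/* SIZE_MAX + 1 */
		{half - 1, half + 1},			/* equals SIZE_MAX, fits */
		{SIZE_MAX, SIZE_MAX},
	};
	int bad = 0;

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		if (would_overflow(cases[i].n, cases[i].s) !=
		    would_overflow_ref(cases[i].n, cases[i].s))
			bad++;
	return (bad);
}

int
main(void)
{
	printf("predicate mismatches: %d\n", check_predicate());
	printf("16 x 8: %d\n", try_alloc(16, 8));
	printf("cap+1 x 1: %d\n", try_alloc(EXAMPLE_MAX_ENTRIES + 1, 1));
	printf("SIZE_MAX x 2: %d\n", try_alloc(SIZE_MAX, 2));
	return (0);
}
```

The point of the boundary table is that {half - 1, half + 1} multiplies to exactly SIZE_MAX and must be accepted, while {half, half} is SIZE_MAX + 1 and must be rejected; a predicate that is off by one at the threshold fails one of those. Note that with the cap in place the overflow branch in alloc_entries() is unreachable, which is exactly the state the log message asks callers to be in.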