kmem: Check for overflows when rounding up allocation sizes
Needs ReviewPublic
Actions

Authored by markj on Jul 24 2024, 9:31 PM.

Details

Reviewers

Summary

In the past we've had bugs where lack of argument validation allowed a
user-controlled size to be passed to kmem_malloc() and friends.
Explicitly check before rounding up the allocation size to the page size.

This requires a bit of reorganization for kmem_alloc_san(), which wants
both the requested size and the true allocation size.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 58809
Build 55696: arc lint + arc unit

Event Timeline

markj created this revision.Jul 24 2024, 9:31 PM

Herald added a subscriber: imp. · View Herald TranscriptJul 24 2024, 9:31 PM

markj requested review of this revision.Jul 24 2024, 9:31 PM

Harbormaster completed remote builds in B58809: Diff 141335.Jul 24 2024, 9:31 PM

markj added a parent revision: D46110: malloc: Check for overflow when rounding up to the page size.Jul 24 2024, 9:31 PM

markj mentioned this in D45661: malloc: Handle large malloc sizes in malloc_size().Jul 24 2024, 9:32 PM

dougm added inline comments.Jul 24 2024, 10:57 PM

sys/vm/vm_kern.c
332	addr could be NULL. Add a check.
432	add addr != NULL check.
529	Add addr != NULL check.

alc added a subscriber: alc.Jul 25 2024, 5:12 AM

alc added inline comments.

sys/vm/vm_kern.c
165	This rounding operation has always been redundant, since vmem_xalloc() also rounds. I would suggest moving the overflow test into vmem_xalloc().
188–191	vmem_xfree() already asserts that the rounded, passed-in size matches the boundary tag, which basically accomplishes the same.

emaste added a subscriber: emaste.Jul 25 2024, 2:34 PM

Revision Contents
Changeset List

Path

Size

sys/

vm/

vm_kern.c

120 lines

Diff 141335

View Options

kmem: Check for overflows when rounding up allocation sizesNeeds ReviewPublicActions