Details

Reviewers

ngie
delphij
bapt
araujo
cy

Summary

(This is not meant to be the proposed commit log)
We brought allocarray(3) from OpenBSD for FreeBSD 11. I will admit I was
never a huge fan of it and it makes things less portable to other OSs, but
given the support is already here, I do think we should make the best
possible use of it.

There are some advantages, other than the theoretical overflow prevention:
static checkers benefit from the extra attributes we have defined in our
headers and it somewhat easier to read to have the arguments of the
multiplication separated.

I looked through opengrok and then I crosschecked some of my changes with
OpenBSD. I don't have any intention of adopting the changes everywhere. Also, dueto compiler errors, it seems particularly important to make sure the parameters are unsigned.

Test Plan

Updated tinderbox but crossreading is always helpful.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 60021

Event Timeline

pfg updated this revision to Diff 26050.Mar 7 2017, 1:37 AM

pfg retitled this revision from to Extensive use of reallocarray(3) in userland..

pfg updated this object.

pfg edited the test plan for this revision. (Show Details)

pfg added reviewers: delphij, bapt, araujo, ngie.

Herald added a reviewer: gnn. · View Herald TranscriptMar 7 2017, 1:37 AM

Herald added a subscriber: imp. · View Herald Transcript

I'm agnostic to the change.
I get why they are doing malloc(a * b) -> reallocarray(NULL, a, b), but wonder if it would be better to have a wider API that's mallocarray(a,b) if you are looking for syntactic goodness along with your overflow protection....

Please do not commit as-is.

I think reallocarray() have some benefits, but it still need to be used carefully and it's not a cure of cancer and when doing so, it's better to conduct an audit of surrounding code, or we are just giving us some false sense of safety.

Could you please split this into smaller and reviewable pieces (e.g. one per module, or one per a few modules) so they can be looked closer, by the way? I'm asking for this because when presented with a thousand lines of diff people would tend to say "fine, someone else must have looked at this very carefully" rather than actually looking, and when making comments, we can easily lose track for it if the change is revised, and more importantly large changesets are usually for one logical change across different modules, like refactors, while this is actually trying to address same type of issues across multiple modules.

usr.sbin/uhsoctl/uhsoctl.c
1120	What if list_size reaches INTMAX?

This revision now requires changes to proceed.Mar 10 2017, 6:29 PM

In D9915#205626, @delphij wrote:

Please do not commit as-is.

Indeed, that was not the plan.

I think reallocarray() have some benefits, but it still need to be used carefully and it's not a cure of cancer and when doing so, it's better to conduct an audit of surrounding code, or we are just giving us some false sense of safety.

Could you please split this into smaller and reviewable pieces (e.g. one per module, or one per a few modules) so they can be looked closer, by the way? I'm asking for this because when presented with a thousand lines of diff people would tend to say "fine, someone else must have looked at this very carefully" rather than actually looking, and when making comments, we can easily lose track for it if the change is revised, and more importantly large changesets are usually for one logical change across different modules, like refactors, while this is actually trying to address same type of issues across multiple modules.

That's reasonable, yes. I would like to have it by areas: I will start with the libc changes.

usr.sbin/uhsoctl/uhsoctl.c
1120	reallocarray() handles size_t on each argument, so it has better chances of detecting overflows there than the realloc had. It doesn't look like there is any chance that list_size reaches INTMAX but it does look like we can unsign it to further extend the limits.

Resurrect this Differential Revision with a much reduced scope.

Due to some bug, clang 4.0 can sometimes generate wrong code if the
arguments are signed. In general it also happens that the allocation
arguments are so small that using reallocarray() is a waste of time.

Thi is a reduced subset of the previous changes. The mayor changes to libc
and the systems libraries have already been independently reviewed and
committed.

The changes to fsck_ffs and pmcstat are meant to be committed
independently as they include some other adjustments.

Oops .. drop the change in route6d, it's not likely to overflow.

Harbormaster completed remote builds in B8831: Diff 27614.Apr 21 2017, 8:26 PM

Harbormaster completed remote builds in B8832: Diff 27615.Apr 21 2017, 9:17 PM

Since fsck_ffs and pmcstat are done, the remaining cases are trivial.

Harbormaster failed remote builds in B8851: Diff 27637!Apr 22 2017, 4:05 PM

pfg retitled this revision from Extensive use of reallocarray(3) in userland. to Use of reallocarray(3) in userland..Apr 22 2017, 5:01 PM

pfg edited the summary of this revision. (Show Details)

pfg removed a reviewer: gnn.

Most of these don't make sense as they cant overflow, and those that do were committed.

Herald added a reviewer: cy. · View Herald TranscriptApr 27 2019, 2:41 PM

Removed most of the stuff that was stale already, specially since the removal of the X11 drivers from the tree.
This remains only as a reference, it is not intended to be committed.

Herald added subscribers: jrtc27, donner. · View Herald TranscriptOct 15 2024, 8:34 PM

Harbormaster completed remote builds in B60021: Diff 144948.Oct 15 2024, 8:34 PM

pfg abandoned this revision.Oct 15 2024, 8:35 PM

Use of reallocarray(3) in userland.AbandonedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 144948

bin/ls/print.c

bin/pax/options.c

bin/ps/ps.c

lib/libutil/login_ok.c

sbin/camcontrol/camcontrol.c

sbin/ccdconfig/ccdconfig.c

sbin/ipfw/ipfw2.c

sbin/mount/getmntopts.c

sbin/mount/mount.c

usr.bin/c99/c99.c

usr.bin/col/col.c

usr.bin/column/column.c

usr.bin/fold/fold.c

usr.bin/fortune/strfile/strfile.c

usr.bin/indent/lexi.c

usr.bin/join/join.c

usr.bin/last/last.c

usr.bin/localedef/collate.c

usr.bin/localedef/ctype.c

usr.bin/localedef/scanner.c

usr.bin/locate/locate/util.c

usr.bin/ministat/ministat.c

usr.bin/ruptime/ruptime.c

usr.bin/sed/process.c

usr.bin/systat/devs.c

usr.bin/systat/netcmds.c

usr.bin/top/machine.c

usr.bin/ul/ul.c

usr.bin/vmstat/vmstat.c

usr.bin/whereis/whereis.c

usr.sbin/bsdinstall/partedit/part_wizard.c

usr.sbin/bsdinstall/partedit/partedit.c

usr.sbin/cron/lib/env.c

usr.sbin/inetd/inetd.c

usr.sbin/iostat/iostat.c

usr.sbin/jls/jls.c

usr.sbin/lastlogin/lastlogin.c

usr.sbin/mailwrapper/mailwrapper.c

usr.sbin/mountd/mountd.c

usr.sbin/newsyslog/newsyslog.c

usr.sbin/nfsd/nfsd.c

usr.sbin/portsnap/make_index/make_index.c

usr.sbin/powerd/powerd.c

usr.sbin/ppp/iface.c

usr.sbin/ppp/ncp.c

usr.sbin/ppp/route.c

usr.sbin/route6d/route6d.c

usr.sbin/rpc.lockd/lockd.c

usr.sbin/rpc.statd/statd.c

usr.sbin/rpcbind/rpcbind.c

usr.sbin/rtsold/rtsold.c

usr.sbin/uhsoctl/uhsoctl.c

Use of reallocarray(3) in userland.
AbandonedPublic
Actions

Revision Contents
Changeset List