From: C Turt <cturt@hardenedbsd.org>
To: arch@freebsd.org
Date: Mon, 1 Feb 2016 19:57:42 +0000
Subject: OpenBSD mallocarray

I've recently started browsing the OpenBSD kernel source code, and have found the mallocarray function positively wonderful. I would like to discuss the possibility of getting this into the FreeBSD kernel.

For example, many parts of kernel code in FreeBSD use something like malloc(xxx * sizeof(struct xxx)). If xxx is 64-bit and controllable by the user, this allocation can easily overflow, resulting in a heap overflow later on.
mallocarray is a wrapper for malloc which can be used in these situations to detect an integer overflow before allocating:

/*
 * Copyright (c) 2008 Otto Moerbeek
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * This is sqrt(SIZE_MAX+1), as s1*s2 <= SIZE_MAX
 * if both s1 < MUL_NO_OVERFLOW and s2 < MUL_NO_OVERFLOW
 */
#define MUL_NO_OVERFLOW (1UL << (sizeof(size_t) * 4))

void *
mallocarray(size_t nmemb, size_t size, int type, int flags)
{
	if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
	    nmemb > 0 && SIZE_MAX / nmemb < size) {
		if (flags & M_CANFAIL)
			return (NULL);
		panic("mallocarray: overflow %zu * %zu", nmemb, size);
	}
	return (malloc(size * nmemb, type, flags));
}
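The following is an added userspace illustration of the overflow test above, not code from the mail or from OpenBSD. It lifts the same comparison into a standalone `mul_overflows()` helper (a name chosen here), wraps libc's `malloc` in a stand-in `mallocarray_user()` that returns NULL where the kernel version would panic, and exposes `wrapped_product()` so the truncated byte count a plain `malloc(xxx * sizeof(struct xxx))` would have received can be seen side by side with the rejected request. `MUL_NO_OVERFLOW` is written with a `size_t` cast rather than `1UL` so it is also correct on platforms where `unsigned long` is narrower than `size_t`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* sqrt(SIZE_MAX + 1): if both factors are below this, the product fits. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* A 16-byte record, standing in for the "struct xxx" of the mail (constructed). */
struct entry {
	uint64_t id;
	uint64_t flags;
};

/* The test mallocarray() performs, on its own: 1 if nmemb * size overflows. */
int mul_overflows(size_t nmemb, size_t size)
{
	/* The fast path skips the division whenever both factors are small. */
	return (nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
	    nmemb > 0 && SIZE_MAX / nmemb < size;
}

/* What an unchecked malloc(nmemb * size) would actually be asked for. */
size_t wrapped_product(size_t nmemb, size_t size)
{
	return nmemb * size;	/* unsigned wrap-around is well defined in C */
}

/* Userspace stand-in for the kernel wrapper (M_CANFAIL behaviour only). */
void *mallocarray_user(size_t nmemb, size_t size)
{
	if (mul_overflows(nmemb, size))
		return NULL;
	return malloc(nmemb * size);
}

/* Allocate nmemb entries through the checked path; 1 on success, 0 if refused. */
int alloc_entries_ok(size_t nmemb)
{
	void *p = mallocarray_user(nmemb, sizeof(struct entry));

	if (p == NULL)
		return 0;
	free(p);
	return 1;
}

int main(void)
{
	/* Smallest count whose byte size wraps to exactly 0 for a 16-byte entry. */
	size_t huge = SIZE_MAX / sizeof(struct entry) + 1;

	printf("unchecked malloc would receive %zu bytes for %zu entries\n",
	    wrapped_product(huge, sizeof(struct entry)), huge);
	printf("checked allocation of %zu entries: %s\n", huge,
	    alloc_entries_ok(huge) ? "allowed" : "refused");
	printf("checked allocation of 1024 entries: %s\n",
	    alloc_entries_ok(1024) ? "allowed" : "refused");
	return 0;
}
```

The interesting input is `huge`: `nmemb * sizeof(struct entry)` wraps to 0, so an unchecked `malloc` would hand back a tiny (or zero-length) buffer that later loops over `nmemb` records would overrun, whereas the checked path refuses the request before any allocation happens. The `MUL_NO_OVERFLOW` fast path means ordinary small counts never pay for the division.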