* [PATCH 1/2] KASan: test_kasan: hide buggy accesses from compiler
@ 2023-11-09 11:38 Ahmad Fatoum
  2023-11-09 11:38 ` [PATCH 2/2] malloc: use __attribute((alloc_size)) for dynamic memory allocation Ahmad Fatoum
  2023-11-10 13:08 ` [PATCH 1/2] KASan: test_kasan: hide buggy accesses from compiler Sascha Hauer
  0 siblings, 2 replies; 3+ messages in thread
From: Ahmad Fatoum @ 2023-11-09 11:38 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum

Once we add __alloc_size attributes to allocations, GCC will complain
about violation of memory safety in test_kasan.c.

That memory violation is intentional, though, as test_kasan is meant to
trigger KASan at runtime to verify its correct operation.

Silence the warnings by hiding the origin of ptr, so the compiler loses
context about the size of the allocation.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 lib/kasan/test_kasan.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/kasan/test_kasan.c b/lib/kasan/test_kasan.c
index 14511cdb80bd..a74251a6d9ad 100644
--- a/lib/kasan/test_kasan.c
+++ b/lib/kasan/test_kasan.c
@@ -38,6 +38,8 @@ static noinline void malloc_oob_right(void)
 		return;
 	}
 
+	OPTIMIZER_HIDE_VAR(ptr);
+
 	ptr[size] = 'x';
 
 	free(ptr);
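Review bot: The added `OPTIMIZER_HIDE_VAR(ptr)` carries no comment, so a later reader sees an apparently pointless statement right before an apparently buggy write and may remove one or the other; since the hunk shows only the tail of malloc_oob_right (the allocation and the function's start lie outside it), the intent is not recoverable from context. A one-line comment at the site would fix that, e.g. `/* launder ptr so the compiler forgets the allocation size and __alloc_size diagnostics stay quiet; the out-of-bounds write below is deliberate and is what KASan must catch at runtime */`. The same applies to the hunks for malloc_oob_left, malloc_oob_realloc_more, malloc_oob_realloc_less and malloc_oob_16 (hiding ptr2/ptr1 there). Placing the hide after the early `return` above, presumably the allocation-failure check, is the right spot, since it only needs to precede the intentional access.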
@@ -55,6 +57,8 @@ static noinline void malloc_oob_left(void)
 		return;
 	}
 
+	OPTIMIZER_HIDE_VAR(ptr);
+
 	*ptr = *(ptr - 1);
 	free(ptr);
 }
@@ -75,6 +79,8 @@ static noinline void malloc_oob_realloc_more(void)
 		return;
 	}
 
+	OPTIMIZER_HIDE_VAR(ptr2);
+
 	ptr2[size2] = 'x';
 
 	free(ptr2);
@@ -95,6 +101,8 @@ static noinline void malloc_oob_realloc_less(void)
 		return;
 	}
 
+	OPTIMIZER_HIDE_VAR(ptr2);
+
 	ptr2[size2] = 'x';
 
 	free(ptr2);
@@ -115,6 +123,9 @@ static noinline void malloc_oob_16(void)
 		free(ptr2);
 		return;
 	}
+
+	OPTIMIZER_HIDE_VAR(ptr1);
+
 	*ptr1 = *ptr2;
 	free(ptr1);
 	free(ptr2);
-- 
2.39.2





* [PATCH 2/2] malloc: use __attribute((alloc_size)) for dynamic memory allocation
  2023-11-09 11:38 [PATCH 1/2] KASan: test_kasan: hide buggy accesses from compiler Ahmad Fatoum
@ 2023-11-09 11:38 ` Ahmad Fatoum
  2023-11-10 13:08 ` [PATCH 1/2] KASan: test_kasan: hide buggy accesses from compiler Sascha Hauer
  1 sibling, 0 replies; 3+ messages in thread
From: Ahmad Fatoum @ 2023-11-09 11:38 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum

Adorning functions allocating dynamic memory with __alloc_size allows
GCC to warn about heap overflows it notices during normal compilation.

Import the definitions from Linux and switch barebox's <malloc.h> over
to make use of them.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 include/linux/compiler-gcc.h   |  8 ++++++++
 include/linux/compiler_types.h | 24 ++++++++++++++++++++++++
 include/malloc.h               |  9 +++++----
 3 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index 4d36b27214fd..2534386d040f 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -234,3 +234,11 @@
 #else
 #define __diag_GCC_8(s)
 #endif
+
+/*
+ * Prior to 9.1, -Wno-alloc-size-larger-than (and therefore the "alloc_size"
+ * attribute) do not work, and must be disabled.
+ */
+#if GCC_VERSION < 90100
+#undef __alloc_size__
+#endif
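Review bot: The `#undef __alloc_size__` only has its intended effect because compiler_types.h defines `__alloc_size__` before it includes this header (the first compiler_types.h hunk places the definition ahead of the compiler-specific includes); that ordering dependency is worth stating at the point of the undef, e.g. `/* compiler_types.h defines __alloc_size__ before including this header; undefining it here selects the attribute-less fallbacks of __alloc_size()/__realloc_size() */`. The check also assumes `GCC_VERSION` is defined earlier in this header, as it is in the Linux original; that part of the file is outside the hunk, so please confirm.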
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index 800bc518feea..9ef8115a396f 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -56,6 +56,16 @@ extern void __chk_io_ptr(const volatile void __iomem *);
 
 #ifdef __KERNEL__
 
+/*
+ * Note: do not use this directly. Instead, use __alloc_size() since it is conditionally
+ * available and includes other attributes. For GCC < 9.1, __alloc_size__ gets undefined
+ * in compiler-gcc.h, due to misbehaviors.
+ *
+ *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-alloc_005fsize-function-attribute
+ * clang: https://clang.llvm.org/docs/AttributeReference.html#alloc-size
+ */
+#define __alloc_size__(x, ...)		__attribute__((__alloc_size__(x, ## __VA_ARGS__)))
+
 /* Compiler specific macros. */
 #ifdef __clang__
 #include <linux/compiler-clang.h>
@@ -188,6 +198,20 @@ struct ftrace_likely_data {
 #define __assume_aligned(a, ...)
 #endif
 
+/*
+ * Any place that could be marked with the "alloc_size" attribute is also
+ * a place to be marked with the "malloc" attribute, except those that may
+ * be performing a _reallocation_, as that may alias the existing pointer.
+ * For these, use __realloc_size().
+ */
+#ifdef __alloc_size__
+# define __alloc_size(x, ...)	__alloc_size__(x, ## __VA_ARGS__) __malloc
+# define __realloc_size(x, ...)	__alloc_size__(x, ## __VA_ARGS__)
+#else
+# define __alloc_size(x, ...)	__malloc
+# define __realloc_size(x, ...)
+#endif
+
 /* Are two types/vars the same type (ignoring qualifiers)? */
 #define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))
 
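Review bot: Both `#else` fallbacks still expand `__alloc_size()` to `__malloc`, so once GCC < 9.1 undefines `__alloc_size__` every prototype in malloc.h depends on `__malloc` being defined; in Linux that comes from compiler_attributes.h, and the hunk does not show whether barebox's compiler_types.h provides it, so please confirm it does (otherwise the fallback should expand to nothing). The comment block could also spell out the consequence of the `__malloc` part for users of these macros, e.g. `/* __malloc promises the result aliases no live pointer, so never use __alloc_size() on anything that may return memory already referenced elsewhere */`, which is the rule the realloc exception already implies.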
diff --git a/include/malloc.h b/include/malloc.h
index 971fc4058bc6..d63853b91e91 100644
--- a/include/malloc.h
+++ b/include/malloc.h
@@ -2,13 +2,14 @@
 #ifndef __MALLOC_H
 #define __MALLOC_H
 
+#include <linux/compiler.h>
 #include <types.h>
 
-void *malloc(size_t);
+void *malloc(size_t) __alloc_size(1);
 void free(void *);
-void *realloc(void *, size_t);
-void *memalign(size_t, size_t);
-void *calloc(size_t, size_t);
+void *realloc(void *, size_t) __realloc_size(2);
+void *memalign(size_t, size_t) __alloc_size(2);
+void *calloc(size_t, size_t) __alloc_size(1, 2);
 void malloc_stats(void);
 void *sbrk(ptrdiff_t increment);
 
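Review bot: The attribute arguments are 1-based parameter positions, which a reader of this header cannot tell from the bare numbers: `__alloc_size(2)` on memalign refers to its size argument rather than the alignment, and `__alloc_size(1, 2)` on calloc lets the compiler multiply both. A short comment above the prototypes would help, e.g. `/* __alloc_size()/__realloc_size() name the 1-based size parameter(s); they let GCC/clang flag out-of-bounds accesses visible at compile time and do not replace KASan's runtime checks */`. As a possible follow-up, GCC 11's `__attribute__((malloc(free)))` form could pair these allocators with `free()` for mismatched-deallocator diagnostics, but that would need its own version gate.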
-- 
2.39.2





* Re: [PATCH 1/2] KASan: test_kasan: hide buggy accesses from compiler
  2023-11-09 11:38 [PATCH 1/2] KASan: test_kasan: hide buggy accesses from compiler Ahmad Fatoum
  2023-11-09 11:38 ` [PATCH 2/2] malloc: use __attribute((alloc_size)) for dynamic memory allocation Ahmad Fatoum
@ 2023-11-10 13:08 ` Sascha Hauer
  1 sibling, 0 replies; 3+ messages in thread
From: Sascha Hauer @ 2023-11-10 13:08 UTC (permalink / raw)
  To: Ahmad Fatoum; +Cc: barebox

On Thu, Nov 09, 2023 at 12:38:06PM +0100, Ahmad Fatoum wrote:
> Once we add __alloc_size attributes to allocations, GCC will complain
> about violation of memory safety in test_kasan.c.
> 
> That memory violation is intended though as test_kasan is meant to
> trigger kasan at runtime to verify correct operation.
> 
> Silence the warnings by hiding the origin of ptr, so the compiler loses
> context about the size of the allocation.
> 
> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> ---
>  lib/kasan/test_kasan.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)

Applied, thanks

Sascha

> 
> diff --git a/lib/kasan/test_kasan.c b/lib/kasan/test_kasan.c
> index 14511cdb80bd..a74251a6d9ad 100644
> --- a/lib/kasan/test_kasan.c
> +++ b/lib/kasan/test_kasan.c
> @@ -38,6 +38,8 @@ static noinline void malloc_oob_right(void)
>  		return;
>  	}
>  
> +	OPTIMIZER_HIDE_VAR(ptr);
> +
>  	ptr[size] = 'x';
>  
>  	free(ptr);
> @@ -55,6 +57,8 @@ static noinline void malloc_oob_left(void)
>  		return;
>  	}
>  
> +	OPTIMIZER_HIDE_VAR(ptr);
> +
>  	*ptr = *(ptr - 1);
>  	free(ptr);
>  }
> @@ -75,6 +79,8 @@ static noinline void malloc_oob_realloc_more(void)
>  		return;
>  	}
>  
> +	OPTIMIZER_HIDE_VAR(ptr2);
> +
>  	ptr2[size2] = 'x';
>  
>  	free(ptr2);
> @@ -95,6 +101,8 @@ static noinline void malloc_oob_realloc_less(void)
>  		return;
>  	}
>  
> +	OPTIMIZER_HIDE_VAR(ptr2);
> +
>  	ptr2[size2] = 'x';
>  
>  	free(ptr2);
> @@ -115,6 +123,9 @@ static noinline void malloc_oob_16(void)
>  		free(ptr2);
>  		return;
>  	}
> +
> +	OPTIMIZER_HIDE_VAR(ptr1);
> +
>  	*ptr1 = *ptr2;
>  	free(ptr1);
>  	free(ptr2);
> -- 
> 2.39.2
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



