1. 10 Jan, 2019 1 commit
  2. 08 Jan, 2019 9 commits
  3. 20 Dec, 2018 1 commit
  4. 12 Dec, 2018 1 commit
    • Paul Gortmaker's avatar
      security: audit and remove any unnecessary uses of module.h · 876979c9
      Paul Gortmaker authored
      Historically a lot of these existed because we did not have
      a distinction between what was modular code and what was providing
      support to modules via EXPORT_SYMBOL and friends.  That changed
      when we forked out support for the latter into the export.h file.
      This means we should be able to reduce the usage of module.h
      in code that is obj-y Makefile or bool Kconfig.
      
      The advantage in removing such instances is that module.h itself
      sources about 15 other headers; adding significantly to what we feed
      cpp, and it can obscure what headers we are effectively using.
      
      Since module.h might have been the implicit source for init.h
      (for __init) and for export.h (for EXPORT_SYMBOL) we consider each
      instance for the presence of either and replace as needed.
      
      Cc: James Morris <jmorris@namei.org>
      Cc: "Serge E. Hallyn" <serge@hallyn.com>
      Cc: John Johansen <john.johansen@canonical.com>
      Cc: Mimi Zohar <zohar@linux.ibm.com>
      Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
      Cc: David Howells <dhowells@redhat.com>
      Cc: linux-security-module@vger.kernel.org
      Cc: linux-integrity@vger.kernel.org
      Cc: keyrings@vger.kernel.org
      Signed-off-by: 's avatarPaul Gortmaker <paul.gortmaker@windriver.com>
      Signed-off-by: 's avatarJames Morris <james.morris@microsoft.com>
      876979c9
  5. 20 Nov, 2018 1 commit
  6. 14 Nov, 2018 1 commit
  7. 02 Nov, 2018 2 commits
  8. 13 Oct, 2018 1 commit
    • Arnd Bergmann's avatar
      apparmor: add #ifdef checks for secmark filtering · e1af4779
      Arnd Bergmann authored
      The newly added code fails to build when either SECMARK or
      NETFILTER are disabled:
      
      security/apparmor/lsm.c: In function 'apparmor_socket_sock_rcv_skb':
      security/apparmor/lsm.c:1138:12: error: 'struct sk_buff' has no member named 'secmark'; did you mean 'mark'?
      
      security/apparmor/lsm.c:1671:21: error: 'struct nf_hook_state' declared inside parameter list will not be visible outside of this definition or declaration [-Werror]
      
      Add a set of #ifdef checks around it to only enable the code that
      we can compile and that makes sense in that configuration.
      
      Fixes: ab9f2115 ("apparmor: Allow filtering based on secmark policy")
      Signed-off-by: 's avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: 's avatarJohn Johansen <john.johansen@canonical.com>
      e1af4779
  9. 11 Oct, 2018 2 commits
  10. 03 Oct, 2018 7 commits
    • Eric W. Biederman's avatar
      signal: Distinguish between kernel_siginfo and siginfo · ae7795bc
      Eric W. Biederman authored
      Linus recently observed that if we did not worry about the padding
      member in struct siginfo it is only about 48 bytes, and 48 bytes is
      much nicer than 128 bytes for allocating on the stack and copying
      around in the kernel.
      
      The obvious thing of only adding the padding when userspace is
      including siginfo.h won't work as there are sigframe definitions in
      the kernel that embed struct siginfo.
      
      So split siginfo in two; kernel_siginfo and siginfo.  Keeping the
      traditional name for the userspace definition.  While the version that
      is used internally to the kernel and ultimately will not be padded to
      128 bytes is called kernel_siginfo.
      
      The definition of struct kernel_siginfo I have put in include/signal_types.h
      
      A set of buildtime checks has been added to verify the two structures have
      the same field offsets.
      
      To make it easy to verify the change kernel_siginfo retains the same
      size as siginfo.  The reduction in size comes in a following change.
      Signed-off-by: 's avatar"Eric W. Biederman" <ebiederm@xmission.com>
      ae7795bc
    • Zubin Mithra's avatar
      apparmor: Fix uninitialized value in aa_split_fqname · 250f2da4
      Zubin Mithra authored
      Syzkaller reported a OOB-read with the stacktrace below. This occurs
      inside __aa_lookupn_ns as `n` is not initialized. `n` is obtained from
      aa_splitn_fqname. In cases where `name` is invalid, aa_splitn_fqname
      returns without initializing `ns_name` and `ns_len`.
      
      Fix this by always initializing `ns_name` and `ns_len`.
      
      	__dump_stack lib/dump_stack.c:77 [inline]
      	dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
      	print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
      	kasan_report_error mm/kasan/report.c:354 [inline]
      	kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
      	__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
      	memcmp+0xe3/0x160 lib/string.c:861
      	strnstr+0x4b/0x70 lib/string.c:934
      	__aa_lookupn_ns+0xc1/0x570 security/apparmor/policy_ns.c:209
      	aa_lookupn_ns+0x88/0x1e0 security/apparmor/policy_ns.c:240
      	aa_fqlookupn_profile+0x1b9/0x1010 security/apparmor/policy.c:468
      	fqlookupn_profile+0x80/0xc0 security/apparmor/label.c:1844
      	aa_label_strn_parse+0xa3a/0x1230 security/apparmor/label.c:1908
      	aa_label_parse+0x42/0x50 security/apparmor/label.c:1943
      	aa_change_profile+0x513/0x3510 security/apparmor/domain.c:1362
      	apparmor_setprocattr+0xaa4/0x1150 security/apparmor/lsm.c:658
      	security_setprocattr+0x66/0xc0 security/security.c:1298
      	proc_pid_attr_write+0x301/0x540 fs/proc/base.c:2555
      	__vfs_write+0x119/0x9f0 fs/read_write.c:485
      	vfs_write+0x1fc/0x560 fs/read_write.c:549
      	ksys_write+0x101/0x260 fs/read_write.c:598
      	__do_sys_write fs/read_write.c:610 [inline]
      	__se_sys_write fs/read_write.c:607 [inline]
      	__x64_sys_write+0x73/0xb0 fs/read_write.c:607
      	do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
      	entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 3b0aaf58 ("apparmor: add lib fn to find the "split" for fqnames")
      Reported-by: syzbot+61e4b490d9d2da591b50@syzkaller.appspotmail.com
      Signed-off-by: 's avatarZubin Mithra <zsm@chromium.org>
      Reviewed-by: 's avatarKees Cook <keescook@chromium.org>
      Signed-off-by: 's avatarJohn Johansen <john.johansen@canonical.com>
      250f2da4
    • Jann Horn's avatar
      apparmor: don't try to replace stale label in ptraceme check · ca3fde52
      Jann Horn authored
      begin_current_label_crit_section() must run in sleepable context because
      when label_is_stale() is true, aa_replace_current_label() runs, which uses
      prepare_creds(), which can sleep.
      
      Until now, the ptraceme access check (which runs with tasklist_lock held)
      violated this rule.
      
      Fixes: b2d09ae4 ("apparmor: move ptrace checks to using labels")
      Reported-by: 's avatarCyrill Gorcunov <gorcunov@gmail.com>
      Reported-by: 's avatarkernel test robot <rong.a.chen@intel.com>
      Signed-off-by: 's avatarJann Horn <jannh@google.com>
      Signed-off-by: 's avatarJohn Johansen <john.johansen@canonical.com>
      ca3fde52
    • Lance Roy's avatar
      apparmor: Replace spin_is_locked() with lockdep · 0fb871cc
      Lance Roy authored
      lockdep_assert_held() is better suited to checking locking requirements,
      since it won't get confused when someone else holds the lock. This is
      also a step towards possibly removing spin_is_locked().
      Signed-off-by: 's avatarLance Roy <ldr709@gmail.com>
      Cc: John Johansen <john.johansen@canonical.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: "Serge E. Hallyn" <serge@hallyn.com>
      Cc: <linux-security-module@vger.kernel.org>
      Signed-off-by: 's avatarJohn Johansen <john.johansen@canonical.com>
      0fb871cc
    • Matthew Garrett's avatar
      apparmor: Allow filtering based on secmark policy · ab9f2115
      Matthew Garrett authored
      Add support for dropping or accepting packets based on their secmark
      tags.
      Signed-off-by: 's avatarMatthew Garrett <mjg59@google.com>
      Signed-off-by: 's avatarJohn Johansen <john.johansen@canonical.com>
      ab9f2115
    • Matthew Garrett's avatar
      apparmor: Parse secmark policy · 9caafbe2
      Matthew Garrett authored
      Add support for parsing secmark policy provided by userspace, and
      store that in the overall policy.
      Signed-off-by: 's avatarMatthew Garrett <mjg59@google.com>
      Signed-off-by: 's avatarJohn Johansen <john.johansen@canonical.com>
      9caafbe2
    • Matthew Garrett's avatar
      apparmor: Add a wildcard secid · 617a629c
      Matthew Garrett authored
      Reserve a secid value that we can use as a wildcard, allowing us to
      define policy that's expected to match against all secids.
      Signed-off-by: 's avatarMatthew Garrett <mjg59@google.com>
      Signed-off-by: 's avatarJohn Johansen <john.johansen@canonical.com>
      617a629c
  11. 13 Sep, 2018 1 commit
    • Jann Horn's avatar
      apparmor: don't try to replace stale label in ptrace access check · 1f8266ff
      Jann Horn authored
      As a comment above begin_current_label_crit_section() explains,
      begin_current_label_crit_section() must run in sleepable context because
      when label_is_stale() is true, aa_replace_current_label() runs, which uses
      prepare_creds(), which can sleep.
      Until now, the ptrace access check (which runs with a task lock held)
      violated this rule.
      
      Also add a might_sleep() assertion to begin_current_label_crit_section(),
      because asserts are less likely to be ignored than comments.
      
      Fixes: b2d09ae4 ("apparmor: move ptrace checks to using labels")
      Signed-off-by: 's avatarJann Horn <jannh@google.com>
      Signed-off-by: 's avatarJohn Johansen <john.johansen@canonical.com>
      1f8266ff
  12. 07 Sep, 2018 1 commit
    • Tony Jones's avatar
      apparmor: Fix network performance issue in aa_label_sk_perm · 5f997580
      Tony Jones authored
      The netperf benchmark shows a 5.73% reduction in throughput for
      small (64 byte) transfers by unconfined tasks.
      
      DEFINE_AUDIT_SK() in aa_label_sk_perm() should not be performed
      unconditionally, rather only when the label is confined.
      
      netperf-tcp
                                  56974a6f^              56974a6f
      Min       64         563.48 (   0.00%)      531.17 (  -5.73%)
      Min       128       1056.92 (   0.00%)      999.44 (  -5.44%)
      Min       256       1945.95 (   0.00%)     1867.97 (  -4.01%)
      Min       1024      6761.40 (   0.00%)     6364.23 (  -5.87%)
      Min       2048     11110.53 (   0.00%)    10606.20 (  -4.54%)
      Min       3312     13692.67 (   0.00%)    13158.41 (  -3.90%)
      Min       4096     14926.29 (   0.00%)    14457.46 (  -3.14%)
      Min       8192     18399.34 (   0.00%)    18091.65 (  -1.67%)
      Min       16384    21384.13 (   0.00%)    21158.05 (  -1.06%)
      Hmean     64         564.96 (   0.00%)      534.38 (  -5.41%)
      Hmean     128       1064.42 (   0.00%)     1010.12 (  -5.10%)
      Hmean     256       1965.85 (   0.00%)     1879.16 (  -4.41%)
      Hmean     1024      6839.77 (   0.00%)     6478.70 (  -5.28%)
      Hmean     2048     11154.80 (   0.00%)    10671.13 (  -4.34%)
      Hmean     3312     13838.12 (   0.00%)    13249.01 (  -4.26%)
      Hmean     4096     15009.99 (   0.00%)    14561.36 (  -2.99%)
      Hmean     8192     18975.57 (   0.00%)    18326.54 (  -3.42%)
      Hmean     16384    21440.44 (   0.00%)    21324.59 (  -0.54%)
      Stddev    64           1.24 (   0.00%)        2.85 (-130.64%)
      Stddev    128          4.51 (   0.00%)        6.53 ( -44.84%)
      Stddev    256         11.67 (   0.00%)        8.50 (  27.16%)
      Stddev    1024        48.33 (   0.00%)       75.07 ( -55.34%)
      Stddev    2048        54.82 (   0.00%)       65.16 ( -18.86%)
      Stddev    3312       153.57 (   0.00%)       56.29 (  63.35%)
      Stddev    4096       100.25 (   0.00%)       88.50 (  11.72%)
      Stddev    8192       358.13 (   0.00%)      169.99 (  52.54%)
      Stddev    16384       43.99 (   0.00%)      141.82 (-222.39%)
      Signed-off-by: 's avatarTony Jones <tonyj@suse.de>
      Fixes: 56974a6f ("apparmor: add base infastructure for socket
      mediation")
      Signed-off-by: 's avatarJohn Johansen <john.johansen@canonical.com>
      5f997580
  13. 03 Sep, 2018 1 commit
    • John Johansen's avatar
      apparmor: fix bad debug check in apparmor_secid_to_secctx() · edf4e7b7
      John Johansen authored
      apparmor_secid_to_secctx() has a bad debug statement tripping on a
      condition handle by the code.  When kconfig SECURITY_APPARMOR_DEBUG is
      enabled the debug WARN_ON will trip when **secdata is NULL resulting
      in the following trace.
      
      ------------[ cut here ]------------
      AppArmor WARN apparmor_secid_to_secctx: ((!secdata)):
      WARNING: CPU: 0 PID: 14826 at security/apparmor/secid.c:82 apparmor_secid_to_secctx+0x2b5/0x2f0 security/apparmor/secid.c:82
      Kernel panic - not syncing: panic_on_warn set ...
      
      CPU: 0 PID: 14826 Comm: syz-executor1 Not tainted 4.19.0-rc1+ #193
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
       panic+0x238/0x4e7 kernel/panic.c:184
       __warn.cold.8+0x163/0x1ba kernel/panic.c:536
       report_bug+0x252/0x2d0 lib/bug.c:186
       fixup_bug arch/x86/kernel/traps.c:178 [inline]
       do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296
       do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
       invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:993
      RIP: 0010:apparmor_secid_to_secctx+0x2b5/0x2f0 security/apparmor/secid.c:82
      Code: c7 c7 40 66 58 87 e8 6a 6d 0f fe 0f 0b e9 6c fe ff ff e8 3e aa 44 fe 48 c7 c6 80 67 58 87 48 c7 c7 a0 65 58 87 e8 4b 6d 0f fe <0f> 0b e9 3f fe ff ff 48 89 df e8 fc a7 83 fe e9 ed fe ff ff bb f4
      RSP: 0018:ffff8801ba1bed10 EFLAGS: 00010286
      RAX: 0000000000000000 RBX: ffff8801ba1beed0 RCX: ffffc9000227e000
      RDX: 0000000000018482 RSI: ffffffff8163ac01 RDI: 0000000000000001
      RBP: ffff8801ba1bed30 R08: ffff8801b80ec080 R09: ffffed003b603eca
      R10: ffffed003b603eca R11: ffff8801db01f657 R12: 0000000000000001
      R13: 0000000000000000 R14: 0000000000000000 R15: ffff8801ba1beed0
       security_secid_to_secctx+0x63/0xc0 security/security.c:1314
       ctnetlink_secctx_size net/netfilter/nf_conntrack_netlink.c:621 [inline]
       ctnetlink_nlmsg_size net/netfilter/nf_conntrack_netlink.c:659 [inline]
       ctnetlink_conntrack_event+0x303/0x1470 net/netfilter/nf_conntrack_netlink.c:706
       nf_conntrack_eventmask_report+0x55f/0x930 net/netfilter/nf_conntrack_ecache.c:151
       nf_conntrack_event_report include/net/netfilter/nf_conntrack_ecache.h:112 [inline]
       nf_ct_delete+0x33c/0x5d0 net/netfilter/nf_conntrack_core.c:601
       nf_ct_iterate_cleanup+0x48c/0x5e0 net/netfilter/nf_conntrack_core.c:1892
       nf_ct_iterate_cleanup_net+0x23c/0x2d0 net/netfilter/nf_conntrack_core.c:1974
       ctnetlink_flush_conntrack net/netfilter/nf_conntrack_netlink.c:1226 [inline]
       ctnetlink_del_conntrack+0x66c/0x850 net/netfilter/nf_conntrack_netlink.c:1258
       nfnetlink_rcv_msg+0xd88/0x1070 net/netfilter/nfnetlink.c:228
       netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2454
       nfnetlink_rcv+0x1c0/0x4d0 net/netfilter/nfnetlink.c:560
       netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
       netlink_unicast+0x5a0/0x760 net/netlink/af_netlink.c:1343
       netlink_sendmsg+0xa18/0xfc0 net/netlink/af_netlink.c:1908
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg+0xd5/0x120 net/socket.c:631
       ___sys_sendmsg+0x7fd/0x930 net/socket.c:2114
       __sys_sendmsg+0x11d/0x290 net/socket.c:2152
       __do_sys_sendmsg net/socket.c:2161 [inline]
       __se_sys_sendmsg net/socket.c:2159 [inline]
       __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2159
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x457089
      Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f7bc6e03c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007f7bc6e046d4 RCX: 0000000000457089
      RDX: 0000000000000000 RSI: 0000000020d65000 RDI: 0000000000000003
      RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000004d4588 R14: 00000000004c8d5c R15: 0000000000000000
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Kernel Offset: disabled
      Rebooting in 86400 seconds..
      
      CC: <stable@vger.kernel.org> #4.18
      Fixes: c0929212 ("apparmor: add support for mapping secids and using secctxes")
      Reported-by: syzbot+21016130b0580a9de3b5@syzkaller.appspotmail.com
      Signed-off-by: 's avatarJohn Johansen <john.johansen@canonical.com>
      edf4e7b7
  14. 23 Aug, 2018 1 commit
    • John Johansen's avatar
      apparmor: remove no-op permission check in policy_unpack · c037bd61
      John Johansen authored
      The patch 736ec752: "AppArmor: policy routines for loading and
      unpacking policy" from Jul 29, 2010, leads to the following static
      checker warning:
      
          security/apparmor/policy_unpack.c:410 verify_accept()
          warn: bitwise AND condition is false here
      
          security/apparmor/policy_unpack.c:413 verify_accept()
          warn: bitwise AND condition is false here
      
      security/apparmor/policy_unpack.c
         392  #define DFA_VALID_PERM_MASK             0xffffffff
         393  #define DFA_VALID_PERM2_MASK            0xffffffff
         394
         395  /**
         396   * verify_accept - verify the accept tables of a dfa
         397   * @dfa: dfa to verify accept tables of (NOT NULL)
         398   * @flags: flags governing dfa
         399   *
         400   * Returns: 1 if valid accept tables else 0 if error
         401   */
         402  static bool verify_accept(struct aa_dfa *dfa, int flags)
         403  {
         404          int i;
         405
         406          /* verify accept permissions */
         407          for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
         408                  int mode = ACCEPT_TABLE(dfa)[i];
         409
         410                  if (mode & ~DFA_VALID_PERM_MASK)
         411                          return 0;
         412
         413                  if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
         414                          return 0;
      
      fixes: 736ec752 ("AppArmor: policy routines for loading and unpacking policy")
      Reported-by: 's avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: 's avatarJohn Johansen <john.johansen@canonical.com>
      c037bd61
  15. 21 Aug, 2018 1 commit
  16. 20 Jul, 2018 1 commit
  17. 19 Jul, 2018 2 commits
  18. 12 Jul, 2018 1 commit
  19. 12 Jun, 2018 1 commit
    • Kees Cook's avatar
      treewide: kzalloc() -> kcalloc() · 6396bb22
      Kees Cook authored
      The kzalloc() function has a 2-factor argument form, kcalloc(). This
      patch replaces cases of:
      
              kzalloc(a * b, gfp)
      
      with:
              kcalloc(a * b, gfp)
      
      as well as handling cases of:
      
              kzalloc(a * b * c, gfp)
      
      with:
      
              kzalloc(array3_size(a, b, c), gfp)
      
      as it's slightly less ugly than:
      
              kzalloc_array(array_size(a, b), c, gfp)
      
      This does, however, attempt to ignore constant size factors like:
      
              kzalloc(4 * 1024, gfp)
      
      though any constants defined via macros get caught up in the conversion.
      
      Any factors with a sizeof() of "unsigned char", "char", and "u8" were
      dropped, since they're redundant.
      
      The Coccinelle script used for this was:
      
      // Fix redundant parens around sizeof().
      @@
      type TYPE;
      expression THING, E;
      @@
      
      (
        kzalloc(
      -	(sizeof(TYPE)) * E
      +	sizeof(TYPE) * E
        , ...)
      |
        kzalloc(
      -	(sizeof(THING)) * E
      +	sizeof(THING) * E
        , ...)
      )
      
      // Drop single-byte sizes and redundant parens.
      @@
      expression COUNT;
      typedef u8;
      typedef __u8;
      @@
      
      (
        kzalloc(
      -	sizeof(u8) * (COUNT)
      +	COUNT
        , ...)
      |
        kzalloc(
      -	sizeof(__u8) * (COUNT)
      +	COUNT
        , ...)
      |
        kzalloc(
      -	sizeof(char) * (COUNT)
      +	COUNT
        , ...)
      |
        kzalloc(
      -	sizeof(unsigned char) * (COUNT)
      +	COUNT
        , ...)
      |
        kzalloc(
      -	sizeof(u8) * COUNT
      +	COUNT
        , ...)
      |
        kzalloc(
      -	sizeof(__u8) * COUNT
      +	COUNT
        , ...)
      |
        kzalloc(
      -	sizeof(char) * COUNT
      +	COUNT
        , ...)
      |
        kzalloc(
      -	sizeof(unsigned char) * COUNT
      +	COUNT
        , ...)
      )
      
      // 2-factor product with sizeof(type/expression) and identifier or constant.
      @@
      type TYPE;
      expression THING;
      identifier COUNT_ID;
      constant COUNT_CONST;
      @@
      
      (
      - kzalloc
      + kcalloc
        (
      -	sizeof(TYPE) * (COUNT_ID)
      +	COUNT_ID, sizeof(TYPE)
        , ...)
      |
      - kzalloc
      + kcalloc
        (
      -	sizeof(TYPE) * COUNT_ID
      +	COUNT_ID, sizeof(TYPE)
        , ...)
      |
      - kzalloc
      + kcalloc
        (
      -	sizeof(TYPE) * (COUNT_CONST)
      +	COUNT_CONST, sizeof(TYPE)
        , ...)
      |
      - kzalloc
      + kcalloc
        (
      -	sizeof(TYPE) * COUNT_CONST
      +	COUNT_CONST, sizeof(TYPE)
        , ...)
      |
      - kzalloc
      + kcalloc
        (
      -	sizeof(THING) * (COUNT_ID)
      +	COUNT_ID, sizeof(THING)
        , ...)
      |
      - kzalloc
      + kcalloc
        (
      -	sizeof(THING) * COUNT_ID
      +	COUNT_ID, sizeof(THING)
        , ...)
      |
      - kzalloc
      + kcalloc
        (
      -	sizeof(THING) * (COUNT_CONST)
      +	COUNT_CONST, sizeof(THING)
        , ...)
      |
      - kzalloc
      + kcalloc
        (
      -	sizeof(THING) * COUNT_CONST
      +	COUNT_CONST, sizeof(THING)
        , ...)
      )
      
      // 2-factor product, only identifiers.
      @@
      identifier SIZE, COUNT;
      @@
      
      - kzalloc
      + kcalloc
        (
      -	SIZE * COUNT
      +	COUNT, SIZE
        , ...)
      
      // 3-factor product with 1 sizeof(type) or sizeof(expression), with
      // redundant parens removed.
      @@
      expression THING;
      identifier STRIDE, COUNT;
      type TYPE;
      @@
      
      (
        kzalloc(
      -	sizeof(TYPE) * (COUNT) * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kzalloc(
      -	sizeof(TYPE) * (COUNT) * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kzalloc(
      -	sizeof(TYPE) * COUNT * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kzalloc(
      -	sizeof(TYPE) * COUNT * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kzalloc(
      -	sizeof(THING) * (COUNT) * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        kzalloc(
      -	sizeof(THING) * (COUNT) * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        kzalloc(
      -	sizeof(THING) * COUNT * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        kzalloc(
      -	sizeof(THING) * COUNT * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      )
      
      // 3-factor product with 2 sizeof(variable), with redundant parens removed.
      @@
      expression THING1, THING2;
      identifier COUNT;
      type TYPE1, TYPE2;
      @@
      
      (
        kzalloc(
      -	sizeof(TYPE1) * sizeof(TYPE2) * COUNT
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
        , ...)
      |
        kzalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
        , ...)
      |
        kzalloc(
      -	sizeof(THING1) * sizeof(THING2) * COUNT
      +	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
        , ...)
      |
        kzalloc(
      -	sizeof(THING1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
        , ...)
      |
        kzalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * COUNT
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
        , ...)
      |
        kzalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
        , ...)
      )
      
      // 3-factor product, only identifiers, with redundant parens removed.
      @@
      identifier STRIDE, SIZE, COUNT;
      @@
      
      (
        kzalloc(
      -	(COUNT) * STRIDE * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kzalloc(
      -	COUNT * (STRIDE) * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kzalloc(
      -	COUNT * STRIDE * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kzalloc(
      -	(COUNT) * (STRIDE) * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kzalloc(
      -	COUNT * (STRIDE) * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kzalloc(
      -	(COUNT) * STRIDE * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kzalloc(
      -	(COUNT) * (STRIDE) * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kzalloc(
      -	COUNT * STRIDE * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      )
      
      // Any remaining multi-factor products, first at least 3-factor products,
      // when they're not all constants...
      @@
      expression E1, E2, E3;
      constant C1, C2, C3;
      @@
      
      (
        kzalloc(C1 * C2 * C3, ...)
      |
        kzalloc(
      -	(E1) * E2 * E3
      +	array3_size(E1, E2, E3)
        , ...)
      |
        kzalloc(
      -	(E1) * (E2) * E3
      +	array3_size(E1, E2, E3)
        , ...)
      |
        kzalloc(
      -	(E1) * (E2) * (E3)
      +	array3_size(E1, E2, E3)
        , ...)
      |
        kzalloc(
      -	E1 * E2 * E3
      +	array3_size(E1, E2, E3)
        , ...)
      )
      
      // And then all remaining 2 factors products when they're not all constants,
      // keeping sizeof() as the second factor argument.
      @@
      expression THING, E1, E2;
      type TYPE;
      constant C1, C2, C3;
      @@
      
      (
        kzalloc(sizeof(THING) * C2, ...)
      |
        kzalloc(sizeof(TYPE) * C2, ...)
      |
        kzalloc(C1 * C2 * C3, ...)
      |
        kzalloc(C1 * C2, ...)
      |
      - kzalloc
      + kcalloc
        (
      -	sizeof(TYPE) * (E2)
      +	E2, sizeof(TYPE)
        , ...)
      |
      - kzalloc
      + kcalloc
        (
      -	sizeof(TYPE) * E2
      +	E2, sizeof(TYPE)
        , ...)
      |
      - kzalloc
      + kcalloc
        (
      -	sizeof(THING) * (E2)
      +	E2, sizeof(THING)
        , ...)
      |
      - kzalloc
      + kcalloc
        (
      -	sizeof(THING) * E2
      +	E2, sizeof(THING)
        , ...)
      |
      - kzalloc
      + kcalloc
        (
      -	(E1) * E2
      +	E1, E2
        , ...)
      |
      - kzalloc
      + kcalloc
        (
      -	(E1) * (E2)
      +	E1, E2
        , ...)
      |
      - kzalloc
      + kcalloc
        (
      -	E1 * E2
      +	E1, E2
        , ...)
      )
      Signed-off-by: 's avatarKees Cook <keescook@chromium.org>
      6396bb22
  20. 07 Jun, 2018 4 commits