Message ID | 20240123002814.1396804-3-keescook@chromium.org |
---|---|
State | New |
Headers | From: Kees Cook <keescook@chromium.org> To: linux-hardening@vger.kernel.org Cc: Kees Cook <keescook@chromium.org>, "Gustavo A. R. Silva" <gustavoars@kernel.org>, Bill Wendling <morbo@google.com>, Justin Stitt <justinstitt@google.com>, linux-kernel@vger.kernel.org Subject: [PATCH 03/82] overflow: Introduce add_wrap() Date: Mon, 22 Jan 2024 16:26:38 -0800 Message-Id: <20240123002814.1396804-3-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240122235208.work.748-kees@kernel.org> References: <20240122235208.work.748-kees@kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org |
Series | overflow: Refactor open-coded arithmetic wrap-around |
Commit Message
Kees Cook
Jan. 23, 2024, 12:26 a.m. UTC
Provide a helper that will perform wrapping addition without tripping
the arithmetic wrap-around sanitizers.
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
include/linux/overflow.h | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
Comments
On 23/01/2024 01.26, Kees Cook wrote:
> Provide a helper that will perform wrapping addition without tripping
> the arithmetic wrap-around sanitizers.
>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: linux-hardening@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> include/linux/overflow.h | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/include/linux/overflow.h b/include/linux/overflow.h > index ac088f73e0fd..30779905a77a 100644 > --- a/include/linux/overflow.h > +++ b/include/linux/overflow.h > @@ -124,6 +124,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) > check_add_overflow(a, b, &__result);\ > })) > > +/** > + * add_wrap() - Intentionally perform a wrapping addition > + * @a: first addend > + * @b: second addend > + * > + * Return the potentially wrapped-around addition without > + * tripping any overflow sanitizers that may be enabled. > + */ > +#define add_wrap(a, b) \ > + ({ \ > + typeof(a) __sum; \ > + if (check_add_overflow(a, b, &__sum)) \ > + /* do nothing */; \ > + __sum; \ > + }) > +

I don't know where this is supposed to be used, but at first glance this seems to introduce a footgun. This is not symmetric in a and b, so both the type and value of the result may differ between add_wrap(a, b) and add_wrap(b, a). That seems dangerous.

Rasmus
On Mon, Jan 22, 2024 at 04:26:38PM -0800, Kees Cook wrote:
> Provide a helper that will perform wrapping addition without tripping
> the arithmetic wrap-around sanitizers.
>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: linux-hardening@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> include/linux/overflow.h | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/include/linux/overflow.h b/include/linux/overflow.h > index ac088f73e0fd..30779905a77a 100644 > --- a/include/linux/overflow.h > +++ b/include/linux/overflow.h > @@ -124,6 +124,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) > check_add_overflow(a, b, &__result);\ > })) > > +/** > + * add_wrap() - Intentionally perform a wrapping addition > + * @a: first addend > + * @b: second addend > + * > + * Return the potentially wrapped-around addition without > + * tripping any overflow sanitizers that may be enabled. > + */ > +#define add_wrap(a, b) \ > + ({ \ > + typeof(a) __sum; \ > + if (check_add_overflow(a, b, &__sum)) \ > + /* do nothing */; \ > + __sum; \ > + })

It's really difficult to see the semicolon for the empty statement here; could we make that part:

if (check_add_overflow(a, b, &__sum)) { \
/* do nothing */ \
} \

... to be a little clearer (and less at risk of breakage in a refactoring)?

I realise coding style says not to use braces for a single statement, but IMO it's far clearer in this instance with the braces.

Mark.

> + > /** > * check_sub_overflow() - Calculate subtraction with overflow checking > * @a: minuend; value to subtract from > -- > 2.34.1 > >
On Tue, Jan 23, 2024 at 09:14:20AM +0100, Rasmus Villemoes wrote:
> On 23/01/2024 01.26, Kees Cook wrote:
> > Provide a helper that will perform wrapping addition without tripping
> > the arithmetic wrap-around sanitizers.
> >
> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > Cc: linux-hardening@vger.kernel.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > include/linux/overflow.h | 16 ++++++++++++++++
> > 1 file changed, 16 insertions(+)
> >
> > diff --git a/include/linux/overflow.h b/include/linux/overflow.h > > index ac088f73e0fd..30779905a77a 100644 > > --- a/include/linux/overflow.h > > +++ b/include/linux/overflow.h > > @@ -124,6 +124,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) > > check_add_overflow(a, b, &__result);\ > > })) > > > > +/** > > + * add_wrap() - Intentionally perform a wrapping addition > > + * @a: first addend > > + * @b: second addend > > + * > > + * Return the potentially wrapped-around addition without > > + * tripping any overflow sanitizers that may be enabled. > > + */ > > +#define add_wrap(a, b) \ > > + ({ \ > > + typeof(a) __sum; \ > > + if (check_add_overflow(a, b, &__sum)) \ > > + /* do nothing */; \ > > + __sum; \ > > + }) > > +
>
> I don't know where this is supposed to be used, but at first glance this
> seems to introduce a footgun. This is not symmetric in a and b, so both
> the type and value of the result may differ between add_wrap(a, b) and
> add_wrap(b, a). That seems dangerous.

I see three options here (and for add_would_overflow()):

1- document that it is typed to the first argument (but this seems weak)
2- require a and b have the same type, and use typeof(a) (but is possibly inflexible, like the problems we've had with min()/max())
3- explicitly require a result type (this seems overly verbose, and might have problems like we've had with min_t()/max_t())

In the one place this series uses add_wrap(), I have these arguments:

int segs
u32 delta

and the result type is expected to be int:

return atomic_add_return(add_wrap(segs, delta), p_id) - segs;

So as written (option 1) it's (accidentally?) correct. It would be rejected with option 2, which seems a strong signal that it's not a good option. So, your idea about explicit typing is probably best, since I can't examine the lvalue type within the macro.

return atomic_add_return(add_wrap(int, segs, delta), p_id) - segs;

I'll give this a try and check for binary differences.

-Kees
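A user-space model of the typing question discussed above, added here as an example and not code from the patch or the kernel: it rebuilds add_wrap() on the same __builtin_add_overflow() that check_add_overflow() wraps, assumes a local u32 typedef and the int segs / u32 delta arguments from the series' call site, and also shows the explicit-type add_wrap(type, a, b) form (named add_wrap_t here, an assumed name) so the two argument orders can be compared.

```c
/* Added example, not code from the patch or the kernel: a user-space model
 * of add_wrap() built on __builtin_add_overflow(), which is what the
 * kernel's check_add_overflow() wraps. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;   /* assumption: stands in for the kernel's u32 */

/* Model of the patch's add_wrap(): the result type is typeof(a), so the
 * first argument alone decides how a wrapped sum is truncated. */
#define add_wrap(a, b) \
	({ \
		__typeof__(a) __sum; \
		if (__builtin_add_overflow(a, b, &__sum)) { \
			/* intentionally wrapped: keep the truncated sum */ \
		} \
		__sum; \
	})

/* Explicit-type form (option 3 in the thread, assumed name add_wrap_t):
 * the caller names the result type, so argument order no longer matters. */
#define add_wrap_t(type, a, b) \
	({ \
		type __sum; \
		if (__builtin_add_overflow(a, b, &__sum)) { \
			/* intentionally wrapped */ \
		} \
		__sum; \
	})

/* The series' call site has int segs and u32 delta and expects an int.
 * Return long long so the int and u32 results can be compared directly. */
long long wrap_segs_first(int segs, u32 delta)
{
	return add_wrap(segs, delta);   /* __sum is int */
}

long long wrap_delta_first(int segs, u32 delta)
{
	return add_wrap(delta, segs);   /* __sum is u32: a different type */
}

long long wrap_explicit_int(int segs, u32 delta)
{
	return add_wrap_t(int, segs, delta);   /* int regardless of order */
}

int main(void)
{
	int segs = 2147483647;   /* INT_MAX: constructed sample input */
	u32 delta = 1;
	printf("add_wrap(segs, delta) = %lld\n", wrap_segs_first(segs, delta));
	printf("add_wrap(delta, segs) = %lld\n", wrap_delta_first(segs, delta));
	return 0;
}
```

With INT_MAX and 1 the first order wraps to INT_MIN while the second fits in u32 and does not wrap at all; with -5 and 1 the first order gives -4 while the second wraps to 4294967292.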
On Tue, Jan 23, 2024 at 09:22:52AM +0000, Mark Rutland wrote:
> On Mon, Jan 22, 2024 at 04:26:38PM -0800, Kees Cook wrote:
> > Provide a helper that will perform wrapping addition without tripping
> > the arithmetic wrap-around sanitizers.
> >
> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > Cc: linux-hardening@vger.kernel.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > include/linux/overflow.h | 16 ++++++++++++++++
> > 1 file changed, 16 insertions(+)
> >
> > diff --git a/include/linux/overflow.h b/include/linux/overflow.h > > index ac088f73e0fd..30779905a77a 100644 > > --- a/include/linux/overflow.h > > +++ b/include/linux/overflow.h > > @@ -124,6 +124,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) > > check_add_overflow(a, b, &__result);\ > > })) > > > > +/** > > + * add_wrap() - Intentionally perform a wrapping addition > > + * @a: first addend > > + * @b: second addend > > + * > > + * Return the potentially wrapped-around addition without > > + * tripping any overflow sanitizers that may be enabled. > > + */ > > +#define add_wrap(a, b) \ > > + ({ \ > > + typeof(a) __sum; \ > > + if (check_add_overflow(a, b, &__sum)) \ > > + /* do nothing */; \ > > + __sum; \ > > + })
>
> It's really difficult to see the semicolon for the empty statement here; could
> we make that part:
>
> if (check_add_overflow(a, b, &__sum)) { \
> /* do nothing */ \
> } \
>
> ... to be a little clearer (and less at risk of breakage in a refactoring)?

Yeah, agreed -- that stands out more clearly.

-Kees
diff --git a/include/linux/overflow.h b/include/linux/overflow.h index ac088f73e0fd..30779905a77a 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -124,6 +124,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) check_add_overflow(a, b, &__result);\ })) +/** + * add_wrap() - Intentionally perform a wrapping addition + * @a: first addend + * @b: second addend + * + * Return the potentially wrapped-around addition without + * tripping any overflow sanitizers that may be enabled. + */ +#define add_wrap(a, b) \ + ({ \ + typeof(a) __sum; \ + if (check_add_overflow(a, b, &__sum)) \ + /* do nothing */; \ + __sum; \ + }) + /** * check_sub_overflow() - Calculate subtraction with overflow checking * @a: minuend; value to subtract from
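Review bot: the result of add_wrap() is typed by typeof(a) alone, so add_wrap(a, b) and add_wrap(b, a) can differ in type and, once the sum wraps, in value (at the series' only call site, int segs and u32 delta, the first order yields an int and the reversed order a u32). Take the result type as an explicit first parameter, as in add_wrap(int, segs, delta), or at minimum state in the kernel-doc that the result is typed to the first addend. Separately, the no-op branch "if (check_add_overflow(a, b, &__sum)) \ /* do nothing */; \" hides its semicolon behind the comment; wrapping the comment in braces makes the intentional empty body obvious and keeps a later edit from accidentally attaching "__sum;" to the if.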