Message ID | 20240123002814.1396804-2-keescook@chromium.org |
---|---|
State | New |
Headers | From: Kees Cook <keescook@chromium.org>; To: linux-hardening@vger.kernel.org; Cc: Kees Cook <keescook@chromium.org>, "Gustavo A. R. Silva" <gustavoars@kernel.org>, Bill Wendling <morbo@google.com>, Justin Stitt <justinstitt@google.com>, linux-kernel@vger.kernel.org; Subject: [PATCH 02/82] overflow: Introduce add_would_overflow(); Date: Mon, 22 Jan 2024 16:26:37 -0800; Message-Id: <20240123002814.1396804-2-keescook@chromium.org>; In-Reply-To: <20240122235208.work.748-kees@kernel.org>; X-Mailer: git-send-email 2.34.1 |
Series | overflow: Refactor open-coded arithmetic wrap-around |
Commit Message
Kees Cook
Jan. 23, 2024, 12:26 a.m. UTC
For instances where only the overflow needs to be checked (and the sum
isn't used), provide the new helper add_would_overflow(), which is
a wrapper for check_add_overflow().
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
include/linux/overflow.h | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
Comments
On 23/01/2024 01.26, Kees Cook wrote:
> For instances where only the overflow needs to be checked (and the sum
> isn't used), provide the new helper add_would_overflow(), which is
> a wrapper for check_add_overflow().
>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: linux-hardening@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> include/linux/overflow.h | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/include/linux/overflow.h b/include/linux/overflow.h
> index 099f2e559aa8..ac088f73e0fd 100644
> --- a/include/linux/overflow.h
> +++ b/include/linux/overflow.h
> @@ -108,6 +108,22 @@ static inline bool __must_check __must_check_overflow(bool overflow)
> __builtin_add_overflow(__filter_integral(a), b, \
> __filter_ptrint(d))))
>
> +/**
> + * add_would_overflow() - Check if an addition would overflow
> + * @a: first addend
> + * @b: second addend
> + *
> + * Returns true if the sum would overflow.
> + *
> + * To keep a copy of the sum when the addition doesn't overflow, use
> + * check_add_overflow() instead.
> + */
> +#define add_would_overflow(a, b) \
> + __must_check_overflow(({ \
> + size_t __result; \
> + check_add_overflow(a, b, &__result);\
> + }))

Hm, I think this is a bit too ill-defined. Why is the target type
hard-coded as size_t? What if a and b are u64, and we're on a 32 bit
target? Then a+b might not overflow but this helper would claim it did.

But we also cannot just use typeof(a+b) instead of size_t, since that
breaks when a and b are narrower than int (adding two u16 never
overflows since they get promoted to int, but then if assigning the
result to a u16 one truncates...).

Perhaps the target type must be explicit? sum_fits_in_type(T, a, b) ?
IDK, I just don't think size_t is the right thing to use in something
that is otherwise supposed to be type-generic.

Rasmus
On Tue, Jan 23, 2024 at 09:03:10AM +0100, Rasmus Villemoes wrote:
> On 23/01/2024 01.26, Kees Cook wrote:
> > For instances where only the overflow needs to be checked (and the sum
> > isn't used), provide the new helper add_would_overflow(), which is
> > a wrapper for check_add_overflow().
> >
> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > Cc: linux-hardening@vger.kernel.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > include/linux/overflow.h | 16 ++++++++++++++++
> > 1 file changed, 16 insertions(+)
> >
> > diff --git a/include/linux/overflow.h b/include/linux/overflow.h
> > index 099f2e559aa8..ac088f73e0fd 100644
> > --- a/include/linux/overflow.h
> > +++ b/include/linux/overflow.h
> > @@ -108,6 +108,22 @@ static inline bool __must_check __must_check_overflow(bool overflow)
> > __builtin_add_overflow(__filter_integral(a), b, \
> > __filter_ptrint(d))))
> >
> > +/**
> > + * add_would_overflow() - Check if an addition would overflow
> > + * @a: first addend
> > + * @b: second addend
> > + *
> > + * Returns true if the sum would overflow.
> > + *
> > + * To keep a copy of the sum when the addition doesn't overflow, use
> > + * check_add_overflow() instead.
> > + */
> > +#define add_would_overflow(a, b) \
> > + __must_check_overflow(({ \
> > + size_t __result; \
> > + check_add_overflow(a, b, &__result);\
> > + }))
>
> Hm, I think this is a bit too ill-defined. Why is the target type
> hard-coded as size_t? What if a and b are u64, and we're on a 32 bit
> target? Then a+b might not overflow but this helper would claim it did.

Oooh, yes. That's no good. Thanks.

> But we also cannot just use typeof(a+b) instead of size_t, since that
> breaks when a and b are narrower than int (adding two u16 never
> overflows since they get promoted to int, but then if assigning the
> result to a u16 one truncates...).

The add_would_overflow() is aimed at replacing the "v + o < v" pattern,
so perhaps use typeof(a) ?

> Perhaps the target type must be explicit? sum_fits_in_type(T, a, b) ?
> IDK, I just don't think size_t is the right thing to use in something
> that is otherwise supposed to be type-generic.

I will use typeof(a) and check binary differences to see if there are
any places doing something unexpected...

-Kees
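The three candidate definitions from this exchange side by side, as an added example that is not part of the patch, the thread, or the kernel's overflow.h: the size_t-destination form as posted, the typeof(a) form Kees proposes, and the explicit-type form Rasmus floats, each run against the open-coded "v + o < v" test on the u64, u16 and mixed-width inputs the review discusses. The helper names would_overflow_size_t, would_overflow_size_t_32, would_overflow_typeof_a and sum_fits_in_type are illustrative, not kernel API; the 32-bit target is emulated with a u32 destination so the case runs on a 64-bit host, and __builtin_add_overflow is called directly in place of the kernel's check_add_overflow() wrapper.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t u16;
typedef uint32_t u32;
typedef uint64_t u64;

/* As posted: the destination type is hard-coded to size_t. */
#define would_overflow_size_t(a, b) \
	({ size_t __r; __builtin_add_overflow(a, b, &__r); })
/* The posted helper on a 32-bit target, with u32 standing in for size_t. */
#define would_overflow_size_t_32(a, b) \
	({ u32 __r; __builtin_add_overflow(a, b, &__r); })
/* Kees's follow-up: the destination type follows the first addend. */
#define would_overflow_typeof_a(a, b) \
	({ __typeof__(a) __r; __builtin_add_overflow(a, b, &__r); })
/* Rasmus's alternative: the caller names the destination type. */
#define sum_fits_in_type(T, a, b) \
	({ T __r; !__builtin_add_overflow(a, b, &__r); })
/* The open-coded "v + o < v" pattern the series is replacing. */
#define open_coded_wraps(v, o) ((v) + (o) < (v))

/*
 * u64 operands. For a = b = 3e9 the u64 sum (6e9) does not overflow, so the
 * open-coded test and the typeof(a) form return false; a 32-bit size_t
 * cannot hold 6e9, so the posted helper on such a target returns true.
 * On the host the posted helper's answer depends on sizeof(size_t).
 */
static bool u64_open_coded(u64 a, u64 b)  { return open_coded_wraps(a, b); }
static bool u64_typeof_a(u64 a, u64 b)    { return would_overflow_typeof_a(a, b); }
static bool u64_size_t_32(u64 a, u64 b)   { return would_overflow_size_t_32(a, b); }
static bool u64_size_t_host(u64 a, u64 b) { return would_overflow_size_t(a, b); }

/*
 * u16 operands. C promotes both to int, so 60000 + 10000 is computed as
 * 70000 and "a + b < a" never fires, yet storing the sum in a u16 keeps
 * only 4464. With typeof(a) the builtin checks whether the exact sum fits
 * in u16 and reports the truncation.
 */
static bool u16_open_coded(u16 a, u16 b) { return open_coded_wraps(a, b); }
static bool u16_typeof_a(u16 a, u16 b)   { return would_overflow_typeof_a(a, b); }
static u16  u16_stored(u16 a, u16 b)     { return (u16)(a + b); }

/*
 * Mixed widths, u32 + u64. For a = 1, b = 2^40 the sum fits in u64, but
 * typeof(a) checks it against u32, so the helper and the open-coded test
 * disagree. This is the kind of divergence a binary-difference check of
 * converted call sites would surface; the explicit-type form lets the
 * caller state the destination it actually means.
 */
static bool mixed_open_coded(u32 a, u64 b) { return open_coded_wraps(a, b); }
static bool mixed_typeof_a(u32 a, u64 b)   { return would_overflow_typeof_a(a, b); }
static bool mixed_fits_u64(u32 a, u64 b)   { return sum_fits_in_type(u64, a, b); }

int main(void)
{
	u64 big = 3000000000ULL;

	printf("u64 3e9+3e9: open-coded %d, typeof(a) %d, 32-bit size_t %d, host size_t %d\n",
	       u64_open_coded(big, big), u64_typeof_a(big, big),
	       u64_size_t_32(big, big), u64_size_t_host(big, big));
	printf("u16 60000+10000: open-coded %d, typeof(a) %d, stored as %u\n",
	       u16_open_coded(60000, 10000), u16_typeof_a(60000, 10000),
	       (unsigned int)u16_stored(60000, 10000));
	printf("u32 1 + u64 2^40: open-coded %d, typeof(a) %d, fits u64 %d\n",
	       mixed_open_coded(1, 1ULL << 40), mixed_typeof_a(1, 1ULL << 40),
	       mixed_fits_u64(1, 1ULL << 40));
	return 0;
}
```

Build with gcc or clang; the statement expressions, __typeof__ and __builtin_add_overflow are GNU extensions, as they are in the kernel header. The mixed-width case is the one to watch when converting call sites: typeof(a) ties the check to the first addend's width, not to the wider of the two, so a call site that relied on the promoted u64 arithmetic of the open-coded test changes meaning.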
diff --git a/include/linux/overflow.h b/include/linux/overflow.h
index 099f2e559aa8..ac088f73e0fd 100644
--- a/include/linux/overflow.h
+++ b/include/linux/overflow.h
@@ -108,6 +108,22 @@ static inline bool __must_check __must_check_overflow(bool overflow)
__builtin_add_overflow(__filter_integral(a), b, \
__filter_ptrint(d))))

+/**
+ * add_would_overflow() - Check if an addition would overflow
+ * @a: first addend
+ * @b: second addend
+ *
+ * Returns true if the sum would overflow.
+ *
+ * To keep a copy of the sum when the addition doesn't overflow, use
+ * check_add_overflow() instead.
+ */
+#define add_would_overflow(a, b) \
+ __must_check_overflow(({ \
+ size_t __result; \
+ check_add_overflow(a, b, &__result);\
+ }))
+
/**
* check_sub_overflow() - Calculate subtraction with overflow checking
* @a: minuend; value to subtract from
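Review bot: the destination of the check is hard-coded as `size_t __result;` in add_would_overflow(), so the macro answers "does a + b fit in size_t", not "does a + b overflow the operands' type". On a 32-bit target two u64 addends whose sum exceeds 32 bits are reported as overflowing although the u64 addition is fine, and the kernel-doc line "Returns true if the sum would overflow" does not say which type the sum is checked against. Given the stated aim of replacing the `v + o < v` pattern, make the result type follow the operand, e.g. `typeof(a) __result;`, or take the destination type as an explicit macro parameter, and name the chosen type in the kernel-doc.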