| Message ID | 20240123002814.1396804-2-keescook@chromium.org |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-34468-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7300:2553:b0:103:945f:af90 with SMTP id p19csp58158dyi;
Mon, 22 Jan 2024 17:18:31 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IFPsXs7nX2vCBFYch+fvWwzlniyCypLk08QNiTbolv3asTek7GOY+7yD7Nikw4nSaC39Dch
X-Received: by 2002:a17:90b:4007:b0:28d:9238:71bf with SMTP id
ie7-20020a17090b400700b0028d923871bfmr5581458pjb.18.1705972711253;
Mon, 22 Jan 2024 17:18:31 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1705972711; cv=pass;
d=google.com; s=arc-20160816;
b=KGgYpVb50eny/bM/SZy4JEa7eH3DAUwviHWdP7QYWAwJvsq9YG4Pk1I9TkOhNMjdNW
9qI++1pNizJGv0FBeljGhpfpXi60IF3kRWu7L0FfLzKVN4L2LTB/Y0k/mf9hxEgxzvm0
XUPWnnyH3XaeNCH1aegY0jsBPp4qAn+3w+e/8yym7NB+WL57WtfPrlIoSOxbvDj24ijG
Z8e6lB6RVqAAeAoY2fxsgjaVo3o0kRspSF+ZsIGlA8rNIhsFR9pG2rBKzr2tIYNAJ5i/
KnKbHB56fxe2j0ho2Lq90UTIZCBbe/YR4gZYHjuzZJ3eZy785a2N2Nd9EL0H82G8hP26
cJow==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:references:in-reply-to:message-id
:date:subject:cc:to:from:dkim-signature;
bh=bbPotP79yOptpL51tkgqhJq9nf6NFvv/p0BjBr/SdFE=;
fh=9gX2BxLmuU+q8iAZT2l+1phY50ro1AnLuvWldfJlQuY=;
b=alE6pAQicHLCnKKeGMDgznty2p7Jh6FaApb0K1pSF4o/OHWfY+CY/461LNNRWWzw0j
8xRti0dDVJ8wcOwsVBOGi9i7HymqGvS8bBlN4YcjBWYOLEgg15dHKWgwJ+KT+T8HuAk2
lanHxsTSQrs4MhIHdSGOF/taT8E3N+v0dERR78oUmDqEVGUFm8PDjhkOE9vMDeJhdMgI
C6wt2OvklLAdqk2mWq+cBQNlDo/tgKK6mkQYsXkZCXbvJDy2ttZJ/4tyEvWyblltaB2o
xajJYMxn5RRWQvaBZUPH9TqEh4Ddb8X8ZDv9Bs9b1tkuSzt5J5NE3Jnd02nD0bmuBUSj
hErg==
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@chromium.org header.s=google header.b=QEWQMC5L;
arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass
dkdomain=chromium.org dmarc=pass fromdomain=chromium.org);
spf=pass (google.com: domain of
linux-kernel+bounces-34468-ouuuleilei=gmail.com@vger.kernel.org designates
139.178.88.99 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-34468-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
by mx.google.com with ESMTPS id
q1-20020a17090a938100b0028e281e020csi8751342pjo.101.2024.01.22.17.18.31
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 22 Jan 2024 17:18:31 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-34468-ouuuleilei=gmail.com@vger.kernel.org designates
139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
dkim=pass header.i=@chromium.org header.s=google header.b=QEWQMC5L;
arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass
dkdomain=chromium.org dmarc=pass fromdomain=chromium.org);
spf=pass (google.com: domain of
linux-kernel+bounces-34468-ouuuleilei=gmail.com@vger.kernel.org designates
139.178.88.99 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-34468-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by sv.mirrors.kernel.org (Postfix) with ESMTPS id 14CC228B6C7
for <ouuuleilei@gmail.com>; Tue, 23 Jan 2024 01:14:09 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id C295E1482E0;
Tue, 23 Jan 2024 00:28:37 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
header.b="QEWQMC5L"
Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com
[209.85.210.181])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3BF4A146907
for <linux-kernel@vger.kernel.org>; Tue, 23 Jan 2024 00:28:31 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=209.85.210.181
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1705969714; cv=none;
b=Rvp0UQ0IjGgkjfk82zdUdmVla0iJsQxe1UycjifYDTY9RHduu3TWpdw0Et7S/Pwa/SnAZ//Vdzmy19lBp0Srq+RWAWntIh3PyQYJyWwpkz6qihiAbMyJgk4cilEoN8oNmHaq+Z4txPqWi8+u/qw/mYs8Ce32VdjCh0jERzuan6I=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1705969714; c=relaxed/simple;
bh=rI7XvXs0gE8oB6y5lNdVJ89YzOLiYyZbayu1rCEj/HA=;
h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
MIME-Version;
b=ap+MGQosqGp4j9as1XN56oBHoGAwayVhsBRkhrikfH37oswox0hVnPokubkcWsAdQzBON0Mad6qe3A3NwzV+d/uS+5k5fMHYKI7FPOXXvLfakvIN3gpYJSrkKoXYc/vUX8/WCAHm14bN+//jQ8r2htkYTnnxT45xx0TIKepKoFY=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=chromium.org;
spf=pass smtp.mailfrom=chromium.org;
dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
header.b=QEWQMC5L; arc=none smtp.client-ip=209.85.210.181
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=chromium.org
Received: by mail-pf1-f181.google.com with SMTP id
d2e1a72fcca58-6dbb003be79so3306489b3a.0
for <linux-kernel@vger.kernel.org>;
Mon, 22 Jan 2024 16:28:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=chromium.org; s=google; t=1705969711; x=1706574511;
darn=vger.kernel.org;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:from:to:cc:subject:date
:message-id:reply-to;
bh=bbPotP79yOptpL51tkgqhJq9nf6NFvv/p0BjBr/SdFE=;
b=QEWQMC5LHFnUI+r+14MQmsNOrLfCXht+qZM2//2CWY2bxzWYDXkWdgeVHjhgOCoGVp
YGizMpAGSsWnjQNPyR0jTpsRSJMmGMBY7UIsB9sfR8V82eLJefcWhydIfHO/aLo/bNyR
IW52hKRTOAH+A/jFdd4qHndIEkwODR124a34Y=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1705969711; x=1706574511;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=bbPotP79yOptpL51tkgqhJq9nf6NFvv/p0BjBr/SdFE=;
b=SgeL5J4KBXFGgU9h7Sv9GGM0A/fvMGGl/+NbmpSKh9UIixYSkFdHqtUTuVpmymPD1k
WCUulnHcEwEvrTnCjIIP57CneEMUZnom1csxv84/ys2cMlJKxdjs5sN+LqtBWkZMLsS3
sc1eKobTMH3HxecHk9/NZwrt0Z45thvZRNxnt2QAtfy7GxM0XxCICHFnoO9Zaz27I4RE
G+lQNTusYBet81j5avOxx7R3hBCQj+9K72x5a3JxZdWs1m7QJSCYJAXxe4+L+2Yrpyae
zETPh5QdrrH9BdJc/svev8X0vEQMcy0D6MiEBEK2VO+8D2PF2noyMrtoWAvNkFZQnUMx
0mRA==
X-Gm-Message-State: AOJu0Yyt5Lu7sR3b/6iWbKPlJ0zt8h3aZW5/xGDq+pi6stlYkf+apact
iTvjT3K2ebsgUl2bp4ZOGsnY41YQV1tzZKptj6VKMKAk2FAt7CE4C3viTue5IA==
X-Received: by 2002:a05:6a20:d046:b0:199:fffd:a3e3 with SMTP id
hv6-20020a056a20d04600b00199fffda3e3mr5559743pzb.52.1705969711526;
Mon, 22 Jan 2024 16:28:31 -0800 (PST)
Received: from www.outflux.net ([198.0.35.241])
by smtp.gmail.com with ESMTPSA id
10-20020a056a00070a00b006dbe1d91426sm2202104pfl.84.2024.01.22.16.28.20
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 22 Jan 2024 16:28:25 -0800 (PST)
From: Kees Cook <keescook@chromium.org>
To: linux-hardening@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
Bill Wendling <morbo@google.com>,
Justin Stitt <justinstitt@google.com>,
linux-kernel@vger.kernel.org
Subject: [PATCH 02/82] overflow: Introduce add_would_overflow()
Date: Mon, 22 Jan 2024 16:26:37 -0800
Message-Id: <20240123002814.1396804-2-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=1326; i=keescook@chromium.org;
h=from:subject; bh=rI7XvXs0gE8oB6y5lNdVJ89YzOLiYyZbayu1rCEj/HA=;
b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBlrwgE/Rg2DOBwpGm23xchVNBK/FIvMg7Pi7tuc
hrgqGce9zOJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZa8IBAAKCRCJcvTf3G3A
JpK6D/4k9MYFmrgc6c/TYlvkWlxk7cgUas0VJ225O0PQXNgzPrwydo5r9or8JHba1AD9K1lQdyq
iY/c00/ng+L0pXMnyUYZ5RlfA76Q9JVIOFl2227BDoVAwb8sQ3Xlwhz/+p860wwoMqwno5TxLPM
iEVrs2M2EZZo+enpPucZmQra1oVUfjoTc4LBwgzW1f4CO87CyxlQo3WW1qqFcQKlFDx9qK0bhpw
KTu3fyF0WBOF1vHOAzXRGacuCBEbmLPsDAiDI6spRQTRIheANwd4kr0s5jXyY4d32MNm8D6kCdw
6o57Cm5NgRuXHzXB1diePd8nslD5neVySw31GHfZqmj9wMhnwKXi2lEZ/wqk3TO9hQ8l3WcSa0O
AtuJ/dQI0LMgGmHU9s2J6rb3+sZYro4mWaVm09UCM02cSGj62u7H1KH/vj6Zw6MMiJ3GVmZomD+
JkjQ5AmlveqxnP7sv/7BdpK866HqpW9PimFvELyrCATtMf206HO00xxjv5an7q1CRv9KGSi3Ifk
lVlTmvb5GZS8sUdV+rAqL0M0E7Q+RrNmT6cRlRLqCdAdwUOiUblUXUkpg3CEifH1S3OVgJzSHbq
bM1kAoa9NqEH8gQAHKfJGo01p01MIhMFhfpnhrorrnpTBOFCgnmxVLdlC8Wzo7PaLcqetog57uK
SjUZaEfaNTdpghQ==
X-Developer-Key: i=keescook@chromium.org; a=openpgp;
fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Content-Transfer-Encoding: 8bit
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1788842041475861527
X-GMAIL-MSGID: 1788842041475861527
|
| Series |
overflow: Refactor open-coded arithmetic wrap-around
|
|
Commit Message
Kees Cook
Jan. 23, 2024, 12:26 a.m. UTC
For instances where only the overflow needs to be checked (and the sum
isn't used), provide the new helper add_would_overflow(), which is
a wrapper for check_add_overflow().
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
include/linux/overflow.h | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
Comments
On 23/01/2024 01.26, Kees Cook wrote: > For instances where only the overflow needs to be checked (and the sum > isn't used), provide the new helper add_would_overflow(), which is > a wrapper for check_add_overflow(). > > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> > Cc: linux-hardening@vger.kernel.org > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > include/linux/overflow.h | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > > diff --git a/include/linux/overflow.h b/include/linux/overflow.h > index 099f2e559aa8..ac088f73e0fd 100644 > --- a/include/linux/overflow.h > +++ b/include/linux/overflow.h > @@ -108,6 +108,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) > __builtin_add_overflow(__filter_integral(a), b, \ > __filter_ptrint(d)))) > > +/** > + * add_would_overflow() - Check if an addition would overflow > + * @a: first addend > + * @b: second addend > + * > + * Returns true if the sum would overflow. > + * > + * To keep a copy of the sum when the addition doesn't overflow, use > + * check_add_overflow() instead. > + */ > +#define add_would_overflow(a, b) \ > + __must_check_overflow(({ \ > + size_t __result; \ > + check_add_overflow(a, b, &__result);\ > + })) Hm, I think this is a bit too ill-defined. Why is the target type hard-coded as size_t? What if a and b are u64, and we're on a 32 bit target? Then a+b might not overflow but this helper would claim it did. But we also cannot just use typeof(a+b) instead of size_t, since that breaks when a and b are narrower than int (adding two u16 never overflows since they get promoted to int, but then if assigning the result to a u16 one truncates...). Perhaps the target type must be explicit? sum_fits_in_type(T, a, b) ? IDK, I just don't think size_t is the right thing to use in something that is otherwise supposed to be type-generic. Rasmus
On Tue, Jan 23, 2024 at 09:03:10AM +0100, Rasmus Villemoes wrote: > On 23/01/2024 01.26, Kees Cook wrote: > > For instances where only the overflow needs to be checked (and the sum > > isn't used), provide the new helper add_would_overflow(), which is > > a wrapper for check_add_overflow(). > > > > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> > > Cc: linux-hardening@vger.kernel.org > > Signed-off-by: Kees Cook <keescook@chromium.org> > > --- > > include/linux/overflow.h | 16 ++++++++++++++++ > > 1 file changed, 16 insertions(+) > > > > diff --git a/include/linux/overflow.h b/include/linux/overflow.h > > index 099f2e559aa8..ac088f73e0fd 100644 > > --- a/include/linux/overflow.h > > +++ b/include/linux/overflow.h > > @@ -108,6 +108,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) > > __builtin_add_overflow(__filter_integral(a), b, \ > > __filter_ptrint(d)))) > > > > +/** > > + * add_would_overflow() - Check if an addition would overflow > > + * @a: first addend > > + * @b: second addend > > + * > > + * Returns true if the sum would overflow. > > + * > > + * To keep a copy of the sum when the addition doesn't overflow, use > > + * check_add_overflow() instead. > > + */ > > +#define add_would_overflow(a, b) \ > > + __must_check_overflow(({ \ > > + size_t __result; \ > > + check_add_overflow(a, b, &__result);\ > > + })) > > Hm, I think this is a bit too ill-defined. Why is the target type > hard-coded as size_t? What if a and b are u64, and we're on a 32 bit > target? Then a+b might not overflow but this helper would claim it did. Oooh, yes. That's no good. Thanks. > But we also cannot just use typeof(a+b) instead of size_t, since that > breaks when a and b are narrower than int (adding two u16 never > overflows since they get promoted to int, but then if assigning the > result to a u16 one truncates...). The add_would_overflow() is aimed at replacing the "v + o < v" pattern, so perhaps use typeof(a) ? > Perhaps the target type must be explicit? sum_fits_in_type(T, a, b) ? > IDK, I just don't think size_t is the right thing to use in something > that is otherwise supposed to be type-generic. I will use typeof(a) and check binary differences to see if there are any places doing something unexpected... -Kees
diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 099f2e559aa8..ac088f73e0fd 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -108,6 +108,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) __builtin_add_overflow(__filter_integral(a), b, \ __filter_ptrint(d)))) +/** + * add_would_overflow() - Check if an addition would overflow + * @a: first addend + * @b: second addend + * + * Returns true if the sum would overflow. + * + * To keep a copy of the sum when the addition doesn't overflow, use + * check_add_overflow() instead. + */ +#define add_would_overflow(a, b) \ + __must_check_overflow(({ \ + size_t __result; \ + check_add_overflow(a, b, &__result);\ + })) + /** * check_sub_overflow() - Calculate subtraction with overflow checking * @a: minuend; value to subtract from