Message ID | 20240123002814.1396804-43-keescook@chromium.org |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel+bounces-34566-ouuuleilei=gmail.com@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:7300:2553:b0:103:945f:af90 with SMTP id p19csp79826dyi; Mon, 22 Jan 2024 18:23:30 -0800 (PST) X-Google-Smtp-Source: AGHT+IE5cJp+QM1eI4IFXXAdzDuwtbvJN5yCU5nMe5GDm01vpqWc91MMynPQzsucjpALe62iaip2 X-Received: by 2002:a05:6a20:3b2a:b0:19a:4b93:250c with SMTP id c42-20020a056a203b2a00b0019a4b93250cmr2267908pzh.51.1705976610352; Mon, 22 Jan 2024 18:23:30 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1705976610; cv=pass; d=google.com; s=arc-20160816; b=IFoNlv6NUl31EZ98WbgrnDlXvnXYn5gVXUimnd9cCT4wAQ33I6juAGZSnu76JJ7Zmz tbccwozcBV4rRQdMPCedRRLMeC/cuLwaD0n3ink47EXEU4KliyuUap6UieL8Itg1T7Ut WGoOwWb5gU6j5Fl+gTBvy7JAXDj6kp+SbvAs1IYyk0Gs1asZr+sKAwD+2l13v1dtKZpX hb/dxknpbbg1RTl43FUxnVj0koTuwkrKvXrhlwEk7GN7m9MvheBkS2z6RRANp1KFkHSL RfFCZBysdy5B6xdLTA0yIiF4VvOO/D4jXJtp4qE4lHlfnmTdFvLk6x14ctmI2pUfG/jM kcQQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=PzCem6cup4TdiKSfzyjJWNqgMtspOXnXOALwscH4Wdk=; fh=olk3Vwo6flXNlhTR3+grEaNqvvzXozWB2Jd8QK1jV14=; b=dNaOWJfWHZ0SN7xMigeSIIwZFjP7D3dhIXLC6krqj27NaDpyBodSye0w1JNRGmSJ7b CwA0X5l4v+I7+/O8hCqGfJ2jaLZ7xMdyrpbCwb7M3Wct2FXJQQZ6J7PQB3G/tXiBlAn7 FDa0GB01I9ifsDstvo3I/Q0DJinQG58bEouiN9tSU5oJa7TTLG22gNJb4jA883VUpfw/ y576wPH5GQ2E0JeIjzFmCogpAguNOc6Wy3NPKvJHXLzFeJji9Y53315+ygYo66jRq1hf u2tT9KGIK4AHp5YjUAqOr+e/5vT+KNzT5g7qFlBbr+20NR+/M8y/ztc11AYbKi2p4mdj dPjg== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="a2Idl6M/"; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-34566-ouuuleilei=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-34566-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id h22-20020a170902f7d600b001d73192de39si4782478plw.36.2024.01.22.18.23.29 for <ouuuleilei@gmail.com> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jan 2024 18:23:30 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-34566-ouuuleilei=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="a2Idl6M/"; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-34566-ouuuleilei=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-34566-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id B8926B227D0 for <ouuuleilei@gmail.com>; Tue, 23 Jan 2024 02:02:15 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id BB47A133405; Tue, 23 Jan 2024 01:03:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="a2Idl6M/" Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 935CF130E3C for <linux-kernel@vger.kernel.org>; Tue, 23 Jan 2024 01:03:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.180 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705971825; cv=none; b=tu9ZmFJx4duh/v/ezX+SRq+zqShyGOtAqHQe0a7uVZsU64K1ZbS9d7usQoK2TbiapjwGbwyYIM4USRqy9AY6B1ajRW5KQLf+aybsekA8zR9qbeCFBl9uPm2sSZNQKnz732mGtGaCczVlys/aUnhIyxryeueELEggx8m6vPMWwOk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705971825; c=relaxed/simple; bh=2D/1q+K5ofLS3QNrb17mBia21R1L5nS1NTJwK1+Jywo=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=DINcgAdNRFH20zUtBhvdY9rnqUlGnq2t7gKrJ3hkqY/TnkkEuGSfVbzAOQA+uL+uokxVZv5zR5bEXoUAOrjVmT1mFi7ldAlScSn3d3h8B8kdLr7W24nMIJRAUVwUnrTKyUsNpEL2QklGyF5Wypd9hKzAaWizAbe9EXKYG4dTXGo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=a2Idl6M/; arc=none smtp.client-ip=209.85.214.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Received: by mail-pl1-f180.google.com with SMTP id d9443c01a7336-1d7393de183so8875065ad.3 for <linux-kernel@vger.kernel.org>; Mon, 22 Jan 2024 17:03:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1705971822; x=1706576622; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=PzCem6cup4TdiKSfzyjJWNqgMtspOXnXOALwscH4Wdk=; b=a2Idl6M/nB7uU5CS8xxzI/5QidtiR6E4Q3sFDrKD1RsiwxD4SvHlSntigxg2OfCWvP c8rfPE7nnYFHY2q1SxwpkUVxKwA5u1ZiZCJSyFpIRafFLbOAjEGK8VLDKHK1f0EPZK9c DfyzEhjlT9cFFPR3DAiY0bQeHB4rNqJhDAha4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705971822; x=1706576622; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PzCem6cup4TdiKSfzyjJWNqgMtspOXnXOALwscH4Wdk=; b=PpiWUg535BXXYnf1azCdpM+1kcal3j/zxCNJunJKqRAgeXyx1cCaZRkJI3RD9b9jmS nmShTBV7q3+c0XPLvasQYFuq0yHD8x5qaIpdDLjMvKM9UjQGZXlZxcshZjtzfSOwDdyC jNEclNRmH7lvOOunwE+HUkQi942mXOfdq7ZO5EDwp8YlaCEn1bmRSgDiiLfuho6eeMcZ /vMtDFtMlvD0XoUFJqalICRDKB316z9zU3dohCcEcHSuWAww9RwweIRn4cRQuL3ezciZ Hmyf7REfiIrUgBt5/CA5tEfnGylCFlHbIteQQLOdmnLhV2sJm6wEEi+gAIUa0SrfbuKs o7nQ== X-Gm-Message-State: AOJu0YwbtX9NhcnFw9rQDvvdkYoX66RHCudC0BBqMUqiDwAR8FdH7TaS ua0tQKkRCpAcOo+j8YG5Tld6E4haSlomhlcRgnz81cyHciPb2J/gKcGNk5ppdg== X-Received: by 2002:a17:902:8e8a:b0:1d4:2ebf:66e9 with SMTP id bg10-20020a1709028e8a00b001d42ebf66e9mr2195121plb.66.1705971822051; Mon, 22 Jan 2024 17:03:42 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id k17-20020a170902f29100b001d707a14316sm7510636plc.75.2024.01.22.17.03.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jan 2024 17:03:38 -0800 (PST) From: Kees Cook <keescook@chromium.org> To: linux-hardening@vger.kernel.org Cc: Kees Cook <keescook@chromium.org>, Alexei Starovoitov <ast@kernel.org>, Daniel Borkmann <daniel@iogearbox.net>, John Fastabend <john.fastabend@gmail.com>, Andrii Nakryiko <andrii@kernel.org>, Martin KaFai Lau <martin.lau@linux.dev>, Song Liu <song@kernel.org>, Yonghong Song <yonghong.song@linux.dev>, KP Singh <kpsingh@kernel.org>, Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>, Jiri Olsa <jolsa@kernel.org>, bpf@vger.kernel.org, "Gustavo A. R. Silva" <gustavoars@kernel.org>, Bill Wendling <morbo@google.com>, Justin Stitt <justinstitt@google.com>, linux-kernel@vger.kernel.org Subject: [PATCH 43/82] bpf: Refactor intentional wrap-around test Date: Mon, 22 Jan 2024 16:27:18 -0800 Message-Id: <20240123002814.1396804-43-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240122235208.work.748-kees@kernel.org> References: <20240122235208.work.748-kees@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: <linux-kernel.vger.kernel.org> List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org> List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3267; i=keescook@chromium.org; h=from:subject; bh=2D/1q+K5ofLS3QNrb17mBia21R1L5nS1NTJwK1+Jywo=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBlrwgIT/Z3KUQ2veJhvQyEt4ONL7c5mrClKFuYO X8phZz1OWKJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZa8ICAAKCRCJcvTf3G3A JkHTD/4qgBnK24plRIXO+yoz2iQ+LnLu7ceo46R+EFzo/2zE4dZ+2u1CDIt1eEMllnG7GdIK+rx pbMn643YxLdpkcs5J68KMVdKkniWV1XXHwbVnmqxCo4f3HtuQS09iFdsyX5XJs2halhjXZuW75R y811Tm0ilp4N9T2dCDFe9xf02ruR51njy47egnuRN0VU3wH5eVAM2v+jk3FCeD3rlPEUpSpDQ6P IbHZAs1mjAVXG/iORESIdH1l+V5XRdrAhwLvmouMutwbyBdRSeemCsROlWgyRUEMAyCYANg0N2J iFtFwycRzbLWW6oOtS9lcxUUXATx7bjcDODVDigeUo9lnVhJgT4k3Eox4y7Xsl6jC7/Wo6rdWDk tWxp2TXKIwFm7GrPKQ9G6WCadosfMVqMKU9XxyQU+LGrgXVuV2vtDworRcNS4cTWKdWH32fhgnm PbPrx493hufpiEUxiHBg5a0Cx3Vp0nGNmEUyLl0IICmlG8MJJSdrh6iubiBRHOgFdZZIN0MGO0D jipUiaIzyLiQ0IoPELof8qAAkUP239U2GzBeV6tfZDmRwot08eR3a1n4Ghqvp72J6PkxFLB94r9 /D9CqYn4moMTyD6tGRDSqYZ7623ETbGfVy32TpB8S7loBlaOQTbv+FJCb2GqADyXmCvziiN3rOI GVEF4TSjuaYfhyw== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: 8bit X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1788846130613116996 X-GMAIL-MSGID: 1788846130613116996 |
Series |
overflow: Refactor open-coded arithmetic wrap-around
|
|
Commit Message
Kees Cook
Jan. 23, 2024, 12:27 a.m. UTC
In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:
VAR + value < VAR
Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.
Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.
Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Andrii Nakryiko <andrii@kernel.org>
Cc: Martin KaFai Lau <martin.lau@linux.dev>
Cc: Song Liu <song@kernel.org>
Cc: Yonghong Song <yonghong.song@linux.dev>
Cc: KP Singh <kpsingh@kernel.org>
Cc: Stanislav Fomichev <sdf@google.com>
Cc: Hao Luo <haoluo@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: bpf@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
kernel/bpf/verifier.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
Comments
On 1/22/24 4:27 PM, Kees Cook wrote: > In an effort to separate intentional arithmetic wrap-around from > unexpected wrap-around, we need to refactor places that depend on this > kind of math. One of the most common code patterns of this is: > > VAR + value < VAR > > Notably, this is considered "undefined behavior" for signed and pointer > types, which the kernel works around by using the -fno-strict-overflow > option in the build[1] (which used to just be -fwrapv). Regardless, we > want to get the kernel source to the position where we can meaningfully > instrument arithmetic wrap-around conditions and catch them when they > are unexpected, regardless of whether they are signed[2], unsigned[3], > or pointer[4] types. > > Refactor open-coded wrap-around addition test to use add_would_overflow(). > This paves the way to enabling the wrap-around sanitizers in the future. > > Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] > Link: https://github.com/KSPP/linux/issues/26 [2] > Link: https://github.com/KSPP/linux/issues/27 [3] > Link: https://github.com/KSPP/linux/issues/344 [4] > Cc: Alexei Starovoitov <ast@kernel.org> > Cc: Daniel Borkmann <daniel@iogearbox.net> > Cc: John Fastabend <john.fastabend@gmail.com> > Cc: Andrii Nakryiko <andrii@kernel.org> > Cc: Martin KaFai Lau <martin.lau@linux.dev> > Cc: Song Liu <song@kernel.org> > Cc: Yonghong Song <yonghong.song@linux.dev> > Cc: KP Singh <kpsingh@kernel.org> > Cc: Stanislav Fomichev <sdf@google.com> > Cc: Hao Luo <haoluo@google.com> > Cc: Jiri Olsa <jolsa@kernel.org> > Cc: bpf@vger.kernel.org > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > kernel/bpf/verifier.c | 12 ++++++------ > 1 file changed, 6 insertions(+), 6 deletions(-) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 65f598694d55..21e3f30c8757 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -12901,8 +12901,8 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, > dst_reg->smin_value = smin_ptr + smin_val; > dst_reg->smax_value = smax_ptr + smax_val; > } > - if (umin_ptr + umin_val < umin_ptr || > - umax_ptr + umax_val < umax_ptr) { > + if (add_would_overflow(umin_ptr, umin_val) || > + add_would_overflow(umax_ptr, umax_val)) { Maybe you could give a reference to the definition of add_would_overflow()? A link or a patch with add_would_overflow() defined cc'ed to bpf program. The patch itselfs looks good to me. > dst_reg->umin_value = 0; > dst_reg->umax_value = U64_MAX; > } else { > @@ -13023,8 +13023,8 @@ static void scalar32_min_max_add(struct bpf_reg_state *dst_reg, > dst_reg->s32_min_value += smin_val; > dst_reg->s32_max_value += smax_val; > } > - if (dst_reg->u32_min_value + umin_val < umin_val || > - dst_reg->u32_max_value + umax_val < umax_val) { > + if (add_would_overflow(umin_val, dst_reg->u32_min_value) || > + add_would_overflow(umax_val, dst_reg->u32_max_value)) { > dst_reg->u32_min_value = 0; > dst_reg->u32_max_value = U32_MAX; > } else { > @@ -13049,8 +13049,8 @@ static void scalar_min_max_add(struct bpf_reg_state *dst_reg, > dst_reg->smin_value += smin_val; > dst_reg->smax_value += smax_val; > } > - if (dst_reg->umin_value + umin_val < umin_val || > - dst_reg->umax_value + umax_val < umax_val) { > + if (add_would_overflow(umin_val, dst_reg->umin_value) || > + add_would_overflow(umax_val, dst_reg->umax_value)) { > dst_reg->umin_value = 0; > dst_reg->umax_value = U64_MAX; > } else {
On January 22, 2024 8:00:26 PM PST, Yonghong Song <yonghong.song@linux.dev> wrote: > >On 1/22/24 4:27 PM, Kees Cook wrote: >> In an effort to separate intentional arithmetic wrap-around from >> unexpected wrap-around, we need to refactor places that depend on this >> kind of math. One of the most common code patterns of this is: >> >> VAR + value < VAR >> >> Notably, this is considered "undefined behavior" for signed and pointer >> types, which the kernel works around by using the -fno-strict-overflow >> option in the build[1] (which used to just be -fwrapv). Regardless, we >> want to get the kernel source to the position where we can meaningfully >> instrument arithmetic wrap-around conditions and catch them when they >> are unexpected, regardless of whether they are signed[2], unsigned[3], >> or pointer[4] types. >> >> Refactor open-coded wrap-around addition test to use add_would_overflow(). >> This paves the way to enabling the wrap-around sanitizers in the future. >> >> Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] >> Link: https://github.com/KSPP/linux/issues/26 [2] >> Link: https://github.com/KSPP/linux/issues/27 [3] >> Link: https://github.com/KSPP/linux/issues/344 [4] >> Cc: Alexei Starovoitov <ast@kernel.org> >> Cc: Daniel Borkmann <daniel@iogearbox.net> >> Cc: John Fastabend <john.fastabend@gmail.com> >> Cc: Andrii Nakryiko <andrii@kernel.org> >> Cc: Martin KaFai Lau <martin.lau@linux.dev> >> Cc: Song Liu <song@kernel.org> >> Cc: Yonghong Song <yonghong.song@linux.dev> >> Cc: KP Singh <kpsingh@kernel.org> >> Cc: Stanislav Fomichev <sdf@google.com> >> Cc: Hao Luo <haoluo@google.com> >> Cc: Jiri Olsa <jolsa@kernel.org> >> Cc: bpf@vger.kernel.org >> Signed-off-by: Kees Cook <keescook@chromium.org> >> --- >> kernel/bpf/verifier.c | 12 ++++++------ >> 1 file changed, 6 insertions(+), 6 deletions(-) >> >> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c >> index 65f598694d55..21e3f30c8757 100644 >> --- a/kernel/bpf/verifier.c >> +++ b/kernel/bpf/verifier.c >> @@ -12901,8 +12901,8 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, >> dst_reg->smin_value = smin_ptr + smin_val; >> dst_reg->smax_value = smax_ptr + smax_val; >> } >> - if (umin_ptr + umin_val < umin_ptr || >> - umax_ptr + umax_val < umax_ptr) { >> + if (add_would_overflow(umin_ptr, umin_val) || >> + add_would_overflow(umax_ptr, umax_val)) { > >Maybe you could give a reference to the definition of add_would_overflow()? >A link or a patch with add_would_overflow() defined cc'ed to bpf program. Sure! It was earlier in the series: https://lore.kernel.org/linux-hardening/20240123002814.1396804-2-keescook@chromium.org/ The cover letter also has more details: https://lore.kernel.org/linux-hardening/20240122235208.work.748-kees@kernel.org/ >The patch itselfs looks good to me. Thanks! -Kees
On 1/22/24 8:07 PM, Kees Cook wrote: > > On January 22, 2024 8:00:26 PM PST, Yonghong Song <yonghong.song@linux.dev> wrote: >> On 1/22/24 4:27 PM, Kees Cook wrote: >>> In an effort to separate intentional arithmetic wrap-around from >>> unexpected wrap-around, we need to refactor places that depend on this >>> kind of math. One of the most common code patterns of this is: >>> >>> VAR + value < VAR >>> >>> Notably, this is considered "undefined behavior" for signed and pointer >>> types, which the kernel works around by using the -fno-strict-overflow >>> option in the build[1] (which used to just be -fwrapv). Regardless, we >>> want to get the kernel source to the position where we can meaningfully >>> instrument arithmetic wrap-around conditions and catch them when they >>> are unexpected, regardless of whether they are signed[2], unsigned[3], >>> or pointer[4] types. >>> >>> Refactor open-coded wrap-around addition test to use add_would_overflow(). >>> This paves the way to enabling the wrap-around sanitizers in the future. >>> >>> Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] >>> Link: https://github.com/KSPP/linux/issues/26 [2] >>> Link: https://github.com/KSPP/linux/issues/27 [3] >>> Link: https://github.com/KSPP/linux/issues/344 [4] >>> Cc: Alexei Starovoitov <ast@kernel.org> >>> Cc: Daniel Borkmann <daniel@iogearbox.net> >>> Cc: John Fastabend <john.fastabend@gmail.com> >>> Cc: Andrii Nakryiko <andrii@kernel.org> >>> Cc: Martin KaFai Lau <martin.lau@linux.dev> >>> Cc: Song Liu <song@kernel.org> >>> Cc: Yonghong Song <yonghong.song@linux.dev> >>> Cc: KP Singh <kpsingh@kernel.org> >>> Cc: Stanislav Fomichev <sdf@google.com> >>> Cc: Hao Luo <haoluo@google.com> >>> Cc: Jiri Olsa <jolsa@kernel.org> >>> Cc: bpf@vger.kernel.org >>> Signed-off-by: Kees Cook <keescook@chromium.org> >>> --- >>> kernel/bpf/verifier.c | 12 ++++++------ >>> 1 file changed, 6 insertions(+), 6 deletions(-) >>> >>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c >>> index 65f598694d55..21e3f30c8757 100644 >>> --- a/kernel/bpf/verifier.c >>> +++ b/kernel/bpf/verifier.c >>> @@ -12901,8 +12901,8 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, >>> dst_reg->smin_value = smin_ptr + smin_val; >>> dst_reg->smax_value = smax_ptr + smax_val; >>> } >>> - if (umin_ptr + umin_val < umin_ptr || >>> - umax_ptr + umax_val < umax_ptr) { >>> + if (add_would_overflow(umin_ptr, umin_val) || >>> + add_would_overflow(umax_ptr, umax_val)) { >> Maybe you could give a reference to the definition of add_would_overflow()? >> A link or a patch with add_would_overflow() defined cc'ed to bpf program. > Sure! It was earlier in the series: > https://lore.kernel.org/linux-hardening/20240123002814.1396804-2-keescook@chromium.org/ > > The cover letter also has more details: > https://lore.kernel.org/linux-hardening/20240122235208.work.748-kees@kernel.org/ Thanks for the pointer. Acked-by: Yonghong Song <yonghong.song@linux.dev> > >> The patch itselfs looks good to me. > Thanks! > > -Kees >
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 65f598694d55..21e3f30c8757 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -12901,8 +12901,8 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, dst_reg->smin_value = smin_ptr + smin_val; dst_reg->smax_value = smax_ptr + smax_val; } - if (umin_ptr + umin_val < umin_ptr || - umax_ptr + umax_val < umax_ptr) { + if (add_would_overflow(umin_ptr, umin_val) || + add_would_overflow(umax_ptr, umax_val)) { dst_reg->umin_value = 0; dst_reg->umax_value = U64_MAX; } else { @@ -13023,8 +13023,8 @@ static void scalar32_min_max_add(struct bpf_reg_state *dst_reg, dst_reg->s32_min_value += smin_val; dst_reg->s32_max_value += smax_val; } - if (dst_reg->u32_min_value + umin_val < umin_val || - dst_reg->u32_max_value + umax_val < umax_val) { + if (add_would_overflow(umin_val, dst_reg->u32_min_value) || + add_would_overflow(umax_val, dst_reg->u32_max_value)) { dst_reg->u32_min_value = 0; dst_reg->u32_max_value = U32_MAX; } else { @@ -13049,8 +13049,8 @@ static void scalar_min_max_add(struct bpf_reg_state *dst_reg, dst_reg->smin_value += smin_val; dst_reg->smax_value += smax_val; } - if (dst_reg->umin_value + umin_val < umin_val || - dst_reg->umax_value + umax_val < umax_val) { + if (add_would_overflow(umin_val, dst_reg->umin_value) || + add_would_overflow(umax_val, dst_reg->umax_value)) { dst_reg->umin_value = 0; dst_reg->umax_value = U64_MAX; } else {