From patchwork Tue Jan 30 22:06:06 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 194342 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:7301:2087:b0:106:209c:c626 with SMTP id gs7csp1524051dyb; Tue, 30 Jan 2024 14:08:22 -0800 (PST) X-Google-Smtp-Source: AGHT+IGxU4eWzhCKJatMrBSTMjgrA6jB6qyNBIAMWC/xGYjUNEvFQmZ7VMaFtvChYxKMbtqruhv6 X-Received: by 2002:a05:6870:6109:b0:218:470a:e053 with SMTP id s9-20020a056870610900b00218470ae053mr5848262oae.8.1706652502090; Tue, 30 Jan 2024 14:08:22 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706652502; cv=pass; d=google.com; s=arc-20160816; b=Kzrv+y9DOFv9ciZpgzK+9gfagLjfc6zG1M2HesVNHenfzMnO72y4VyvNkNANP4n1Tg ZzjuyVZnVlLS6HIvPW/iGDv5Ci0+Kt1lxo8EPu/bbA1yt/G7qXHuzD1Pjq3Mpq+1rI5V CkKvmNNYIVNFFS5rZDC7DKRdDNDhIaNf26JHJD7XOsKgB8yQrbETdkjNx54QaLIdUQPf SbhCOBiC0o2m+Vsv11k4WZslCYIivRvm4DGxFRq7XkN2fApapu7ZNYQmBSEW6gZDAPoN PHj6yChrqkr90aE0G6+UanosfsWy/J3b+/kY1N3BFD0LXCiYFM4kZDQ1DzFd+GOxfh4u QKQA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=TXEWZ+ijn2Mktyo3GgFFo1opylml2uwjVnLpw+L5S/k=; fh=vuK/cNm1J+xDY8eBdRZZ00Oi6XMYQysn5BO4MCYg3cs=; b=q1NsHwklldi6HXmokau5Z4rVQP1N+8N6BFz5GVMo20DNesX2BgMudsXSs7yPDj9TtR U51JmlT+8GSU4KWDRyc0z92BpBEoua4mp0F8JLvDu1YgUkEe1R5YXFMWd48f255umkYr KG46LNr0pFMUyEMwnqqJknOdiQkHwPn6bzvr7jzBlAVM6kwdutmiKn25g57P3IwqJARY BV1CBrh1Q23tr1OzMMOfUY0LU1RgV30rdc0uiutp4rwQs7IDpiBeT8TqbDcuQ2yqmbP/ 1I2Spl1tv8/qXrw+vj1aOYrobwJ72GH3EfdsAsp0zw5bVHhi40+lxj3zq/FFCLNzU8+6 O0LA== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=MhAo+yD3; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-45365-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-45365-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id t16-20020a639550000000b005ce087e0049si8108213pgn.696.2024.01.30.14.08.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Jan 2024 14:08:22 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-45365-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=MhAo+yD3; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-45365-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-45365-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 5B5F0B23AD4 for ; Tue, 30 Jan 2024 22:07:59 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id DBF977AE74; Tue, 30 Jan 2024 22:06:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="MhAo+yD3" Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E384F762EB for ; Tue, 30 Jan 2024 22:06:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.180 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706652380; cv=none; b=FTtWD5PhFAckqmK+BAODPiVdUbSCr09+UmEq45WtPy4NtvECUnz6yJQYWZrpoGXkOs0F9e8OqIqipSoEhqEcTeh7Nbvp/YJPcd6p4IG8m8mpm4DyOtLn1eQSnpVFQ9JxdjpUWF9L4gHGKtKNpx2jmTdMN+wXC/fJ/WIJg/IwPg8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706652380; c=relaxed/simple; bh=mjbhQQsJHZNHQElAJyka1am+OsaRRifuj4xn9QRfLGM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=l8NEfrPsLCYQ03ewSKnsw0SBjao/+ylHCXhcrw93ahnBCA6hDitEWPwI7FVkagnW5FJW9hlWyFjiNnb3MZgFDGz+FxsO0PPDvZXARN740AhDL4dExYWdBmIdJVbijb9K/+U9SPWiQyEVNDhCsYxLymw0kgDm5eACOD5dmFT20/I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=MhAo+yD3; arc=none smtp.client-ip=209.85.210.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Received: by mail-pf1-f180.google.com with SMTP id d2e1a72fcca58-6d9f94b9186so3400251b3a.0 for ; Tue, 30 Jan 2024 14:06:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1706652378; x=1707257178; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=TXEWZ+ijn2Mktyo3GgFFo1opylml2uwjVnLpw+L5S/k=; b=MhAo+yD3yaTWH8UHw3ebbIh/luRgWzh6Pnhtrm+K8yG7sVe892qUaYABmE4jmoPlOd 5m02QtNfy57NU8uQEFV1sR8TTIC1NK66Z0jtp3DFcHk0JZF17PnnVS3mzE4x74Ll8b7A 4OrIp5OlKlVWa9UOSjcLknmAlb9tvlz48jvK4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706652378; x=1707257178; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=TXEWZ+ijn2Mktyo3GgFFo1opylml2uwjVnLpw+L5S/k=; b=p7BcVUNKXU4dDS0+AcZGN91kRQ6tXfuTVtOufupUahKaQski6gruITpGtx7+O+Tgsk oXcrO77tUlLvZaIy2/Mwen06NJzTJm1JxnSIcUQLewXvyg28Kpo8QrpTY+MroedyLAS7 prsNoD5/mxfCcn2wm8VbQquyEANYvLZlm9BFNILJAPlCz8BlVnn/CooQfkJGAW0w0Wuk SspF1KTTnroWFN6Df40Xwdp4pV855GkHb/Vf7YI/U5aYQ+ZB6Gz6pJ6BeqnBELYZC/SI yAR8a/Kfqb/uVn4LtiQnsfRPm2CKaDBw4QsOTXm0g78kNtCTRKC2FFFBvPBpaumJU1Ub bRww== X-Gm-Message-State: AOJu0YyUuTVwY+UJ1Gv4/NBFVQxjyNHIEHDPgJOY0S2w90SSecHcVLLa LCoL+BqYoIyEjoAl9raYc4GX/pd/N61jaMgpacJ8JRpkwJYDQH9eT2RxetLAVQ== X-Received: by 2002:a05:6a20:c411:b0:19a:360c:75d8 with SMTP id en17-20020a056a20c41100b0019a360c75d8mr8249397pzb.14.1706652378406; Tue, 30 Jan 2024 14:06:18 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id r11-20020a170903014b00b001d8dedeb0casm4331642plc.180.2024.01.30.14.06.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Jan 2024 14:06:17 -0800 (PST) From: Kees Cook To: Rasmus Villemoes Cc: Kees Cook , "Gustavo A. R. Silva" , Justin Stitt , linux-hardening@vger.kernel.org, Andrew Morton , Nathan Chancellor , Nick Desaulniers , Bill Wendling , Mark Rutland , Miguel Ojeda , Marco Elver , Jakub Kicinski , Przemek Kitszel , Masahiro Yamada , linux-kernel@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH v2 1/5] overflow: Adjust check_*_overflow() kern-doc to reflect results Date: Tue, 30 Jan 2024 14:06:06 -0800 Message-Id: <20240130220614.1154497-1-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240130220218.it.154-kees@kernel.org> References: <20240130220218.it.154-kees@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2716; i=keescook@chromium.org; h=from:subject; bh=mjbhQQsJHZNHQElAJyka1am+OsaRRifuj4xn9QRfLGM=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBluXLRXPWpxbxWBABUSnq7LV3ZR63LVVosG/CRP 5ZzpJGG3mKJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZbly0QAKCRCJcvTf3G3A JsZ3D/47FGhmdQqxJrZ9wW+IfjOj5Z+/JJdT4A88xjMViD8m2y+sZ66ET8cpz0UxvZb8wc5ydbm kKGJkwmx2MxOImy/n06QpmWo+Jj6Hcb2x4MhjJrvG7QbIC8no338Da90doAljPBJQardE1fF7BX TAwaqrSw+31TcmCP/J6CJ3Zy1M7SMmYp0HdBNg7mIDikbW2FYa3oKBphdZXiLt38fjJJQf2jUFd CBKnBPtpk2Q42oSJwkvv0+WZj3zuvoFhIgRyLYf0i9QuXdQFK8IfVBZQi3UUcyJRTHJDYshhaTS yfLfrJ6F0nr8PdL9h2/IqewAUyNk+YiE0J1j+Ds70hYy9YypS/JaeNCvKq9n42FWNRatqLbtMEs HweyCRNsTPMccrf/ZSHVhW83m0QZP3tZ00lVm3rgNhL2Q/oa/pqerx8fp8YgQ/JgLeRgJt1eK2R ino8gJHkQp7HkP+owrvPQZBSFUjFFBc+7ZHhkOiOYDQ/1v7RZHuIH1CYRNyhzUdlSU+QrcgUX9F XfRFoAkuBd8qYpVccYsV+1/zKrZDgEW72okrPtTNzp1Rjo+eXk5QFw9bDTl/qo/CClNbY1F0PxT LKPYm7R9P1tk0jtAkCFen/ejWNEp8jvYos5ar8T5/53t/xYMN7kEw1Cj4gw2iJwJ5U7ELiklaKW B5/Vgg5InWPF4Aw== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1789554854366451984 X-GMAIL-MSGID: 1789554854366451984 The check_*_overflow() helpers will return results with potentially wrapped-around values. These values have always been checked by the selftests, so avoid the confusing language in the kern-doc. The idea of "safe for use" was relative to the expectation of whether or not the caller wants a wrapped value -- the calculation itself will always follow arithmetic wrapping rules. Cc: "Gustavo A. R. Silva" Cc: Justin Stitt Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/overflow.h | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 7b5cf4a5cd19..4e741ebb8005 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -57,11 +57,9 @@ static inline bool __must_check __must_check_overflow(bool overflow) * @b: second addend * @d: pointer to store sum * - * Returns 0 on success. + * Returns 0 on success, 1 on wrap-around. * - * *@d holds the results of the attempted addition, but is not considered - * "safe for use" on a non-zero return value, which indicates that the - * sum has overflowed or been truncated. + * *@d holds the results of the attempted addition, which may wrap-around. */ #define check_add_overflow(a, b, d) \ __must_check_overflow(__builtin_add_overflow(a, b, d)) @@ -72,11 +70,9 @@ static inline bool __must_check __must_check_overflow(bool overflow) * @b: subtrahend; value to subtract from @a * @d: pointer to store difference * - * Returns 0 on success. + * Returns 0 on success, 1 on wrap-around. * - * *@d holds the results of the attempted subtraction, but is not considered - * "safe for use" on a non-zero return value, which indicates that the - * difference has underflowed or been truncated. + * *@d holds the results of the attempted subtraction, which may wrap-around. */ #define check_sub_overflow(a, b, d) \ __must_check_overflow(__builtin_sub_overflow(a, b, d)) @@ -87,11 +83,9 @@ static inline bool __must_check __must_check_overflow(bool overflow) * @b: second factor * @d: pointer to store product * - * Returns 0 on success. + * Returns 0 on success, 1 on wrap-around. * - * *@d holds the results of the attempted multiplication, but is not - * considered "safe for use" on a non-zero return value, which indicates - * that the product has overflowed or been truncated. + * *@d holds the results of the attempted multiplication, which may wrap-around. */ #define check_mul_overflow(a, b, d) \ __must_check_overflow(__builtin_mul_overflow(a, b, d))