From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Gustavo A. R. Silva", Andrew Morton, Nathan Chancellor, Nick Desaulniers, Bill Wendling, Justin Stitt, llvm@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: [PATCH 01/82] overflow: Expand check_add_overflow() for pointer addition
Date: Mon, 22 Jan 2024 16:26:36 -0800
Message-Id: <20240123002814.1396804-1-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

The check_add_overflow() helper is mostly a wrapper around
__builtin_add_overflow(), but GCC and Clang refuse to operate on pointer
arguments that would normally be allowed if the addition were open-coded.

For example, we have many places where pointer overflow is tested:

	struct foo *ptr;
	...
	/* Check for overflow */
	if (ptr + count < ptr)
		...

And in order to avoid running into the overflow sanitizers in the
future, we need to rewrite these "intended" overflow checks:

	if (check_add_overflow(ptr, count, &result))
		...

Frustratingly the argument type validation for
__builtin_add_overflow() is done before evaluating
__builtin_choose_expr(), so for arguments to be valid simultaneously
for sizeof(*p) (when p may not be a pointer), and
__builtin_add_overflow(a, ...) (when a may be a pointer), we must
introduce wrappers that always produce a specific type (but they are
only used in the places where the bogus arguments will be ignored).

To test whether a variable is a pointer or not, introduce the __is_ptr()
helper, which uses __builtin_classify_type() to find arrays and pointers
(via the new __is_ptr_or_array() helper), and then decays arrays into
pointers (via the new __decay() helper), to distinguish pointers from
arrays.

Additionally update the unit tests to cover pointer addition.

Cc: "Gustavo A. R. Silva"
Cc: Andrew Morton
Cc: Nathan Chancellor
Cc: Nick Desaulniers
Cc: Bill Wendling
Cc: Justin Stitt
Cc: llvm@lists.linux.dev
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed-by: Justin Stitt
---
 include/linux/compiler_types.h | 10 +++++
 include/linux/overflow.h       | 44 ++++++++++++++++++-
 lib/overflow_kunit.c           | 77 ++++++++++++++++++++++++++++++----
 3 files changed, 121 insertions(+), 10 deletions(-)

diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index 6f1ca49306d2..d27b58fddfaa 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h
@@ -375,6 +375,16 @@ struct ftrace_likely_data { /* Are two types/vars the same type (ignoring qualifiers)? */ #define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b)) +/* Is variable addressable? */ +#define __is_ptr_or_array(p) (__builtin_classify_type(p) == 5) + +/* Return an array decayed to a pointer. */ +#define __decay(p) \ + (&*__builtin_choose_expr(__is_ptr_or_array(p), p, NULL)) + +/* Report if variable is a pointer type. */ +#define __is_ptr(p) __same_type(p, __decay(p)) + /* * __unqual_scalar_typeof(x) - Declare an unqualified scalar type, leaving * non-scalar types unchanged. diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 7b5cf4a5cd19..099f2e559aa8 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h 
@@ -51,6 +51,45 @@ static inline bool __must_check __must_check_overflow(bool overflow) return unlikely(overflow); } +/* Always produce an integral variable expression. */ +#define __filter_integral(x) \ + __builtin_choose_expr(!__is_ptr(x), (x), 0) + +/* Always produce a pointer value. */ +#define __filter_ptr(x) \ + __builtin_choose_expr(__is_ptr(x), (x), NULL) + +/* Always produce a pointer to an integral value. */ +#define __filter_ptrint(x) \ + __builtin_choose_expr(!__is_ptr(*(x)), x, &(int){ 0 }) + +/** + * __check_ptr_add_overflow() - Calculate pointer addition with overflow checking + * @a: pointer addend + * @b: numeric addend + * @d: pointer to store sum + * + * Returns 0 on success. + * + * Do not use this function directly, use check_add_overflow() instead. + * + * *@d holds the results of the attempted addition, but is not considered + * "safe for use" on a non-zero return value, which indicates that the + * sum has overflowed or been truncated. + */ +#define __check_ptr_add_overflow(a, b, d) \ + ({ \ + typeof(a) __a = (a); \ + typeof(b) __b = (b); \ + size_t __bytes; \ + bool __overflow; \ + \ + /* we want to perform the wrap-around, but retain the result */ \ + __overflow = __builtin_mul_overflow(sizeof(*(__a)), __b, &__bytes); \ + __builtin_add_overflow((unsigned long)(__a), __bytes, (unsigned long *)(d)) || \ + __overflow; \ + }) + /** * check_add_overflow() - Calculate addition with overflow checking * @a: first addend @@ -64,7 +103,10 @@ static inline bool __must_check __must_check_overflow(bool overflow) * sum has overflowed or been truncated. */ #define check_add_overflow(a, b, d) \ - __must_check_overflow(__builtin_add_overflow(a, b, d)) + __must_check_overflow(__builtin_choose_expr(__is_ptr(a), \ + __check_ptr_add_overflow(__filter_ptr(a), b, d), \ + __builtin_add_overflow(__filter_integral(a), b, \ + __filter_ptrint(d)))) /** * check_sub_overflow() - Calculate subtraction with overflow checking 
diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c index c527f6b75789..2d106e880956 100644 --- a/lib/overflow_kunit.c +++ b/lib/overflow_kunit.c @@ -45,13 +45,18 @@ # define SKIP_64_ON_32(t) do { } while (0) #endif -#define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \ - static const struct test_ ## t1 ## _ ## t2 ## __ ## t { \ +#define DEFINE_TEST_ARRAY_NAMED_TYPED(n1, n2, n, t1, t2, t) \ + static const struct test_ ## n1 ## _ ## n2 ## __ ## n { \ t1 a; \ t2 b; \ - t sum, diff, prod; \ + t sum; \ + t diff; \ + t prod; \ bool s_of, d_of, p_of; \ - } t1 ## _ ## t2 ## __ ## t ## _tests[] + } n1 ## _ ## n2 ## __ ## n ## _tests[] + +#define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \ + DEFINE_TEST_ARRAY_NAMED_TYPED(t1, t2, t, t1, t2, t) #define DEFINE_TEST_ARRAY(t) DEFINE_TEST_ARRAY_TYPED(t, t, t) @@ -251,8 +256,10 @@ DEFINE_TEST_ARRAY(s64) = { }; #define check_one_op(t, fmt, op, sym, a, b, r, of) do { \ - int _a_orig = a, _a_bump = a + 1; \ - int _b_orig = b, _b_bump = b + 1; \ + typeof(a + 0) _a_orig = a; \ + typeof(a + 0) _a_bump = a + 1; \ + typeof(b + 0) _b_orig = b; \ + typeof(b + 0) _b_bump = b + 1; \ bool _of; \ t _r; \ \ 
@@ -260,13 +267,13 @@ DEFINE_TEST_ARRAY(s64) = { KUNIT_EXPECT_EQ_MSG(test, _of, of, \ "expected "fmt" "sym" "fmt" to%s overflow (type %s)\n", \ a, b, of ? "" : " not", #t); \ - KUNIT_EXPECT_EQ_MSG(test, _r, r, \ + KUNIT_EXPECT_TRUE_MSG(test, _r == r, \ "expected "fmt" "sym" "fmt" == "fmt", got "fmt" (type %s)\n", \ a, b, r, _r, #t); \ /* Check for internal macro side-effects. */ \ _of = check_ ## op ## _overflow(_a_orig++, _b_orig++, &_r); \ - KUNIT_EXPECT_EQ_MSG(test, _a_orig, _a_bump, "Unexpected " #op " macro side-effect!\n"); \ - KUNIT_EXPECT_EQ_MSG(test, _b_orig, _b_bump, "Unexpected " #op " macro side-effect!\n"); \ + KUNIT_EXPECT_TRUE_MSG(test, _a_orig == _a_bump, "Unexpected " #op " macro side-effect!\n"); \ + KUNIT_EXPECT_TRUE_MSG(test, _b_orig == _b_bump, "Unexpected " #op " macro side-effect!\n"); \ } while (0) #define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \ 
@@ -333,6 +340,55 @@ DEFINE_TEST_ARRAY_TYPED(int, int, u8) = { }; DEFINE_TEST_FUNC_TYPED(int_int__u8, u8, "%d"); +#define DEFINE_TEST_PTR_FUNC_TYPED(n, t, fmt) \ +static void do_ptr_test_ ## n(struct kunit *test, const struct test_ ## n *p) \ +{ \ + /* we're only doing single-direction sums, no product or division */ \ + check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of);\ +} \ + \ +static void n ## _overflow_test(struct kunit *test) { \ + unsigned i; \ + \ + for (i = 0; i < ARRAY_SIZE(n ## _tests); ++i) \ + do_ptr_test_ ## n(test, &n ## _tests[i]); \ + kunit_info(test, "%zu %s arithmetic tests finished\n", \ + ARRAY_SIZE(n ## _tests), #n); \ +} + +DEFINE_TEST_ARRAY_NAMED_TYPED(void, int, void, void *, int, void *) = { + {NULL, 0, NULL, NULL, NULL, false, false, false}, + {(void *)0x30, 0x10, (void *)0x40, NULL, NULL, false, false, false}, + {(void *)ULONG_MAX, 0, (void *)ULONG_MAX, NULL, NULL, false, false, false}, + {(void *)ULONG_MAX, 1, NULL, NULL, NULL, true, false, false}, + {(void *)ULONG_MAX, INT_MAX, (void *)(INT_MAX - 1), NULL, NULL, true, false, false}, +}; +DEFINE_TEST_PTR_FUNC_TYPED(void_int__void, void *, "%lx"); + +struct _sized { + int a; + char b; +}; + +DEFINE_TEST_ARRAY_NAMED_TYPED(sized, int, sized, struct _sized *, int, struct _sized *) = { + {NULL, 0, NULL, NULL, NULL, false, false, false}, + {NULL, 1, (struct _sized *)(sizeof(struct _sized)), NULL, NULL, false, false, false}, + {NULL, 0x10, (struct _sized *)(sizeof(struct _sized) * 0x10), NULL, NULL, false, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized)), 1, (struct _sized *)ULONG_MAX, NULL, NULL, false, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized) + 1), 1, NULL, NULL, NULL, true, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized) + 1), 2, (struct _sized *)(sizeof(struct _sized)), NULL, NULL, true, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized) + 1), 3, (struct _sized *)(sizeof(struct _sized) * 2), NULL, NULL, true, false, false}, 
+}; +DEFINE_TEST_PTR_FUNC_TYPED(sized_int__sized, struct _sized *, "%lx"); + +DEFINE_TEST_ARRAY_NAMED_TYPED(sized, size_t, sized, struct _sized *, size_t, struct _sized *) = { + {NULL, 0, NULL, NULL, NULL, false, false, false}, + {NULL, 1, (struct _sized *)(sizeof(struct _sized)), NULL, NULL, false, false, false}, + {NULL, 0x10, (struct _sized *)(sizeof(struct _sized) * 0x10), NULL, NULL, false, false, false}, + {NULL, SIZE_MAX - 10, (struct _sized *)18446744073709551528UL, NULL, NULL, true, false, false}, +}; +DEFINE_TEST_PTR_FUNC_TYPED(sized_size_t__sized, struct _sized *, "%zu"); + /* Args are: value, shift, type, expected result, overflow expected */ #define TEST_ONE_SHIFT(a, s, t, expect, of) do { \ typeof(a) __a = (a); \ 
@@ -1122,6 +1178,9 @@ static struct kunit_case overflow_test_cases[] = { KUNIT_CASE(s32_s32__s32_overflow_test), KUNIT_CASE(u64_u64__u64_overflow_test), KUNIT_CASE(s64_s64__s64_overflow_test), + KUNIT_CASE(void_int__void_overflow_test), + KUNIT_CASE(sized_int__sized_overflow_test), + KUNIT_CASE(sized_size_t__sized_overflow_test), KUNIT_CASE(u32_u32__int_overflow_test), KUNIT_CASE(u32_u32__u8_overflow_test), KUNIT_CASE(u8_u8__int_overflow_test),
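
Review bot: In the include/linux/compiler_types.h hunk, `__is_ptr_or_array()` compares `__builtin_classify_type(p)` against a bare `5`, and its comment ("Is variable addressable?") describes something other than what the macro tests. The value is the compiler's pointer type class, so a named constant (or at least a comment saying so) and a comment along the lines of "Is variable a pointer or array?" would match the commit message and make the dependency on the builtin's numbering visible. It would also help to document that `__decay()` only yields a meaningful type when `__is_ptr_or_array(p)` is true, since the other arm substitutes `NULL`.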
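
Review bot: In `__check_ptr_add_overflow()` (first include/linux/overflow.h hunk), the `(unsigned long *)(d)` cast removes any compile-time check on the destination, so a `d` that does not point to a pointer of the same type as `a`, or to a pointer-sized object at all, is accepted and written through as `unsigned long`. Consider asserting `__same_type(a, *(d))` before the cast. Separately, because `__bytes` is `size_t`, `__builtin_mul_overflow(sizeof(*(__a)), __b, &__bytes)` reports overflow for every negative `__b`; the kernel-doc for `@b` should say whether negative offsets are meant to be rejected, and the new test tables have no negative-offset row to pin that behaviour down.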
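
Review bot: The rewritten `check_add_overflow()` (second include/linux/overflow.h hunk) dispatches only on `__is_ptr(a)`, so the pointer has to be the first argument, but the kernel-doc above it still reads `@a: first addend` with no mention of pointers. With the operands swapped (integer first, pointer second) the integral arm is selected and `b` reaches `__builtin_add_overflow()` as a pointer, which the commit message says the compilers refuse. Please document the required argument order and the expected type of `d` in the pointer case, or filter `b` as well so a misuse fails with a clear build-time message.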
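
Review bot: In `check_one_op()` (lib/overflow_kunit.c, hunk at -251), `typeof(a + 0) _a_bump = a + 1;` and the later `_a_orig++` become open-coded pointer additions once `a` is a pointer, and the new tables pass `(void *)ULONG_MAX` and `(void *)(ULONG_MAX - sizeof(struct _sized) + 1)` as `a`. That is the same wrapping arithmetic the commit message wants to move away from to stay clear of the overflow sanitizers, so the side-effect check itself may trip them. Computing the bump through `unsigned long` for pointer operands, or skipping the side-effect check for the pointer tables, would avoid that.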
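
Review bot: In the `sized_size_t__sized` table (lib/overflow_kunit.c, hunk at -333), the expected sum `(struct _sized *)18446744073709551528UL` is a hand-computed 64-bit constant that bakes in both the word size and `sizeof(struct _sized)`; on a 32-bit build the literal is wider than a pointer. Deriving it in the table, for example `(struct _sized *)((SIZE_MAX - 10) * sizeof(struct _sized))`, keeps the row self-describing and independent of word size. Also, `check_one_op()` applies the single `fmt` to `a`, `b`, `r` and `_r`, so the `"%lx"` and `"%zu"` passed to `DEFINE_TEST_PTR_FUNC_TYPED()` are used to print both pointers and an `int` or `size_t` operand; the pointer tests likely need separate formats or casts for the failure messages to be well-formed.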

From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 02/82] overflow: Introduce add_would_overflow()
Date: Mon, 22 Jan 2024 16:26:37 -0800
Message-Id: <20240123002814.1396804-2-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

For instances where only the overflow needs to be checked (and the sum
isn't used), provide the new helper add_would_overflow(), which is
a wrapper for check_add_overflow().

Cc: "Gustavo A. R. Silva"
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook
---
 include/linux/overflow.h | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 099f2e559aa8..ac088f73e0fd 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h
@@ -108,6 +108,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) __builtin_add_overflow(__filter_integral(a), b, \ __filter_ptrint(d)))) +/** + * add_would_overflow() - Check if an addition would overflow + * @a: first addend + * @b: second addend + * + * Returns true if the sum would overflow. + * + * To keep a copy of the sum when the addition doesn't overflow, use + * check_add_overflow() instead. + */ +#define add_would_overflow(a, b) \ + __must_check_overflow(({ \ + size_t __result; \ + check_add_overflow(a, b, &__result);\ + })) + /** * check_sub_overflow() - Calculate subtraction with overflow checking * @a: minuend; value to subtract from
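
Review bot: In `add_would_overflow()`, `size_t __result;` fixes the destination type regardless of the operands, so for integer arguments the answer is whether the sum fits in `size_t`, not whether it fits in the type of `a` and `b`. A signed sum that is negative is reported as overflow, while `INT_MAX + 1` on two `int` operands is not. Declaring the temporary from the operand type (for example `typeof(a) __result;`) would keep the helper equivalent to the open-coded check it replaces, and the kernel-doc should state which type the "would overflow" answer refers to. The outer `__must_check_overflow()` is also redundant, since `check_add_overflow()` already wraps its result in it.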
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 03/82] overflow: Introduce add_wrap()
Date: Mon, 22 Jan 2024 16:26:38 -0800
Message-Id: <20240123002814.1396804-3-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

Provide a helper that will perform wrapping addition without tripping
the arithmetic wrap-around sanitizers.

Cc: "Gustavo A. R. Silva"
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook
--- include/linux/overflow.h | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index ac088f73e0fd..30779905a77a 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h
@@ -124,6 +124,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) check_add_overflow(a, b, &__result);\ })) +/** + * add_wrap() - Intentionally perform a wrapping addition + * @a: first addend + * @b: second addend + * + * Return the potentially wrapped-around addition without + * tripping any overflow sanitizers that may be enabled. + */ +#define add_wrap(a, b) \ + ({ \ + typeof(a) __sum; \ + if (check_add_overflow(a, b, &__sum)) \ + /* do nothing */; \ + __sum; \ + }) + /** * check_sub_overflow() - Calculate subtraction with overflow checking * @a: minuend; value to subtract from
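
Review bot: add_wrap() takes its result type from the first addend only (typeof(a) __sum), so add_wrap(a, b) and add_wrap(b, a) can return different widths and values when the addends differ in type, and a const-qualified @a leaves __sum unwritable for check_add_overflow(). The kernel-doc should say that the sum is computed in the type of @a (or the macro should reject mismatched types), ideally in a "Return:" section rather than free text. The if (...) /* do nothing */; construct exists only to consume the __must_check result; a short comment saying so would keep it from being removed as dead code later.
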
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Jonathan Corbet, "Gustavo A. R. Silva", Justin Stitt, workflows@vger.kernel.org, linux-doc@vger.kernel.org, Bill Wendling, linux-kernel@vger.kernel.org
Subject: [PATCH 04/82] docs: deprecated.rst: deprecate open-coded arithmetic wrap-around
Date: Mon, 22 Jan 2024 16:26:39 -0800
Message-Id: <20240123002814.1396804-4-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In pursuit of gaining full kernel instrumentation for signed[1],
unsigned[2], and pointer[3] arithmetic overflow, we need to replace
the handful of instances in the kernel where we intentionally depend on
arithmetic wrap-around. Document this goal and provide an example for
the most common code pattern, checking for simple overflow:

    if (VAR + OFFSET < VAR) ...

Link: https://github.com/KSPP/linux/issues/26 [1]
Link: https://github.com/KSPP/linux/issues/27 [2]
Link: https://github.com/KSPP/linux/issues/344 [3]
Cc: Jonathan Corbet
Cc: "Gustavo A. R. Silva"
Cc: Justin Stitt
Cc: workflows@vger.kernel.org
Cc: linux-doc@vger.kernel.org
Signed-off-by: Kees Cook
--- Documentation/process/deprecated.rst | 32 ++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/Documentation/process/deprecated.rst b/Documentation/process/deprecated.rst index 1f7f3e6c9cda..270f3af13b86 100644 --- a/Documentation/process/deprecated.rst +++ b/Documentation/process/deprecated.rst
@@ -109,6 +109,38 @@ For more details, also see array3_size() and flex_array_size(), as well as the related check_mul_overflow(), check_add_overflow(), check_sub_overflow(), and check_shl_overflow() family of functions. +open-coded intentional arithmetic wrap-around +--------------------------------------------- +Depending on arithmetic wrap-around without annotations means the +kernel cannot distinguish between intentional wrap-around and accidental +wrap-around (when using things like the overflow sanitizers). + +For example, where an addition is intended to wrap around:: + + magic = counter + rotation; + +please use the add_wrap() helper:: + + magic = add_wrap(counter, rotation); + +Another common code pattern in the kernel open coded testing for overflow +by performing an overflow and looking for wrap-around:: + + if (var + offset < var) ... + +Instead, use either check_add_overflow() (when you want to use the +resulting sum when it doesn't overflow) or add_would_overflow():: + + if (add_would_overflow(var, offset)) ... + +In rare cases where helpers aren't available (e.g. in early boot code, +etc) but overflow instrumentation still needs to be avoided, it can be +replaced with a type max subtraction test instead:: + + int var; + ... + if (INT_MAX - var < offset) ... 
+ simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull() ---------------------------------------------------------------------- The simple_strtol(), simple_strtoll(),
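
Review bot: the fallback example at the end of the new section, if (INT_MAX - var < offset), is itself a signed overflow whenever var is negative (INT_MAX - var then exceeds INT_MAX), so it can trip the very instrumentation it is meant to avoid, and it only detects wrap in the positive direction. State the precondition next to the example (var and offset non-negative) or show the unsigned form instead. Minor: "Another common code pattern in the kernel open coded testing for overflow" is missing a verb, and add_would_overflow() is recommended here without a pointer to where it is defined.
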
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Julia Lawall, Nicolas Palix, "Gustavo A. R. Silva", Justin Stitt, cocci@inria.fr, Bill Wendling, linux-kernel@vger.kernel.org
Subject: [PATCH 05/82] cocci: Refactor open-coded arithmetic wrap-around
Date: Mon, 22 Jan 2024 16:26:40 -0800
Message-Id: <20240123002814.1396804-5-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In pursuit of gaining full kernel instrumentation for signed[1],
unsigned[2], and pointer[3] arithmetic overflow, we need to replace
the handful of instances in the kernel where we intentionally depend on
arithmetic wrap-around. Introduce Coccinelle script for finding these
and replacing them with the new add_would_overflow() helper, for this
common code pattern:

    if (VAR + OFFSET < VAR) ...

Link: https://github.com/KSPP/linux/issues/26 [1]
Link: https://github.com/KSPP/linux/issues/27 [2]
Link: https://github.com/KSPP/linux/issues/344 [3]
Cc: Julia Lawall
Cc: Nicolas Palix
Cc: "Gustavo A. R. Silva"
Cc: Justin Stitt
Cc: cocci@inria.fr
Signed-off-by: Kees Cook
--- .../coccinelle/misc/add_would_overflow.cocci | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 scripts/coccinelle/misc/add_would_overflow.cocci diff --git a/scripts/coccinelle/misc/add_would_overflow.cocci b/scripts/coccinelle/misc/add_would_overflow.cocci new file mode 100644 index 000000000000..b9b67c9c3714 --- /dev/null +++ b/scripts/coccinelle/misc/add_would_overflow.cocci
@@ -0,0 +1,70 @@ +// SPDX-License-Identifier: GPL-2.0-only +/// +/// Replace intentional wrap-around addition with calls to +/// check_add_overflow() and add_would_overflow(), see +/// Documentation/process/deprecated.rst +/// +// +// Confidence: High +// Comments: +// Options: --no-includes --include-headers + +virtual context +virtual report +virtual org +virtual patch + +@report_wrap_sum depends on !patch@ +type RESULT; +RESULT VAR; +expression OFFSET; +@@ + + { + RESULT sum; + ... + ( +* VAR + OFFSET < VAR + ) + ... + ( + VAR + OFFSET + ) + ... + } + +@wrap_sum depends on patch@ +type RESULT; +RESULT VAR; +expression OFFSET; +@@ + + { ++ RESULT sum; + ... + ( +- VAR + OFFSET < VAR ++ check_add_overflow(VAR, OFFSET, &sum) + ) + ... + ( +- VAR + OFFSET ++ sum + ) + ... + } + +@report_wrap depends on !patch && !report_wrap_sum@ +identifier PTR; +expression OFFSET; +@@ + +* PTR + OFFSET < PTR + +@patch_wrap depends on patch && !wrap_sum@ +identifier PTR; +expression OFFSET; +@@ + +- PTR + OFFSET < PTR ++ add_would_overflow(PTR, OFFSET)
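
Review bot: report_wrap_sum and wrap_sum do not match the same code. The patch rule adds the declaration (+ RESULT sum;), but the report rule lists RESULT sum; as required context, so report mode only flags blocks that already declare a local named sum and leaves the rest to report_wrap. Drop the declaration from the report rule's context so both modes agree. In wrap_sum the hard-coded name sum can also collide with an existing local; a fresh identifier would avoid that. In report_wrap and patch_wrap, identifier PTR restricts the match to bare variable names, so tests on p->len or buf[i] are missed; if that is intentional, say so under "Comments:", which is currently empty.
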
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Justin Stitt, Miguel Ojeda, Nathan Chancellor, Nick Desaulniers, Peter Zijlstra, Marco Elver, Hao Luo, Przemek Kitszel, "Gustavo A. R. Silva", Bill Wendling, linux-kernel@vger.kernel.org
Subject: [PATCH 06/82] overflow: Reintroduce signed and unsigned overflow sanitizers
Date: Mon, 22 Jan 2024 16:26:41 -0800
Message-Id: <20240123002814.1396804-6-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

Effectively revert commit 6aaa31aeb9cf ("ubsan: remove overflow checks"), to allow the kernel to be built with the "*-overflow" sanitizers again. This gives developers a chance to experiment[1][2][3] with the instrumentation again, while dealing with the impact of -fno-strict-overflow.

Notably, the naming of the options is adjusted to use the name "WRAP" instead of "OVERFLOW". In the strictest sense, arithmetic "overflow" happens when a result exceeds the storage of the type, and is considered by the C standard and compilers to be undefined behavior for signed and pointer types (without -fno-strict-overflow). Unsigned arithmetic overflow is defined as always wrapping around.

Because the kernel is built with -fno-strict-overflow, signed and pointer arithmetic is defined to always wrap around instead of "overflowing" (which would either be elided due to being undefined behavior or would wrap around, which led to very weird bugs in the kernel).

So, the config options are added back as CONFIG_UBSAN_SIGNED_WRAP and CONFIG_UBSAN_UNSIGNED_WRAP. Since the kernel has several places that explicitly depend on wrap-around behavior (e.g. counters, atomics, etc), also introduce the __signed_wrap and __unsigned_wrap function attributes for annotating functions where wrapping is expected and should not be caught. This will allow us to distinguish in the kernel between intentional and unintentional cases of arithmetic wrap-around.

Additionally keep these disabled under CONFIG_COMPILE_TEST for now.

Link: https://github.com/KSPP/linux/issues/26 [1]
Link: https://github.com/KSPP/linux/issues/27 [2]
Link: https://github.com/KSPP/linux/issues/344 [3]
Cc: Justin Stitt
Cc: Miguel Ojeda
Cc: Nathan Chancellor
Cc: Nick Desaulniers
Cc: Peter Zijlstra
Cc: Marco Elver
Cc: Hao Luo
Cc: Przemek Kitszel
Signed-off-by: Kees Cook --- Documentation/process/deprecated.rst | 4 ++ include/linux/compiler_types.h | 14 +++++- lib/Kconfig.ubsan | 19 ++++++++ lib/test_ubsan.c | 49 ++++++++++++++++++++ lib/ubsan.c | 68 ++++++++++++++++++++++++++++ lib/ubsan.h | 4 ++ scripts/Makefile.ubsan | 2 + 7 files changed, 159 insertions(+), 1 deletion(-) diff --git a/Documentation/process/deprecated.rst b/Documentation/process/deprecated.rst index 270f3af13b86..aebd7c6cd2fc 100644 --- a/Documentation/process/deprecated.rst +++ b/Documentation/process/deprecated.rst @@ -141,6 +141,10 @@ replaced with a type max subtraction test instead:: ... if (INT_MAX - var < offset) ... +For inline helpers that are performing wrapping arithmetic, the entire +function can be annotated as intentionally wrapping by adding the +`__signed_wrap` or `__unsigned_wrap` function attribute. + simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull() ---------------------------------------------------------------------- The simple_strtol(), simple_strtoll(), diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index d27b58fddfaa..d24f43fc79c6 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h 
@@ -282,11 +282,23 @@ struct ftrace_likely_data { #define __no_sanitize_or_inline __always_inline #endif +/* Allow wrapping arithmetic within an annotated function. */ +#ifdef CONFIG_UBSAN_SIGNED_WRAP +# define __signed_wrap __attribute__((no_sanitize("signed-integer-overflow"))) +#else +# define __signed_wrap +#endif +#ifdef CONFIG_UBSAN_UNSIGNED_WRAP +# define __unsigned_wrap __attribute__((no_sanitize("unsigned-integer-overflow"))) +#else +# define __unsigned_wrap +#endif + /* Section for code which can't be instrumented at all */ #define __noinstr_section(section) \ noinline notrace __attribute((__section__(section))) \ __no_kcsan __no_sanitize_address __no_profile __no_sanitize_coverage \ - __no_sanitize_memory + __no_sanitize_memory __signed_wrap __unsigned_wrap #define noinstr __noinstr_section(".noinstr.text") diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index 59e21bfec188..a7003e5bd2a1 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan 
@@ -116,6 +116,25 @@ config UBSAN_UNREACHABLE This option enables -fsanitize=unreachable which checks for control flow reaching an expected-to-be-unreachable position. +config UBSAN_SIGNED_WRAP + bool "Perform checking for signed arithmetic wrap-around" + default UBSAN + depends on !COMPILE_TEST + depends on $(cc-option,-fsanitize=signed-integer-overflow) + help + This option enables -fsanitize=signed-integer-overflow which checks + for wrap-around of any arithmetic operations with signed integers. + +config UBSAN_UNSIGNED_WRAP + bool "Perform checking for unsigned arithmetic wrap-around" + depends on $(cc-option,-fsanitize=unsigned-integer-overflow) + depends on !X86_32 # avoid excessive stack usage on x86-32/clang + depends on !COMPILE_TEST + help + This option enables -fsanitize=unsigned-integer-overflow which checks + for wrap-around of any arithmetic operations with unsigned integers. This + currently causes x86 to fail to boot. + config UBSAN_BOOL bool "Perform checking for non-boolean values used as boolean" default UBSAN diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c index 2062be1f2e80..84d8092d6c32 100644 --- a/lib/test_ubsan.c +++ b/lib/test_ubsan.c 
@@ -11,6 +11,51 @@ typedef void(*test_ubsan_fp)(void); #config, IS_ENABLED(config) ? "y" : "n"); \ } while (0) +static void test_ubsan_add_overflow(void) +{ + volatile int val = INT_MAX; + volatile unsigned int uval = UINT_MAX; + + UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + val += 2; + + UBSAN_TEST(CONFIG_UBSAN_UNSIGNED_WRAP); + uval += 2; +} + +static void test_ubsan_sub_overflow(void) +{ + volatile int val = INT_MIN; + volatile unsigned int uval = 0; + volatile int val2 = 2; + + UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + val -= val2; + + UBSAN_TEST(CONFIG_UBSAN_UNSIGNED_WRAP); + uval -= val2; +} + +static void test_ubsan_mul_overflow(void) +{ + volatile int val = INT_MAX / 2; + volatile unsigned int uval = UINT_MAX / 2; + + UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + val *= 3; + + UBSAN_TEST(CONFIG_UBSAN_UNSIGNED_WRAP); + uval *= 3; +} + +static void test_ubsan_negate_overflow(void) +{ + volatile int val = INT_MIN; + + UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + val = -val; +} + static void test_ubsan_divrem_overflow(void) { volatile int val = 16; @@ -90,6 +135,10 @@ static void test_ubsan_misaligned_access(void) } static const test_ubsan_fp test_ubsan_array[] = { + test_ubsan_add_overflow, + test_ubsan_sub_overflow, + test_ubsan_mul_overflow, + test_ubsan_negate_overflow, test_ubsan_shift_out_of_bounds, test_ubsan_out_of_bounds, test_ubsan_load_invalid_value, diff --git a/lib/ubsan.c b/lib/ubsan.c index df4f8d1354bb..5fc107f61934 100644 --- a/lib/ubsan.c +++ b/lib/ubsan.c 
@@ -222,6 +222,74 @@ static void ubsan_epilogue(void) check_panic_on_warn("UBSAN"); } +static void handle_overflow(struct overflow_data *data, void *lhs, + void *rhs, char op) +{ + + struct type_descriptor *type = data->type; + char lhs_val_str[VALUE_LENGTH]; + char rhs_val_str[VALUE_LENGTH]; + + if (suppress_report(&data->location)) + return; + + ubsan_prologue(&data->location, type_is_signed(type) ? + "signed-integer-overflow" : + "unsigned-integer-overflow"); + + val_to_string(lhs_val_str, sizeof(lhs_val_str), type, lhs); + val_to_string(rhs_val_str, sizeof(rhs_val_str), type, rhs); + pr_err("%s %c %s cannot be represented in type %s\n", + lhs_val_str, + op, + rhs_val_str, + type->type_name); + + ubsan_epilogue(); +} + +void __ubsan_handle_add_overflow(void *data, + void *lhs, void *rhs) +{ + + handle_overflow(data, lhs, rhs, '+'); +} +EXPORT_SYMBOL(__ubsan_handle_add_overflow); + +void __ubsan_handle_sub_overflow(void *data, + void *lhs, void *rhs) +{ + handle_overflow(data, lhs, rhs, '-'); +} +EXPORT_SYMBOL(__ubsan_handle_sub_overflow); + +void __ubsan_handle_mul_overflow(void *data, + void *lhs, void *rhs) +{ + handle_overflow(data, lhs, rhs, '*'); +} +EXPORT_SYMBOL(__ubsan_handle_mul_overflow); + +void __ubsan_handle_negate_overflow(void *_data, void *old_val) +{ + struct overflow_data *data = _data; + char old_val_str[VALUE_LENGTH]; + + if (suppress_report(&data->location)) + return; + + ubsan_prologue(&data->location, "negation-overflow"); + + val_to_string(old_val_str, sizeof(old_val_str), data->type, old_val); + + pr_err("negation of %s cannot be represented in type %s:\n", + old_val_str, data->type->type_name); + + ubsan_epilogue(); +} +EXPORT_SYMBOL(__ubsan_handle_negate_overflow); + + void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs) { struct overflow_data *data = _data; diff --git a/lib/ubsan.h b/lib/ubsan.h index 5d99ab81913b..0abbbac8700d 100644 --- a/lib/ubsan.h +++ b/lib/ubsan.h 
@@ -124,6 +124,10 @@ typedef s64 s_max; typedef u64 u_max; #endif +void __ubsan_handle_add_overflow(void *data, void *lhs, void *rhs); +void __ubsan_handle_sub_overflow(void *data, void *lhs, void *rhs); +void __ubsan_handle_mul_overflow(void *data, void *lhs, void *rhs); +void __ubsan_handle_negate_overflow(void *_data, void *old_val); void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs); void __ubsan_handle_type_mismatch(struct type_mismatch_data *data, void *ptr); void __ubsan_handle_type_mismatch_v1(void *_data, void *ptr); diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 4749865c1b2c..de4fc0ae448a 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan 
@@ -8,6 +8,8 @@ ubsan-cflags-$(CONFIG_UBSAN_LOCAL_BOUNDS) += -fsanitize=local-bounds ubsan-cflags-$(CONFIG_UBSAN_SHIFT) += -fsanitize=shift ubsan-cflags-$(CONFIG_UBSAN_DIV_ZERO) += -fsanitize=integer-divide-by-zero ubsan-cflags-$(CONFIG_UBSAN_UNREACHABLE) += -fsanitize=unreachable +ubsan-cflags-$(CONFIG_UBSAN_SIGNED_WRAP) += -fsanitize=signed-integer-overflow +ubsan-cflags-$(CONFIG_UBSAN_UNSIGNED_WRAP) += -fsanitize=unsigned-integer-overflow ubsan-cflags-$(CONFIG_UBSAN_BOOL) += -fsanitize=bool ubsan-cflags-$(CONFIG_UBSAN_ENUM) += -fsanitize=enum ubsan-cflags-$(CONFIG_UBSAN_TRAP) += -fsanitize-undefined-trap-on-error
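Review bot: In the Documentation/process/deprecated.rst hunk of [PATCH 06/82], the new paragraph marks `__signed_wrap` and `__unsigned_wrap` with single backticks, which reStructuredText treats as interpreted text rather than an inline literal; use double backticks so the attribute names render as code. The paragraph should also say that the attributes only take effect when CONFIG_UBSAN_SIGNED_WRAP or CONFIG_UBSAN_UNSIGNED_WRAP is set and expand to nothing otherwise, since that is what the compiler_types.h hunk implements.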
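Review bot: In the include/linux/compiler_types.h hunk of [PATCH 06/82], the one-line comment above __signed_wrap and __unsigned_wrap does not say what happens when an annotated helper is inlined into an unannotated caller, although "inline helpers" are exactly the use case the documentation hunk names. Please state whether the no_sanitize attribute is expected to hold across inlining on the supported compilers, or give guidance on how such helpers must be declared. Adding both attributes to __noinstr_section changes every noinstr function and is not mentioned in the commit message; a sentence there would help.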
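Review bot: In the lib/Kconfig.ubsan hunk of [PATCH 06/82], the UBSAN_UNSIGNED_WRAP help text says the option "currently causes x86 to fail to boot", yet the only architecture guard is "depends on !X86_32", so a 64-bit x86 config can still select it. If the boot failure also affects x86-64, the dependency should exclude it until that is fixed; if it is 32-bit only, the help text should say so. Separately, UBSAN_SIGNED_WRAP is "default UBSAN", which switches the new reports on for every existing UBSAN config before the intentional wrap sites the commit message mentions have been annotated; leaving it off by default, as UBSAN_UNSIGNED_WRAP is, would fit the stated goal of letting developers experiment.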
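Review bot: In the lib/ubsan.c hunk of [PATCH 06/82], __ubsan_handle_negate_overflow() ends its message with a colon ("negation of %s cannot be represented in type %s:\n") although nothing follows it, while handle_overflow() prints the same kind of sentence without one; drop the colon so the two reports are consistent. Style: handle_overflow() and __ubsan_handle_add_overflow() each add an empty line directly after the opening brace, and two empty lines are added before __ubsan_handle_divrem_overflow(); one blank line between functions and none after the brace is the usual form.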
From patchwork Tue Jan 23 00:26:42 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 190602
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrew Morton, Masahiro Yamada, Nathan Chancellor, Nicolas Schier, linux-kbuild@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 07/82] overflow: Introduce CONFIG_UBSAN_POINTER_WRAP
Date: Mon, 22 Jan 2024 16:26:42 -0800
Message-Id: <20240123002814.1396804-7-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

Gain coverage for pointer wrap-around checking.
Adds support for -fsanitize=pointer-overflow, and introduces the __pointer_wrap function attribute to match the signed and unsigned attributes. Also like the others, it is currently disabled under CONFIG_COMPILE_TEST. Cc: Andrew Morton Cc: Masahiro Yamada Cc: Nathan Chancellor Cc: Nicolas Schier Cc: linux-kbuild@vger.kernel.org Signed-off-by: Kees Cook --- Documentation/process/deprecated.rst | 2 +- include/linux/compiler_types.h | 7 +++++- lib/Kconfig.ubsan | 8 +++++++ lib/test_ubsan.c | 33 ++++++++++++++++++++++++++++ lib/ubsan.c | 21 ++++++++++++++++++ lib/ubsan.h | 1 + scripts/Makefile.ubsan | 1 + 7 files changed, 71 insertions(+), 2 deletions(-) diff --git a/Documentation/process/deprecated.rst b/Documentation/process/deprecated.rst index aebd7c6cd2fc..15e77cbd4259 100644 --- a/Documentation/process/deprecated.rst +++ b/Documentation/process/deprecated.rst @@ -143,7 +143,7 @@ replaced with a type max subtraction test instead:: For inline helpers that are performing wrapping arithmetic, the entire function can be annotated as intentionally wrapping by adding the -`__signed_wrap` or `__unsigned_wrap` function attribute. +`__signed_wrap`, `__unsigned_wrap`, or `__pointer_wrap` function attribute. simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull() ---------------------------------------------------------------------- diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index d24f43fc79c6..84cfd9d55453 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h 
@@ -293,12 +293,17 @@ struct ftrace_likely_data { #else # define __unsigned_wrap #endif +#ifdef CONFIG_UBSAN_POINTER_WRAP +# define __pointer_wrap __attribute__((no_sanitize("pointer-overflow"))) +#else +# define __pointer_wrap +#endif /* Section for code which can't be instrumented at all */ #define __noinstr_section(section) \ noinline notrace __attribute((__section__(section))) \ __no_kcsan __no_sanitize_address __no_profile __no_sanitize_coverage \ - __no_sanitize_memory __signed_wrap __unsigned_wrap + __no_sanitize_memory __signed_wrap __unsigned_wrap __pointer_wrap #define noinstr __noinstr_section(".noinstr.text") diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index a7003e5bd2a1..04222a6d7fd9 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -135,6 +135,14 @@ config UBSAN_UNSIGNED_WRAP for wrap-around of any arithmetic operations with unsigned integers. This currently causes x86 to fail to boot. +config UBSAN_POINTER_WRAP + bool "Perform checking for pointer arithmetic wrap-around" + depends on !COMPILE_TEST + depends on $(cc-option,-fsanitize=pointer-overflow) + help + This option enables -fsanitize=pointer-overflow which checks + for wrap-around of any arithmetic operations with pointers. + config UBSAN_BOOL bool "Perform checking for non-boolean values used as boolean" default UBSAN diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c index 84d8092d6c32..1cc049b3ef34 100644 --- a/lib/test_ubsan.c +++ b/lib/test_ubsan.c 
@@ -56,6 +56,36 @@ static void test_ubsan_negate_overflow(void) val = -val; } +static void test_ubsan_pointer_overflow_add(void) +{ + volatile void *top = (void *)ULONG_MAX; + + UBSAN_TEST(CONFIG_UBSAN_POINTER_WRAP); + top += 2; +} + +static void test_ubsan_pointer_overflow_sub(void) +{ + volatile void *bottom = (void *)1; + + UBSAN_TEST(CONFIG_UBSAN_POINTER_WRAP); + bottom -= 3; +} + +struct ptr_wrap { + int a; + int b; +}; + +static void test_ubsan_pointer_overflow_mul(void) +{ + volatile struct ptr_wrap *half = (void *)(ULONG_MAX - 128); + volatile int bump = 128; + + UBSAN_TEST(CONFIG_UBSAN_POINTER_WRAP); + half += bump; +} + static void test_ubsan_divrem_overflow(void) { volatile int val = 16; @@ -139,6 +169,9 @@ static const test_ubsan_fp test_ubsan_array[] = { test_ubsan_sub_overflow, test_ubsan_mul_overflow, test_ubsan_negate_overflow, + test_ubsan_pointer_overflow_add, + test_ubsan_pointer_overflow_sub, + test_ubsan_pointer_overflow_mul, test_ubsan_shift_out_of_bounds, test_ubsan_out_of_bounds, test_ubsan_load_invalid_value, diff --git a/lib/ubsan.c b/lib/ubsan.c index 5fc107f61934..d49580ff6aea 100644 --- a/lib/ubsan.c +++ b/lib/ubsan.c @@ -289,6 +289,27 @@ void __ubsan_handle_negate_overflow(void *_data, void *old_val) } EXPORT_SYMBOL(__ubsan_handle_negate_overflow); +void __ubsan_handle_pointer_overflow(void *_data, void *lhs, void *rhs) +{ + struct overflow_data *data = _data; + unsigned long before = (unsigned long)lhs; + unsigned long after = (unsigned long)rhs; + + if (suppress_report(&data->location)) + return; + + ubsan_prologue(&data->location, "pointer-overflow"); + + if (after == 0) + pr_err("overflow wrapped to NULL\n"); + else if (after < before) + pr_err("overflow wrap-around\n"); + else + pr_err("underflow wrap-around\n"); + + ubsan_epilogue(); +} +EXPORT_SYMBOL(__ubsan_handle_pointer_overflow); void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs) { 
diff --git a/lib/ubsan.h b/lib/ubsan.h index 0abbbac8700d..5dd27923b78b 100644 --- a/lib/ubsan.h +++ b/lib/ubsan.h @@ -128,6 +128,7 @@ void __ubsan_handle_add_overflow(void *data, void *lhs, void *rhs); void __ubsan_handle_sub_overflow(void *data, void *lhs, void *rhs); void __ubsan_handle_mul_overflow(void *data, void *lhs, void *rhs); void __ubsan_handle_negate_overflow(void *_data, void *old_val); +void __ubsan_handle_pointer_overflow(void *_data, void *lhs, void *rhs); void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs); void __ubsan_handle_type_mismatch(struct type_mismatch_data *data, void *ptr); void __ubsan_handle_type_mismatch_v1(void *_data, void *ptr); diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index de4fc0ae448a..37e8c31dc655 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan 
@@ -10,6 +10,7 @@ ubsan-cflags-$(CONFIG_UBSAN_DIV_ZERO) += -fsanitize=integer-divide-by-zero ubsan-cflags-$(CONFIG_UBSAN_UNREACHABLE) += -fsanitize=unreachable ubsan-cflags-$(CONFIG_UBSAN_SIGNED_WRAP) += -fsanitize=signed-integer-overflow ubsan-cflags-$(CONFIG_UBSAN_UNSIGNED_WRAP) += -fsanitize=unsigned-integer-overflow +ubsan-cflags-$(CONFIG_UBSAN_POINTER_WRAP) += -fsanitize=pointer-overflow ubsan-cflags-$(CONFIG_UBSAN_BOOL) += -fsanitize=bool ubsan-cflags-$(CONFIG_UBSAN_ENUM) += -fsanitize=enum ubsan-cflags-$(CONFIG_UBSAN_TRAP) += -fsanitize-undefined-trap-on-error
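Review bot: In the lib/ubsan.c hunk of [PATCH 07/82], __ubsan_handle_pointer_overflow() reports only a direction and never prints the two pointer values, whereas handle_overflow() from the previous patch prints both operands; include before and after, in whatever form is acceptable for kernel addresses in logs, so a report can be triaged from the log alone. The two arguments are used as the pointer before and after the arithmetic, so naming them lhs and rhs is misleading. The final else also labels every remaining case "underflow wrap-around", which would include a NULL base (before == 0) if the compiler routes that case through this handler; an explicit branch for it would keep the message accurate.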
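Review bot: In the lib/test_ubsan.c hunk of [PATCH 07/82], test_ubsan_pointer_overflow_mul() contains no multiplication in the source; the wrap comes from "half += bump" being scaled by sizeof(struct ptr_wrap). Add a comment saying so, because the choice of ULONG_MAX - 128 together with bump = 128 only makes sense once the implicit scaling is known, and a reader comparing it with test_ubsan_pointer_overflow_add() will otherwise take it for a duplicate.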
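Review bot: In the lib/Kconfig.ubsan hunk of [PATCH 07/82], UBSAN_POINTER_WRAP has no default line, while UBSAN_SIGNED_WRAP in the previous patch is "default UBSAN"; the commit message presents the new option as matching the others, so please say in the changelog or the help text whether off by default is intended. The help text could also name __pointer_wrap as the way to mark intentional wrap sites, since that is the only place a user configuring the kernel will read about it.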
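The distinction the [PATCH 06/82] commit message draws between wrap-around and a checked operation, worked through for the operand values used by the lib/test_ubsan.c cases in both patches. This is an added userspace example, not part of the patches or the kernel tree; the helper names are hypothetical, and it assumes a 32-bit int and the GCC/Clang overflow builtins.

```c
/* Added illustration: userspace C, not kernel code. Assumes 32-bit int. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Intentional wrap-around with a defined result: do the arithmetic in
 * unsigned int, then convert back. The conversion of an out-of-range
 * value to int is implementation-defined in ISO C; GCC and Clang
 * document it as reduction modulo 2^N, which is assumed here.
 */
static int wrapping_add(int a, int b)
{
	return (int)((unsigned int)a + (unsigned int)b);
}

static int wrapping_sub(int a, int b)
{
	return (int)((unsigned int)a - (unsigned int)b);
}

static int wrapping_mul(int a, int b)
{
	return (int)((unsigned int)a * (unsigned int)b);
}

static int wrapping_neg(int a)
{
	return (int)(0u - (unsigned int)a);
}

/*
 * Pre-check in the style of the deprecated.rst context line
 * "if (INT_MAX - var < offset)", extended here to negative offsets so
 * that the check itself never leaves the range of int.
 */
static bool add_would_wrap(int var, int offset)
{
	if (offset > 0)
		return var > INT_MAX - offset;
	if (offset < 0)
		return var < INT_MIN - offset;
	return false;
}

/* Same question answered by the compiler builtin, for comparison. */
static bool add_would_wrap_builtin(int var, int offset)
{
	int sum;

	return __builtin_add_overflow(var, offset, &sum);
}

/*
 * Pointer form: does base + nelem * elem_size leave the address space?
 * The multiplication is the implicit scaling that pointer arithmetic on
 * a struct pointer performs.
 */
static bool range_wraps(uintptr_t base, size_t nelem, size_t elem_size)
{
	size_t bytes;
	uintptr_t end;

	if (__builtin_mul_overflow(nelem, elem_size, &bytes))
		return true;
	return __builtin_add_overflow(base, bytes, &end);
}

int main(void)
{
	/* Operand values taken from the test cases in the patches. */
	printf("INT_MAX + 2       wraps to %d\n", wrapping_add(INT_MAX, 2));
	printf("INT_MIN - 2       wraps to %d\n", wrapping_sub(INT_MIN, 2));
	printf("(INT_MAX / 2) * 3 wraps to %d\n", wrapping_mul(INT_MAX / 2, 3));
	printf("-INT_MIN          wraps to %d\n", wrapping_neg(INT_MIN));
	printf("pre-check INT_MAX + 2: %d (builtin: %d)\n",
	       add_would_wrap(INT_MAX, 2), add_would_wrap_builtin(INT_MAX, 2));
	printf("struct pointer near top + 128 elements wraps: %d\n",
	       range_wraps(UINTPTR_MAX - 128, 128, 2 * sizeof(int)));
	return 0;
}
```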

From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Alexander Viro, Andrew Morton, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 08/82] iov_iter: Avoid wrap-around instrumentation in copy_compat_iovec_from_user
Date: Mon, 22 Jan 2024 16:26:43 -0800
Message-Id: <20240123002814.1396804-8-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

The loop counter "i" in copy_compat_iovec_from_user() is an int, but because the nr_segs argument is unsigned long, the signed overflow sanitizer
got worried "i" could wrap around. Instead of making "i" an unsigned long (which may enlarge the type size), switch both nr_segs and i to u32. There is no truncation with nr_segs since it is never larger than UIO_MAXIOV anyway.

This keeps sanitizer instrumentation[1] out of a UACCESS path:

vmlinux.o: warning: objtool: copy_compat_iovec_from_user+0xa9: call to __ubsan_handle_add_overflow() with UACCESS enabled

Link: https://github.com/KSPP/linux/issues/26 [1]
Cc: Alexander Viro
Cc: Andrew Morton
Signed-off-by: Kees Cook
---
lib/iov_iter.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/iov_iter.c b/lib/iov_iter.c index e0aa6b440ca5..d797a43dca91 100644 --- a/lib/iov_iter.c +++ b/lib/iov_iter.c
@@ -1166,11 +1166,12 @@ const void *dup_iter(struct iov_iter *new, struct iov_iter *old, gfp_t flags) EXPORT_SYMBOL(dup_iter); static __noclone int copy_compat_iovec_from_user(struct iovec *iov, - const struct iovec __user *uvec, unsigned long nr_segs) + const struct iovec __user *uvec, u32 nr_segs) { const struct compat_iovec __user *uiov = (const struct compat_iovec __user *)uvec; - int ret = -EFAULT, i; + int ret = -EFAULT; + u32 i; if (!user_access_begin(uiov, nr_segs * sizeof(*uiov))) return -EFAULT;
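
Review bot: narrowing `nr_segs` to `u32` in the copy_compat_iovec_from_user() signature is only safe while every caller has already bounded the count, and nothing in this hunk records or enforces that; a larger unsigned long value would now be truncated at the call, before `user_access_begin(uiov, nr_segs * sizeof(*uiov))` sees it. The commit message gives the bound (UIO_MAXIOV), so a one-line comment above the function stating it would keep the narrowing from looking accidental, and it is worth confirming the caller's own count type so the conversion is not left implicit.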

From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Alexander Viro, Christian Brauner, Jan Kara, linux-fsdevel@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 09/82] select: Avoid wrap-around instrumentation in do_sys_poll()
Date: Mon, 22 Jan 2024 16:26:44 -0800
Message-Id: <20240123002814.1396804-9-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

The mix of int, unsigned int, and unsigned long used by struct poll_list::len, todo, len, and j meant that the signed
overflow sanitizer got worried it needed to instrument several places where arithmetic happens between these variables. Since all of the variables are always positive and bounded by unsigned int, use a single type in all places. Additionally expand the zero-test into an explicit range check before updating "todo".

This keeps sanitizer instrumentation[1] out of a UACCESS path:

vmlinux.o: warning: objtool: do_sys_poll+0x285: call to __ubsan_handle_sub_overflow() with UACCESS enabled

Cc: Alexander Viro
Cc: Christian Brauner
Cc: Jan Kara
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed-by: Jan Kara
---
fs/select.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/fs/select.c b/fs/select.c index 0ee55af1a55c..11a3b1312abe 100644 --- a/fs/select.c +++ b/fs/select.c @@ -839,7 +839,7 @@ SYSCALL_DEFINE1(old_select, struct sel_arg_struct __user *, arg) struct poll_list { struct poll_list *next; - int len; + unsigned int len; struct pollfd entries[]; }; @@ -975,14 +975,15 @@ static int do_sys_poll(struct pollfd __user *ufds, unsigned int nfds, struct timespec64 *end_time) { struct poll_wqueues table; - int err = -EFAULT, fdcount, len; + int err = -EFAULT, fdcount; /* Allocate small arguments on the stack to save memory and be faster - use long to make sure the buffer is aligned properly on 64 bit archs to avoid unaligned access */ long stack_pps[POLL_STACK_ALLOC/sizeof(long)]; struct poll_list *const head = (struct poll_list *)stack_pps; struct poll_list *walk = head; - unsigned long todo = nfds; + unsigned int todo = nfds; + unsigned int len; if (nfds > rlimit(RLIMIT_NOFILE)) return -EINVAL; @@ -998,9 +999,9 @@ static int do_sys_poll(struct pollfd __user *ufds, unsigned int nfds, sizeof(struct pollfd) * walk->len)) goto out_fds; - todo -= walk->len; - if (!todo) + if (walk->len >= todo) break; + todo -= walk->len; len = min(todo, POLLFD_PER_PAGE); walk = walk->next = kmalloc(struct_size(walk, entries, len),
@@ -1020,7 +1021,7 @@ static int do_sys_poll(struct pollfd __user *ufds, unsigned int nfds, for (walk = head; walk; walk = walk->next) { struct pollfd *fds = walk->entries; - int j; + unsigned int j; for (j = walk->len; j; fds++, ufds++, j--) unsafe_put_user(fds->revents, &ufds->revents, Efault);
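
Review bot: in the -998 hunk of fs/select.c, `if (walk->len >= todo) break;` now ends the loop quietly when walk->len is larger than todo, a case the old `todo -= walk->len; if (!todo)` sequence would have turned into a wrapped `todo`, so an inconsistent chunk length is hidden rather than reported. If that case is impossible by construction, say so in a comment, or flag the strict `>` case with a warning so a future sizing bug stays visible; `todo` is also no longer reduced on the final pass, which matters only if something reads it after the loop. The context line `len = min(todo, POLLFD_PER_PAGE);` now takes an unsigned int first operand, and the type of POLLFD_PER_PAGE is not shown here, so check that the pair still satisfies min()'s type rules.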
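
Review bot: the `unsigned int j` countdown in the -1020 hunk sits in the unsafe_put_user() loop, the kind of UACCESS region the objtool warning quoted in the commit message is about, but that message cites the instrumentation as [1] and carries no Link: trailer defining [1]. Add the Link line, as patch 08 of this series does, so the reference resolves.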

From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Will Deacon, Peter Zijlstra, Boqun Feng, Mark Rutland, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 10/82] locking/atomic/x86: Silence intentional wrapping addition
Date: Mon, 22 Jan 2024 16:26:45 -0800
Message-Id: <20240123002814.1396804-10-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

Annotate atomic_add_return() to avoid
signed overflow instrumentation. It is expected to wrap around.

Cc: Will Deacon
Cc: Peter Zijlstra
Cc: Boqun Feng
Cc: Mark Rutland
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: Dave Hansen
Cc: x86@kernel.org
Cc: "H. Peter Anvin"
Signed-off-by: Kees Cook
---
arch/x86/include/asm/atomic.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h index 55a55ec04350..4120cdd87da8 100644 --- a/arch/x86/include/asm/atomic.h +++ b/arch/x86/include/asm/atomic.h
@@ -80,7 +80,7 @@ static __always_inline bool arch_atomic_add_negative(int i, atomic_t *v) } #define arch_atomic_add_negative arch_atomic_add_negative -static __always_inline int arch_atomic_add_return(int i, atomic_t *v) +static __always_inline __signed_wrap int arch_atomic_add_return(int i, atomic_t *v) { return i + xadd(&v->counter, i); }
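
Review bot: `__signed_wrap` is applied to arch_atomic_add_return() alone, so any other helper in this header that does the same kind of signed arithmetic on a counter would still be instrumented; the hunk does not show them, so check the subtraction and 64-bit counterparts and annotate them in the same patch if they wrap by design. A short comment next to `return i + xadd(&v->counter, i);` saying the wrap is intentional would help, and the commit message names atomic_add_return() while the function changed is arch_atomic_add_return().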
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Will Deacon, Peter Zijlstra, Boqun Feng, Mark Rutland, Catalin Marinas, linux-arm-kernel@lists.infradead.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 11/82] arm64: atomics: lse: Silence intentional wrapping addition
Date: Mon, 22 Jan 2024 16:26:46 -0800
Message-Id: <20240123002814.1396804-11-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Annotate atomic_add_return() and atomic_sub_return() to avoid signed
overflow instrumentation. They are expected to wrap around.

Cc: Will Deacon
Cc: Peter Zijlstra
Cc: Boqun Feng
Cc: Mark Rutland
Cc: Catalin Marinas
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Kees Cook
--- arch/arm64/include/asm/atomic_lse.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/arm64/include/asm/atomic_lse.h b/arch/arm64/include/asm/atomic_lse.h index 87f568a94e55..30572458d702 100644 --- a/arch/arm64/include/asm/atomic_lse.h +++ b/arch/arm64/include/asm/atomic_lse.h @@ -79,13 +79,13 @@ ATOMIC_FETCH_OP_SUB( ) #undef ATOMIC_FETCH_OP_SUB #define ATOMIC_OP_ADD_SUB_RETURN(name) \ -static __always_inline int \ +static __always_inline __signed_wrap int \ __lse_atomic_add_return##name(int i, atomic_t *v) \ { \ return __lse_atomic_fetch_add##name(i, v) + i; \ } \ \ -static __always_inline int \ +static __always_inline __signed_wrap int \ __lse_atomic_sub_return##name(int i, atomic_t *v) \ { \ return __lse_atomic_fetch_sub(i, v) - i; \ 
@@ -186,13 +186,13 @@ ATOMIC64_FETCH_OP_SUB( ) #undef ATOMIC64_FETCH_OP_SUB #define ATOMIC64_OP_ADD_SUB_RETURN(name) \ -static __always_inline long \ +static __always_inline __signed_wrap long \ __lse_atomic64_add_return##name(s64 i, atomic64_t *v) \ { \ return __lse_atomic64_fetch_add##name(i, v) + i; \ } \ \ -static __always_inline long \ +static __always_inline __signed_wrap long \ __lse_atomic64_sub_return##name(s64 i, atomic64_t *v) \ { \ return __lse_atomic64_fetch_sub##name(i, v) - i; \

From patchwork Tue Jan 23 00:26:47 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 190590
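Review bot: in the atomic_lse.h hunk at -79,13, the body of __lse_atomic_sub_return##name calls "__lse_atomic_fetch_sub(i, v)" without the ##name suffix, while __lse_atomic_add_return##name and both atomic64 helpers in the -186,13 hunk pass ##name through. That line is unchanged context, but since this patch touches the function's signature it is worth confirming the missing suffix is deliberate, and either saying so in the commit message or fixing it in a separate patch.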
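Review bot: the commit message names only atomic_add_return() and atomic_sub_return(), but the atomic_lse.h hunk at -186,13 also annotates __lse_atomic64_add_return##name and __lse_atomic64_sub_return##name. Please mention the atomic64 variants in the message, so that someone searching the log for why the 64-bit helpers are exempt from signed-overflow instrumentation finds this change.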
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Jakub Kicinski, "David S. Miller", David Ahern, Eric Dumazet, Paolo Abeni, netdev@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 12/82] ipv4: Silence intentional wrapping addition
Date: Mon, 22 Jan 2024 16:26:47 -0800
Message-Id: <20240123002814.1396804-12-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The overflow sanitizer quickly noticed what appears to have been an old
sore spot involving intended wrap around:

[ 22.192362] ------------[ cut here ]------------
[ 22.193329] UBSAN: signed-integer-overflow in ../arch/x86/include/asm/atomic.h:85:11
[ 22.194844] 1469769800 + 1671667352 cannot be represented in type 'int'
[ 22.195975] CPU: 2 PID: 2260 Comm: nmbd Not tainted 6.7.0 #1
[ 22.196927] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
[ 22.198231] Call Trace:
[ 22.198641]
[ 22.198641] dump_stack_lvl+0x64/0x80
[ 22.199533] handle_overflow+0x152/0x1a0
[ 22.200382] __ip_select_ident+0xe3/0x100

Explicitly perform a wrapping addition to solve for the needed
-fno-strict-overflow behavior but still allow the sanitizers to operate
correctly.

To see the (unchanged) assembly results more clearly, see:
https://godbolt.org/z/EhYhz6zTT

Cc: Jakub Kicinski
Cc: "David S. Miller"
Cc: David Ahern
Cc: Eric Dumazet
Cc: Paolo Abeni
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- net/ipv4/route.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 16615d107cf0..c52e85b06fe7 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c 
@@ -473,11 +473,11 @@ static u32 ip_idents_reserve(u32 hash, int segs) if (old != now && cmpxchg(p_tstamp, old, now) == old) delta = get_random_u32_below(now - old); - /* If UBSAN reports an error there, please make sure your compiler - * supports -fno-strict-overflow before reporting it that was a bug - * in UBSAN, and it has been fixed in GCC-8. + /* If UBSAN reports an error there, please make sure your arch's + * atomic_add_return() implementation has been annotated with + * __signed_wrap. */ - return atomic_add_return(segs + delta, p_id) - segs; + return atomic_add_return(add_wrap(segs, delta), p_id) - segs; } void __ip_select_ident(struct net *net, struct iphdr *iph, int segs)

From patchwork Tue Jan 23 00:26:48 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 190643
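Review bot: in the net/ipv4/route.c hunk at -473,11, only the "segs + delta" operand becomes add_wrap(segs, delta); the trailing "- segs" in the same return statement is still open-coded. atomic_add_return() returns int (see the x86 and arm64 hunks earlier in this series) and segs is int, so that subtraction is signed and can still overflow once the counter has wrapped close to INT_MIN. Either make the subtraction an explicit wrapping operation too, or say in the comment why it cannot trip the sanitizer. The rewritten comment also makes a clean report depend on every architecture's atomic_add_return() carrying __signed_wrap; naming the architectures this series already covers would tell a reader where to look first.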
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Chris Mason, Josef Bacik, David Sterba, linux-btrfs@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 13/82] btrfs: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:48 -0800
Message-Id: <20240123002814.1396804-13-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which
removes the redundant open-coded addition). This paves the way to
enabling the wrap-around sanitizer in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Chris Mason
Cc: Josef Bacik
Cc: David Sterba
Cc: linux-btrfs@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: David Sterba
--- fs/btrfs/extent_map.c | 6 ++++-- fs/btrfs/extent_map.h | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/fs/btrfs/extent_map.c b/fs/btrfs/extent_map.c index b61099bf97a8..29a649507857 100644 --- a/fs/btrfs/extent_map.c +++ b/fs/btrfs/extent_map.c @@ -73,9 +73,11 @@ void free_extent_map(struct extent_map *em) /* Do the math around the end of an extent, handling wrapping. */ static u64 range_end(u64 start, u64 len) { - if (start + len < start) + u64 sum; + + if (check_add_overflow(start, len, &sum)) return (u64)-1; - return start + len; + return sum; } static int tree_insert(struct rb_root_cached *root, struct extent_map *em) diff --git a/fs/btrfs/extent_map.h b/fs/btrfs/extent_map.h index e380fc08bbe4..3c4a6b977662 100644 --- a/fs/btrfs/extent_map.h +++ b/fs/btrfs/extent_map.h 
@@ -108,9 +108,11 @@ static inline int extent_map_in_tree(const struct extent_map *em) static inline u64 extent_map_end(const struct extent_map *em) { - if (em->start + em->len < em->start) + u64 sum; + + if (check_add_overflow(em->start, em->len, &sum)) return (u64)-1; - return em->start + em->len; + return sum; } void extent_map_tree_init(struct extent_map_tree *tree);

From patchwork Tue Jan 23 00:26:49 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 190666
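Review bot: in the fs/btrfs/extent_map.c hunk at -73,9, range_end() ends up with the same body as extent_map_end() in the extent_map.h hunk: a u64 sum, check_add_overflow(), and a "return (u64)-1;" fallback. Keeping two copies of the saturating end calculation invites them to drift apart. Consider moving range_end() into extent_map.h and having extent_map_end() call it with em->start and em->len, and updating the "handling wrapping" comment to say that the result saturates at the maximum u64 value.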
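Review bot: the fs/btrfs/extent_map.h hunk at -108,9 starts using check_add_overflow() inside a static inline, but the diff adds no #include for <linux/overflow.h> to the header; the diffstat accounts only for the six changed lines in extent_map_end(). A header should include what it uses, so that it does not depend on every includer having pulled in overflow.h some other way. Please add the include alongside this change.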
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Steve French, Paulo Alcantara, Ronnie Sahlberg, Shyam Prasad N, Tom Talpey, linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 14/82] smb: client: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:49 -0800
Message-Id: <20240123002814.1396804-14-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic
wrap-around from unexpected wrap-around, we need to refactor places that
depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded pointer wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
wrap-around sanitizer in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Steve French
Cc: Paulo Alcantara
Cc: Ronnie Sahlberg
Cc: Shyam Prasad N
Cc: Tom Talpey
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Signed-off-by: Kees Cook
--- fs/smb/client/readdir.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/smb/client/readdir.c b/fs/smb/client/readdir.c index 94255401b38d..7715297359ab 100644 --- a/fs/smb/client/readdir.c +++ b/fs/smb/client/readdir.c
@@ -467,12 +467,13 @@ static char *nxt_dir_entry(char *old_entry, char *end_of_smb, int level) pfData->FileNameLength; } else { u32 next_offset = le32_to_cpu(pDirInfo->NextEntryOffset); + char *sum; - if (old_entry + next_offset < old_entry) { + if (check_add_overflow(old_entry, next_offset, &sum)) { cifs_dbg(VFS, "Invalid offset %u\n", next_offset); return NULL; } - new_entry = old_entry + next_offset; + new_entry = sum; } cifs_dbg(FYI, "new entry %p old entry %p\n", new_entry, old_entry); /* validate that new_entry is not past end of SMB */
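Review bot: in nxt_dir_entry(), check_add_overflow() is now called with a `char *` operand and a `char *` destination, but the compiler's checked-addition builtin only takes integer types, so this hunk depends on the helper having pointer support; the commit message should name the patch in the series that provides it so the change can be bisected or backported on its own. Since next_offset is read from NextEntryOffset in the response and end_of_smb is already a parameter, it is also worth considering a comparison of next_offset against `end_of_smb - old_entry` instead, which rejects a bad offset without forming an out-of-range pointer and would fold into the "not past end of SMB" validation that follows.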
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Sumit Semwal, Christian König, linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 15/82] dma-buf: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:50 -0800
Message-Id: <20240123002814.1396804-15-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic
wrap-around from unexpected wrap-around, we need to refactor places that
depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Sumit Semwal
Cc: Christian König
Cc: "Christian König"
Cc: linux-media@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: linaro-mm-sig@lists.linaro.org
Signed-off-by: Kees Cook
--- drivers/dma-buf/dma-buf.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index 8fe5aa67b167..3743c63a9b59 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -1458,6 +1458,8 @@ EXPORT_SYMBOL_NS_GPL(dma_buf_end_cpu_access, DMA_BUF); int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma, unsigned long pgoff) { + unsigned long sum; + if (WARN_ON(!dmabuf || !vma)) return -EINVAL;
@@ -1466,12 +1468,11 @@ int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma, return -EINVAL; /* check for offset overflow */ - if (pgoff + vma_pages(vma) < pgoff) + if (check_add_overflow(pgoff, vma_pages(vma), &sum)) return -EOVERFLOW; /* check for overflowing the buffer's size */ - if (pgoff + vma_pages(vma) > - dmabuf->size >> PAGE_SHIFT) + if (sum > dmabuf->size >> PAGE_SHIFT) return -EINVAL; /* readjust the vma */
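Review bot: in the second dma_buf_mmap() hunk, `sum` is the page offset one past the end of the requested mapping, which is how `sum > dmabuf->size >> PAGE_SHIFT` uses it, so a name such as `end_pgoff` would document the second check better than `sum`. pgoff is unsigned long per the signature and so is the destination; please confirm vma_pages() returns the same type, because the helper judges overflow against the destination's type and a mismatch would change what the -EOVERFLOW branch catches.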
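The idiom these commit messages describe (`VAR + value < VAR`) next to its checked replacement, as an added userspace example that is not code from the patch series or the kernel. `check_add_overflow` here is a stand-in macro over the GCC/Clang `__builtin_add_overflow`, all function names are hypothetical, and the sample values are constructed; it goes beyond the dma-buf shape to the signed case, the destination-type rule, and a bounds check that avoids pointer addition.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: userspace stand-in for the kernel helper of the same name.
 * Returns true when a + b does not fit in *d. */
#define check_add_overflow(a, b, d) __builtin_add_overflow((a), (b), (d))

/* "Before" shape: open-coded unsigned wrap test, addition written twice. */
static int range_open_coded(unsigned long pgoff, unsigned long npages,
                            unsigned long buf_pages)
{
    if (pgoff + npages < pgoff)      /* defined for unsigned: wraps mod 2^N */
        return -EOVERFLOW;
    if (pgoff + npages > buf_pages)
        return -EINVAL;
    return 0;
}

/* "After" shape: one checked addition, result kept for the second test. */
static int range_checked(unsigned long pgoff, unsigned long npages,
                         unsigned long buf_pages)
{
    unsigned long end;

    if (check_add_overflow(pgoff, npages, &end))
        return -EOVERFLOW;
    if (end > buf_pages)
        return -EINVAL;
    return 0;
}

/* Count disagreements between the two forms over constructed edge values. */
static int count_mismatches(void)
{
    static const unsigned long v[] = { 0, 1, 15, 16, 17, ULONG_MAX / 2,
                                       ULONG_MAX - 1, ULONG_MAX };
    size_t n = sizeof(v) / sizeof(v[0]);
    int bad = 0;

    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            for (size_t k = 0; k < n; k++)
                bad += range_open_coded(v[i], v[j], v[k]) !=
                       range_checked(v[i], v[j], v[k]);
    return bad;
}

/* Signed case: "len + extra < len" is undefined on overflow unless the
 * build uses -fwrapv or -fno-strict-overflow; the builtin is always defined. */
static bool signed_add_ok(int len, int extra, int *out)
{
    return !check_add_overflow(len, extra, out);
}

/* Overflow is judged against the destination type, not the operand types. */
static bool fits_u32(uint64_t a, uint64_t b, uint32_t *out)
{
    return !check_add_overflow(a, b, out);
}

/* Pointer case without pointer arithmetic on untrusted input: compare the
 * offset with the bytes that remain, then add. */
static const char *next_entry(const char *cur, const char *end, uint32_t off)
{
    if (cur > end || off >= (size_t)(end - cur))
        return NULL;
    return cur + off;
}

int main(void)
{
    int s = 0;
    uint32_t u = 0;
    char buf[64] = { 0 };

    printf("wrap: %d, too big: %d, ok: %d\n",
           range_checked(ULONG_MAX, 1, 16), range_checked(8, 9, 16),
           range_checked(8, 8, 16));
    printf("mismatches between forms: %d\n", count_mismatches());
    printf("INT_MAX + 1 ok? %d\n", signed_add_ok(INT_MAX, 1, &s));
    printf("0xFFFFFFFF + 1 fits u32? %d\n", fits_u32(0xFFFFFFFFu, 1, &u));
    printf("offset past buffer rejected? %d\n",
           next_entry(buf, buf + sizeof(buf), 0xFFFFFFFFu) == NULL);
    return 0;
}
```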
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Karol Herbst, Lyude Paul, Danilo Krummrich, David Airlie, Daniel Vetter, Ben Skeggs, Dave Airlie, Julia Lawall, Jiang Jian, dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 16/82] drm/nouveau/mmu: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:51 -0800
Message-Id: <20240123002814.1396804-16-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Karol Herbst
Cc: Lyude Paul
Cc: Danilo Krummrich
Cc: David Airlie
Cc: Daniel Vetter
Cc: Ben Skeggs
Cc: Dave Airlie
Cc: Julia Lawall
Cc: Jiang Jian
Cc: dri-devel@lists.freedesktop.org
Cc: nouveau@lists.freedesktop.org
Signed-off-by: Kees Cook
--- drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c index 9c97800fe037..6ca1a82ccbc1 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
@@ -1149,13 +1149,15 @@ nvkm_vmm_ctor(const struct nvkm_vmm_func *func, struct nvkm_mmu *mmu, vmm->root = RB_ROOT; if (managed) { + u64 sum; + /* Address-space will be managed by the client for the most * part, except for a specified area where NVKM allocations * are allowed to be placed. */ vmm->start = 0; vmm->limit = 1ULL << bits; - if (addr + size < addr || addr + size > vmm->limit) + if (check_add_overflow(addr, size, &sum) || sum > vmm->limit) return -EINVAL; /* Client-managed area before the NVKM-managed area. */ 
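Review bot: in the first nvkm_vmm_ctor() hunk, check_add_overflow() decides overflow against the type of its destination, so `u64 sum` only preserves the behaviour of the removed `addr + size < addr` test if addr and size are themselves u64; their declarations are outside this hunk, so that should be confirmed and ideally stated in the commit message. Naming the local `end` would also make `sum > vmm->limit` say what is being compared with the limit.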
@@ -1174,7 +1176,7 @@ nvkm_vmm_ctor(const struct nvkm_vmm_func *func, struct nvkm_mmu *mmu, } /* Client-managed area after the NVKM-managed area. */ - addr = addr + size; + addr = sum; size = vmm->limit - addr; if (size && (ret = nvkm_vmm_ctor_managed(vmm, addr, size))) return ret;
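Review bot: `addr = sum;` in this second hunk reuses a value computed in the first hunk, which starts at line 1149 while this one starts at 1176, so it equals the removed `addr + size` only if neither addr nor size is written in between. Those intervening lines are not part of the diff; the commit message should state that they leave both unchanged, or the addition should stay next to its use so a later edit between the two points cannot silently make `sum` stale.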
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Maxime Ripard, Maarten Lankhorst, Thomas Zimmermann, David Airlie, Daniel Vetter, dri-devel@lists.freedesktop.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 17/82] drm/vc4: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:52 -0800
Message-Id: <20240123002814.1396804-17-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected
wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Maxime Ripard
Cc: Maarten Lankhorst
Cc: Thomas Zimmermann
Cc: David Airlie
Cc: Daniel Vetter
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
 drivers/gpu/drm/vc4/vc4_validate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/vc4/vc4_validate.c b/drivers/gpu/drm/vc4/vc4_validate.c index 7dff3ca5af6b..9affba9c58b3 100644 --- a/drivers/gpu/drm/vc4/vc4_validate.c +++ b/drivers/gpu/drm/vc4/vc4_validate.c @@ -305,6 +305,7 @@ validate_gl_array_primitive(VALIDATE_ARGS) uint32_t length = *(uint32_t *)(untrusted + 1); uint32_t base_index = *(uint32_t *)(untrusted + 5); uint32_t max_index; + uint32_t sum; struct vc4_shader_state *shader_state; /* Check overflow condition */
@@ -314,11 +315,11 @@ validate_gl_array_primitive(VALIDATE_ARGS) } shader_state = &exec->shader_state[exec->shader_state_count - 1]; - if (length + base_index < length) { + if (check_add_overflow(length, base_index, &sum)) { DRM_DEBUG("primitive vertex count overflow\n"); return -EINVAL; } - max_index = length + base_index - 1; + max_index = sum - 1; if (max_index > shader_state->max_index) shader_state->max_index = max_index;
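Review bot: In the second hunk, `max_index = sum - 1;` can still wrap. `length` and `base_index` are both read from `untrusted`, nothing in the visible context rejects a zero `length`, and when both are zero `check_add_overflow()` succeeds with `sum == 0`, so the subtraction yields 0xffffffff and the following `if (max_index > shader_state->max_index)` raises `shader_state->max_index` to it. That matches the old `length + base_index - 1`, but it is exactly the kind of unannotated unsigned wrap this series wants the sanitizer to catch, so either reject `sum == 0` together with the overflow case or compute the value with `check_sub_overflow(sum, 1, &max_index)`.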
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Theodore Ts'o", Andreas Dilger, linux-ext4@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 18/82] ext4: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:53 -0800
Message-Id: <20240123002814.1396804-18-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind
of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: "Theodore Ts'o"
Cc: Andreas Dilger
Cc: linux-ext4@vger.kernel.org
Signed-off-by: Kees Cook
---
 fs/ext4/extents.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 01299b55a567..aa30b2c75959 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -1920,6 +1920,7 @@ static unsigned int ext4_ext_check_overlap(struct ext4_sb_info *sbi, struct ext4_extent *newext, struct ext4_ext_path *path) { + ext4_lblk_t sum; ext4_lblk_t b1, b2; unsigned int depth, len1; unsigned int ret = 0;
@@ -1943,14 +1944,14 @@ static unsigned int ext4_ext_check_overlap(struct ext4_sb_info *sbi, } /* check for wrap through zero on extent logical start block*/ - if (b1 + len1 < b1) { + if (check_add_overflow(b1, len1, &sum)) { len1 = EXT_MAX_BLOCKS - b1; newext->ee_len = cpu_to_le16(len1); ret = 1; } /* check for overlap */ - if (b1 + len1 > b2) { + if (sum > b2) { newext->ee_len = cpu_to_le16(b2 - b1); ret = 1; }
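Review bot: The overlap test `if (sum > b2)` in the second hunk is not equivalent to the old `if (b1 + len1 > b2)` when the wrap branch has been taken. That branch reassigns `len1 = EXT_MAX_BLOCKS - b1`, and the old code then compared using the clamped `len1`, whereas `sum` still holds the wrapped result of `b1` plus the original `len1`, which is a small value and will usually not exceed `b2`. Recompute it inside the branch after the clamp (`sum = b1 + len1;`) or leave the second comparison on `b1 + len1`, so that an extent that wrapped is still trimmed against `b2`.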
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Alexander Viro, Christian Brauner, Jan Kara, linux-fsdevel@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 19/82] fs: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:54 -0800
Message-Id: <20240123002814.1396804-19-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that
depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Alexander Viro
Cc: Christian Brauner
Cc: Jan Kara
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed-by: Jan Kara
---
 fs/read_write.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/fs/read_write.c b/fs/read_write.c index d4c036e82b6c..e24b94a8937d 100644 --- a/fs/read_write.c +++ b/fs/read_write.c @@ -1417,6 +1417,7 @@ static int generic_copy_file_checks(struct file *file_in, loff_t pos_in, struct inode *inode_out = file_inode(file_out); uint64_t count = *req_count; loff_t size_in; + loff_t sum_in, sum_out; int ret; ret = generic_file_rw_checks(file_in, file_out); @@ -1451,7 +1452,8 @@ static int generic_copy_file_checks(struct file *file_in, loff_t pos_in, return -ETXTBSY; /* Ensure offsets don't wrap. */ - if (pos_in + count < pos_in || pos_out + count < pos_out) + if (check_add_overflow(pos_in, count, &sum_in) || + check_add_overflow(pos_out, count, &sum_out)) return -EOVERFLOW; /* Shorten the copy to EOF */
@@ -1467,8 +1469,8 @@ static int generic_copy_file_checks(struct file *file_in, loff_t pos_in, /* Don't allow overlapped copying within the same file. */ if (inode_in == inode_out && - pos_out + count > pos_in && - pos_out < pos_in + count) + sum_out > pos_in && + pos_out < sum_in) return -EINVAL; *req_count = count;
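Review bot: In the -1451,7 +1452,8 hunk of generic_copy_file_checks(), the new test is not equivalent to the one it replaces, because sum_in and sum_out are loff_t while count is uint64_t. The removed `pos_in + count < pos_in` only caught a wrap past 2^64 in unsigned arithmetic, whereas check_add_overflow() reports overflow whenever the exact sum does not fit the destination type, so the function now also returns -EOVERFLOW for sums above the loff_t maximum. That stricter result may well be what is wanted here, but the commit message describes a refactor of an unsigned wrap-around test and should state that the accepted range changes.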
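Review bot: In the -1467,8 +1469,8 hunk, the overlap test now reads sum_in and sum_out, which were computed before the `/* Shorten the copy to EOF */` step, whereas the removed lines recomputed `pos_out + count` and `pos_in + count` at this point. If count is reduced between the two places, as that comment and the trailing `*req_count = count;` suggest, the cached sums describe the original request rather than the shortened one, and the same-file check can return -EINVAL for a copy that no longer overlaps. Recompute the sums once count is final, or keep the additions open-coded here, where they can no longer wrap after the first check has passed.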
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Wu Hao, Tom Rix, Moritz Fischer, Xu Yilun, linux-fpga@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 20/82] fpga: dfl: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:55 -0800
Message-Id: <20240123002814.1396804-20-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Wu Hao
Cc: Tom Rix
Cc: Moritz Fischer
Cc: Xu Yilun
Cc: linux-fpga@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/fpga/dfl.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c index e6d12fbab653..7d10780e3a98 100644 --- a/drivers/fpga/dfl.c +++ b/drivers/fpga/dfl.c
@@ -1939,15 +1939,16 @@ static int do_set_irq_trigger(struct dfl_feature *feature, unsigned int idx, int dfl_fpga_set_irq_triggers(struct dfl_feature *feature, unsigned int start, unsigned int count, int32_t *fds) { + unsigned int sum; unsigned int i; int ret = 0; /* overflow */ - if (unlikely(start + count < start)) + if (unlikely(check_add_overflow(start, count, &sum))) return -EINVAL; /* exceeds nr_irqs */ - if (start + count > feature->nr_irqs) + if (sum > feature->nr_irqs) return -EINVAL; for (i = 0; i < count; i++) {
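Review bot: In dfl_fpga_set_irq_triggers(), the unlikely() kept around `check_add_overflow(start, count, &sum)` is redundant, because the helper in include/linux/overflow.h already passes its result through unlikely(); drop the outer annotation. With sum available, the two tests could also be folded into one condition since both return -EINVAL, although keeping them apart preserves the `/* overflow */` and `/* exceeds nr_irqs */` comments.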
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Jeremy Kerr, Joel Stanley, Alistar Popple, Eddie James, linux-fsi@lists.ozlabs.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 21/82] drivers/fsi: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:56 -0800
Message-Id: <20240123002814.1396804-21-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Jeremy Kerr
Cc: Joel Stanley
Cc: Alistar Popple
Cc: Eddie James
Cc: linux-fsi@lists.ozlabs.org
Signed-off-by: Kees Cook
--- drivers/fsi/fsi-core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c index 097d5a780264..46b24d0aadc6 100644 --- a/drivers/fsi/fsi-core.c +++ b/drivers/fsi/fsi-core.c
@@ -381,10 +381,12 @@ EXPORT_SYMBOL_GPL(fsi_slave_write); int fsi_slave_claim_range(struct fsi_slave *slave, uint32_t addr, uint32_t size) { - if (addr + size < addr) + uint32_t sum; + + if (check_add_overflow(addr, size, &sum)) return -EINVAL; - if (addr + size > slave->size) + if (sum > slave->size) return -EINVAL; /* todo: check for overlapping claims */
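Review bot: In fsi_slave_claim_range(), the new local holds the exclusive end of the claimed range, and naming it `end` rather than `sum` would make `if (sum > slave->size)` read as the bounds check it is. The name will matter more once the `/* todo: check for overlapping claims */` below is implemented, since that code will compare range ends as well.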
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Jarkko Sakkinen, Dave Hansen, Thomas Gleixner, Ingo Molnar, Borislav Petkov, x86@kernel.org, "H. Peter Anvin", linux-sgx@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 22/82] x86/sgx: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:57 -0800
Message-Id: <20240123002814.1396804-22-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Jarkko Sakkinen
Cc: Dave Hansen
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: x86@kernel.org
Cc: "H. Peter Anvin"
Cc: linux-sgx@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed-by: Jarkko Sakkinen
--- arch/x86/kernel/cpu/sgx/ioctl.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c index b65ab214bdf5..4b8f6c9f8ef5 100644 --- a/arch/x86/kernel/cpu/sgx/ioctl.c +++ b/arch/x86/kernel/cpu/sgx/ioctl.c
@@ -350,16 +350,18 @@ static int sgx_validate_offset_length(struct sgx_encl *encl, unsigned long offset, unsigned long length) { + unsigned long sum; + if (!IS_ALIGNED(offset, PAGE_SIZE)) return -EINVAL; if (!length || !IS_ALIGNED(length, PAGE_SIZE)) return -EINVAL; - if (offset + length < offset) + if (check_add_overflow(offset, length, &sum)) return -EINVAL; - if (offset + length - PAGE_SIZE >= encl->size) + if (sum - PAGE_SIZE >= encl->size) return -EINVAL; return 0;
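Review bot: In sgx_validate_offset_length(), the rewritten test "sum - PAGE_SIZE >= encl->size" is still an unsigned subtraction, and it cannot wrap only because the earlier checks reject a zero or unaligned length, which makes sum at least PAGE_SIZE once check_add_overflow() has passed. A short comment stating that invariant next to the subtraction would protect it against a later reordering of the checks, which matters more once the wrap-around sanitizers mentioned in the commit message are enabled. The check_add_overflow() conversion itself keeps the -EINVAL behaviour of the old "offset + length < offset" test.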
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Paolo Bonzini, kvm@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 23/82] KVM: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:58 -0800
Message-Id: <20240123002814.1396804-23-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

        VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed, unsigned, or pointer types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/27 [2]
Cc: Paolo Bonzini
Cc: kvm@vger.kernel.org
Signed-off-by: Kees Cook
--- virt/kvm/coalesced_mmio.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c index 1b90acb6e3fe..0a3b706fbf4c 100644 --- a/virt/kvm/coalesced_mmio.c +++ b/virt/kvm/coalesced_mmio.c
@@ -25,17 +25,19 @@ static inline struct kvm_coalesced_mmio_dev *to_mmio(struct kvm_io_device *dev) static int coalesced_mmio_in_range(struct kvm_coalesced_mmio_dev *dev, gpa_t addr, int len) { + gpa_t sum; + /* is it in a batchable area ? * (addr,len) is fully included in * (zone->addr, zone->size) */ if (len < 0) return 0; - if (addr + len < addr) + if (check_add_overflow(addr, len, &sum)) return 0; if (addr < dev->zone.addr) return 0; - if (addr + len > dev->zone.addr + dev->zone.size) + if (sum > dev->zone.addr + dev->zone.size) return 0; return 1; }
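Review bot: The new comparison "sum > dev->zone.addr + dev->zone.size" in coalesced_mmio_in_range() still has an open-coded addition on its right-hand side, and nothing in this hunk shows that the zone end is bounded, so the containment check is only half converted and the sanitizer would still see an unannotated addition here. Either compute the zone end with check_add_overflow() as well, or note in the commit message where zone.addr + zone.size is validated. It is also worth a comment that len is an int added to a gpa_t and that the call depends on the preceding "len < 0" rejection staying ahead of it.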
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Marc Zyngier, Oliver Upton, James Morse, Suzuki K Poulose, Zenghui Yu, Catalin Marinas, Will Deacon, Reiji Watanabe, Eric Auger, Ricardo Koller, Raghavendra Rao Ananta, Quentin Perret, Jean-Philippe Brucker, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 24/82] KVM: arm64: vgic: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:59 -0800
Message-Id: <20240123002814.1396804-24-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

        VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Marc Zyngier
Cc: Oliver Upton
Cc: James Morse
Cc: Suzuki K Poulose
Cc: Zenghui Yu
Cc: Catalin Marinas
Cc: Will Deacon
Cc: Reiji Watanabe
Cc: Eric Auger
Cc: Ricardo Koller
Cc: Raghavendra Rao Ananta
Cc: Quentin Perret
Cc: Jean-Philippe Brucker
Cc: linux-arm-kernel@lists.infradead.org
Cc: kvmarm@lists.linux.dev
Signed-off-by: Kees Cook
Acked-by: Marc Zyngier
Reviewed-by: Eric Auger
--- arch/arm64/kvm/vgic/vgic-kvm-device.c | 6 ++++-- arch/arm64/kvm/vgic/vgic-v2.c | 10 ++++++---- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/arch/arm64/kvm/vgic/vgic-kvm-device.c b/arch/arm64/kvm/vgic/vgic-kvm-device.c index f48b8dab8b3d..0eec5344d203 100644 --- a/arch/arm64/kvm/vgic/vgic-kvm-device.c
+++ b/arch/arm64/kvm/vgic/vgic-kvm-device.c @@ -18,17 +18,19 @@ int vgic_check_iorange(struct kvm *kvm, phys_addr_t ioaddr, phys_addr_t addr, phys_addr_t alignment, phys_addr_t size) { + phys_addr_t sum; + if (!IS_VGIC_ADDR_UNDEF(ioaddr)) return -EEXIST; if (!IS_ALIGNED(addr, alignment) || !IS_ALIGNED(size, alignment)) return -EINVAL; - if (addr + size < addr) + if (check_add_overflow(addr, size, &sum)) return -EINVAL; if (addr & ~kvm_phys_mask(&kvm->arch.mmu) || - (addr + size) > kvm_phys_size(&kvm->arch.mmu)) + sum > kvm_phys_size(&kvm->arch.mmu)) return -E2BIG; return 0; diff --git a/arch/arm64/kvm/vgic/vgic-v2.c b/arch/arm64/kvm/vgic/vgic-v2.c index 7e9cdb78f7ce..c8d1e965d3b7 100644 --- a/arch/arm64/kvm/vgic/vgic-v2.c +++ b/arch/arm64/kvm/vgic/vgic-v2.c 
@@ -273,14 +273,16 @@ void vgic_v2_enable(struct kvm_vcpu *vcpu) /* check for overlapping regions and for regions crossing the end of memory */ static bool vgic_v2_check_base(gpa_t dist_base, gpa_t cpu_base) { - if (dist_base + KVM_VGIC_V2_DIST_SIZE < dist_base) + gpa_t dist_sum, cpu_sum; + + if (check_add_overflow(dist_base, KVM_VGIC_V2_DIST_SIZE, &dist_sum)) return false; - if (cpu_base + KVM_VGIC_V2_CPU_SIZE < cpu_base) + if (check_add_overflow(cpu_base, KVM_VGIC_V2_CPU_SIZE, &cpu_sum)) return false; - if (dist_base + KVM_VGIC_V2_DIST_SIZE <= cpu_base) + if (dist_sum <= cpu_base) return true; - if (cpu_base + KVM_VGIC_V2_CPU_SIZE <= dist_base) + if (cpu_sum <= dist_base) return true; return false;
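Review bot: vgic_check_iorange() in arch/arm64/kvm/vgic/vgic-kvm-device.c now calls check_add_overflow(), but the diff for that file consists of the single hunk at line 18 and adds no #include <linux/overflow.h>. Confirm the helper is already reachable through an existing include, or add the include explicitly so the file does not depend on a transitive header. The error ordering is preserved: overflow still returns -EINVAL before the -E2BIG test against kvm_phys_size().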
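Review bot: In vgic_v2_check_base(), dist_sum and cpu_sum hold the end addresses of the distributor and CPU interface regions and are then compared against the other region's base, so dist_end and cpu_end would read more naturally in "dist_sum <= cpu_base" and "cpu_sum <= dist_base". The function comment talks about overlap and regions crossing the end of memory, and names that say "end" make it easier to verify that both tests are exclusive upper bounds.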
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Sean Christopherson, Paolo Bonzini, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", kvm@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 25/82] KVM: SVM: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:00 -0800
Message-Id: <20240123002814.1396804-25-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional
arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Sean Christopherson Cc: Paolo Bonzini Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: Dave Hansen Cc: x86@kernel.org Cc: "H. Peter Anvin" Cc: kvm@vger.kernel.org Signed-off-by: Kees Cook --- arch/x86/kvm/svm/sev.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index f760106c31f8..12a6a2b1ac81 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c 
@@ -400,16 +400,17 @@ static struct page **sev_pin_memory(struct kvm *kvm, unsigned long uaddr, unsigned long locked, lock_limit; struct page **pages; unsigned long first, last; + unsigned long sum; int ret; lockdep_assert_held(&kvm->lock); - if (ulen == 0 || uaddr + ulen < uaddr) + if (ulen == 0 || check_add_overflow(uaddr, ulen, &sum)) return ERR_PTR(-EINVAL); /* Calculate number of pages. */ first = (uaddr & PAGE_MASK) >> PAGE_SHIFT; - last = ((uaddr + ulen - 1) & PAGE_MASK) >> PAGE_SHIFT; + last = ((sum - 1) & PAGE_MASK) >> PAGE_SHIFT; npages = (last - first + 1); locked = sev->pages_locked + npages;
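Review bot: in sev_pin_memory(), `last = ((sum - 1) & PAGE_MASK) >> PAGE_SHIFT` is free of wrap-around only because `ulen == 0` is rejected in the same condition that fills `sum`, and `sum` is left unassigned when that first test short-circuits. Both are fine as written, since the early return covers them, but the dependency is implicit. A one-line comment above the `last` calculation, saying that `sum` is at least 1 here because `ulen` is non-zero and the addition did not overflow, would keep a later reordering of the checks from introducing a subtraction that a wrap-around sanitizer would trap.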
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrew Morton, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 26/82] buildid: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:01 -0800
Message-Id: <20240123002814.1396804-26-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded pointer wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Andrew Morton
Signed-off-by: Kees Cook
--- lib/buildid.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/buildid.c b/lib/buildid.c index e3a7acdeef0e..d0a310cb9b57 100644 --- a/lib/buildid.c +++ b/lib/buildid.c
@@ -54,12 +54,14 @@ static inline int parse_build_id(const void *page_addr, const void *note_start, Elf32_Word note_size) { + const void *sum; + /* check for overflow */ - if (note_start < page_addr || note_start + note_size < note_start) + if (note_start < page_addr || check_add_overflow(note_start, note_size, &sum)) return -EINVAL; /* only supports note that fits in the first page */ - if (note_start + note_size > page_addr + PAGE_SIZE) + if (sum > page_addr + PAGE_SIZE) return -EINVAL; return parse_build_id_buf(build_id, size, note_start, note_size);
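Review bot: check_add_overflow() is called in parse_build_id() with a `const void *` first operand, an `Elf32_Word` second operand and a `const void **` destination, so this only builds if the helper accepts pointer operands, and nothing in the patch says where that support comes from. The commit message should name the prerequisite change in the series so the patch is not applied or backported without it. Two smaller points: the second check still open-codes `page_addr + PAGE_SIZE`, and the message describes a pointer test but cites the "unsigned wrap-around sanitizer[2]", where [2] is the link given for signed types and [4] is the one given for pointers.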
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Geert Uytterhoeven, Andrew Morton, Arnd Bergmann, Liam Howlett, "Matthew Wilcox (Oracle)", Hugh Dickins, linux-m68k@lists.linux-m68k.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 27/82] m68k: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:02 -0800
Message-Id: <20240123002814.1396804-27-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Geert Uytterhoeven
Cc: Andrew Morton
Cc: Arnd Bergmann
Cc: Liam Howlett
Cc: "Matthew Wilcox (Oracle)"
Cc: Hugh Dickins
Cc: linux-m68k@lists.linux-m68k.org
Signed-off-by: Kees Cook
Reviewed-by: Liam R. Howlett
Reviewed-by: Geert Uytterhoeven
Acked-by: Geert Uytterhoeven
--- arch/m68k/kernel/sys_m68k.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/m68k/kernel/sys_m68k.c b/arch/m68k/kernel/sys_m68k.c index 1af5e6082467..b2b9248f2566 100644 --- a/arch/m68k/kernel/sys_m68k.c +++ b/arch/m68k/kernel/sys_m68k.c @@ -391,10 +391,11 @@ sys_cacheflush (unsigned long addr, int scope, int cache, unsigned long len) mmap_read_lock(current->mm); } else { + unsigned long sum; struct vm_area_struct *vma; /* Check for overflow. */ - if (addr + len < addr) + if (check_add_overflow(addr, len, &sum)) goto out; /*
@@ -403,7 +404,7 @@ sys_cacheflush (unsigned long addr, int scope, int cache, unsigned long len) */ mmap_read_lock(current->mm); vma = vma_lookup(current->mm, addr); - if (!vma || addr + len > vma->vm_end) + if (!vma || sum > vma->vm_end) goto out_unlock; }
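Review bot: `sum` in sys_cacheflush() holds the exclusive end of the range to flush, and the second hunk's `sum > vma->vm_end` would read as the bounds check it is if the variable were named `end`. The value is computed from the syscall arguments before mmap_read_lock() and reused after it, which is fine because neither `addr` nor `len` changes in between, but a name that says what the value is makes that reuse across the two hunks easier to follow.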
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Du Cheng, netdev@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 28/82] niu: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:03 -0800
Message-Id: <20240123002814.1396804-28-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Simon Horman
Cc: Du Cheng
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/net/ethernet/sun/niu.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c index 21431f43e4c2..a4de07c6e618 100644 --- a/drivers/net/ethernet/sun/niu.c +++ b/drivers/net/ethernet/sun/niu.c
@@ -6877,15 +6877,16 @@ static int niu_get_eeprom(struct net_device *dev, { struct niu *np = netdev_priv(dev); u32 offset, len, val; + u32 sum; offset = eeprom->offset; len = eeprom->len; - if (offset + len < offset) + if (check_add_overflow(offset, len, &sum)) return -EINVAL; if (offset >= np->eeprom_len) return -EINVAL; - if (offset + len > np->eeprom_len) + if (sum > np->eeprom_len) len = eeprom->len = np->eeprom_len - offset; if (offset & 3) {
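Review bot: in niu_get_eeprom(), sum is not recomputed when the third check clamps len (len = eeprom->len = np->eeprom_len - offset), so from that line on it no longer equals offset + len. Nothing visible in the hunk reads it afterwards, but a name such as requested_end, or a one-line comment, would keep later code from reusing a stale value. The new variable could also join the existing "u32 offset, len, val;" declaration instead of taking its own line.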
From patchwork Tue Jan 23 00:27:04 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 190667
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Santosh Shilimkar, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-rdma@vger.kernel.org, rds-devel@oss.oracle.com, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 29/82] rds: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:04 -0800
Message-Id: <20240123002814.1396804-29-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Santosh Shilimkar
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: netdev@vger.kernel.org
Cc: linux-rdma@vger.kernel.org
Cc: rds-devel@oss.oracle.com
Signed-off-by: Kees Cook
---
 net/rds/info.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/rds/info.c b/net/rds/info.c index b6b46a8214a0..87b35d07ce04 100644 --- a/net/rds/info.c +++ b/net/rds/info.c @@ -163,6 +163,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval, unsigned long nr_pages = 0; unsigned long start; rds_info_func func; + unsigned long sum; struct page **pages = NULL; int ret; int len;
@@ -175,7 +176,8 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval, /* check for all kinds of wrapping and the like */ start = (unsigned long)optval; - if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || start + len < start) { + if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || + check_add_overflow(start, len, &sum)) { ret = -EINVAL; goto out; } 
@@ -184,7 +186,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval, if (len == 0) goto call_func; - nr_pages = (PAGE_ALIGN(start + len) - (start & PAGE_MASK)) + nr_pages = (PAGE_ALIGN(sum) - (start & PAGE_MASK)) >> PAGE_SHIFT; pages = kmalloc_array(nr_pages, sizeof(struct page *), GFP_KERNEL);
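Review bot: in the second hunk (@@ -175,7 +176,8 @@), check_add_overflow(start, len, &sum) mixes an int len with an unsigned long start and sum, and it matches the old "start + len < start" only because "len < 0" is rejected earlier in the same || chain. The old expression converted len to unsigned long before adding; the helper checks the sum of the values as given, so the two give different answers for a negative len. A short comment that the ordering of the three conditions matters, or a separate early return for len < 0, would keep a later reshuffle from changing behaviour.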
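Review bot: in the third hunk (@@ -184,7 +186,7 @@), PAGE_ALIGN(sum) still rounds up with an unchecked addition, so the new check covers start + len but not the aligned end used for nr_pages. That was equally true of PAGE_ALIGN(start + len), but since the series is about making every wrap-around explicit, the commit message should say why the round-up cannot wrap here, or the aligned value should be checked as well. Renaming sum to end would also make "PAGE_ALIGN(end) - (start & PAGE_MASK)" read as the page span it computes.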
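The refactor these commit messages describe, as an added user-space example that is not part of the patch series: it runs the open-coded range check from the niu hunk beside the check_add_overflow() form, then shows why the int len in the rds hunk must be rejected as negative before the helper is reached. The check_add_overflow macro below is a stand-in built on the GCC/Clang __builtin_add_overflow, and the function names and the 256-byte limit are constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel helper (assumption: GCC/Clang builtin).
 * True when a + b does not fit in *d; *d then holds the wrapped value. */
#define check_add_overflow(a, b, d) __builtin_add_overflow((a), (b), (d))

/* "Before" form: the wrap test and the bound test each redo offset + len. */
static int range_open_coded(uint32_t offset, uint32_t len, uint32_t limit,
                            uint32_t *out_len)
{
    if (offset + len < offset)          /* relies on unsigned wrap-around */
        return -1;
    if (offset >= limit)
        return -1;
    if (offset + len > limit)
        len = limit - offset;           /* clamp to the end of the region */
    *out_len = len;
    return 0;
}

/* "After" form: one checked addition, result reused for the bound test. */
static int range_checked(uint32_t offset, uint32_t len, uint32_t limit,
                         uint32_t *out_len)
{
    uint32_t end;

    if (check_add_overflow(offset, len, &end))
        return -1;
    if (offset >= limit)
        return -1;
    if (end > limit)
        len = limit - offset;
    *out_len = len;
    return 0;
}

/* Compare both forms over constructed edge values; 0 means they agree. */
static int range_disagreements(void)
{
    static const uint32_t v[] = { 0, 1, 3, 255, 256, 257, 0x7FFFFFFFu,
                                  0x80000000u, 0xFFFFFFF0u, 0xFFFFFFFFu };
    const size_t n = sizeof(v) / sizeof(v[0]);
    int bad = 0;

    for (size_t i = 0; i < n; i++) {
        for (size_t j = 0; j < n; j++) {
            uint32_t l1 = 0, l2 = 0;
            int r1 = range_open_coded(v[i], v[j], 256, &l1);
            int r2 = range_checked(v[i], v[j], 256, &l2);

            if (r1 != r2 || (r1 == 0 && l1 != l2))
                bad++;
        }
    }
    return bad;
}

/* Mixed types as in the rds hunk, without the "len < 0" guard in front.
 * The open-coded test converts len to unsigned long before adding. */
static bool wraps_open_coded(unsigned long start, int len)
{
    return start + (unsigned long)len < start;
}

/* The helper checks the sum of the values as given, sign included. */
static bool wraps_checked(unsigned long start, int len)
{
    unsigned long sum;

    return check_add_overflow(start, len, &sum);
}

int main(void)
{
    printf("range form disagreements: %d\n", range_disagreements());
    printf("start=0x1000 len=-1: open-coded=%d checked=%d\n",
           wraps_open_coded(0x1000UL, -1), wraps_checked(0x1000UL, -1));
    printf("start=0      len=-1: open-coded=%d checked=%d\n",
           wraps_open_coded(0UL, -1), wraps_checked(0UL, -1));
    printf("start=ULONG_MAX len=1: open-coded=%d checked=%d\n",
           wraps_open_coded(ULONG_MAX, 1), wraps_checked(ULONG_MAX, 1));
    return 0;
}
```

For non-negative len the two tests agree; for negative len they give opposite answers in both constructed cases, which is why the guard has to stay ahead of the helper.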
From patchwork Tue Jan 23 00:27:05 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 190663
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Heiko Carstens, Vasily Gorbik, Alexander Gordeev, Christian Borntraeger, Sven Schnelle, Nico Boehr, Philipp Rudo, Baoquan He, Tao Liu, Alexander Egorenkov, linux-s390@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 30/82] s390/kexec_file: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:05 -0800
Message-Id: <20240123002814.1396804-30-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Heiko Carstens
Cc: Vasily Gorbik
Cc: Alexander Gordeev
Cc: Christian Borntraeger
Cc: Sven Schnelle
Cc: Nico Boehr
Cc: Philipp Rudo
Cc: Baoquan He
Cc: Tao Liu
Cc: Alexander Egorenkov
Cc: linux-s390@vger.kernel.org
Signed-off-by: Kees Cook
---
 arch/s390/include/asm/stacktrace.h | 6 ++++--
 arch/s390/kernel/machine_kexec_file.c | 5 +++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/arch/s390/include/asm/stacktrace.h b/arch/s390/include/asm/stacktrace.h index 31ec4f545e03..3ce08d32a8ad 100644 --- a/arch/s390/include/asm/stacktrace.h +++ b/arch/s390/include/asm/stacktrace.h
@@ -34,11 +34,13 @@ int get_stack_info(unsigned long sp, struct task_struct *task, static inline bool on_stack(struct stack_info *info, unsigned long addr, size_t len) { + unsigned long sum; + if (info->type == STACK_TYPE_UNKNOWN) return false; - if (addr + len < addr) + if (check_add_overflow(addr, len, &sum)) return false; - return addr >= info->begin && addr + len <= info->end; + return addr >= info->begin && sum <= info->end; } /* diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c index 8d207b82d9fe..e5e925423061 100644 --- a/arch/s390/kernel/machine_kexec_file.c +++ b/arch/s390/kernel/machine_kexec_file.c @@ -238,6 +238,7 @@ void *kexec_file_add_components(struct kimage *image, unsigned long max_command_line_size = LEGACY_COMMAND_LINE_SIZE; struct s390_load_data data = {0}; unsigned long minsize; + unsigned long sum; int ret; data.report = ipl_report_init(&ipl_block); 
@@ -256,10 +257,10 @@ void *kexec_file_add_components(struct kimage *image, if (data.parm->max_command_line_size) max_command_line_size = data.parm->max_command_line_size; - if (minsize + max_command_line_size < minsize) + if (check_add_overflow(minsize, max_command_line_size, &sum)) goto out; - if (image->kernel_buf_len < minsize + max_command_line_size) + if (image->kernel_buf_len < sum) goto out; if (image->cmdline_buf_len >= max_command_line_size)
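Review bot: the on_stack() change in arch/s390/include/asm/stacktrace.h (@@ -34,11 +34,13 @@) falls outside the "s390/kexec_file:" subject prefix, since it is a stack-bounds helper and not kexec code. Either split it into its own patch with an s390/stacktrace subject or widen the subject, so that anyone bisecting or backporting the kexec change does not pull in an unrelated header edit unnoticed.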
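Review bot: in kexec_file_add_components() (@@ -256,10 +257,10 @@), the two checks now both end in "goto out" and the second only consumes sum from the first, so they read more clearly as one condition: "if (check_add_overflow(minsize, max_command_line_size, &sum) || image->kernel_buf_len < sum) goto out;". A name that says what the value is, such as the minimum kernel buffer length required, would also help more than sum here.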
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Vineet Gupta, Luis Chamberlain, Song Liu, Yihao Han, Thomas Gleixner, "dean.yang_cp", Jinchao Wang, linux-snps-arc@lists.infradead.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 31/82] ARC: dw2 unwind: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:06 -0800
Message-Id: <20240123002814.1396804-31-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic
wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded pointer wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Vineet Gupta
Cc: Luis Chamberlain
Cc: Song Liu
Cc: Yihao Han
Cc: Thomas Gleixner
Cc: "dean.yang_cp"
Cc: Jinchao Wang
Cc: linux-snps-arc@lists.infradead.org
Signed-off-by: Kees Cook
---
 arch/arc/kernel/unwind.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/arc/kernel/unwind.c b/arch/arc/kernel/unwind.c index 9270d0a713c3..8924fa2a8f29 100644 --- a/arch/arc/kernel/unwind.c +++ b/arch/arc/kernel/unwind.c @@ -612,6 +612,7 @@ static signed fde_pointer_type(const u32 *cie) const char *aug; const u8 *end = (const u8 *)(cie + 1) + *cie; uleb128_t len; + const u8 *sum; /* check if augmentation size is first (and thus present) */ if (*ptr != 'z') 
@@ -630,10 +631,10 @@ static signed fde_pointer_type(const u32 *cie) version <= 1 ? (void) ++ptr : (void)get_uleb128(&ptr, end); len = get_uleb128(&ptr, end); /* augmentation length */ - if (ptr + len < ptr || ptr + len > end) + if (check_add_overflow(ptr, len, &sum) || sum > end) return -1; - end = ptr + len; + end = sum; while (*++aug) { if (ptr >= end) return -1; 
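Review bot: In the second hunk of arch/arc/kernel/unwind.c, `check_add_overflow(ptr, len, &sum)` is called with a pointer as its first operand and a `const u8 *` as its destination, and nothing in this patch or its commit message shows that check_add_overflow() accepts pointer operands. If that support is introduced by an earlier patch in the series, name that patch in the commit message so this change is not applied or backported on its own. The closing sentence of the commit message also speaks of the unsigned wrap-around sanitizer, while the test refactored here is the pointer case, so the reference would fit better if it pointed at the pointer item [4].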
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Michael S. Tsirkin", Jason Wang, kvm@vger.kernel.org, virtualization@lists.linux.dev, netdev@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 32/82] vringh: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:07 -0800
Message-Id: <20240123002814.1396804-32-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around,
we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: "Michael S. Tsirkin"
Cc: Jason Wang
Cc: kvm@vger.kernel.org
Cc: virtualization@lists.linux.dev
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: Eugenio Pérez
---
 drivers/vhost/vringh.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c index 7b8fd977f71c..07442f0a52bd 100644 --- a/drivers/vhost/vringh.c +++ b/drivers/vhost/vringh.c @@ -145,6 +145,8 @@ static inline bool range_check(struct vringh *vrh, u64 addr, size_t *len, bool (*getrange)(struct vringh *, u64, struct vringh_range *)) { + u64 sum; + if (addr < range->start || addr > range->end_incl) { if (!getrange(vrh, addr, range)) return false; 
@@ -152,20 +154,20 @@ static inline bool range_check(struct vringh *vrh, u64 addr, size_t *len, BUG_ON(addr < range->start || addr > range->end_incl); /* To end of memory? */ - if (unlikely(addr + *len == 0)) { + if (unlikely(U64_MAX - addr == *len)) { if (range->end_incl == -1ULL) return true; goto truncate; } /* Otherwise, don't wrap. */ - if (addr + *len < addr) { + if (check_add_overflow(addr, *len, &sum)) { vringh_bad("Wrapping descriptor %zu@0x%llx", *len, (unsigned long long)addr); return false; } - if (unlikely(addr + *len - 1 > range->end_incl)) + if (unlikely(sum - 1 > range->end_incl)) goto truncate; return true; 
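Review bot: The rewritten "To end of memory?" test in the second hunk of drivers/vhost/vringh.c is not equivalent to the one it replaces. `addr + *len == 0` holds when `*len` equals 2^64 - addr (the descriptor ends exactly at the top of the address space), whereas `U64_MAX - addr == *len` holds when `*len` equals 2^64 - 1 - addr, one byte short of that. With addr 0xfffffffffffff000 and *len 0x1000 the old code took the end-of-memory branch; the new code skips it, check_add_overflow() then reports overflow, and the descriptor is rejected with "Wrapping descriptor". The old test was also true for addr 0 with *len 0, which the new one is not. To keep the behaviour, call check_add_overflow() once before both tests, treat `sum == 0` as the end-of-memory case, and report a wrap only when overflow was signalled and `sum` is non-zero.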
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrew Morton, Uladzislau Rezki, Christoph Hellwig, Lorenzo Stoakes, linux-mm@kvack.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 33/82] mm/vmalloc: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:08 -0800
Message-Id: <20240123002814.1396804-33-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to
refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Andrew Morton
Cc: Uladzislau Rezki
Cc: Christoph Hellwig
Cc: Lorenzo Stoakes
Cc: linux-mm@kvack.org
Signed-off-by: Kees Cook
---
 mm/vmalloc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mm/vmalloc.c b/mm/vmalloc.c index d12a17fc0c17..7932ac99e9d3 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -1223,6 +1223,7 @@ is_within_this_va(struct vmap_area *va, unsigned long size, unsigned long align, unsigned long vstart) { unsigned long nva_start_addr; + unsigned long sum; if (va->va_start > vstart) nva_start_addr = ALIGN(va->va_start, align); 
@@ -1230,11 +1231,11 @@ is_within_this_va(struct vmap_area *va, unsigned long size, nva_start_addr = ALIGN(vstart, align); /* Can be overflowed due to big size or alignment. */ - if (nva_start_addr + size < nva_start_addr || + if (check_add_overflow(nva_start_addr, size, &sum) || nva_start_addr < vstart) return false; - return (nva_start_addr + size <= va->va_end); + return (sum <= va->va_end); } /* 
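Review bot: In the second hunk of mm/vmalloc.c only the `nva_start_addr + size` addition is converted; the other wrap named in the comment ("big size or alignment") is still detected after the fact by `nva_start_addr < vstart`, which means the ALIGN() computations just above still rely on silent unsigned wrap-around. Since the commit message states the goal is to make such wraps instrumentable, either handle the ALIGN() case in this patch or say in the commit message that it is intentionally left for a later change. As a smaller style point, `sum` holds the end address of the candidate range, so a name that pairs with `nva_start_addr` would read better in the final `sum <= va->va_end` comparison.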
16:46:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1705970767; x=1706575567; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=GeFy9ObsKdupjGxJomayoIpMA4DTjdZekNe8mU5qwlA=; b=WNPSVRLbGoHiG5MgcqmT7CzbjdHAV2zjOA+nWVjqgOy85P/xFgoCHnnsZXTEzfIqjT xcq1Z+6hWeI+wc5ciYo9azrmeOXzJBsf10DrCSINXf84tc5LFkP3kZ79ajLuTVYfkDGt LDuy1osU5QpLdRvIUJ257HMNwOgdC2lqVKjmM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705970767; x=1706575567; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=GeFy9ObsKdupjGxJomayoIpMA4DTjdZekNe8mU5qwlA=; b=KEhb3PNbwwReobRoO0Fk0MWFJyN8Jyvxhz/LA/UhFr7fZPbXNos32ROUCEL1tYkXRC 54UoY6kCSEUnNZs+OTSjCbzVxnNJ2Sy7H9qmAp8F/apztSkEwZQT2USVNzKfWPREM+1H TCGi7B664XPEr+GLAyUMJRc5RLc9fxsyDOYnWaetz4lH5TzqPr6gXpVK3chg0JQKFoNJ wTQg2dF6CjBzrY1JIN3pYVuWyxCOvbWUMTwMZi7hFORSrUZm72bR2mJVvWh7lWPl9CUM 3j6y82XlboQzQqooScFoXNUgEPSSfZdaIcWnvI2G/mHW+F4DF2h4tkgmZDHtnEkicHSy IE5g== X-Gm-Message-State: AOJu0YwoBot7JmlqlUsGe1dicEMJ3ym6Ds7mfF6ab4rcclMXoh3CMRkQ OWdeQ/5dItcGztefpuyfpOtnVPIMZrZdZelLVOLo6h3VIAXmliEVX2bXKIx+VQ== X-Received: by 2002:a05:6a20:e116:b0:19a:f6f1:c643 with SMTP id kr22-20020a056a20e11600b0019af6f1c643mr2625807pzb.26.1705970767073; Mon, 22 Jan 2024 16:46:07 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id kt6-20020a170903088600b001d755acec64sm2112193plb.189.2024.01.22.16.45.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jan 2024 16:46:03 -0800 (PST) 
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Linus Torvalds, Andrew Morton, "Liam R. Howlett", Mark Brown, Mike Kravetz, Vasily Averin, Alexander Mikhalitsyn, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 34/82] ipc: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:09 -0800
Message-Id: <20240123002814.1396804-34-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Linus Torvalds
Cc: Andrew Morton
Cc: "Liam R. Howlett"
Cc: Mark Brown
Cc: Mike Kravetz
Cc: Vasily Averin
Cc: Alexander Mikhalitsyn
Signed-off-by: Kees Cook
---
 ipc/shm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ipc/shm.c b/ipc/shm.c index a89f001a8bf0..227a1610628a 100644 --- a/ipc/shm.c +++ b/ipc/shm.c
@@ -1650,11 +1650,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, } if (addr && !(shmflg & SHM_REMAP)) { + unsigned long sum; + err = -EINVAL; - if (addr + size < addr) + if (check_add_overflow(addr, size, &sum)) goto invalid; - if (find_vma_intersection(current->mm, addr, addr + size)) + if (find_vma_intersection(current->mm, addr, sum)) goto invalid; }
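Review bot: check_add_overflow(addr, size, &sum) judges overflow against the type of its destination, and sum is declared unsigned long, so this is only equivalent to the old "addr + size < addr" test if addr and size are both unsigned long; their declarations are outside this hunk, so it is worth confirming that or saying so in the commit message. Since the stored value is used only as the end address passed to find_vma_intersection(), a name such as "end" would describe it better than "sum".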
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Rafael J. Wysocki", Len Brown, linux-acpi@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 35/82] ACPI: custom_method: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:10 -0800
Message-Id: <20240123002814.1396804-35-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: "Rafael J. Wysocki"
Cc: Len Brown
Cc: linux-acpi@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/acpi/custom_method.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index d39a9b474727..0789317f4a1a 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c
@@ -54,7 +54,7 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf, if ((*ppos > max_size) || (*ppos + count > max_size) || - (*ppos + count < count) || + (add_would_overflow(count, *ppos)) || (count > uncopied_bytes)) { kfree(buf); buf = NULL;
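Review bot: The clause directly above the changed line, (*ppos + count > max_size), still open-codes the same addition and is evaluated before add_would_overflow(count, *ppos), so the sum can still wrap there and a wrap-around sanitizer would still trip on it. Consider moving the overflow test ahead of that clause, or using check_add_overflow() to store the sum once and comparing the stored value against max_size, as the ipc/shm.c patch in this series does. The declarations of count and *ppos are outside the hunk; if their types differ in width or signedness, the commit message should say which type the helper checks against.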
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Greg Kroah-Hartman, David Airlie, dri-devel@lists.freedesktop.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 36/82] agp: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:11 -0800
Message-Id: <20240123002814.1396804-36-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Greg Kroah-Hartman
Cc: David Airlie
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
 drivers/char/agp/generic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c index 3ffbb1c80c5c..fc2d07654154 100644 --- a/drivers/char/agp/generic.c +++ b/drivers/char/agp/generic.c
@@ -228,7 +228,7 @@ struct agp_memory *agp_allocate_memory(struct agp_bridge_data *bridge, cur_memory = atomic_read(&bridge->current_memory_agp); if ((cur_memory + page_count > bridge->max_memory_agp) || - (cur_memory + page_count < page_count)) + (add_would_overflow(page_count, cur_memory))) return NULL; if (type >= AGP_USER_TYPES) {
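Review bot: cur_memory is loaded from atomic_read(), which returns int, and neither its declaration nor that of page_count is visible in the hunk, so it is unclear which type add_would_overflow(page_count, cur_memory) evaluates the sum in; a signed/unsigned mix changes what counts as overflow, and the commit message should state the intended type. The first clause, (cur_memory + page_count > bridge->max_memory_agp), also still performs the open-coded addition before the new test runs; testing for overflow first, or storing the sum with check_add_overflow() and comparing that against bridge->max_memory_agp, would remove the remaining wrap-prone expression.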
t5ywTnZkCA3lsgQGuxrLY1Rc5AqbM3zmc7MCmt2wjesD7bFnU89ZZTBfpOfeTm0pIaD/ kIYXft1EE1chB/nQM8BmQXFZi6l4pf3dIh0b69Iz+3eHnjLafU+fsYNjdXYYYajb2E6A Yk3A== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=l9fXPBfn; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-34565-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-34565-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id k7-20020a632407000000b005cd9243c104si8865601pgk.295.2024.01.22.18.26.18 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jan 2024 18:26:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-34565-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=l9fXPBfn; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-34565-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-34565-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id BF747B22A82 for ; Tue, 23 Jan 2024 02:02:05 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain 
[127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 00259132C31; Tue, 23 Jan 2024 01:03:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="l9fXPBfn" Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4097C130E59 for ; Tue, 23 Jan 2024 01:03:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.177 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705971825; cv=none; b=Hb8Jq428Azx01/l+FH5o+hwGXrkqtmVzPuc9WoDI8NMLR70C7Q0IY9I1Z2OdLijUf6cjX9FtHUzshkEIyBCYWnJPrmEOCPZ99N9AO6njPXxm2mA1qrDur9OzQClk8FS1cGv2f9QeZPDzGwOdqqqzcpYF2+WECOGlAJVEhhDpui8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705971825; c=relaxed/simple; bh=IB2lfGkRCBtaWjh4efF33fJJqpbLbcQ8iv2Ec/oLFcg=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=sK74cSZW5PwWQpOCL1lufHg4zdm3DlUg0vj3L62sUSsGT5jgjnDRLvqEBPfT1FcmOd8jD+N/501DGBB/vSQ6YoZ+XFAnerLtEgbOhjHyMO7TgiBH07PiiqkcjNcX5j4s0e2kpYjHEbFpQNElDANk0tTb5zfXu4G6qivGBitzwMs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=l9fXPBfn; arc=none smtp.client-ip=209.85.214.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Received: by mail-pl1-f177.google.com with SMTP id d9443c01a7336-1d71e184695so13647745ad.3 for ; Mon, 22 Jan 2024 17:03:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; 
s=google; t=1705971821; x=1706576621; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=X0d2UaZGLqhx8u565YivlSqF+Wqiy035MOx60/jiYzQ=; b=l9fXPBfnUqu56eaKYrQLJp2b6t5jO7o4VFSr0IhM5u54VaAqvyOLNQlJdySAnchxbj j/hTsyTkxD/fg3o/ioOnBmokyHL8aLKhHD/njv3BOI4otixka1sAKq2t0N17sU+NShKI 1JYFkxEoplYM3YpzRRldxq+tabf6v4KNCiB8o= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705971821; x=1706576621; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=X0d2UaZGLqhx8u565YivlSqF+Wqiy035MOx60/jiYzQ=; b=J+G7KeLl1+xqGb91FpCHgAh8jwUc0rSDnCAjML6G3/PCoG/X+JR/HyP2/c6e1BGL+Y ernvayfcYwGe3HbHaAolj1TIX+h7Pwkt2HvVQM2Fmdp4LTQbhbyto/qxKUtH1U/4/chv m68RAiAIZ861Qm/t2f8Z9WL/F4BCBB1FSmfqB5eqlGYOVvNlMesygndYvVIQz8jIebs+ V8UWdo6n9/nxTGxNXqRpaOp2jdb+abbbRFEG9pMVNMHJsARLLOtd34jTQbZkWBxl6/Z6 NBaedRlPmmft7RGerIQZHk/YW5saOSq7+gmdcQMfxZyVYuliSSJOGyagxuduLQVvC+Ow Ry2w== X-Gm-Message-State: AOJu0Yw2x/g7w4ivqaSUtBNQ79QQm/gNQrwiA+GMLCUsjRmtmBQ+XuHW u9GxfHx9H+/StEwOx50s+5i3f0ojt9Uelq88/+046J7so1Sb09M1m6FrIOklxw== X-Received: by 2002:a17:902:c952:b0:1d7:5ff8:ca07 with SMTP id i18-20020a170902c95200b001d75ff8ca07mr1511463pla.0.1705971821597; Mon, 22 Jan 2024 17:03:41 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id s2-20020a17090302c200b001d707987ce3sm7538451plk.194.2024.01.22.17.03.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jan 2024 17:03:38 -0800 (PST) 
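Review bot: in agp_allocate_memory() the helper is called as add_would_overflow(page_count, cur_memory), the reverse of the operand order in the addition it replaces, and cur_memory is loaded with atomic_read(), which returns int. Please confirm, and say in the commit message, which argument's type the helper uses for the wrap check, because a check done in a different type than the removed "cur_memory + page_count < page_count" comparison would change when this path returns NULL. The first half of the condition also still computes cur_memory + page_count open-coded before the helper is reached, so that sum remains uninstrumented.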
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Benjamin LaHaise, Alexander Viro, Christian Brauner, Jan Kara, linux-aio@kvack.org, linux-fsdevel@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 37/82] aio: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:12 -0800
Message-Id: <20240123002814.1396804-37-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Benjamin LaHaise
Cc: Alexander Viro
Cc: Christian Brauner
Cc: Jan Kara
Cc: linux-aio@kvack.org
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed-by: Jan Kara
--- fs/aio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/aio.c b/fs/aio.c index bb2ff48991f3..edd19be3f4b1 100644 --- a/fs/aio.c +++ b/fs/aio.c
@@ -796,7 +796,7 @@ static struct kioctx *ioctx_alloc(unsigned nr_events) /* limit the number of system wide aios */ spin_lock(&aio_nr_lock); if (aio_nr + ctx->max_reqs > aio_max_nr || - aio_nr + ctx->max_reqs < aio_nr) { + add_would_overflow(aio_nr, ctx->max_reqs)) { spin_unlock(&aio_nr_lock); err = -EAGAIN; goto err_ctx;
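Review bot: in ioctx_alloc() the limit comparison "aio_nr + ctx->max_reqs > aio_max_nr" is the left operand of the ||, so it is evaluated before add_would_overflow(aio_nr, ctx->max_reqs) and still performs the wrapping addition open-coded; a wrap-around sanitizer would fire on that sum before the helper ever runs. Put the overflow test first so it short-circuits the comparison, or compute the sum once with check_add_overflow() and compare that result against aio_max_nr, so this site stays quiet once the sanitizers are enabled.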
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Russell King, linux-arm-kernel@lists.infradead.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 38/82] arm: 3117/1: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:13 -0800
Message-Id: <20240123002814.1396804-38-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Russell King
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Kees Cook
--- arch/arm/nwfpe/softfloat.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/nwfpe/softfloat.c b/arch/arm/nwfpe/softfloat.c index ffa6b438786b..0635b1eda1d3 100644 --- a/arch/arm/nwfpe/softfloat.c +++ b/arch/arm/nwfpe/softfloat.c
@@ -603,7 +603,7 @@ static floatx80 roundBits = zSig0 & roundMask; if ( 0x7FFD <= (bits32) ( zExp - 1 ) ) { if ( ( 0x7FFE < zExp ) - || ( ( zExp == 0x7FFE ) && ( zSig0 + roundIncrement < zSig0 ) ) + || ( ( zExp == 0x7FFE ) && (add_would_overflow(zSig0, roundIncrement)) ) ) { goto overflow; }
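Review bot: style point on the added line in the zExp == 0x7FFE branch: "(add_would_overflow(zSig0, roundIncrement))" carries a redundant outer pair of parentheses and drops the "( x )" spacing that the surrounding context lines use, so the new test stands out from the code around it. Writing it as "&& add_would_overflow( zSig0, roundIncrement ) )" would read consistently with its neighbours. The removed expression relied on zSig0 wrapping at the width of its own type, so a short comment next to the call saying the check is made at that width would help the next reader.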
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Jesper Nilsson, Lars Persson, Herbert Xu, "David S. Miller", linux-arm-kernel@axis.com, linux-crypto@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 39/82] crypto: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:14 -0800
Message-Id: <20240123002814.1396804-39-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Jesper Nilsson
Cc: Lars Persson
Cc: Herbert Xu
Cc: "David S. Miller"
Cc: linux-arm-kernel@axis.com
Cc: linux-crypto@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/crypto/axis/artpec6_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/axis/artpec6_crypto.c b/drivers/crypto/axis/artpec6_crypto.c index dbc1d483f2af..cbec539f0e20 100644 --- a/drivers/crypto/axis/artpec6_crypto.c +++ b/drivers/crypto/axis/artpec6_crypto.c
@@ -1190,7 +1190,7 @@ artpec6_crypto_ctr_crypt(struct skcipher_request *req, bool encrypt) * the whole IV is a counter. So fallback if the counter is going to * overlow. */ - if (counter + nblks < counter) { + if (add_would_overflow(counter, nblks)) { int ret; pr_debug("counter %x will overflow (nblks %u), falling back\n", From patchwork Tue Jan 23 00:27:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 190617 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:7300:2553:b0:103:945f:af90 with SMTP id p19csp61475dyi; Mon, 22 Jan 2024 17:28:51 -0800 (PST) X-Google-Smtp-Source: AGHT+IEDdX1lpc/yGur8Hm6EJxMsba8F9PRmLdN8W1+K+Ej87aEpE0QzR7idTUk1Gn0beTku5PHq X-Received: by 2002:a17:907:7f86:b0:a27:e264:e114 with SMTP id qk6-20020a1709077f8600b00a27e264e114mr3252539ejc.120.1705973331438; Mon, 22 Jan 2024 17:28:51 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1705973331; cv=pass; d=google.com; s=arc-20160816; b=gezTMpZkWJ7gA5nIx3N2rZvbcGZB7hKeS7wDlhcn3S8wjV9YPXlp+sktFoExqKn95u r+KoyHk+j09NdvgLsAVdRNH8ejdtehMpEKsof2om6WJ8dkn2dle9ETqdoyMr/Pb179CB W2IgaG/w01PyszPFjO8pDI1OKjlZDNtaku62TunSLGXh9kAYYjWiGLEZZLHVJSwOf592 pTTHr+6Na0F7KLeJo6roAmA70NxpUI0bZL1VCwoIeAihyPNaxA0g9gEHgujHBi+scFGV mB+NJeEbSEraaHDAOmNR8Ukab55A2+Jt1f8CRdTMw4lowCXWu/L7Bz3h9Xm5oh9sImob NKug== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=wG9hLC1Y8Qz4XIU+37knJUuWpfkMo15LFrj6UcsKSzg=; fh=SMN/3LrdR7mn/TalJ0/LxqgNFdwlpzK9Z97aPMapc54=; b=gPDMSlxMAb39cod1+QICiNjaJfPnpbAS+xkGtrw8n5qxKG2Ht1cdQ6nsFvtWor8Tfm 35TDP0JJs4C37DdQUET8gTdxUtd+kr6TQBE0qk8y748GgW9+PrgGHKHq4zpS3u9G9wx9 r4YTmpvysu4LPNLFSNmItK35zYuKTfcZx8GyD7fS80EWdRk1Y1N36c/EBgDGlWcyMUXK 
From: Kees Cook To: linux-hardening@vger.kernel.org Cc: Kees Cook , Catalin Marinas , Will Deacon , Kalesh Singh , Fuad Tabba , Mark Brown , "Madhavan T. Venkataraman" , Marc Zyngier , Mark Rutland , linux-arm-kernel@lists.infradead.org, "Gustavo A. R. Silva" , Bill Wendling , Justin Stitt , linux-kernel@vger.kernel.org Subject: [PATCH 40/82] arm64: stacktrace: Refactor intentional wrap-around test Date: Mon, 22 Jan 2024 16:27:15 -0800 Message-Id: <20240123002814.1396804-40-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240122235208.work.748-kees@kernel.org> References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate
intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Catalin Marinas Cc: Will Deacon Cc: Kalesh Singh Cc: Fuad Tabba Cc: Mark Brown Cc: "Madhavan T. Venkataraman" Cc: Marc Zyngier Cc: Mark Rutland Cc: linux-arm-kernel@lists.infradead.org Signed-off-by: Kees Cook --- arch/arm64/include/asm/stacktrace/common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/include/asm/stacktrace/common.h b/arch/arm64/include/asm/stacktrace/common.h index f63dc654e545..6e0cb84961f8 100644 --- a/arch/arm64/include/asm/stacktrace/common.h +++ b/arch/arm64/include/asm/stacktrace/common.h 
@@ -49,7 +49,7 @@ static inline bool stackinfo_on_stack(const struct stack_info *info, if (!info->low) return false; - if (sp < info->low || sp + size < sp || sp + size > info->high) + if (sp < info->low || add_would_overflow(sp, size) || sp + size > info->high) return false; return true;
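Review bot: in stackinfo_on_stack(), the third clause of the changed condition still computes "sp + size" open-coded right after add_would_overflow(sp, size), so the upper-bound comparison is safe only because || short-circuits before the second addition is evaluated. Computing the end address once with check_add_overflow() into a local (for example "end") and then comparing "end > info->high" would leave a single addition in the function and take the ordering dependency out of the condition, which is easier to keep correct when someone later edits this bounds check.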
From: Kees Cook To: linux-hardening@vger.kernel.org Cc: Kees Cook , Kalle Valo , Johannes Berg , Max Chen , Yang Shen , linux-wireless@vger.kernel.org, "Gustavo A. R. Silva" , Bill Wendling , Justin Stitt , linux-kernel@vger.kernel.org Subject: [PATCH 41/82] wil6210: Refactor intentional wrap-around test Date: Mon, 22 Jan 2024 16:27:16 -0800 Message-Id: <20240123002814.1396804-41-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240122235208.work.748-kees@kernel.org> References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that
depend on this kind of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Kalle Valo Cc: Johannes Berg Cc: Max Chen Cc: Yang Shen Cc: linux-wireless@vger.kernel.org Signed-off-by: Kees Cook Acked-by: Kalle Valo --- drivers/net/wireless/ath/wil6210/wmi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c index 6fdb77d4c59e..3b3c991f77e9 100644 --- a/drivers/net/wireless/ath/wil6210/wmi.c +++ b/drivers/net/wireless/ath/wil6210/wmi.c 
@@ -286,7 +286,7 @@ void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr_, u32 size) off = HOSTADDR(ptr); if (off > wil->bar_size - 4) return NULL; - if (size && ((off + size > wil->bar_size) || (off + size < off))) + if (size && ((off + size > wil->bar_size) || (add_would_overflow(off, size)))) return NULL; return wil->csr + off;
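Review bot: in wmi_buffer_block(), "off + size > wil->bar_size" is still evaluated before add_would_overflow(off, size), so the addition that can wrap happens in the first clause, and a wrapped sum that lands below bar_size is rejected only by the second clause. Today's behaviour is preserved, but once unsigned wrap-around is instrumented the unannotated "off + size" in the first clause is the expression that will trip, which works against the stated goal of the refactor. Put the overflow test first so the comparison against bar_size is only reached when the sum cannot wrap, and drop the extra parentheses around the helper call. This condition gates the "wil->csr + off" pointer that the function returns, so the ordering is worth getting right.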
From: Kees Cook To: linux-hardening@vger.kernel.org Cc: Kees Cook , Kent Overstreet , Brian Foster , linux-bcachefs@vger.kernel.org, "Gustavo A. R. Silva" , Bill Wendling , Justin Stitt , linux-kernel@vger.kernel.org Subject: [PATCH 42/82] bcachefs: Refactor intentional wrap-around test Date: Mon, 22 Jan 2024 16:27:17 -0800 Message-Id: <20240123002814.1396804-42-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240122235208.work.748-kees@kernel.org> References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind
of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Kent Overstreet Cc: Brian Foster Cc: linux-bcachefs@vger.kernel.org Signed-off-by: Kees Cook Acked-by: Kent Overstreet --- fs/bcachefs/bkey.c | 4 ++-- fs/bcachefs/fs.c | 2 +- fs/bcachefs/quota.c | 2 +- fs/bcachefs/util.c | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/fs/bcachefs/bkey.c b/fs/bcachefs/bkey.c index 76e79a15ba08..c68f1cfd579e 100644 --- a/fs/bcachefs/bkey.c +++ b/fs/bcachefs/bkey.c @@ -448,7 +448,7 @@ static bool bkey_format_has_too_big_fields(const struct bkey_format *f) : 0; u64 field_offset = le64_to_cpu(f->field_offset[i]); - if (packed_max + field_offset < packed_max || + if (add_would_overflow(packed_max, field_offset) || packed_max + field_offset > unpacked_max) return true; } 
@@ -664,7 +664,7 @@ int bch2_bkey_format_invalid(struct bch_fs *c, : 0; u64 field_offset = le64_to_cpu(f->field_offset[i]); - if (packed_max + field_offset < packed_max || + if (add_would_overflow(packed_max, field_offset) || packed_max + field_offset > unpacked_max) { prt_printf(err, "field %u too large: %llu + %llu > %llu", i, packed_max, field_offset, unpacked_max); diff --git a/fs/bcachefs/fs.c b/fs/bcachefs/fs.c index ec419b8e2c43..00a606171656 100644 --- a/fs/bcachefs/fs.c +++ b/fs/bcachefs/fs.c @@ -901,7 +901,7 @@ static int bch2_fiemap(struct inode *vinode, struct fiemap_extent_info *info, if (ret) return ret; - if (start + len < start) + if (add_would_overflow(start, len)) return -EINVAL; start >>= 9; diff --git a/fs/bcachefs/quota.c b/fs/bcachefs/quota.c index e68b34eab90a..1738b1fc1c75 100644 --- a/fs/bcachefs/quota.c +++ b/fs/bcachefs/quota.c @@ -392,7 +392,7 @@ static void __bch2_quota_transfer(struct bch_memquota *src_q, enum quota_counters counter, s64 v) { BUG_ON(v > src_q->c[counter].v); - BUG_ON(v + dst_q->c[counter].v < v); + BUG_ON(add_would_overflow(v, dst_q->c[counter].v)); src_q->c[counter].v -= v; dst_q->c[counter].v += v; diff --git a/fs/bcachefs/util.c b/fs/bcachefs/util.c index a135136adeee..2200c81edbd2 100644 --- a/fs/bcachefs/util.c +++ b/fs/bcachefs/util.c 
@@ -148,7 +148,7 @@ static int __bch2_strtou64_h(const char *cp, u64 *res) return -ERANGE; f_n = div_u64(f_n * b, f_d); - if (v + f_n < v) + if (add_would_overflow(v, f_n)) return -ERANGE; v += f_n;
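Review bot: in the fs/bcachefs/quota.c hunk, __bch2_quota_transfer() declares v as s64 in the signature shown, so BUG_ON(add_would_overflow(v, dst_q->c[counter].v)) passes a signed first operand. The type of dst_q->c[counter].v is not visible in the hunk; if it is unsigned, the old "v + dst_q->c[counter].v < v" was evaluated as unsigned arithmetic, and the helper may range-check the sum against a different type than the original comparison did. Please confirm that the BUG_ON() fires for exactly the same inputs as before and say so in the commit message, since a BUG_ON() whose trigger condition shifts is not a pure refactor.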
From patchwork Tue Jan 23 00:27:18 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 190683
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Alexei Starovoitov, Daniel Borkmann, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, bpf@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 43/82] bpf: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:18 -0800
Message-Id: <20240123002814.1396804-43-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: John Fastabend
Cc: Andrii Nakryiko
Cc: Martin KaFai Lau
Cc: Song Liu
Cc: Yonghong Song
Cc: KP Singh
Cc: Stanislav Fomichev
Cc: Hao Luo
Cc: Jiri Olsa
Cc: bpf@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: Yonghong Song
---
 kernel/bpf/verifier.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 65f598694d55..21e3f30c8757 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -12901,8 +12901,8 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, dst_reg->smin_value = smin_ptr + smin_val; dst_reg->smax_value = smax_ptr + smax_val; } - if (umin_ptr + umin_val < umin_ptr || - umax_ptr + umax_val < umax_ptr) { + if (add_would_overflow(umin_ptr, umin_val) || + add_would_overflow(umax_ptr, umax_val)) { dst_reg->umin_value = 0; dst_reg->umax_value = U64_MAX; } else {
@@ -13023,8 +13023,8 @@ static void scalar32_min_max_add(struct bpf_reg_state *dst_reg, dst_reg->s32_min_value += smin_val; dst_reg->s32_max_value += smax_val; } - if (dst_reg->u32_min_value + umin_val < umin_val || - dst_reg->u32_max_value + umax_val < umax_val) { + if (add_would_overflow(umin_val, dst_reg->u32_min_value) || + add_would_overflow(umax_val, dst_reg->u32_max_value)) { dst_reg->u32_min_value = 0; dst_reg->u32_max_value = U32_MAX; } else { 
@@ -13049,8 +13049,8 @@ static void scalar_min_max_add(struct bpf_reg_state *dst_reg, dst_reg->smin_value += smin_val; dst_reg->smax_value += smax_val; } - if (dst_reg->umin_value + umin_val < umin_val || - dst_reg->umax_value + umax_val < umax_val) { + if (add_would_overflow(umin_val, dst_reg->umin_value) || + add_would_overflow(umax_val, dst_reg->umax_value)) { dst_reg->umin_value = 0; dst_reg->umax_value = U64_MAX; } else {
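
Review bot: In the scalar32_min_max_add() and scalar_min_max_add() hunks the operands change places: dst_reg->u32_min_value + umin_val < umin_val becomes add_would_overflow(umin_val, dst_reg->u32_min_value), while the adjust_ptr_min_max_vals() hunk keeps umin_ptr first. That follows the VAR + value < VAR shape from the commit message, but the declarations of umin_val and umax_val are outside the context shown, so please confirm they are u32 in scalar32_min_max_add(). If the helper sizes its test from the first argument, a wider umin_val would mean the u32 bounds are never reset to 0 and U32_MAX. A sentence in the commit message saying the argument order is deliberate would spare the next reader the same check.
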
From patchwork Tue Jan 23 00:27:19 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 190669
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Chris Mason, Josef Bacik, David Sterba, linux-btrfs@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 44/82] btrfs: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:19 -0800
Message-Id: <20240123002814.1396804-44-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Chris Mason
Cc: Josef Bacik
Cc: David Sterba
Cc: linux-btrfs@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: David Sterba
---
 fs/btrfs/ordered-data.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/btrfs/ordered-data.c b/fs/btrfs/ordered-data.c index 59850dc17b22..2e0865693cee 100644 --- a/fs/btrfs/ordered-data.c +++ b/fs/btrfs/ordered-data.c
@@ -813,7 +813,7 @@ int btrfs_wait_ordered_range(struct inode *inode, u64 start, u64 len) u64 orig_end; struct btrfs_ordered_extent *ordered; - if (start + len < start) { + if (add_would_overflow(start, len)) { orig_end = OFFSET_MAX; } else { orig_end = start + len - 1;
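
Review bot: The else branch of btrfs_wait_ordered_range() still computes orig_end = start + len - 1 open-coded, and with start and len both u64 that subtraction wraps when both are 0, a case add_would_overflow(start, len) does not report. If a zero-length call at offset 0 can happen, handle len == 0 before this block. If it cannot, a comment saying that callers never pass len == 0 would keep a later wrap-around sanitizer report here from being a surprise.
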
From patchwork Tue Jan 23 00:27:20 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 190656
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Steve French, Paulo Alcantara, Ronnie Sahlberg, Shyam Prasad N, Tom Talpey, linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 45/82] cifs: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:20 -0800
Message-Id: <20240123002814.1396804-45-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Steve French
Cc: Paulo Alcantara
Cc: Ronnie Sahlberg
Cc: Shyam Prasad N
Cc: Tom Talpey
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Signed-off-by: Kees Cook
---
 fs/smb/client/smb2pdu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index 288199f0b987..85399525f0a7 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c @@ -5007,7 +5007,7 @@ num_entries(int infotype, char *bufstart, char *end_of_buf, char **lastentry, entryptr = bufstart; while (1) { - if (entryptr + next_offset < entryptr || + if (add_would_overflow(entryptr, next_offset) || entryptr + next_offset > end_of_buf || entryptr + next_offset + size > end_of_buf) { cifs_dbg(VFS, "malformed search entry would overflow\n");
@@ -5023,7 +5023,7 @@ num_entries(int infotype, char *bufstart, char *end_of_buf, char **lastentry, len = le32_to_cpu(dir_info->FileNameLength); if (len < 0 || - entryptr + len < entryptr || + add_would_overflow(entryptr, len) || entryptr + len > end_of_buf || entryptr + len + size > end_of_buf) { cifs_dbg(VFS, "directory entry name would overflow frame end of buf %p\n", From patchwork Tue Jan 23 00:27:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 190673 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:7300:2553:b0:103:945f:af90 with SMTP id p19csp74523dyi; Mon, 22 Jan 2024 18:06:33 -0800 (PST) X-Google-Smtp-Source: AGHT+IE3PXq10M4f8Ixc29UHdUy6EiCoL4um+oLhmau8S3b8E7YmcdiS0vMHZjEZisCv+V+si1iu X-Received: by 2002:a17:907:76ca:b0:a2c:2185:6dfe with SMTP id kf10-20020a17090776ca00b00a2c21856dfemr2577948ejc.105.1705975593047; Mon, 22 Jan 2024 18:06:33 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1705975593; cv=pass; d=google.com; s=arc-20160816; b=eYJb++mjoLjwtIk7iSAwvom8rjWO1OZCAiXaRLK1iWktceNp4Q1/Pc/6UJObbrnJdz 2HeiC8J7d5LbsHfD0gxMoucrxrNYpL6k0VH0UJjBxjvh99Z+ueDld9NB1OX/rTTkB6XW PS96eiA9mm6wD1jZ8PDm/iXyFIgAGZC4nyhz9eZL0kiTegjNfbKDXfx5VrF8+p55K6aF fLovCqKDu0NwTzwKaG85jPQc5aSEbyo6tIbabGl84lRHqSedce3qZLwH7/E3zDyJ8SnY +oyseVcEzzhUSnXul/AhWn3sRvjTZdE4FYqkmSFYUJXisqxPQ8mCP0CJ2d3ERRjEvx9G iYEw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=MA2z3IWjgPLju653GpnPneuk8sSXMYIY7MDwgOrEeUA=; fh=rLlkQDNkSmc4X0q3XRSB0ELWbQDE7N50nfWmMCv2SSI=; b=SnbgpX5mkU2lHU1rGvZe9ZY4+lwKfkfwqJz0iDjMFXCydhUH/y8pZ3BOBiNv0A8k64 pjcj8A78Glnk/Whyn6yFD4y1xIlCGwSdLWghnXQI12hWxm8pNylB6BMHwz2824l4gY1Y 4Xz5wyinrLnwtJLu7kA4RuhiUcl1Lkp06J/3a6rLtibLlZpwjlgSbRDsIUOnNnQKy5In 
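Review bot: in the hunk at line 5023, `len` is a signed value (it is tested with `len < 0` on the line above) and is passed to `add_would_overflow()` together with a `char *`. Please state in the commit message or in the helper's documentation what the helper does for a pointer plus a signed operand. Bounding `len` against `end_of_buf - entryptr` would avoid the question and would also cover the `entryptr + len + size` term, which stays open-coded.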
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Herbert Xu, "David S. Miller", Aditya Srivastava, Randy Dunlap, linux-crypto@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 46/82] crypto: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:21 -0800
Message-Id: <20240123002814.1396804-46-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor
places that depend on this kind of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Herbert Xu Cc: "David S. Miller" Cc: Aditya Srivastava Cc: Randy Dunlap Cc: linux-crypto@vger.kernel.org Signed-off-by: Kees Cook --- crypto/adiantum.c | 2 +- drivers/crypto/amcc/crypto4xx_alg.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/adiantum.c b/crypto/adiantum.c index 60f3883b736a..c2f62ca455af 100644 --- a/crypto/adiantum.c +++ b/crypto/adiantum.c @@ -190,7 +190,7 @@ static inline void le128_add(le128 *r, const le128 *v1, const le128 *v2) r->b = cpu_to_le64(x + y); r->a = cpu_to_le64(le64_to_cpu(v1->a) + le64_to_cpu(v2->a) + - (x + y < x)); + (add_would_overflow(x, y))); } /* Subtraction in Z/(2^{128}Z) */ diff --git a/drivers/crypto/amcc/crypto4xx_alg.c b/drivers/crypto/amcc/crypto4xx_alg.c index e0af611a95d8..33f73234ddd9 100644 --- a/drivers/crypto/amcc/crypto4xx_alg.c +++ b/drivers/crypto/amcc/crypto4xx_alg.c 
@@ -251,7 +251,7 @@ crypto4xx_ctr_crypt(struct skcipher_request *req, bool encrypt) * the whole IV is a counter. So fallback if the counter is going to * overlow. */ - if (counter + nblks < counter) { + if (add_would_overflow(counter, nblks)) { SYNC_SKCIPHER_REQUEST_ON_STACK(subreq, ctx->sw_cipher.cipher); int ret; From patchwork Tue Jan 23 00:27:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 190633 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:7300:2553:b0:103:945f:af90 with SMTP id p19csp63055dyi; Mon, 22 Jan 2024 17:32:57 -0800 (PST) X-Google-Smtp-Source: AGHT+IFgnyp2U8opiACY6WAVC3adhT+QTdOFoGBDIqLTZdpfkHKz+ATfRSn+UjeIqXJPKY+CHHjb X-Received: by 2002:a05:620a:1a03:b0:783:2497:1534 with SMTP id bk3-20020a05620a1a0300b0078324971534mr7801478qkb.28.1705973577659; Mon, 22 Jan 2024 17:32:57 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1705973577; cv=pass; d=google.com; s=arc-20160816; b=ZV+ISQDI578UpU0iDMDv/l2soj94GSwIIwwUaNoFkT4GMvTTEkmwU8mKCA9078IL6T lJlsQandoQRzcFk2AWAWeFtAGmAMkMu+BCl7YM6wPle+9k8Y+3iOwOIPdFTuA1BK8ZvJ aea6N5YR+AX6JsbLcKBPpLUTz1YFZlmJ0zNm1i+7UpTl3m6I+Pr4WRH8PGSSs4o11ZDA /aKvj228wMwtfha7qhnQg6TBoC+JxFB5+UyeOoL4FrIDBHK1vRnH6SqSTosX4x57lgC/ 7bFG+klp3NZ3lLALUmn/2UGt8aR2DO8uU2yKoXcFVrW1I30VnEBm08fbdEsWhDlUk0ro Ns0A== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=MJHm0DC5rLzBB/eoWG0LMkWC0jMm/6XONFH952XC3EE=; fh=LVb9PU5DMy77TiljF07+oYddiAeCVOfYgx3fBM+ukEY=; b=IK2gpzh8KYS7wvn4ieqYonsHgxEq6klMl5d7utUCujbXzfbrQWyr1rOZQDI0nPuWjq 8M3J3Tg/g/gP7rL7W9KHeXKqVMy9d+Czq7xXdMlc0nnvuGO7yHAZQ3w+DZ55UwYauvzs 1aw02AhQbPMdNtkdNCGULGJhY8/u3xXBaS22PGpE0QH4zRbzZwk4D0NIJz9A2L4lwTCx 
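Review bot: in the crypto/adiantum.c hunk, the result of `add_would_overflow(x, y)` is added into `r->a` as the carry of a 128-bit addition, so the code relies on the helper evaluating to exactly 0 or 1; that should be guaranteed in the helper's documentation. The line above, `r->b = cpu_to_le64(x + y)`, still performs the same intentionally wrapping sum open-coded, so a form that returns the wrapped sum and the carry from one call would keep the pair consistent under a wrap-around sanitizer. The extra parentheses around the call can go.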
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Alasdair Kergon, Mike Snitzer, Mikulas Patocka, dm-devel@lists.linux.dev, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 47/82] dm verity: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:22 -0800
Message-Id: <20240123002814.1396804-47-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend
on this kind of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Alasdair Kergon Cc: Mike Snitzer Cc: Mikulas Patocka Cc: dm-devel@lists.linux.dev Signed-off-by: Kees Cook Reviewed-by: Mike Snitzer --- drivers/md/dm-switch.c | 2 +- drivers/md/dm-verity-target.c | 2 +- drivers/md/dm-writecache.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/md/dm-switch.c b/drivers/md/dm-switch.c index dfd9fb52a6f3..9053d7e65603 100644 --- a/drivers/md/dm-switch.c +++ b/drivers/md/dm-switch.c @@ -410,7 +410,7 @@ static int process_set_region_mappings(struct switch_ctx *sctx, cycle_length - 1, region_index); return -EINVAL; } - if (unlikely(region_index + num_write < region_index) || + if (unlikely(add_would_overflow(region_index, num_write)) || unlikely(region_index + num_write >= sctx->nr_regions)) { DMWARN("invalid set_region_mappings region number: %lu + %lu >= %lu", region_index, num_write, sctx->nr_regions); diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c index 14e58ae70521..f2676c8c83c0 100644 --- a/drivers/md/dm-verity-target.c +++ b/drivers/md/dm-verity-target.c 
@@ -1392,7 +1392,7 @@ static int verity_ctr(struct dm_target *ti, unsigned int argc, char **argv) v->hash_level_block[i] = hash_position; s = (v->data_blocks + ((sector_t)1 << ((i + 1) * v->hash_per_block_bits)) - 1) >> ((i + 1) * v->hash_per_block_bits); - if (hash_position + s < hash_position) { + if (add_would_overflow(hash_position, s)) { ti->error = "Hash device offset overflow"; r = -E2BIG; goto bad; diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c index 074cb785eafc..45e54edd24aa 100644 --- a/drivers/md/dm-writecache.c +++ b/drivers/md/dm-writecache.c 
@@ -2631,7 +2631,7 @@ static int writecache_ctr(struct dm_target *ti, unsigned int argc, char **argv) offset = (offset + wc->block_size - 1) & ~(size_t)(wc->block_size - 1); data_size = wc->n_blocks * (size_t)wc->block_size; if (!offset || (data_size / wc->block_size != wc->n_blocks) || - (offset + data_size < offset)) + (add_would_overflow(offset, data_size))) goto overflow; if (offset + data_size > wc->memory_map_size) { ti->error = "Memory area is too small"; From patchwork Tue Jan 23 00:27:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 190659 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:7300:2553:b0:103:945f:af90 with SMTP id p19csp69663dyi; Mon, 22 Jan 2024 17:53:30 -0800 (PST) X-Google-Smtp-Source: AGHT+IG2SWRqlUZI/jj6biz6KdtWYIsHbT9oMSOiak6YEikrxrcak74OSyTcrtZXPcgqpHVWvJkX X-Received: by 2002:a05:6e02:1b0e:b0:35f:b29c:d2ab with SMTP id i14-20020a056e021b0e00b0035fb29cd2abmr8896871ilv.34.1705974810213; Mon, 22 Jan 2024 17:53:30 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1705974810; cv=pass; d=google.com; s=arc-20160816; b=JfKGIPLJTqnkFfdE0l5VV1h4COKjDunYTz1AGwet4i6DKLg7I2q6YJ1aaSY2CUVDI5 ct29DxZyeSQrqbsFGKSxVQKY4/hWcGkM0c9zjQZriRHiHBb4rjGS6VWlbNyqkQpJ0Ci+ uUblr0higXwy/UCLnqH4fP7VzNtlj/tQB9a5s3lD2frQmFK+9L5oIXIKosp2naUq2d0J 1xF+XsXzkL9Pm84LWO+AThkNKbF2iIxWHvOi4wTS3OrvVAeQQfJ7dDdDm9Nw7bfQAsAD VnXfhEDnveLYv+YzcuZsraAABuDPErfdc2yXeiIVBrZk8/zh7MGWP4XqzF93xKN7/jup ScdA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=HbagvK/BQHg13GLlZBGhyNRG5sgL74HVCqkvwUtdz7s=; fh=pbOq61/rQaVQwB8iiFFmm1GosivxYWg0da1f4IbVgDU=; b=l3+f7lNqh8UURl0pQBzbjdeOxPyMupfuLBYF2CLAlVXQ81Ml1m0YQ2x+Ia7sqRyiU5 
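Review bot: in the drivers/md/dm-writecache.c hunk, the condition just before the converted line, `data_size / wc->block_size != wc->n_blocks`, is an open-coded wrap-around test for the multiplication `wc->n_blocks * (size_t)wc->block_size` and is left as it is. Since this series is about separating intentional wrap-around from unexpected wrap-around, that product wants the same treatment, for example with `check_mul_overflow()`. The parentheses around `add_would_overflow(offset, data_size)` are redundant.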
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Karol Herbst, Lyude Paul, Danilo Krummrich, David Airlie, Daniel Vetter, Dave Airlie, Ben Skeggs, dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 48/82] drm/nouveau/mmu: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:23 -0800
Message-Id: <20240123002814.1396804-48-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

In an effort to separate
intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Karol Herbst Cc: Lyude Paul Cc: Danilo Krummrich Cc: David Airlie Cc: Daniel Vetter Cc: Dave Airlie Cc: Ben Skeggs Cc: dri-devel@lists.freedesktop.org Cc: nouveau@lists.freedesktop.org Signed-off-by: Kees Cook --- drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c index 6ca1a82ccbc1..87c0903be9a7 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c 
@@ -1291,7 +1291,7 @@ nvkm_vmm_pfn_map(struct nvkm_vmm *vmm, u8 shift, u64 addr, u64 size, u64 *pfn) if (!page->shift || !IS_ALIGNED(addr, 1ULL << shift) || !IS_ALIGNED(size, 1ULL << shift) || - addr + size < addr || addr + size > vmm->limit) { + add_would_overflow(addr, size) || addr + size > vmm->limit) { VMM_DEBUG(vmm, "paged map %d %d %016llx %016llx\n", shift, page->shift, addr, size); return -EINVAL;
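Review bot: in nvkm_vmm_pfn_map() the replacement line still adds addr + size a second time for the vmm->limit comparison, so the condition only stays wrap-free because of the || ordering; a later reorder of these clauses would reintroduce the wrap that the sanitizers are meant to catch. Since addr and size are both u64 here, consider computing the end once with check_add_overflow(addr, size, &end) and comparing end against vmm->limit, which keeps the test and the use of the sum in one place.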
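The wrap test these commit messages describe, as an added userspace illustration (not code from the series or the kernel). `demo_add_would_overflow()` is a hypothetical stand-in built on the GCC/Clang `__builtin_add_overflow()` and assumed to check in the type of its first argument; the addresses and limit are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical userspace stand-in for the series' add_would_overflow():
 * true when a + b does not fit in the type of a; the sum is discarded.
 * Assumption: the check is done in the type of the FIRST argument.
 * Built on the GCC/Clang __builtin_add_overflow().
 */
#define demo_add_would_overflow(a, b) \
	__extension__({ __typeof__(a) sum_; __builtin_add_overflow((a), (b), &sum_); })

/* Constructed sample values, not taken from any driver. */
#define DEMO_LIMIT	0x0000FFFFFFFFFFFFULL
#define DEMO_HIGH_ADDR	0xFFFFFFFFFFFFF000ULL

/* No wrap test at all: the bug class the idiom exists to prevent. */
static bool range_ok_unchecked(uint64_t addr, uint64_t size, uint64_t limit)
{
	return addr + size <= limit;	/* a wrapped sum looks small */
}

/* Open-coded idiom from the commit message: VAR + value < VAR. */
static bool range_ok_open_coded(uint64_t addr, uint64_t size, uint64_t limit)
{
	return !(addr + size < addr || addr + size > limit);
}

/* Same decision with the wrap test named; the remaining '+' cannot wrap. */
static bool range_ok_helper(uint64_t addr, uint64_t size, uint64_t limit)
{
	return !(demo_add_would_overflow(addr, size) || addr + size > limit);
}

/*
 * Signed operands: a + b < a is undefined in ISO C once the sum overflows,
 * so only the builtin is used here.
 */
static bool int_add_wraps(int a, int b)
{
	return demo_add_would_overflow(a, b);
}

/* Mixed widths, open-coded: the sum is computed in 64 bits, so a small
 * step cannot wrap it. */
static bool u32_wraps_open_coded(uint32_t counter, uint64_t step)
{
	return counter + step < counter;
}

/* Mixed widths, stand-in helper: checked against the 32-bit type of counter. */
static bool u32_wraps_helper(uint32_t counter, uint64_t step)
{
	return demo_add_would_overflow(counter, step);
}

int main(void)
{
	printf("wrapping request: unchecked=%d open-coded=%d helper=%d\n",
	       range_ok_unchecked(DEMO_HIGH_ADDR, 0x2000, DEMO_LIMIT),
	       range_ok_open_coded(DEMO_HIGH_ADDR, 0x2000, DEMO_LIMIT),
	       range_ok_helper(DEMO_HIGH_ADDR, 0x2000, DEMO_LIMIT));
	printf("in-range request: unchecked=%d open-coded=%d helper=%d\n",
	       range_ok_unchecked(0x1000, 0x2000, DEMO_LIMIT),
	       range_ok_open_coded(0x1000, 0x2000, DEMO_LIMIT),
	       range_ok_helper(0x1000, 0x2000, DEMO_LIMIT));
	printf("INT_MAX + 1 wraps: %d, 5 + -1 wraps: %d\n",
	       int_add_wraps(INT_MAX, 1), int_add_wraps(5, -1));
	printf("u32 0xFFFFFFFF + 1: open-coded=%d helper=%d\n",
	       u32_wraps_open_coded(0xFFFFFFFFu, 1),
	       u32_wraps_helper(0xFFFFFFFFu, 1));
	return 0;
}
```

The last pair shows why operand types matter when converting the idiom: the open-coded form and a helper that checks in the narrower type disagree on the same values.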
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, Tvrtko Ursulin, David Airlie, Daniel Vetter, intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 49/82] drm/i915: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:24 -0800
Message-Id: <20240123002814.1396804-49-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Maarten Lankhorst
Cc: Maxime Ripard
Cc: Thomas Zimmermann
Cc: Jani Nikula
Cc: Joonas Lahtinen
Cc: Rodrigo Vivi
Cc: Tvrtko Ursulin
Cc: David Airlie
Cc: Daniel Vetter
Cc: intel-gfx@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
--- drivers/gpu/drm/i915/i915_vma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/i915_vma.c b/drivers/gpu/drm/i915/i915_vma.c index d09aad34ba37..1a4f048a5df9 100644 --- a/drivers/gpu/drm/i915/i915_vma.c +++ b/drivers/gpu/drm/i915/i915_vma.c
@@ -1535,7 +1535,7 @@ int i915_vma_pin_ww(struct i915_vma *vma, struct i915_gem_ww_ctx *ww, goto err_remove; /* There should only be at most 2 active bindings (user, global) */ - GEM_BUG_ON(bound + I915_VMA_PAGES_ACTIVE < bound); + GEM_BUG_ON(add_would_overflow(bound, I915_VMA_PAGES_ACTIVE)); atomic_add(I915_VMA_PAGES_ACTIVE, &vma->pages_count); list_move_tail(&vma->vm_link, &vma->vm->bound_list);
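Review bot: the new GEM_BUG_ON(add_would_overflow(bound, I915_VMA_PAGES_ACTIVE)) line is only equivalent to the removed one if the helper checks in the same type the old expression was evaluated in. The declarations of bound and I915_VMA_PAGES_ACTIVE are not visible in this hunk; if the constant is wider than bound, bound + I915_VMA_PAGES_ACTIVE < bound was computed in the wider type after the usual arithmetic conversions, and the assertion could now trip on different values than before. Please state the operand types in the commit message, or cast explicitly at the call site, so a reader can confirm that behaviour is unchanged.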
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Maxime Ripard, Maarten Lankhorst, Thomas Zimmermann, David Airlie, Daniel Vetter, dri-devel@lists.freedesktop.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 50/82] drm/vc4: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:25 -0800
Message-Id: <20240123002814.1396804-50-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Maxime Ripard
Cc: Maarten Lankhorst
Cc: Thomas Zimmermann
Cc: David Airlie
Cc: Daniel Vetter
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
--- drivers/gpu/drm/vc4/vc4_validate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vc4/vc4_validate.c b/drivers/gpu/drm/vc4/vc4_validate.c index 9affba9c58b3..677d9975f888 100644 --- a/drivers/gpu/drm/vc4/vc4_validate.c +++ b/drivers/gpu/drm/vc4/vc4_validate.c
@@ -206,7 +206,7 @@ vc4_check_tex_size(struct vc4_exec_info *exec, struct drm_gem_dma_object *fbo, stride = aligned_width * cpp; size = stride * aligned_height; - if (size + offset < size || + if (add_would_overflow(size, offset) || size + offset > fbo->base.size) { DRM_DEBUG("Overflow in %dx%d (%dx%d) fbo size (%d + %d > %zd)\n", width, height,
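Review bot: in vc4_check_tex_size() the two context lines above the changed test, stride = aligned_width * cpp and size = stride * aligned_height, are unchecked multiplications feeding the size that add_would_overflow(size, offset) then trusts. If wrap-around there is not intended, this refactor leaves it unmarked and the bounds check against fbo->base.size can be handed an already wrapped size, in which case check_mul_overflow() would be the matching helper; if it is ruled out earlier in the function, a comment saying where would help. Either way the commit message should say why only the addition is converted.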
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Theodore Ts'o", Andreas Dilger, linux-ext4@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 51/82] ext4: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:26 -0800
Message-Id: <20240123002814.1396804-51-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: "Theodore Ts'o"
Cc: Andreas Dilger
Cc: linux-ext4@vger.kernel.org
Signed-off-by: Kees Cook
--- fs/ext4/block_validity.c | 2 +- fs/ext4/resize.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c index 6fe3c941b565..85f859979d2f 100644 --- a/fs/ext4/block_validity.c +++ b/fs/ext4/block_validity.c @@ -302,7 +302,7 @@ int ext4_sb_block_valid(struct super_block *sb, struct inode *inode, int ret = 1; if ((start_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) || - (start_blk + count < start_blk) || + (add_would_overflow(start_blk, count)) || (start_blk + count > ext4_blocks_count(sbi->s_es))) return 0; diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c index 4d4a5a32e310..fb8d3745d031 100644 --- a/fs/ext4/resize.c +++ b/fs/ext4/resize.c
@@ -1871,7 +1871,7 @@ int ext4_group_extend(struct super_block *sb, struct ext4_super_block *es, add = EXT4_BLOCKS_PER_GROUP(sb) - last; - if (o_blocks_count + add < o_blocks_count) { + if (add_would_overflow(o_blocks_count, add)) { ext4_warning(sb, "blocks_count overflow"); return -EINVAL; }
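Review bot: In the fs/ext4/block_validity.c hunk, the line after the new add_would_overflow(start_blk, count) test still adds start_blk + count by hand for the upper-bound comparison, so the same addition appears twice and its safety rests on || short-circuiting in exactly this order. Consider computing the sum once with check_add_overflow() into a local and comparing that against ext4_blocks_count(sbi->s_es), or add a comment that the ordering of the three operands is load-bearing.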
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Jaegeuk Kim, Chao Yu, linux-f2fs-devel@lists.sourceforge.net, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 52/82] f2fs: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:27 -0800
Message-Id: <20240123002814.1396804-52-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Jaegeuk Kim
Cc: Chao Yu
Cc: linux-f2fs-devel@lists.sourceforge.net
Signed-off-by: Kees Cook
---
 fs/f2fs/file.c | 2 +-
 fs/f2fs/verity.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index b58ab1157b7e..6360efb98f64 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -2819,7 +2819,7 @@ static int f2fs_move_file_range(struct file *file_in, loff_t pos_in, } ret = -EINVAL; - if (pos_in + len > src->i_size || pos_in + len < pos_in) + if (pos_in + len > src->i_size || add_would_overflow(pos_in, len)) goto out_unlock; if (len == 0) olen = len = src->i_size - pos_in; diff --git a/fs/f2fs/verity.c b/fs/f2fs/verity.c index 4fc95f353a7a..b641cb8d75e8 100644 --- a/fs/f2fs/verity.c +++ b/fs/f2fs/verity.c
@@ -237,7 +237,7 @@ static int f2fs_get_verity_descriptor(struct inode *inode, void *buf, pos = le64_to_cpu(dloc.pos); /* Get the descriptor */ - if (pos + size < pos || pos + size > inode->i_sb->s_maxbytes || + if (add_would_overflow(pos, size) || pos + size > inode->i_sb->s_maxbytes || pos < f2fs_verity_metadata_pos(inode) || size > INT_MAX) { f2fs_warn(F2FS_I_SB(inode), "invalid verity xattr"); f2fs_handle_error(F2FS_I_SB(inode),
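Review bot: In the fs/f2fs/file.c hunk, pos_in + len > src->i_size is still the first operand of the ||, so the open-coded addition on a loff_t runs before add_would_overflow(pos_in, len) is consulted. That is the unchecked wrap this series wants instrumented, and a wrap-around sanitizer would fire on the very inputs the second operand is meant to reject. Put the add_would_overflow() test first, as the fs/f2fs/verity.c hunk in this patch already does.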
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Alexander Viro, Christian Brauner, Jan Kara, linux-fsdevel@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 53/82] fs: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:28 -0800
Message-Id: <20240123002814.1396804-53-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Alexander Viro
Cc: Christian Brauner
Cc: Jan Kara
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed-by: Jan Kara
---
 fs/remap_range.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/remap_range.c b/fs/remap_range.c index f8c1120b8311..15e91bf2c5e3 100644 --- a/fs/remap_range.c +++ b/fs/remap_range.c
@@ -45,7 +45,7 @@ static int generic_remap_checks(struct file *file_in, loff_t pos_in, return -EINVAL; /* Ensure offsets don't wrap. */ - if (pos_in + count < pos_in || pos_out + count < pos_out) + if (add_would_overflow(pos_in, count) || add_would_overflow(pos_out, count)) return -EINVAL; size_in = i_size_read(inode_in);
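Review bot: The replacement condition in generic_remap_checks() is 76 characters before indentation, which puts it past the 80-column preference once it sits inside the function body. Break the line after the || so each add_would_overflow() call stands on its own line; that also makes the pos_in and pos_out checks easier to compare at a glance.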
From: Kees Cook To: linux-hardening@vger.kernel.org Cc: Kees Cook , Mikulas Patocka , "Gustavo A. R. Silva" , Bill Wendling , Justin Stitt , linux-kernel@vger.kernel.org Subject: [PATCH 54/82] hpfs: Refactor intentional wrap-around test Date: Mon, 22 Jan 2024 16:27:29 -0800 Message-Id: <20240123002814.1396804-54-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240122235208.work.748-kees@kernel.org> References: <20240122235208.work.748-kees@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=1821; i=keescook@chromium.org; h=from:subject; bh=56np0SyxUjCTgMP+9tKKP1D3ChYs2w37QiPXxMh01j8=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBlrwgJNeBYHmccG3P4Um7r7rC1q7zY4IG1ilwQC 7i8d6Fb8H6JAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZa8ICQAKCRCJcvTf3G3A JnqxD/4jJwT6D13eg4925zRy0AvUOgOehBe9WOd2FtYf+6bVVSdyEMjk90RP6WW4WsjI4hht0Ol BdSWyL3oTgr2ZAXh5YwVa82/Y+sf4kuijkik4GAbUTqi1BLIHtWDkSd4qF69MbAL6gqMtyV15lu wFL4M5BLZHqglughQKr7/pADyG2O1WB2zUNNlEYkJDrMip8nw5zPPfsOXV4ym75dff4zjiJT91U 0vud2HVt+gkr5Qly4EosO5ixEPfR/r6cYZjqvai4nGnq40/Ob97pVDcA4+mzBrAVag2NMlHLnVQ Jgkkx1V/1PGHUEC7Qk8ax5o/8lCH92qV1AHbM4EVTtWBZgFWE/bi0Dp9I2lqIPNrvpjKkq45qq/ Qn9ixqv3ShkNNVEUOEdRVc0mHG80mjA1KaPcFSjE3DZyGteYRvUJbCDAoqwVk47P5ruf8ZXZVmY lKiybeBY0mxvE4Hq2y/Ozd3u7ZRlrdiaGwUtrCv4tA9LpdCO4eqAQ6TFfdAb1JCMPdeWbt98xeZ fMqY48reU5uEP7W4SvEHEadhdzEnG+rNP3eXWpwK8SQFkwelNC2te384HJnc9B9/jP/U0m9JWBD KhDIRXBSMYc1RbWug7wZRLrFutl9+bDk84ozLU4+oD7wAs88uRWLLYXn2jqr5zx3PTCQg9/SDtv 78aI/3WraN+2U4A== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1788842114478624452 X-GMAIL-MSGID: 1788842114478624452 In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. 
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Mikulas Patocka
Signed-off-by: Kees Cook
--- fs/hpfs/alloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/hpfs/alloc.c b/fs/hpfs/alloc.c index 66617b1557c6..e9c7cc6033b5 100644 --- a/fs/hpfs/alloc.c +++ b/fs/hpfs/alloc.c
@@ -99,7 +99,7 @@ static int chk_if_allocated(struct super_block *s, secno sec, char *msg) int hpfs_chk_sectors(struct super_block *s, secno start, int len, char *msg) { - if (start + len < start || start < 0x12 || + if (add_would_overflow(start, len) || start < 0x12 || start + len > hpfs_sb(s)->sb_fs_size) { hpfs_error(s, "sector(s) '%s' badly placed at %08x", msg, start); return 1;
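Review bot: hpfs_chk_sectors() takes an int len next to a secno start, so the two operands of add_would_overflow(start, len) differ in signedness, and the changelog does not say whether the helper treats a negative len the way the open-coded "start + len < start" did. If secno is unsigned, the old test also rejected a negative len as a side effect of the implicit conversion; please confirm the helper preserves that, or add an explicit len < 0 check ahead of it. The unchanged "start + len > hpfs_sb(s)->sb_fs_size" on the following line is still an open-coded addition that depends on the first test having short-circuited, which deserves a comment if the sanitizers are going to instrument it.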
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, Vincenzo Frascino, Andrew Morton, kasan-dev@googlegroups.com, linux-mm@kvack.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 55/82] kasan: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:30 -0800
Message-Id: <20240123002814.1396804-55-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic
wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Andrey Ryabinin
Cc: Alexander Potapenko
Cc: Andrey Konovalov
Cc: Dmitry Vyukov
Cc: Vincenzo Frascino
Cc: Andrew Morton
Cc: kasan-dev@googlegroups.com
Cc: linux-mm@kvack.org
Signed-off-by: Kees Cook
--- mm/kasan/generic.c | 2 +- mm/kasan/sw_tags.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c index df6627f62402..f9bc29ae09bd 100644 --- a/mm/kasan/generic.c +++ b/mm/kasan/generic.c @@ -171,7 +171,7 @@ static __always_inline bool check_region_inline(const void *addr, if (unlikely(size == 0)) return true; - if (unlikely(addr + size < addr)) + if (unlikely(add_would_overflow(addr, size))) return !kasan_report(addr, size, write, ret_ip); if (unlikely(!addr_has_metadata(addr))) diff --git a/mm/kasan/sw_tags.c b/mm/kasan/sw_tags.c index 220b5d4c6876..79a3bbd66c32 100644 --- a/mm/kasan/sw_tags.c +++ b/mm/kasan/sw_tags.c
@@ -80,7 +80,7 @@ bool kasan_check_range(const void *addr, size_t size, bool write, if (unlikely(size == 0)) return true; - if (unlikely(addr + size < addr)) + if (unlikely(add_would_overflow(addr, size))) return !kasan_report(addr, size, write, ret_ip); tag = get_tag((const void *)addr);
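Review bot: Both call sites, check_region_inline() in generic.c and kasan_check_range() in sw_tags.c, pass a const void * as the first operand of add_would_overflow(), so these hunks only build if the helper accepts pointer operands; the changelog lists pointer types as a goal but does not name the patch in the series that provides that support. Naming that dependency in the commit message would let this change be reviewed or backported on its own.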
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Gustavo A. R. Silva", Andrew Morton, linux-mm@kvack.org, Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 56/82] usercopy: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:31 -0800
Message-Id: <20240123002814.1396804-56-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Kees Cook
Cc: "Gustavo A. R. Silva"
Cc: Andrew Morton
Cc: linux-hardening@vger.kernel.org
Cc: linux-mm@kvack.org
Cc: Gustavo A. R. Silva
Signed-off-by: Kees Cook
--- mm/usercopy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/usercopy.c b/mm/usercopy.c index 83c164aba6e0..5141c4402903 100644 --- a/mm/usercopy.c +++ b/mm/usercopy.c
@@ -151,7 +151,7 @@ static inline void check_bogus_address(const unsigned long ptr, unsigned long n, bool to_user) { /* Reject if object wraps past end of memory. */ - if (ptr + (n - 1) < ptr) + if (add_would_overflow(ptr, (n - 1))) usercopy_abort("wrapped address", NULL, to_user, 0, ptr + n); /* Reject if NULL or ZERO-allocation. */
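Review bot: In check_bogus_address() the second operand is still computed as n - 1 on an unsigned long before the helper sees it, so for n == 0 the subtraction itself wraps, which is the kind of unannotated wrap-around this series wants the sanitizers to flag. Either state in the changelog that callers guarantee n != 0 at this point or handle the zero case ahead of this test; the extra parentheses around n - 1 in the argument can also go. The ptr + n handed to usercopy_abort() on the next line is a second open-coded addition, evaluated on the path where the sum is already known to wrap.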
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Marc Zyngier, Oliver Upton, James Morse, Suzuki K Poulose, Zenghui Yu, Catalin Marinas, Will Deacon, Eric Auger, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 57/82] KVM: arm64: vgic-v3: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:32 -0800
Message-Id: <20240123002814.1396804-57-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort
to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Marc Zyngier Cc: Oliver Upton Cc: James Morse Cc: Suzuki K Poulose Cc: Zenghui Yu Cc: Catalin Marinas Cc: Will Deacon Cc: Eric Auger Cc: linux-arm-kernel@lists.infradead.org Cc: kvmarm@lists.linux.dev Signed-off-by: Kees Cook Acked-by: Marc Zyngier Reviewed-by: Eric Auger --- arch/arm64/kvm/vgic/vgic-mmio-v3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/kvm/vgic/vgic-mmio-v3.c b/arch/arm64/kvm/vgic/vgic-mmio-v3.c index c15ee1df036a..860b774c0c13 100644 --- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c +++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c 
@@ -863,7 +863,7 @@ static int vgic_v3_alloc_redist_region(struct kvm *kvm, uint32_t index, int ret; /* cross the end of memory ? */ - if (base + size < base) + if (add_would_overflow(base, size)) return -EINVAL; if (list_empty(rd_regions)) {
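Review bot: in vgic_v3_alloc_redist_region() the declarations of base and size fall outside this hunk, so the diff alone does not show that add_would_overflow(base, size) tests at the same width as the old `base + size < base`, which was evaluated at the common type of the two operands. Please state the operand types in the changelog, or confirm that both are the same unsigned type, so that the set of inputs rejected with -EINVAL is unchanged. The diffstat shows a one-line change with no #include added, so the file must already reach the header that defines the helper.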
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Christian Borntraeger, Janosch Frank, Claudio Imbrenda, David Hildenbrand, Alexander Gordeev, Gerald Schaefer, Heiko Carstens, Vasily Gorbik, Sven Schnelle, kvm@vger.kernel.org, linux-s390@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 58/82] s390/mm: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:33 -0800
Message-Id: <20240123002814.1396804-58-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Christian Borntraeger
Cc: Janosch Frank
Cc: Claudio Imbrenda
Cc: David Hildenbrand
Cc: Alexander Gordeev
Cc: Gerald Schaefer
Cc: Heiko Carstens
Cc: Vasily Gorbik
Cc: Sven Schnelle
Cc: kvm@vger.kernel.org
Cc: linux-s390@vger.kernel.org
Signed-off-by: Kees Cook
---
 arch/s390/mm/gmap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c index 6f96b5a71c63..977b61ab59f2 100644 --- a/arch/s390/mm/gmap.c +++ b/arch/s390/mm/gmap.c @@ -411,7 +411,7 @@ int gmap_unmap_segment(struct gmap *gmap, unsigned long to, unsigned long len) BUG_ON(gmap_is_shadow(gmap)); if ((to | len) & (PMD_SIZE - 1)) return -EINVAL; - if (len == 0 || to + len < to) + if (len == 0 || add_would_overflow(to, len)) return -EINVAL; flush = 0;
@@ -443,7 +443,7 @@ int gmap_map_segment(struct gmap *gmap, unsigned long from, BUG_ON(gmap_is_shadow(gmap)); if ((from | to | len) & (PMD_SIZE - 1)) return -EINVAL; - if (len == 0 || from + len < from || to + len < to || + if (len == 0 || add_would_overflow(from, len) || add_would_overflow(to, len) || from + len - 1 > TASK_SIZE_MAX || to + len - 1 > gmap->asce_end) return -EINVAL;
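Review bot: in gmap_map_segment() the unchanged continuation `from + len - 1 > TASK_SIZE_MAX || to + len - 1 > gmap->asce_end` still does open-coded addition, and it stays wrap-free only because the two add_would_overflow() tests sit earlier in the same || chain and short-circuit first. A short comment saying that the bound checks rely on that ordering would keep a later reshuffle of the condition from reintroducing a wrap once the sanitizers are enabled. The new first line of the condition is also 79 characters before indentation, so consider breaking it after the first add_would_overflow() term.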
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrew Morton, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 59/82] lib/scatterlist: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:34 -0800
Message-Id: <20240123002814.1396804-59-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Andrew Morton
Signed-off-by: Kees Cook
---
 lib/scatterlist.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/scatterlist.c b/lib/scatterlist.c index 68b45c82c37a..121905119bbc 100644 --- a/lib/scatterlist.c +++ b/lib/scatterlist.c
@@ -624,7 +624,7 @@ struct scatterlist *sgl_alloc_order(unsigned long long length, nalloc = nent; if (chainable) { /* Check for integer overflow */ - if (nalloc + 1 < nalloc) + if (add_would_overflow(nalloc, 1)) return NULL; nalloc++; }
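Review bot: in the `if (chainable)` block of sgl_alloc_order() the new test and the `nalloc++` two lines below it perform the same addition twice, once to check and once to store. check_add_overflow(nalloc, 1, &nalloc) from include/linux/overflow.h would do both in one step and leave no separate unchecked increment behind. If the two-step form is kept so that nalloc is untouched on the failure path, say so in the existing /* Check for integer overflow */ comment.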
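The wrap-around test that the commit messages above describe, as an added userspace C example that is not part of the patch series: it compares the open-coded unsigned test with a compiler-checked one and shows what a range check in the shape of the s390 hunk accepts when the wrap test is left out. The kernel's add_would_overflow() definition is not shown on this page, so the GCC/Clang builtin `__builtin_add_overflow()` stands in for it; all function names, `DEMO_*` constants and sample values are constructed for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed segment size; it only plays the role PMD_SIZE has in the hunk. */
#define DEMO_SEG_SIZE	0x100000UL
/* Constructed upper bound, in the role of TASK_SIZE_MAX / asce_end. */
#define DEMO_LIMIT	(64 * DEMO_SEG_SIZE - 1)
/* Highest aligned segment start: adding two segments wraps past zero. */
#define DEMO_TOP_SEG	(ULONG_MAX - (DEMO_SEG_SIZE - 1))

/* Open-coded form from the commit message: VAR + value < VAR (unsigned only). */
static bool open_coded_would_wrap(unsigned long a, unsigned long b)
{
	return a + b < a;
}

/* Stand-in helper (assumption): the compiler reports whether a + b fits. */
static bool ulong_add_would_overflow(unsigned long a, unsigned long b)
{
	unsigned long sum;

	return __builtin_add_overflow(a, b, &sum);
}

/* Same question for a signed type, where a + b < a would be undefined. */
static bool int_add_would_overflow(int a, int b)
{
	int sum;

	return __builtin_add_overflow(a, b, &sum);
}

/* Range check in the order the s390 hunk uses: wrap test, then bound. */
static int demo_check_segment(unsigned long from, unsigned long len,
			      unsigned long limit)
{
	if ((from | len) & (DEMO_SEG_SIZE - 1))
		return -1;
	if (len == 0 || ulong_add_would_overflow(from, len))
		return -1;
	/* from + len cannot wrap here, so the bound comparison is meaningful. */
	if (from + len - 1 > limit)
		return -1;
	return 0;
}

/* The same check with the wrap test left out, to show what it prevents. */
static int demo_check_segment_unguarded(unsigned long from, unsigned long len,
					unsigned long limit)
{
	if ((from | len) & (DEMO_SEG_SIZE - 1))
		return -1;
	if (len == 0)
		return -1;
	if (from + len - 1 > limit)	/* wraps for a range crossing the top */
		return -1;
	return 0;
}

/* Count boundary inputs where the open-coded test and the builtin disagree. */
static int count_mismatches(void)
{
	static const unsigned long v[] = {
		0, 1, DEMO_SEG_SIZE, ULONG_MAX / 2, ULONG_MAX / 2 + 1,
		DEMO_TOP_SEG, ULONG_MAX - 1, ULONG_MAX,
	};
	const int n = sizeof(v) / sizeof(v[0]);
	int bad = 0;

	for (int i = 0; i < n; i++)
		for (int j = 0; j < n; j++)
			if (open_coded_would_wrap(v[i], v[j]) !=
			    ulong_add_would_overflow(v[i], v[j]))
				bad++;
	return bad;
}

int main(void)
{
	unsigned long from = DEMO_TOP_SEG, len = 2 * DEMO_SEG_SIZE;

	printf("guarded check on wrapping range:   %d\n",
	       demo_check_segment(from, len, DEMO_LIMIT));
	printf("unguarded check on wrapping range: %d\n",
	       demo_check_segment_unguarded(from, len, DEMO_LIMIT));
	printf("INT_MAX + 1 would overflow:        %d\n",
	       int_add_would_overflow(INT_MAX, 1));
	printf("unsigned mismatches:               %d\n", count_mismatches());
	return 0;
}
```

The unguarded variant accepts the constructed range because `from + len - 1` wraps to a small value below the limit, which is the case the wrap test in front of the bound comparison exists to reject.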
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Michael Ellerman, Nicholas Piggin, Christophe Leroy, "Aneesh Kumar K.V", "Naveen N. Rao", Mahesh Salgaonkar, Vasant Hegde, dingsenjie, linuxppc-dev@lists.ozlabs.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 60/82] powerpc: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:35 -0800
Message-Id: <20240123002814.1396804-60-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Michael Ellerman
Cc: Nicholas Piggin
Cc: Christophe Leroy
Cc: "Aneesh Kumar K.V"
Cc: "Naveen N. Rao"
Cc: Mahesh Salgaonkar
Cc: Vasant Hegde
Cc: dingsenjie
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Aneesh Kumar K.V
Cc: Naveen N. Rao
Signed-off-by: Kees Cook
Acked-by: Michael Ellerman (powerpc)
--- arch/powerpc/platforms/powernv/opal-prd.c | 2 +- arch/powerpc/xmon/xmon.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/platforms/powernv/opal-prd.c b/arch/powerpc/platforms/powernv/opal-prd.c index b66b06efcef1..eaf95dc82925 100644 --- a/arch/powerpc/platforms/powernv/opal-prd.c +++ b/arch/powerpc/platforms/powernv/opal-prd.c @@ -51,7 +51,7 @@ static bool opal_prd_range_is_valid(uint64_t addr, uint64_t size) struct device_node *parent, *node; bool found; - if (addr + size < addr) + if (add_would_overflow(addr, size)) return false; parent = of_find_node_by_path("/reserved-memory"); 
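Review bot: add_would_overflow() is called in opal_prd_range_is_valid() but the diffstat shows one insertion and one deletion per file, so no #include is added here; please confirm opal-prd.c already reaches the header that defines the helper through its existing includes. Both operands are uint64_t, so the old `addr + size < addr` test was well defined and this is an annotation-only change; a sentence in the commit message saying so would help, since the shared text talks mostly about signed and pointer undefined behavior.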
diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c index b3b94cd37713..b91fdda49434 100644 --- a/arch/powerpc/xmon/xmon.c +++ b/arch/powerpc/xmon/xmon.c 
@@ -3252,7 +3252,7 @@ memzcan(void) } else if (!ok && ook) printf("%.8lx\n", a - mskip); ook = ok; - if (a + mskip < a) + if (add_would_overflow(a, mskip)) break; } if (ook)
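Review bot: in memzcan() the declarations of `a` and `mskip` are outside the hunk context, and `add_would_overflow(a, mskip)` is only guaranteed to match `a + mskip < a` if both have the same width. The old expression is evaluated in the wider of the two types after the usual arithmetic conversions, so if the helper checks against the type of its first argument the break condition of the scan loop can change. Please state the two types in the commit message, or cast explicitly, so it is clear whether a behavior change is intended.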
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Sathya Prakash, Sreekanth Reddy, Suganath Prabu Subramani, "James E.J. Bottomley", "Martin K. Petersen", MPT-FusionLinux.pdl@broadcom.com, linux-scsi@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 61/82] scsi: mpt3sas: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:36 -0800
Message-Id: <20240123002814.1396804-61-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Sathya Prakash
Cc: Sreekanth Reddy
Cc: Suganath Prabu Subramani
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: MPT-FusionLinux.pdl@broadcom.com
Cc: linux-scsi@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/scsi/mpt3sas/mpt3sas_ctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c index 147cb7088d55..b36a9188720f 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c +++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c 
@@ -2382,7 +2382,7 @@ _ctl_diag_read_buffer(struct MPT3SAS_ADAPTER *ioc, void __user *arg) karg.bytes_to_read)); /* Truncate data on requests that are too large */ - if ((diag_data + karg.bytes_to_read < diag_data) || + if ((add_would_overflow(diag_data, karg.bytes_to_read)) || (diag_data + karg.bytes_to_read > request_data + request_size)) copy_size = request_size - karg.starting_offset; else
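Review bot: the first operand of the `||` now reads `(add_would_overflow(diag_data, karg.bytes_to_read))`, with a redundant pair of parentheses left over from the old comparison; drop them. The second operand still open-codes `diag_data + karg.bytes_to_read > request_data + request_size`: the left sum is safe only because of short-circuit evaluation after the helper, and `request_data + request_size` is not covered by any check visible in this hunk, so if the goal is to make wrap-around instrumentable the commit message should say why that addition cannot wrap.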
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Brian Norris, Kalle Valo, Jonas Dreßler, Dmitry Antipov, Tsuchiya Yuto, linux-wireless@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 62/82] mwifiex: pcie: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:37 -0800
Message-Id: <20240123002814.1396804-62-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Brian Norris
Cc: Kalle Valo
Cc: "Jonas Dreßler"
Cc: Dmitry Antipov
Cc: Tsuchiya Yuto
Cc: linux-wireless@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: Kalle Valo
--- drivers/net/wireless/marvell/mwifiex/pcie.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c index 5f997becdbaa..e69347e65f0e 100644 --- a/drivers/net/wireless/marvell/mwifiex/pcie.c +++ b/drivers/net/wireless/marvell/mwifiex/pcie.c @@ -2086,7 +2086,7 @@ static int mwifiex_extract_wifi_fw(struct mwifiex_adapter *adapter, switch (dnld_cmd) { case MWIFIEX_FW_DNLD_CMD_1: - if (offset + data_len < data_len) { + if (add_would_overflow(data_len, offset)) { mwifiex_dbg(adapter, ERROR, "bad FW parse\n"); ret = -1; goto done; 
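Review bot: the operands are swapped relative to the expression being replaced in the MWIFIEX_FW_DNLD_CMD_1 case: the old test was `offset + data_len < data_len` and the new call is `add_would_overflow(data_len, offset)`. That matches the `VAR + value < VAR` reading with data_len as VAR, but the types of offset and data_len are not visible in the hunk; if they differ and the helper is sensitive to argument order, the result can differ from the old test, so please confirm they are the same type or explain the order in the commit message.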
@@ -2110,7 +2110,7 @@ static int mwifiex_extract_wifi_fw(struct mwifiex_adapter *adapter, case MWIFIEX_FW_DNLD_CMD_5: first_cmd = true; /* Check for integer overflow */ - if (offset + data_len < data_len) { + if (add_would_overflow(data_len, offset)) { mwifiex_dbg(adapter, ERROR, "bad FW parse\n"); ret = -1; goto done; 
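Review bot: the `/* Check for integer overflow */` comment above the test in the MWIFIEX_FW_DNLD_CMD_5 case now only restates the helper's name, and the CMD_1 case carries no such comment; consider dropping it here and in the CMD_6 case so the three checks read the same. All three cases repeat the same test and the same `bad FW parse` error path, so a follow-up that hoists the check would leave a single call site to instrument.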
@@ -2120,7 +2120,7 @@ static int mwifiex_extract_wifi_fw(struct mwifiex_adapter *adapter, case MWIFIEX_FW_DNLD_CMD_6: first_cmd = true; /* Check for integer overflow */ - if (offset + data_len < data_len) { + if (add_would_overflow(data_len, offset)) { mwifiex_dbg(adapter, ERROR, "bad FW parse\n"); ret = -1; goto done;
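The `VAR + value < VAR` test that these commit messages describe, worked through on constructed values as an added example that is not code from this patch series. The function names are hypothetical, and the GCC/Clang builtin `__builtin_add_overflow` stands in for the kernel's add_would_overflow(), whose definition is not shown on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Open-coded idiom from the commit message: VAR + value < VAR.
 * Both operands are unsigned 64-bit, so the wrap is well defined. */
static bool open_coded_u64(uint64_t var, uint64_t value)
{
    return var + value < var;
}

/* Same idiom with a 32-bit VAR and a 64-bit value. The sum is computed
 * in 64 bits, so a wrap of the 32-bit VAR goes unnoticed. */
static bool open_coded_mixed(uint32_t var, uint64_t value)
{
    return var + value < var;
}

/* Hypothetical helpers: does var + value fit in the type of var? */
static bool u32_add_overflows(uint32_t var, uint64_t value)
{
    uint32_t sum;

    return __builtin_add_overflow(var, value, &sum);
}

static bool u64_add_overflows(uint64_t var, uint64_t value)
{
    uint64_t sum;

    return __builtin_add_overflow(var, value, &sum);
}

/* Bound check with no wrap test: a wrapped end address looks small
 * and passes the comparison against the region limit. */
static bool range_ok_unchecked(uint64_t addr, uint64_t size,
                               uint64_t base, uint64_t len)
{
    return addr >= base && addr + size <= base + len;
}

/* Bound check with the wrap test first, on both additions. */
static bool range_ok(uint64_t addr, uint64_t size,
                     uint64_t base, uint64_t len)
{
    uint64_t end, limit;

    if (__builtin_add_overflow(addr, size, &end) ||
        __builtin_add_overflow(base, len, &limit))
        return false;
    return addr >= base && end <= limit;
}

int main(void)
{
    /* Constructed inputs: addr + size wraps to 0x1000. */
    uint64_t addr = 0x1800, size = UINT64_MAX - 0x7ff;

    printf("u64 idiom / builtin: %d %d\n",
           open_coded_u64(UINT64_MAX - 4, 5),
           u64_add_overflows(UINT64_MAX - 4, 5));
    printf("mixed idiom / builtin: %d %d\n",
           open_coded_mixed(0xFFFFF000u, 0x1000),
           u32_add_overflows(0xFFFFF000u, 0x1000));
    printf("range unchecked / checked: %d %d\n",
           range_ok_unchecked(addr, size, 0x1000, 0x1000),
           range_ok(addr, size, 0x1000, 0x1000));
    return 0;
}
```

With same-width unsigned operands the idiom and the builtin agree; they diverge only in the mixed-width case, which is why operand types matter when converting call sites.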
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrew Morton, Shuah Khan, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 63/82] mm: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:38 -0800
Message-Id: <20240123002814.1396804-63-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on
this kind of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Andrew Morton Cc: Shuah Khan Cc: linux-mm@kvack.org Cc: linux-kselftest@vger.kernel.org Signed-off-by: Kees Cook --- mm/memory.c | 4 ++-- mm/mmap.c | 2 +- mm/mremap.c | 2 +- mm/nommu.c | 4 ++-- mm/util.c | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/mm/memory.c b/mm/memory.c index 7e1f4849463a..d47acdff7af3 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -2559,7 +2559,7 @@ int vm_iomap_memory(struct vm_area_struct *vma, phys_addr_t start, unsigned long unsigned long vm_len, pfn, pages; /* Check that the physical memory area passed in looks valid */ - if (start + len < start) + if (add_would_overflow(start, len)) return -EINVAL; /* * You *really* shouldn't map things that aren't page-aligned, @@ -2569,7 +2569,7 @@ int vm_iomap_memory(struct vm_area_struct *vma, phys_addr_t start, unsigned long len += start & ~PAGE_MASK; pfn = start >> PAGE_SHIFT; pages = (len + ~PAGE_MASK) >> PAGE_SHIFT; - if (pfn + pages < pfn) + if (add_would_overflow(pfn, pages)) return -EINVAL; /* We start the mapping 'vm_pgoff' pages into the area */ 
diff --git a/mm/mmap.c b/mm/mmap.c index b78e83d351d2..16501fcaf511 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -3023,7 +3023,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, return ret; /* Does pgoff wrap? */ - if (pgoff + (size >> PAGE_SHIFT) < pgoff) + if (add_would_overflow(pgoff, (size >> PAGE_SHIFT))) return ret; if (mmap_write_lock_killable(mm)) diff --git a/mm/mremap.c b/mm/mremap.c index 38d98465f3d8..efa27019a05d 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -848,7 +848,7 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr, /* Need to be careful about a growing mapping */ pgoff = (addr - vma->vm_start) >> PAGE_SHIFT; pgoff += vma->vm_pgoff; - if (pgoff + (new_len >> PAGE_SHIFT) < pgoff) + if (add_would_overflow(pgoff, (new_len >> PAGE_SHIFT))) return ERR_PTR(-EINVAL); if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP)) diff --git a/mm/nommu.c b/mm/nommu.c index b6dc558d3144..299bcfe19eed 100644 --- a/mm/nommu.c +++ b/mm/nommu.c @@ -202,7 +202,7 @@ EXPORT_SYMBOL(vmalloc_to_pfn); long vread_iter(struct iov_iter *iter, const char *addr, size_t count) { /* Don't allow overflow */ - if ((unsigned long) addr + count < count) + if (add_would_overflow(count, (unsigned long)addr)) count = -(unsigned long) addr; return copy_to_iter(addr, count, iter); @@ -1705,7 +1705,7 @@ int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, in { struct mm_struct *mm; - if (addr + len < addr) + if (add_would_overflow(addr, len)) return 0; mm = get_task_mm(tsk); diff --git a/mm/util.c b/mm/util.c index 5a6a9802583b..e6beeb23b48b 100644 --- a/mm/util.c +++ b/mm/util.c 
@@ -567,7 +567,7 @@ unsigned long vm_mmap(struct file *file, unsigned long addr, unsigned long len, unsigned long prot, unsigned long flag, unsigned long offset) { - if (unlikely(offset + PAGE_ALIGN(len) < offset)) + if (unlikely(add_would_overflow(offset, PAGE_ALIGN(len)))) return -EINVAL; if (unlikely(offset_in_page(offset))) return -EINVAL;
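Review bot: In the first mm/memory.c hunk, add_would_overflow(start, len) mixes a phys_addr_t with an unsigned long, and neither the hunk nor the commit message says which type the check is evaluated in. The replaced test, start + len < start, ran in the common type of the two operands, so on a configuration where phys_addr_t is wider than unsigned long the two forms only agree if the helper also checks in the wider type. Please state the helper's typing rule in the commit message, or cast len at this call site so both arguments have the same type.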
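Review bot: In the vread_iter() hunk of mm/nommu.c the arguments are passed as add_would_overflow(count, (unsigned long)addr), the reverse of every other call site in this patch, where the address or offset comes first. That mirrors the old test (... < count), but a short comment or the addr-first order would show that it is deliberate, particularly if the helper takes its type from the first argument. The following line, count = -(unsigned long) addr;, is itself an intentional unsigned wrap-around that stays open-coded; since the series aims to mark such arithmetic, it deserves the same treatment or a note on why it is left alone.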
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 64/82] netfilter: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:39 -0800
Message-Id: <20240123002814.1396804-64-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Pablo Neira Ayuso Cc: Jozsef Kadlecsik Cc: Florian Westphal Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: netfilter-devel@vger.kernel.org Cc: coreteam@netfilter.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook Acked-by: Florian Westphal --- net/netfilter/xt_u32.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c index 117d4615d668..8623fe2d97e9 100644 --- a/net/netfilter/xt_u32.c +++ b/net/netfilter/xt_u32.c 
@@ -58,11 +58,11 @@ static bool u32_match_it(const struct xt_u32 *data, val >>= number; break; case XT_U32_AT: - if (at + val < at) + if (add_would_overflow(at, val)) return false; at += val; pos = number; - if (at + 4 < at || skb->len < at + 4 || + if (add_would_overflow(at, 4) || skb->len < at + 4 || pos > skb->len - at - 4) return false;
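Review bot: In the second changed line of the XT_U32_AT case, at + 4 is still computed open-coded in skb->len < at + 4 right after add_would_overflow(at, 4) has tested the same sum. That is safe only because || short-circuits, so a later reordering of the condition would reintroduce the wrap. Consider computing the sum once into a local with check_add_overflow() and comparing that local against skb->len, which also removes the duplicated expression.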
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Dinh Nguyen, Jann Horn, Ley Foon Tan, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 65/82] nios2: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:40 -0800
Message-Id: <20240123002814.1396804-65-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Dinh Nguyen Cc: Jann Horn Cc: Ley Foon Tan Signed-off-by: Kees Cook Acked-by: Dinh Nguyen --- arch/nios2/kernel/sys_nios2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/nios2/kernel/sys_nios2.c b/arch/nios2/kernel/sys_nios2.c index b1ca85699952..df53efdc96e3 100644 --- a/arch/nios2/kernel/sys_nios2.c +++ b/arch/nios2/kernel/sys_nios2.c 
@@ -32,7 +32,7 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len, return -EINVAL; /* Check for overflow */ - if (addr + len < addr) + if (add_would_overflow(addr, len)) return -EFAULT; if (mmap_read_lock_killable(mm))
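Review bot: The sys_cacheflush() hunk calls add_would_overflow(), but this patch touches only arch/nios2/kernel/sys_nios2.c and neither adds an include nor says where the helper comes from. The commit message should name the earlier patch in the series that introduces it, so an arch maintainer reading this mail alone can check its semantics and the patch is not applied out of order. Also, the existing comment says "Check for overflow" while the subject calls this an intentional wrap-around test; aligning the two wordings would help.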
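The distinction the commit messages above draw between the open-coded `VAR + value < VAR` test and a checked test, as an added example that is not part of the patches or of the kernel. The definition of add_would_overflow() is not shown on this page, so the compiler builtin `__builtin_add_overflow` stands in for it, and every function name below is hypothetical; the mixed-width and 4-byte-read cases mirror the shapes of the vm_iomap_memory() and XT_U32_AT call sites.

```c
/* Added illustration; every name here is hypothetical and none is kernel code. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The open-coded idiom from the commit message: VAR + value < VAR.
 * Well defined for unsigned types because the sum wraps modulo 2^32. */
static bool idiom_u32(uint32_t var, uint32_t value)
{
	return (uint32_t)(var + value) < var;
}

/* Checked tests: the builtin reports whether the exact sum fits in the
 * destination type, so no wrapped value is ever used. */
static bool would_overflow_u32(uint32_t a, uint32_t b)
{
	uint32_t sum;
	return __builtin_add_overflow(a, b, &sum);
}

static bool would_overflow_u64(uint64_t a, uint64_t b)
{
	uint64_t sum;
	return __builtin_add_overflow(a, b, &sum);
}

/* Signed case: "a + b < a" is undefined behavior without -fwrapv or
 * -fno-strict-overflow, and even with wrapping it would flag
 * INT_MAX + (-1), which does not overflow. The builtin has neither problem. */
static bool would_overflow_int(int a, int b)
{
	int sum;
	return __builtin_add_overflow(a, b, &sum);
}

/* For unsigned operands of one type the idiom and the checked test must
 * agree. Returns the number of disagreements over a set of edge values. */
static int agreement_mismatches(void)
{
	static const uint32_t edges[] = {
		0, 1, 4, 0x7fffffffu, 0x80000000u,
		UINT32_MAX - 4, UINT32_MAX - 3, UINT32_MAX - 1, UINT32_MAX
	};
	const size_t n = sizeof(edges) / sizeof(edges[0]);
	int mismatches = 0;

	for (size_t i = 0; i < n; i++)
		for (size_t j = 0; j < n; j++)
			if (idiom_u32(edges[i], edges[j]) !=
			    would_overflow_u32(edges[i], edges[j]))
				mismatches++;
	return mismatches;
}

/* Mixed widths, as when a 64-bit physical address meets a 32-bit length:
 * the answer depends on the type the check is evaluated in. */
static bool range_wraps_wide(uint64_t start, uint32_t len)
{
	return would_overflow_u64(start, len);
}

static bool range_wraps_narrow(uint64_t start, uint32_t len)
{
	return would_overflow_u32((uint32_t)start, len);
}

/* Shape of a 4-byte read at offset `at` in a buffer of `len` bytes:
 * compute the end once, checked, then compare. */
static bool read4_in_bounds(uint32_t len, uint32_t at)
{
	uint32_t end;

	if (__builtin_add_overflow(at, 4u, &end))
		return false;
	return end <= len;
}

int main(void)
{
	printf("idiom vs checked mismatches (u32): %d\n", agreement_mismatches());
	printf("INT_MAX + 1 overflows:    %d\n", (int)would_overflow_int(INT_MAX, 1));
	printf("INT_MAX + (-1) overflows: %d\n", (int)would_overflow_int(INT_MAX, -1));
	printf("0xFFFFF000 + 0x2000 wraps in 32 bits: %d, in 64 bits: %d\n",
	       (int)range_wraps_narrow(0xFFFFF000ull, 0x2000u),
	       (int)range_wraps_wide(0xFFFFF000ull, 0x2000u));
	printf("read4 at UINT32_MAX-2 in bounds: %d\n",
	       (int)read4_in_bounds(UINT32_MAX, UINT32_MAX - 2));
	return 0;
}
```

Built with GCC or Clang, the unsigned idiom and the checked form never disagree, while the mixed-width case shows why the type a helper evaluates in has to be stated.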
From: Kees Cook To: linux-hardening@vger.kernel.org Cc: Kees Cook , Konstantin Komarov , ntfs3@lists.linux.dev, "Gustavo A. R. Silva" , Bill Wendling , Justin Stitt , linux-kernel@vger.kernel.org Subject: [PATCH 66/82] fs/ntfs3: Refactor intentional wrap-around test Date: Mon, 22 Jan 2024 16:27:41 -0800 Message-Id: <20240123002814.1396804-66-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240122235208.work.748-kees@kernel.org> References: <20240122235208.work.748-kees@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2025; i=keescook@chromium.org; h=from:subject; bh=8qeORySSyeeOFCvn5wyOgST7nKcIWdoDreQsWgVCbpw=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBlrwgLYI6HJPlV99UDk+QdjoC7axWmLKoVJvfrA yjhVrtzy/eJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZa8ICwAKCRCJcvTf3G3A JlSvEACT09RyU2KoE3Zx24RyCPuIOZDDteFSvGfF2qQqodQJh5m+7FyYk21boUYR5X6kbtJH31j qGxql0FY+H1zojgKB0eVDOYVZegBlrJh5hYoIyl6xHKAHTjxblXQ4pwBtfFuF2LgLLHM1AVNuw5 bDF2vNEPSeLk0QsAh+h563cxPosIEeFPEZ2j29FlkDvzvehudmsvOH/DE7ZewkH+gwkEKB8J/da nCKiXsFoJCcPtn+MAef4L5CCLTTYsb/TAIgEyyacfc5PGITpPXTEfPzgfsoMYykbtGzFGxI7iRp Kwczfqg81OIypvkDfnSXc7S3aRu/0piZoZAuDKJrvh41IGWk4+cQlraNxBwIr+5wid3dVct7vRa A6RnI7gi0TC+ccHq0ByecHe4oOiSKhI/L9fu2F4P/FnhOQ1b7q7Z3hZpsR9DFUEadjtBEX4XUrt nrRLvENYt6roKvpFwo6NURFWfw2AX9EdLQw+pjv+HdA4Xejxobwh23hRVmfLTMetGyxhT2QjAbc h9kXTwFpEkrvzmcxDROc89dIt9KB5uMIaz4esBi6HhXFmlwWxCIY7VfqPnNApp6FbzT863SJsK8 iWlg8vi2F3zQOzatwoqImnx5OhCud313Yi/+J4TPb41HJMWPYa5nhGq9GcIaGk0kViuK4kMpls0 thVhlNnm5s2FwrQ== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1788842369142693327 X-GMAIL-MSGID: 1788842369142693327 In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. 
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Konstantin Komarov
Cc: ntfs3@lists.linux.dev
Signed-off-by: Kees Cook
---
 fs/ntfs3/record.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c index 53629b1f65e9..8cd738c1dbe6 100644 --- a/fs/ntfs3/record.c +++ b/fs/ntfs3/record.c @@ -235,7 +235,7 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) } /* Overflow check. */ - if (off + asize < off) + if (add_would_overflow(off, asize)) return NULL; prev_type = le32_to_cpu(attr->type);
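
Review bot: The types of off and asize are declared outside this hunk's context and the changelog is the series-wide template, so nothing in the patch says whether the first test in mi_enum_attr() was the well-defined unsigned case or one of the signed or pointer cases the message calls undefined. A sentence in the commit message naming the operand types at this site would let the ntfs3 reviewers confirm that `add_would_overflow(off, asize)` rejects exactly the inputs that `off + asize < off` did.
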
@@ -266,7 +266,7 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) return NULL; /* Check overflow and boundary. */ - if (off + asize < off || off + asize > used) + if (add_would_overflow(off, asize) || off + asize > used) return NULL; /* Check size of attribute. */
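
Review bot: In the `Check overflow and boundary` condition, `off + asize` is still added open-coded on the right-hand side of the `||`, so the sum is formed a second time outside the helper. Short-circuit evaluation means it only runs when add_would_overflow() returned false, but check_add_overflow() with a local for the result would do the addition once and feed the same value to the `> used` comparison, leaving no bare addition at this site for a wrap-around sanitizer to instrument.
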

From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Mark Fasheh, Joel Becker, Joseph Qi, ocfs2-devel@lists.linux.dev, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 67/82] ocfs2: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:42 -0800
Message-Id: <20240123002814.1396804-67-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind
of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Mark Fasheh
Cc: Joel Becker
Cc: Joseph Qi
Cc: ocfs2-devel@lists.linux.dev
Signed-off-by: Kees Cook
---
 fs/ocfs2/resize.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ocfs2/resize.c b/fs/ocfs2/resize.c index d65d43c61857..5cc83e1d54a7 100644 --- a/fs/ocfs2/resize.c +++ b/fs/ocfs2/resize.c
@@ -423,7 +423,7 @@ static int ocfs2_verify_group_and_input(struct inode *inode, else if (next_free != cl_count && next_free != input->chain) mlog(ML_ERROR, "the add group should be in chain %u\n", next_free); - else if (total_clusters + input->clusters < total_clusters) + else if (add_would_overflow(total_clusters, input->clusters)) mlog(ML_ERROR, "add group's clusters overflow.\n"); else if (input->clusters > cl_cpg) mlog(ML_ERROR, "the cluster exceeds the maximum of a group\n");
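
The open-coded `VAR + value < VAR` test from these commit messages next to a type-aware check, with a bounds test modelled on the `off + asize > used` line in the fs/ntfs3 hunk; this is an added userspace example, not code from the patch series or the kernel. `would_wrap()` is a hypothetical stand-in built on the compiler's `__builtin_add_overflow` (it is not the series' add_would_overflow()), the function names are made up for the example, and all offsets and sizes are constructed. It goes one step beyond the text by also running the idiom on 16-bit operands, where integer promotion makes it always false.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical stand-in for a type-aware check (NOT the kernel's
 * add_would_overflow()): true when a + b does not fit in the type of a.
 * __builtin_add_overflow evaluates the sum as if in infinite precision,
 * so no wrapping or undefined addition is ever executed.
 */
#define would_wrap(a, b) \
	(__extension__({ __typeof__(a) sum_; \
			 __builtin_add_overflow((a), (b), &sum_); }))

/* The open-coded idiom from the commit message on unsigned 32-bit operands. */
static bool open_coded_u32(uint32_t var, uint32_t value)
{
	return var + value < var;	/* well defined: unsigned arithmetic wraps */
}

/*
 * The same idiom on 16-bit operands. Both are promoted to int (assumed to
 * be at least 32 bits), the sum cannot wrap there, and the test is always
 * false.
 */
static bool open_coded_u16(uint16_t var, uint16_t value)
{
	return var + value < var;
}

/* Type-aware check on the same 16-bit operands. */
static bool helper_u16(uint16_t var, uint16_t value)
{
	return would_wrap(var, value);
}

/*
 * Signed operands: the open-coded form is undefined behaviour unless the
 * build uses -fno-strict-overflow or -fwrapv, so only the builtin is used.
 */
static bool helper_int(int var, int value)
{
	return would_wrap(var, value);
}

/* Boundary test with no overflow test: `off + asize > used` on its own. */
static bool in_bounds_unchecked(uint32_t off, uint32_t asize, uint32_t used)
{
	return !(off + asize > used);
}

/* Overflow and boundary in one step: the sum is computed once and reused. */
static bool in_bounds_checked(uint32_t off, uint32_t asize, uint32_t used)
{
	uint32_t end;

	if (__builtin_add_overflow(off, asize, &end))
		return false;
	return end <= used;
}

int main(void)
{
	/* Constructed inputs: a 0x400-byte record, an offset near UINT32_MAX. */
	const uint32_t used = 0x400, off = 0xFFFFFFF0u, asize = 0x20;

	printf("u32 open-coded: %d\n", open_coded_u32(off, asize));
	printf("u16 open-coded: %d, type-aware: %d\n",
	       open_coded_u16(0xFFF0, 0x20), helper_u16(0xFFF0, 0x20));
	printf("int type-aware: %d\n", helper_int(INT_MAX, 1));
	printf("bounds unchecked: %d, checked: %d\n",
	       in_bounds_unchecked(off, asize, used),
	       in_bounds_checked(off, asize, used));
	return 0;
}
```
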

From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Bjorn Helgaas, linux-pci@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 68/82] PCI: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:43 -0800
Message-Id: <20240123002814.1396804-68-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Bjorn Helgaas
Cc: linux-pci@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/pci/pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c index d8f11a078924..ebf6d9064a59 100644 --- a/drivers/pci/pci.c +++ b/drivers/pci/pci.c
@@ -4251,7 +4251,7 @@ int pci_register_io_range(struct fwnode_handle *fwnode, phys_addr_t addr, #ifdef PCI_IOBASE struct logic_pio_hwaddr *range; - if (!size || addr + size < addr) + if (!size || add_would_overflow(addr, size)) return -EINVAL; range = kzalloc(sizeof(*range), GFP_ATOMIC);
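
Review bot: In pci_register_io_range() the hunk header shows addr as phys_addr_t, but the declaration of size is cut off, so the patch does not show whether both operands of `add_would_overflow(addr, size)` have the same width. The old `addr + size < addr` was evaluated in the common type of the two; please state in the commit message which type the helper checks against, so it is clear the -EINVAL condition is unchanged if size is wider or narrower than addr.
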
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Mark Rutland, Alexander Shishkin, Jiri Olsa, Namhyung Kim, Ian Rogers, Adrian Hunter, John Garry, Fangrui Song, linux-perf-users@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 69/82] perf tools: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:44 -0800
Message-Id: <20240123002814.1396804-69-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

        VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Peter Zijlstra
Cc: Ingo Molnar
Cc: Arnaldo Carvalho de Melo
Cc: Mark Rutland
Cc: Alexander Shishkin
Cc: Jiri Olsa
Cc: Namhyung Kim
Cc: Ian Rogers
Cc: Adrian Hunter
Cc: John Garry
Cc: Fangrui Song
Cc: linux-perf-users@vger.kernel.org
Signed-off-by: Kees Cook
---
 tools/perf/util/dso.c | 2 +-
 tools/perf/util/unwind-libdw.c | 2 +-
 tools/perf/util/unwind-libunwind-local.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c index 22fd5fa806ed..470a86f1cdfd 100644 --- a/tools/perf/util/dso.c +++ b/tools/perf/util/dso.c @@ -1122,7 +1122,7 @@ static ssize_t data_read_write_offset(struct dso *dso, struct machine *machine, if (offset > dso->data.file_size) return -1; - if (offset + size < offset) + if (add_would_overflow(offset, size)) return -1; return cached_io(dso, machine, offset, data, size, out);
diff --git a/tools/perf/util/unwind-libdw.c b/tools/perf/util/unwind-libdw.c index 6013335a8dae..45a89cbb2c8d 100644 --- a/tools/perf/util/unwind-libdw.c +++ b/tools/perf/util/unwind-libdw.c @@ -198,7 +198,7 @@ static bool memory_read(Dwfl *dwfl __maybe_unused, Dwarf_Addr addr, Dwarf_Word * end = start + stack->size; /* Check overflow. */ - if (addr + sizeof(Dwarf_Word) < addr) + if (add_would_overflow(addr, sizeof(Dwarf_Word))) return false; if (addr < start || addr + sizeof(Dwarf_Word) > end) { diff --git a/tools/perf/util/unwind-libunwind-local.c b/tools/perf/util/unwind-libunwind-local.c index dac536e28360..ac71cc7f53b9 100644 --- a/tools/perf/util/unwind-libunwind-local.c +++ b/tools/perf/util/unwind-libunwind-local.c 
@@ -587,7 +587,7 @@ static int access_mem(unw_addr_space_t __maybe_unused as, end = start + stack->size; /* Check overflow. */ - if (addr + sizeof(unw_word_t) < addr) + if (add_would_overflow(addr, sizeof(unw_word_t))) return -EINVAL; if (addr < start || addr + sizeof(unw_word_t) >= end) {
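
Review bot: In the tools/perf/util/dso.c hunk, add_would_overflow() is called from code that builds against the tools/include copies of the kernel headers, yet the diffstat for this patch touches only the three .c files. Please confirm that an earlier patch in the series adds the helper to the tools copy of overflow.h, or add it here, otherwise the perf build breaks at this call.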
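
Review bot: In memory_read() in tools/perf/util/unwind-libdw.c, the sum that add_would_overflow(addr, sizeof(Dwarf_Word)) validates is computed again in the next test, addr + sizeof(Dwarf_Word) > end, and end = start + stack->size just above it stays an open-coded addition with no wrap check. Consider check_add_overflow() so the checked sum is stored and reused for the bounds comparison, and say in the commit message whether start + stack->size is expected never to wrap.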
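
Review bot: In access_mem() in tools/perf/util/unwind-libunwind-local.c, the bounds test that follows the converted check reads addr + sizeof(unw_word_t) >= end, while the matching test in unwind-libdw.c reads > end. Neither comparison is changed by this patch, but since both sites are touched for the same reason, a line in the commit message on whether the off-by-one difference is intentional would help the next reader.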
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Bjorn Andersson, Mathieu Poirier, linux-remoteproc@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 70/82] remoteproc: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:45 -0800
Message-Id: <20240123002814.1396804-70-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

        VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Bjorn Andersson
Cc: Mathieu Poirier
Cc: linux-remoteproc@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: Bjorn Andersson
---
 drivers/remoteproc/pru_rproc.c | 2 +-
 drivers/remoteproc/remoteproc_elf_loader.c | 2 +-
 drivers/remoteproc/remoteproc_virtio.c | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/remoteproc/pru_rproc.c b/drivers/remoteproc/pru_rproc.c index 327f0c7ee3d6..834249ee3dd3 100644 --- a/drivers/remoteproc/pru_rproc.c +++ b/drivers/remoteproc/pru_rproc.c @@ -893,7 +893,7 @@ pru_rproc_find_interrupt_map(struct device *dev, const struct firmware *fw) continue; /* make sure we have the entire irq map */ - if (offset + size > fw->size || offset + size < size) { + if (offset + size > fw->size || add_would_overflow(size, offset)) { dev_err(dev, ".pru_irq_map section truncated\n"); return ERR_PTR(-EINVAL); } diff --git a/drivers/remoteproc/remoteproc_elf_loader.c b/drivers/remoteproc/remoteproc_elf_loader.c index 94177e416047..b9231cf46d68 100644 --- a/drivers/remoteproc/remoteproc_elf_loader.c
+++ b/drivers/remoteproc/remoteproc_elf_loader.c @@ -278,7 +278,7 @@ find_table(struct device *dev, const struct firmware *fw) table = (struct resource_table *)(elf_data + offset); /* make sure we have the entire table */ - if (offset + size > fw_size || offset + size < size) { + if (offset + size > fw_size || add_would_overflow(size, offset)) { dev_err(dev, "resource table truncated\n"); return NULL; } diff --git a/drivers/remoteproc/remoteproc_virtio.c b/drivers/remoteproc/remoteproc_virtio.c index 83d76915a6ad..58742c666e35 100644 --- a/drivers/remoteproc/remoteproc_virtio.c +++ b/drivers/remoteproc/remoteproc_virtio.c @@ -298,7 +298,7 @@ static void rproc_virtio_get(struct virtio_device *vdev, unsigned int offset, rsc = (void *)rvdev->rproc->table_ptr + rvdev->rsc_offset; cfg = &rsc->vring[rsc->num_of_vrings]; - if (offset + len > rsc->config_len || offset + len < len) { + if (offset + len > rsc->config_len || add_would_overflow(len, offset)) { dev_err(&vdev->dev, "rproc_virtio_get: access out of bounds\n"); return; } 
@@ -316,7 +316,7 @@ static void rproc_virtio_set(struct virtio_device *vdev, unsigned int offset, rsc = (void *)rvdev->rproc->table_ptr + rvdev->rsc_offset; cfg = &rsc->vring[rsc->num_of_vrings]; - if (offset + len > rsc->config_len || offset + len < len) { + if (offset + len > rsc->config_len || add_would_overflow(len, offset)) { dev_err(&vdev->dev, "rproc_virtio_set: access out of bounds\n"); return; }
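
Review bot: In pru_rproc_find_interrupt_map(), the left operand offset + size > fw->size is still an open-coded addition and is evaluated before add_would_overflow(size, offset), so a wrapped sum is computed and compared before the overflow test can reject it. With the wrap-around sanitizers the commit message is preparing for, that first addition is the one that could be flagged. Test add_would_overflow() first, or use check_add_overflow() and compare the stored sum against fw->size.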
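
Review bot: In find_table() in remoteproc_elf_loader.c, the operands are swapped relative to the addition beside them: the range test reads offset + size but the helper is called as add_would_overflow(size, offset), mirroring the old offset + size < size. If the helper takes its result type from its first argument, the order matters whenever size and offset differ in width, and neither type is visible in this hunk. Please state the types in the commit message or use the same operand order as the range test.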
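
Review bot: rproc_virtio_get() and rproc_virtio_set() in remoteproc_virtio.c now carry the same two-part test, offset + len > rsc->config_len || add_would_overflow(len, offset), differing only in the dev_err() string. A small shared helper that validates offset and len against rsc->config_len would keep the two in step and leave a single place where the overflow test can be moved ahead of the addition.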
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Alexander Gordeev, Gerald Schaefer, Heiko Carstens, Vasily Gorbik, Christian Borntraeger, Sven Schnelle, linux-s390@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 71/82] s390/mm: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:46 -0800
Message-Id: <20240123002814.1396804-71-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

        VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Alexander Gordeev
Cc: Gerald Schaefer
Cc: Heiko Carstens
Cc: Vasily Gorbik
Cc: Christian Borntraeger
Cc: Sven Schnelle
Cc: linux-s390@vger.kernel.org
Signed-off-by: Kees Cook
---
 arch/s390/mm/vmem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/s390/mm/vmem.c b/arch/s390/mm/vmem.c index 186a020857cf..98a7f08141f0 100644 --- a/arch/s390/mm/vmem.c +++ b/arch/s390/mm/vmem.c
@@ -538,7 +538,7 @@ int vmem_add_mapping(unsigned long start, unsigned long size) if (start < range.start || start + size > range.end + 1 || - start + size < start) + add_would_overflow(start, size)) return -ERANGE; mutex_lock(&vmem_mutex);
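
Review bot: In vmem_add_mapping(), start + size > range.end + 1 sits ahead of add_would_overflow(start, size) in the same condition, so the unchecked addition runs first and the helper only rejects the wrapped value afterwards. Move the add_would_overflow() test in front of the range comparison. range.end + 1 is a second open-coded addition and deserves a comment, or a check of its own, if range.end can hold the maximum value of its type.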
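
The wrap-around idiom these commit messages describe, next to a checked addition, as an added example that is not code from the series or from the kernel. It calls the compiler's __builtin_add_overflow() directly rather than add_would_overflow(), whose definition is not shown on this page; the function names and the edge values are constructed for the illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Open-coded idiom from the commit message: VAR + value < VAR.
 * Defined for unsigned types, where addition is modulo 2^32 here. */
static bool wraps_open_coded(uint32_t var, uint32_t value)
{
	return var + value < var;
}

/* Same question, asked without evaluating a wrapped sum in the source. */
static bool wraps_checked(uint32_t var, uint32_t value)
{
	uint32_t sum;

	return __builtin_add_overflow(var, value, &sum);
}

/* For signed int the open-coded form "var + value < var" is undefined
 * behaviour unless built with -fwrapv / -fno-strict-overflow, so only
 * the checked form is shown. */
static bool signed_add_wraps(int var, int value)
{
	int sum;

	return __builtin_add_overflow(var, value, &sum);
}

/* Shape of the remoteproc bounds tests before the series: the range
 * comparison uses the possibly wrapped sum, the wrap test comes second. */
static bool range_ok_open_coded(uint32_t offset, uint32_t len, uint32_t limit)
{
	if (offset + len > limit || offset + len < len)
		return false;
	return true;
}

/* One checked addition; the stored sum is reused for the range test,
 * so no unchecked addition is left for a sanitizer to flag. */
static bool range_ok_checked(uint32_t offset, uint32_t len, uint32_t limit)
{
	uint32_t end;

	if (__builtin_add_overflow(offset, len, &end))
		return false;
	return end <= limit;
}

/* Run both range checks over constructed edge values and return the
 * number of inputs on which they disagree. */
static int count_mismatches(void)
{
	static const uint32_t edge[] = {
		0u, 1u, 0x7fffffffu, 0x80000000u, 0xfffffffeu, 0xffffffffu
	};
	const size_t n = sizeof(edge) / sizeof(edge[0]);
	int bad = 0;

	for (size_t i = 0; i < n; i++)
		for (size_t j = 0; j < n; j++)
			for (size_t k = 0; k < n; k++)
				if (range_ok_open_coded(edge[i], edge[j], edge[k]) !=
				    range_ok_checked(edge[i], edge[j], edge[k]))
					bad++;
	return bad;
}

int main(void)
{
	printf("unsigned wrap, open-coded: %d\n", wraps_open_coded(0xffffffffu, 1u));
	printf("unsigned wrap, checked:    %d\n", wraps_checked(0xffffffffu, 1u));
	printf("signed INT_MAX + 1 wraps:  %d\n", signed_add_wraps(INT_MAX, 1));
	printf("range 0xfffffff0+0x20 ok:  %d\n",
	       range_ok_checked(0xfffffff0u, 0x20u, 0x1000u));
	printf("mismatches on edge values: %d\n", count_mismatches());
	return 0;
}
```

Both range checks return the same decision on every input; the difference is that the checked form leaves no wrapping addition in the source.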
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 72/82] scsi: sd_zbc: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:47 -0800
Message-Id: <20240123002814.1396804-72-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that
depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-scsi@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/scsi/sd_zbc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/sd_zbc.c b/drivers/scsi/sd_zbc.c index 26af5ab7d7c1..2c377e4cdb2b 100644 --- a/drivers/scsi/sd_zbc.c +++ b/drivers/scsi/sd_zbc.c
@@ -295,7 +295,7 @@ int sd_zbc_report_zones(struct gendisk *disk, sector_t sector, (lba < start_lba || lba >= start_lba + zone_length)) || (zone_idx > 0 && start_lba != lba) || - start_lba + zone_length < start_lba) { + add_would_overflow(start_lba, zone_length)) { sd_printk(KERN_ERR, sdkp, "Zone %d at LBA %llu is invalid: %llu + %llu\n", zone_idx, lba, start_lba, zone_length);
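Review bot: the unchanged context line `lba >= start_lba + zone_length` forms the same sum before add_would_overflow(start_lba, zone_length) is reached at the end of the condition, so an open-coded addition that can wrap remains in this expression. Testing for overflow first, or comparing against an end value computed after the check, would leave no unguarded `start_lba + zone_length` here.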
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Yoshinori Sato, Rich Felker, John Paul Adrian Glaubitz, linux-sh@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 73/82] sh: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:48 -0800
Message-Id: <20240123002814.1396804-73-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend
on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Yoshinori Sato
Cc: Rich Felker
Cc: John Paul Adrian Glaubitz
Cc: linux-sh@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: John Paul Adrian Glaubitz
--- arch/sh/kernel/sys_sh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/sh/kernel/sys_sh.c b/arch/sh/kernel/sys_sh.c index a5a7b33ed81a..e390caeb8c00 100644 --- a/arch/sh/kernel/sys_sh.c +++ b/arch/sh/kernel/sys_sh.c
@@ -66,7 +66,7 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len, int op) * Verify that the specified address region actually belongs * to this process. */ - if (addr + len < addr) + if (add_would_overflow(addr, len)) return -EFAULT; mmap_read_lock(current->mm);
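Review bot: sys_cacheflush() now calls add_would_overflow(), but the diffstat for arch/sh/kernel/sys_sh.c shows one insertion and one deletion, so no #include arrives with it. Please confirm the header that defines the helper is already reached from this file's includes rather than through an indirect one, and consider a one-line comment on the new test, since the comment above it describes the region check that follows and not the wrap test.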
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Vineet Gupta, Luis Chamberlain, "dean.yang_cp", Song Liu, Yihao Han, linux-snps-arc@lists.infradead.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 74/82] ARC: dw2 unwind: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:49 -0800
Message-Id: <20240123002814.1396804-74-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around,
we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Vineet Gupta
Cc: Luis Chamberlain
Cc: "dean.yang_cp"
Cc: Song Liu
Cc: Yihao Han
Cc: linux-snps-arc@lists.infradead.org
Signed-off-by: Kees Cook
--- arch/arc/kernel/unwind.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arc/kernel/unwind.c b/arch/arc/kernel/unwind.c index 8924fa2a8f29..649b56204580 100644 --- a/arch/arc/kernel/unwind.c +++ b/arch/arc/kernel/unwind.c
@@ -1278,7 +1278,7 @@ int arc_unwind(struct unwind_frame_info *frame) if ((state.regs[i].value * state.dataAlign) % sizeof(unsigned long) || addr < startLoc - || addr + sizeof(unsigned long) < addr + || add_would_overflow(addr, sizeof(unsigned long)) || addr + sizeof(unsigned long) > endLoc) return -EIO;
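Review bot: in the arc_unwind() condition the second argument to add_would_overflow() is sizeof(unsigned long), a size_t, while the first is addr; it is worth confirming that the helper evaluates the check in addr's type so the mixed operand types cannot change the result. The placement is fine, since the helper sits before `addr + sizeof(unsigned long) > endLoc` and short-circuits it, but `state.regs[i].value * state.dataAlign` at the top of the same condition is an open-coded multiplication that will need a decision (intentional wrap or not) before the sanitizer is enabled.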
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, John Stultz, Thomas Gleixner, Stephen Boyd, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 75/82] timekeeping: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:50 -0800
Message-Id: <20240123002814.1396804-75-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: John Stultz
Cc: Thomas Gleixner
Cc: Stephen Boyd
Signed-off-by: Kees Cook
Acked-by: John Stultz
Reviewed-by: Thomas Gleixner
--- kernel/time/timekeeping.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c index 266d02809dbb..2fc7cf16584c 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c
@@ -1984,7 +1984,7 @@ static __always_inline void timekeeping_apply_adjustment(struct timekeeper *tk, * Which simplifies to: * xtime_nsec -= offset */ - if ((mult_adj > 0) && (tk->tkr_mono.mult + mult_adj < mult_adj)) { + if ((mult_adj > 0) && (add_would_overflow(mult_adj, tk->tkr_mono.mult))) { /* NTP adjustment caused clocksource mult overflow */ WARN_ON_ONCE(1); return;
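Review bot: on the changed `if`, the helper is called as add_would_overflow(mult_adj, tk->tkr_mono.mult), and the `mult_adj > 0` test beside it suggests mult_adj is a signed type, so the patch should state in which operand's type the overflow is evaluated. The removed expression `tk->tkr_mono.mult + mult_adj < mult_adj` was evaluated under C's usual arithmetic conversions; if the two operands differ in signedness and the helper checks against the range of its first argument, the WARN_ON_ONCE() path would fire for different values than before. Please confirm the equivalence in the commit message, and drop the extra parentheses around the add_would_overflow() call.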
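The idiom from the commit message, `VAR + value < VAR`, beside a compiler-builtin check, as an added example that is not part of the patch series. The series' add_would_overflow() is not shown on this page, so the functions below are hypothetical stand-ins built on __builtin_add_overflow(), and the signed 32-bit VAR and unsigned 32-bit value are assumed types.

```c
/* Added illustration: not code from the patch series or the kernel. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * The open-coded idiom "VAR + value < VAR" with a signed VAR and an
 * unsigned value (assumed types). C's usual arithmetic conversions
 * evaluate it in unsigned 32-bit arithmetic; the casts only make those
 * implicit conversions visible. Meaningful for var > 0, which is what
 * the timekeeping hunk tests first.
 */
static bool open_coded_wraps(int32_t var, uint32_t value)
{
	uint32_t sum = value + (uint32_t)var;	/* wraps modulo 2^32 */

	return sum < (uint32_t)var;
}

/*
 * Builtin-based checks (GCC and Clang). __builtin_add_overflow()
 * computes the exact sum and reports whether it fits the type of the
 * result object, so the result type decides what counts as overflow.
 */
static bool overflows_as_u32(int32_t var, uint32_t value)
{
	uint32_t sum;

	return __builtin_add_overflow(var, value, &sum);
}

static bool overflows_as_s32(int32_t var, uint32_t value)
{
	int32_t sum;

	return __builtin_add_overflow(var, value, &sum);
}

/*
 * Signed + signed: the open-coded test is undefined behaviour unless the
 * build uses -fno-strict-overflow; the builtin is always well defined.
 */
static bool signed_add_overflows(int32_t a, int32_t b)
{
	int32_t sum;

	return __builtin_add_overflow(a, b, &sum);
}

int main(void)
{
	/* Constructed sample operands. */
	static const struct {
		int32_t var;
		uint32_t value;
	} cases[] = {
		{ 1, 0x00000010u },	/* small values: no check fires */
		{ 1, 0x90000000u },	/* sum fits u32 but not s32 */
		{ 1, 0xffffffffu },	/* sum needs 33 bits */
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("var=%d value=0x%08x open-coded=%d as-u32=%d as-s32=%d\n",
		       (int)cases[i].var, (unsigned int)cases[i].value,
		       open_coded_wraps(cases[i].var, cases[i].value),
		       overflows_as_u32(cases[i].var, cases[i].value),
		       overflows_as_s32(cases[i].var, cases[i].value));

	printf("INT32_MAX + 1 overflows: %d\n",
	       signed_add_overflows(INT32_MAX, 1));
	return 0;
}
```

For positive VAR the open-coded test agrees with the unsigned-result check; only the signed-result check flags the middle sample.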
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Jan Kara, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 76/82] udf: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:51 -0800
Message-Id: <20240123002814.1396804-76-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Jan Kara
Signed-off-by: Kees Cook
Reviewed-by: Jan Kara
--- fs/udf/balloc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c index ab3ffc355949..5c88300c3de7 100644 --- a/fs/udf/balloc.c +++ b/fs/udf/balloc.c @@ -139,7 +139,7 @@ static void udf_bitmap_free_blocks(struct super_block *sb, mutex_lock(&sbi->s_alloc_mutex); partmap = &sbi->s_partmaps[bloc->partitionReferenceNum]; - if (bloc->logicalBlockNum + count < count || + if (add_would_overflow(count, bloc->logicalBlockNum) || (bloc->logicalBlockNum + count) > partmap->s_partition_len) { udf_debug("%u < %d || %u + %u > %u\n", bloc->logicalBlockNum, 0,
@@ -390,7 +390,7 @@ static void udf_table_free_blocks(struct super_block *sb, mutex_lock(&sbi->s_alloc_mutex); partmap = &sbi->s_partmaps[bloc->partitionReferenceNum]; - if (bloc->logicalBlockNum + count < count || + if (add_would_overflow(count, bloc->logicalBlockNum) || (bloc->logicalBlockNum + count) > partmap->s_partition_len) { udf_debug("%u < %d || %u + %u > %u\n", bloc->logicalBlockNum, 0,
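Review bot: in both udf_bitmap_free_blocks() and udf_table_free_blocks() the new test passes the operands as add_would_overflow(count, bloc->logicalBlockNum), while the very next line adds them as `(bloc->logicalBlockNum + count)`, and the mismatch makes the pair harder to read as one range check. If the order is deliberate (VAR first, as in the commit message's `VAR + value < VAR`), a short comment or a sentence in the commit message saying so would help. The udf_debug() text kept as context, "%u < %d || %u + %u > %u\n", also does not tell a wrapped sum apart from an out-of-range one, which is worth a follow-up now that the wrap test is explicit.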
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Michael S. Tsirkin", Jason Wang, Xuan Zhuo, virtualization@lists.linux.dev, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 77/82] virtio: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:52 -0800
Message-Id: <20240123002814.1396804-77-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend
on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: "Michael S. Tsirkin"
Cc: Jason Wang
Cc: Xuan Zhuo
Cc: virtualization@lists.linux.dev
Signed-off-by: Kees Cook
Reviewed-by: Eugenio Pérez
--- drivers/virtio/virtio_pci_modern_dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/virtio/virtio_pci_modern_dev.c b/drivers/virtio/virtio_pci_modern_dev.c index 0d3dbfaf4b23..710d3bd45b4f 100644 --- a/drivers/virtio/virtio_pci_modern_dev.c +++ b/drivers/virtio/virtio_pci_modern_dev.c @@ -59,7 +59,7 @@ vp_modern_map_capability(struct virtio_pci_modern_device *mdev, int off, length -= start; - if (start + offset < offset) { + if (add_would_overflow(offset, start)) { dev_err(&dev->dev, "virtio_pci: map wrap-around %u+%u\n", start, offset);
@@ -81,7 +81,7 @@ vp_modern_map_capability(struct virtio_pci_modern_device *mdev, int off, if (len) *len = length; - if (minlen + offset < minlen || + if (add_would_overflow(minlen, offset) || minlen + offset > pci_resource_len(dev, bar)) { dev_err(&dev->dev, "virtio_pci: map virtio %zu@%u "
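Review bot: the two calls in vp_modern_map_capability() place `offset` in different argument positions, add_would_overflow(offset, start) in the first hunk and add_would_overflow(minlen, offset) in the second, and the dev_err() formats suggest the second pair has mixed widths ("%zu@%u" for the minlen message, while offset is printed with %u in the first hunk). The removed `minlen + offset < minlen` was evaluated after C's usual arithmetic conversions; the commit message should state that the helper evaluates the sum in the same type, otherwise a sum that fits the wider type could be reported as a wrap. One sentence on the argument-order convention would cover both hunks.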
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrew Morton, Uladzislau Rezki, Christoph Hellwig, Lorenzo Stoakes, linux-mm@kvack.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 78/82] mm/vmalloc: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:53 -0800
Message-Id: <20240123002814.1396804-78-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor
places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Andrew Morton
Cc: Uladzislau Rezki
Cc: Christoph Hellwig
Cc: Lorenzo Stoakes
Cc: linux-mm@kvack.org
Signed-off-by: Kees Cook
--- mm/vmalloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 7932ac99e9d3..3d73f2ac6957 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c
@@ -3750,7 +3750,7 @@ long vread_iter(struct iov_iter *iter, const char *addr, size_t count) addr = kasan_reset_tag(addr); /* Don't allow overflow */ - if ((unsigned long) addr + count < count) + if (add_would_overflow(count, (unsigned long)addr)) count = -(unsigned long) addr; remains = count;
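Review bot: the statement guarded by the new test, count = -(unsigned long) addr; in the context line, still depends on unsigned negation wrapping, so the function keeps an open-coded intentional wrap-around right after the one being refactored. If the aim is to be able to instrument unsigned wrap-around, say in the commit message whether this line is left for a later patch or needs its own annotation. Minor style point: the added line writes the cast as (unsigned long)addr while the context line keeps (unsigned long) addr; pick one spelling within the block.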
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Martyn Welch, Manohar Vanga, Greg Kroah-Hartman, Soumya Negi, Alexon Oliveira, linux-staging@lists.linux.dev, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 79/82] staging: vme_user: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:54 -0800
Message-Id: <20240123002814.1396804-79-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected
wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Martyn Welch
Cc: Manohar Vanga
Cc: Greg Kroah-Hartman
Cc: Soumya Negi
Cc: Alexon Oliveira
Cc: linux-staging@lists.linux.dev
Signed-off-by: Kees Cook
--- drivers/staging/vme_user/vme.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/vme_user/vme.c b/drivers/staging/vme_user/vme.c index e9461a7a7ab8..a0acf2a295cd 100644 --- a/drivers/staging/vme_user/vme.c +++ b/drivers/staging/vme_user/vme.c
@@ -165,7 +165,7 @@ int vme_check_window(struct vme_bridge *bridge, u32 aspace, { int retval = 0; - if (vme_base + size < size) + if (add_would_overflow(size, vme_base)) return -EINVAL; switch (aspace) {
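The test the commit message describes, VAR + value < VAR, set beside a compiler-builtin check in a small userspace C program. This is an added example, not code from the patch series or the kernel: the function names are hypothetical, the sample values are constructed, and it assumes GCC or Clang for __builtin_add_overflow().

```c
/* Added example (userspace C, GCC or Clang). Helper names are hypothetical;
 * this is not the kernel's add_would_overflow(). */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Open-coded test from the commit message: VAR + value < VAR.
 * Defined for unsigned types, where the sum is reduced modulo 2^32. */
static bool open_coded_wraps_u32(uint32_t var, uint32_t value)
{
	return (uint32_t)(var + value) < var;
}

/* Same answer from the compiler builtin. No wrapped sum is produced by an
 * ordinary '+' in the source, so the intent of the check is explicit. */
static bool builtin_wraps_u32(uint32_t var, uint32_t value)
{
	uint32_t sum;

	return __builtin_add_overflow(var, value, &sum);
}

/* Signed operands: "var + value < var" is undefined behaviour unless the
 * build uses -fwrapv or -fno-strict-overflow. The builtin does not depend
 * on either option. */
static bool builtin_overflows_int(int var, int value)
{
	int sum;

	return __builtin_add_overflow(var, value, &sum);
}

/* Mixed widths: the builtin asks whether the exact sum fits the type of the
 * result object, so the result type decides what counts as overflow. */
static bool overflows_as_u32(size_t var, uint32_t value)
{
	uint32_t sum;

	return __builtin_add_overflow(var, value, &sum);
}

static bool overflows_as_size_t(size_t var, uint32_t value)
{
	size_t sum;

	return __builtin_add_overflow(var, value, &sum);
}

/* Bounds check without the wrap test: a wrapped end offset looks small. */
static bool range_ok_unchecked(uint32_t off, uint32_t len, uint32_t size)
{
	return (uint32_t)(off + len) <= size;
}

/* Bounds check with the wrap test first, the same order as the patched
 * conditions: reject on overflow, then compare the end against the size. */
static bool range_ok_checked(uint32_t off, uint32_t len, uint32_t size)
{
	uint32_t end;

	if (__builtin_add_overflow(off, len, &end))
		return false;
	return end <= size;
}

int main(void)
{
	/* Constructed sample values. */
	uint32_t off = 0xFFFFFFF0u, len = 0x20u, size = 0x1000u;

	printf("open-coded wrap test: %d\n", open_coded_wraps_u32(off, len));
	printf("builtin wrap test:    %d\n", builtin_wraps_u32(off, len));
	printf("INT_MAX + 1 overflow: %d\n", builtin_overflows_int(INT_MAX, 1));
	printf("UINT32_MAX + 1 as u32:    %d\n",
	       overflows_as_u32((size_t)UINT32_MAX, 1u));
	printf("UINT32_MAX + 1 as size_t: %d\n",
	       overflows_as_size_t((size_t)UINT32_MAX, 1u));
	printf("range accepted, unchecked: %d\n",
	       range_ok_unchecked(off, len, size));
	printf("range accepted, checked:   %d\n",
	       range_ok_checked(off, len, size));
	return 0;
}
```

The unchecked bounds test accepts the constructed range because the wrapped end offset is 0x10; the checked form rejects it.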
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Wei Liu, Paul Durrant, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, xen-devel@lists.xenproject.org, netdev@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 80/82] xen-netback: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:55 -0800
Message-Id: <20240123002814.1396804-80-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic
wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Wei Liu
Cc: Paul Durrant
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: xen-devel@lists.xenproject.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/net/xen-netback/hash.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c index ff96f22648ef..69b03b4feba9 100644 --- a/drivers/net/xen-netback/hash.c +++ b/drivers/net/xen-netback/hash.c
@@ -345,7 +345,7 @@ u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len, .flags = GNTCOPY_source_gref }}; - if ((off + len < off) || (off + len > vif->hash.size) || + if ((add_would_overflow(off, len)) || (off + len > vif->hash.size) || len > XEN_PAGE_SIZE / sizeof(*mapping)) return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
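Review bot: the added condition wraps the helper call in a redundant pair of parentheses, (add_would_overflow(off, len)), left over from the comparison it replaces. Drop them so the line reads: if (add_would_overflow(off, len) || (off + len > vif->hash.size) ||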
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Nick Terrell, Paul Jones, Sedat Dilek, Oleksandr Natalenko, Xin Gao, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 81/82] lib: zstd: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:56 -0800
Message-Id: <20240123002814.1396804-81-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on
this kind of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Switch to a more regular type for a 64-bit value and refactor the open-coded wrap-around addition test to use subtraction from the type max (since add_would_overflow() may not be defined in early boot code). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Nick Terrell Cc: Paul Jones Cc: Sedat Dilek Cc: Oleksandr Natalenko Cc: Xin Gao Signed-off-by: Kees Cook --- lib/zstd/decompress/zstd_decompress.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/zstd/decompress/zstd_decompress.c b/lib/zstd/decompress/zstd_decompress.c index 6b3177c94711..2c87cf702ad6 100644 --- a/lib/zstd/decompress/zstd_decompress.c +++ b/lib/zstd/decompress/zstd_decompress.c @@ -585,7 +585,7 @@ ZSTDLIB_API size_t ZSTD_readSkippableFrame(void* dst, size_t dstCapacity, unsign * @return : decompressed size of the frames contained */ unsigned long long ZSTD_findDecompressedSize(const void* src, size_t srcSize) { - unsigned long long totalDstSize = 0; + U64 totalDstSize = 0; while (srcSize >= ZSTD_startingInputLength(ZSTD_f_zstd1)) { U32 const magicNumber = MEM_readLE32(src); 
@@ -606,7 +606,7 @@ unsigned long long ZSTD_findDecompressedSize(const void* src, size_t srcSize) if (ret >= ZSTD_CONTENTSIZE_ERROR) return ret; /* check for overflow */ - if (totalDstSize + ret < totalDstSize) return ZSTD_CONTENTSIZE_ERROR; + if (U64_MAX - totalDstSize < ret) return ZSTD_CONTENTSIZE_ERROR; totalDstSize += ret; } { size_t const frameSrcSize = ZSTD_findFrameCompressedSize(src, srcSize); From patchwork Tue Jan 23 00:27:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 190665 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:7300:2553:b0:103:945f:af90 with SMTP id p19csp71359dyi; Mon, 22 Jan 2024 17:59:20 -0800 (PST) X-Google-Smtp-Source: AGHT+IECfoiFMJSfbaXMzp9ePVOMfpUmGGTqzBIIX8yr8TvNfQBmyAJB1iK6uQTxFqAFBw6qnkqr X-Received: by 2002:a17:902:d2c8:b0:1d7:6cb5:1b71 with SMTP id n8-20020a170902d2c800b001d76cb51b71mr514079plc.77.1705975160678; Mon, 22 Jan 2024 17:59:20 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1705975160; cv=pass; d=google.com; s=arc-20160816; b=AL6Dvg0fWwQdJXnrOeM9+1Y+AHy+KtZx2aF3FKZP6oekgODjO9LvalpqAPG2+QY8IX 1HSpgsNmgJAi8eUybDw7UEk3sU7TNfjKz/he0C01JMo0V0AWxTWcN6jAF2oJEHPBb7yU xh+2jDb7gtrLhXteyirgHlvm2ymrnlf9l2ICjRwdQImYrS2+Xch3MaipZq+bo2M8lRb5 uK1k81eM5ChMCjrT1eL6kZ3Z9UBD2BNkAh35jUsfJX2OkhoqlvjgypZ+XTHD+DOlk+SP leJ5e/e3U7BfQ9eF5aJDs9MSBm9C0/AcxgNzQ23jCnTlmbcbBQwxZr2WHW9QlnjNCfy/ F0gg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=S7qeKC064ZzlHJa5msLrHHdCXg1stkKcC4+dJKmdneQ=; fh=LilPlOXcFcN4EmEhA3uRW89AoTvAr5XjAZAfXjAMRas=; b=W8KzIIntQFxxpLAr6cXCMZ16LBzjp6Y0919TCNN83biogKouMf/jnOr/skcqWnzImw TaE5kQ74DIJIzF/Eh9CNs/Pc0zuxpn9BuhJOoqh/BsynTQKPPrhlxNl3e5L7jZrl3Rpe 
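Review bot: in the first hunk of the zstd patch (at -585), the accumulator becomes `U64 totalDstSize` while the return type of ZSTD_findDecompressedSize() stays `unsigned long long`, so the local and the returned value are now spelled as two different types. Either change both together, or keep `unsigned long long` and compare against that type's maximum in the later hunk. The commit message says only "a more regular type" and does not say why the switch is needed.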
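Review bot: in the second hunk of the zstd patch (at -606), `U64_MAX - totalDstSize < ret` is chosen because, per the commit message, add_would_overflow() may not be defined in early boot code, but nothing in the patch shows that U64_MAX is defined in that same build context. Please confirm which header provides it there, or add the include. It would also help to extend the `/* check for overflow */` comment to say why the subtraction form is used, so it is not converted to the helper later.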
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Christian Brauner, Andrew Morton, "Eric W. Biederman", Dave Chinner, Alexey Gladkov, Jeff Layton, Waiman Long, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 82/82] mqueue: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:57 -0800
Message-Id: <20240123002814.1396804-82-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around,
we need to refactor places that depend on this kind of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Christian Brauner Cc: Andrew Morton Cc: "Eric W. Biederman" Cc: Dave Chinner Cc: Alexey Gladkov Cc: Jeff Layton Cc: Waiman Long Signed-off-by: Kees Cook --- ipc/mqueue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipc/mqueue.c b/ipc/mqueue.c index 5eea4dc0509e..7ef9d325183a 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c @@ -366,7 +366,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb, min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) * sizeof(struct posix_msg_tree_node); mq_bytes = info->attr.mq_maxmsg * info->attr.mq_msgsize; - if (mq_bytes + mq_treesize < mq_bytes) + if (add_would_overflow(mq_bytes, mq_treesize)) goto out_inode; mq_bytes += mq_treesize; info->ucounts = get_ucounts(current_ucounts());
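Review bot: in mqueue_get_inode(), the context line just above the changed test, `mq_bytes = info->attr.mq_maxmsg * info->attr.mq_msgsize;`, is an unchecked multiplication whose result feeds add_would_overflow(), so the addition test says nothing about whether the product already wrapped. If the operands are bounded elsewhere, a comment here should say so; otherwise check_mul_overflow() fits the same goal. The test followed by `mq_bytes += mq_treesize;` could also become a single check_add_overflow() call that stores the sum.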
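The three spellings of the wrap-around test described in the commit messages above, side by side, as an added user-space example that is not code from the series. `wraps_builtin()` is a hypothetical stand-in for add_would_overflow() built on the compiler's `__builtin_add_overflow`; all function names and sample values are constructed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Form 1: open-coded VAR + value < VAR; defined for unsigned only, the sum wraps. */
static bool wraps_open_coded(uint64_t var, uint64_t value)
{
	return var + value < var;
}

/* Form 2: subtraction from the type max (zstd hunk); no operation here wraps. */
static bool wraps_sub_from_max(uint64_t var, uint64_t value)
{
	return UINT64_MAX - var < value;
}

/* Form 3: compiler builtin, a hypothetical stand-in for add_would_overflow(). */
static bool wraps_builtin(uint64_t var, uint64_t value)
{
	uint64_t sum;
	return __builtin_add_overflow(var, value, &sum);
}

/* Count disagreements between the three forms over constructed edge values. */
static int count_disagreements(void)
{
	static const uint64_t edge[] = { 0, 1, UINT64_MAX / 2, UINT64_MAX / 2 + 1, UINT64_MAX - 1, UINT64_MAX };
	const int n = sizeof(edge) / sizeof(edge[0]);
	int bad = 0;

	for (int i = 0; i < n; i++)
		for (int j = 0; j < n; j++) {
			bool a = wraps_open_coded(edge[i], edge[j]);
			if (a != wraps_sub_from_max(edge[i], edge[j]) ||
			    a != wraps_builtin(edge[i], edge[j]))
				bad++;
		}
	return bad;
}

/* Bounds check shaped like the xen-netback hunk (u32 operands). The wrap test
 * comes first; the builtin hands back the sum, so it is computed only once. */
static bool range_ok(uint32_t off, uint32_t len, uint32_t size)
{
	uint32_t end;
	if (__builtin_add_overflow(off, len, &end))
		return false;
	return end <= size;
}

/* The same comparison without the wrap test, to show what the test guards. */
static bool range_ok_no_wrap_test(uint32_t off, uint32_t len, uint32_t size)
{
	return (uint32_t)(off + len) <= size;
}

/* Signed operands: form 1 is undefined behavior in ISO C, the builtin is not. */
static bool signed_add_wraps(int32_t var, int32_t value)
{
	int32_t sum;
	return __builtin_add_overflow(var, value, &sum);
}

int main(void)
{
	printf("forms disagree on %d pairs\n", count_disagreements());
	printf("wrapped range: checked=%d unchecked=%d\n", range_ok(0xfffffff0u, 0x20u, 64),
	       range_ok_no_wrap_test(0xfffffff0u, 0x20u, 64));
	printf("INT32_MAX + 1 wraps: %d\n", signed_add_wraps(INT32_MAX, 1));
	return 0;
}
```

The wrapped range is rejected by `range_ok()` and accepted by the variant without the wrap test, which is the case the first operand of the xen-netback condition exists to catch.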