From patchwork Mon Jan 29 18:34:05 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 193664
From: Kees Cook
To: Rasmus Villemoes
Cc: Kees Cook, "Gustavo A. R. Silva", linux-hardening@vger.kernel.org, Nathan Chancellor, Bill Wendling, Justin Stitt, Mark Rutland, Miguel Ojeda, Marco Elver, linux-kernel@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH 1/5] overflow: Adjust check_*_overflow() kern-doc to reflect results
Date: Mon, 29 Jan 2024 10:34:05 -0800
Message-Id: <20240129183411.3791340-1-keescook@chromium.org>
In-Reply-To: <20240129182845.work.694-kees@kernel.org>
References: <20240129182845.work.694-kees@kernel.org>

The check_*_overflow() helpers will return results with potentially wrapped-around
values. These values have always been checked by the selftests, so avoid the confusing language in the kern-doc. The idea of "safe for use" was relative to the expectation of whether or not the caller wants a wrapped value -- the calculation itself will always follow arithmetic wrapping rules. Cc: "Gustavo A. R. Silva" Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/overflow.h | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 7b5cf4a5cd19..4e741ebb8005 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -57,11 +57,9 @@ static inline bool __must_check __must_check_overflow(bool overflow) * @b: second addend * @d: pointer to store sum * - * Returns 0 on success. + * Returns 0 on success, 1 on wrap-around. * - * *@d holds the results of the attempted addition, but is not considered - * "safe for use" on a non-zero return value, which indicates that the - * sum has overflowed or been truncated. + * *@d holds the results of the attempted addition, which may wrap-around. */ #define check_add_overflow(a, b, d) \ __must_check_overflow(__builtin_add_overflow(a, b, d)) @@ -72,11 +70,9 @@ static inline bool __must_check __must_check_overflow(bool overflow) * @b: subtrahend; value to subtract from @a * @d: pointer to store difference * - * Returns 0 on success. + * Returns 0 on success, 1 on wrap-around. * - * *@d holds the results of the attempted subtraction, but is not considered - * "safe for use" on a non-zero return value, which indicates that the - * difference has underflowed or been truncated. + * *@d holds the results of the attempted subtraction, which may wrap-around. */ #define check_sub_overflow(a, b, d) \ __must_check_overflow(__builtin_sub_overflow(a, b, d)) 
@@ -87,11 +83,9 @@ static inline bool __must_check __must_check_overflow(bool overflow) * @b: second factor * @d: pointer to store product * - * Returns 0 on success. + * Returns 0 on success, 1 on wrap-around. * - * *@d holds the results of the attempted multiplication, but is not - * considered "safe for use" on a non-zero return value, which indicates - * that the product has overflowed or been truncated. + * *@d holds the results of the attempted multiplication, which may wrap-around. */ #define check_mul_overflow(a, b, d) \ __must_check_overflow(__builtin_mul_overflow(a, b, d))
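Review bot: In all three kernel-doc blocks (check_add_overflow(), check_sub_overflow() and check_mul_overflow()), the replacement text drops the "or been truncated" case that the removed lines documented. The removed wording tied a non-zero return to a result that overflowed or was truncated, so the new line could read "Returns 0 on success, 1 on wrap-around or truncation". Since __must_check_overflow() is declared as returning bool, "false"/"true" would match the visible prototype better than 0/1, and the verb in "which may wrap-around" should be "wrap around".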
From: Kees Cook
To: Rasmus Villemoes
Cc: Kees Cook, "Gustavo A. R. Silva", Andrew Morton, Nathan Chancellor, Nick Desaulniers, Bill Wendling, Justin Stitt, llvm@lists.linux.dev, linux-hardening@vger.kernel.org, Mark Rutland, Miguel Ojeda, Marco Elver, linux-kernel@vger.kernel.org
Subject: [PATCH 2/5] overflow: Expand check_add_overflow() for pointer addition
Date: Mon, 29 Jan 2024 10:34:06 -0800
Message-Id: <20240129183411.3791340-2-keescook@chromium.org>
In-Reply-To: <20240129182845.work.694-kees@kernel.org>
References: <20240129182845.work.694-kees@kernel.org>

The check_add_overflow() helper is mostly a wrapper around
__builtin_add_overflow(), but GCC and Clang refuse to operate on pointer arguments that would normally be allowed if the addition were open-coded.

For example, we have many places where pointer overflow is tested:

	struct foo *ptr;
	...
	/* Check for overflow */
	if (ptr + count < ptr) ...

And in order to avoid running into the overflow sanitizers in the future, we need to rewrite these "intended" overflow checks:

	if (check_add_overflow(ptr, count, &result)) ...

Frustratingly the argument type validation for __builtin_add_overflow() is done before evaluating __builtin_choose_expr(), so for arguments to be valid simultaneously for sizeof(*p) (when p may not be a pointer), and __builtin_add_overflow(a, ...) (when a may be a pointer), we must introduce wrappers that always produce a specific type (but they are only used in the places where the bogus arguments will be ignored).

To test whether a variable is a pointer or not, introduce the __is_ptr() helper, which uses __builtin_classify_type() to find arrays and pointers (via the new __is_ptr_or_array() helper), and then decays arrays into pointers (via the new __decay() helper), to distinguish pointers from arrays.

Additionally update the unit tests to cover pointer addition.

Cc: Rasmus Villemoes
Cc: "Gustavo A. R. Silva"
Cc: Andrew Morton
Cc: Nathan Chancellor
Cc: Nick Desaulniers
Cc: Bill Wendling
Cc: Justin Stitt
Cc: llvm@lists.linux.dev
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook
--- include/linux/compiler_types.h | 10 +++++ include/linux/overflow.h | 44 ++++++++++++++++++- lib/overflow_kunit.c | 77 ++++++++++++++++++++++++++++++---- 3 files changed, 120 insertions(+), 11 deletions(-) diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index 6f1ca49306d2..d27b58fddfaa 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h
@@ -375,6 +375,16 @@ struct ftrace_likely_data { /* Are two types/vars the same type (ignoring qualifiers)? */ #define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b)) +/* Is variable addressable? */ +#define __is_ptr_or_array(p) (__builtin_classify_type(p) == 5) + +/* Return an array decayed to a pointer. */ +#define __decay(p) \ + (&*__builtin_choose_expr(__is_ptr_or_array(p), p, NULL)) + +/* Report if variable is a pointer type. */ +#define __is_ptr(p) __same_type(p, __decay(p)) + /* * __unqual_scalar_typeof(x) - Declare an unqualified scalar type, leaving * non-scalar types unchanged. diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 4e741ebb8005..210e5602e89b 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h 
@@ -51,6 +51,43 @@ static inline bool __must_check __must_check_overflow(bool overflow) return unlikely(overflow); } +/* Always produce an integral variable expression. */ +#define __filter_integral(x) \ + __builtin_choose_expr(!__is_ptr(x), (x), 0) + +/* Always produce a pointer value. */ +#define __filter_ptr(x) \ + __builtin_choose_expr(__is_ptr(x), (x), NULL) + +/* Always produce a pointer to an integral value. */ +#define __filter_ptrint(x) \ + __builtin_choose_expr(!__is_ptr(*(x)), x, &(int){ 0 }) + +/** + * __check_ptr_add_overflow() - Calculate pointer addition with overflow checking + * @a: pointer addend + * @b: numeric addend + * @d: pointer to store sum + * + * Returns 0 on success, 1 on wrap-around. + * + * Do not use this function directly, use check_add_overflow() instead. + * + * *@d holds the results of the attempted addition, which may wrap-around. + */ +#define __check_ptr_add_overflow(a, b, d) \ + ({ \ + typeof(a) __a = (a); \ + typeof(b) __b = (b); \ + size_t __bytes; \ + bool __overflow; \ + \ + /* we want to perform the wrap-around, but retain the result */ \ + __overflow = __builtin_mul_overflow(sizeof(*(__a)), __b, &__bytes); \ + __builtin_add_overflow((unsigned long)(__a), __bytes, (unsigned long *)(d)) || \ + __overflow; \ + }) + /** * check_add_overflow() - Calculate addition with overflow checking * @a: first addend @@ -61,8 +98,11 @@ static inline bool __must_check __must_check_overflow(bool overflow) * * *@d holds the results of the attempted addition, which may wrap-around. */ -#define check_add_overflow(a, b, d) \ - __must_check_overflow(__builtin_add_overflow(a, b, d)) +#define check_add_overflow(a, b, d) \ + __must_check_overflow(__builtin_choose_expr(__is_ptr(a), \ + __check_ptr_add_overflow(__filter_ptr(a), b, d), \ + __builtin_add_overflow(__filter_integral(a), b, \ + __filter_ptrint(d)))) /** * check_sub_overflow() - Calculate subtraction with overflow checking 
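Review bot: In __check_ptr_add_overflow(), __bytes is a size_t, so a negative @b (for example an int offset of -1) makes __builtin_mul_overflow() report overflow and the macro returns 1 even when the caller only meant to step backwards from @a. Either state in the kernel-doc that only non-negative offsets are supported or handle a signed @b explicitly, and add a test row for it. Separately, the (unsigned long *)(d) cast accepts any pointer type for @d; a __same_type(a, *(d)) assertion would stop a mismatched or narrower destination from being written as an unsigned long.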
diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c index c527f6b75789..2d106e880956 100644 --- a/lib/overflow_kunit.c +++ b/lib/overflow_kunit.c @@ -45,13 +45,18 @@ # define SKIP_64_ON_32(t) do { } while (0) #endif -#define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \ - static const struct test_ ## t1 ## _ ## t2 ## __ ## t { \ +#define DEFINE_TEST_ARRAY_NAMED_TYPED(n1, n2, n, t1, t2, t) \ + static const struct test_ ## n1 ## _ ## n2 ## __ ## n { \ t1 a; \ t2 b; \ - t sum, diff, prod; \ + t sum; \ + t diff; \ + t prod; \ bool s_of, d_of, p_of; \ - } t1 ## _ ## t2 ## __ ## t ## _tests[] + } n1 ## _ ## n2 ## __ ## n ## _tests[] + +#define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \ + DEFINE_TEST_ARRAY_NAMED_TYPED(t1, t2, t, t1, t2, t) #define DEFINE_TEST_ARRAY(t) DEFINE_TEST_ARRAY_TYPED(t, t, t) @@ -251,8 +256,10 @@ DEFINE_TEST_ARRAY(s64) = { }; #define check_one_op(t, fmt, op, sym, a, b, r, of) do { \ - int _a_orig = a, _a_bump = a + 1; \ - int _b_orig = b, _b_bump = b + 1; \ + typeof(a + 0) _a_orig = a; \ + typeof(a + 0) _a_bump = a + 1; \ + typeof(b + 0) _b_orig = b; \ + typeof(b + 0) _b_bump = b + 1; \ bool _of; \ t _r; \ \ 
@@ -260,13 +267,13 @@ DEFINE_TEST_ARRAY(s64) = { KUNIT_EXPECT_EQ_MSG(test, _of, of, \ "expected "fmt" "sym" "fmt" to%s overflow (type %s)\n", \ a, b, of ? "" : " not", #t); \ - KUNIT_EXPECT_EQ_MSG(test, _r, r, \ + KUNIT_EXPECT_TRUE_MSG(test, _r == r, \ "expected "fmt" "sym" "fmt" == "fmt", got "fmt" (type %s)\n", \ a, b, r, _r, #t); \ /* Check for internal macro side-effects. */ \ _of = check_ ## op ## _overflow(_a_orig++, _b_orig++, &_r); \ - KUNIT_EXPECT_EQ_MSG(test, _a_orig, _a_bump, "Unexpected " #op " macro side-effect!\n"); \ - KUNIT_EXPECT_EQ_MSG(test, _b_orig, _b_bump, "Unexpected " #op " macro side-effect!\n"); \ + KUNIT_EXPECT_TRUE_MSG(test, _a_orig == _a_bump, "Unexpected " #op " macro side-effect!\n"); \ + KUNIT_EXPECT_TRUE_MSG(test, _b_orig == _b_bump, "Unexpected " #op " macro side-effect!\n"); \ } while (0) #define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \ 
@@ -333,6 +340,55 @@ DEFINE_TEST_ARRAY_TYPED(int, int, u8) = { }; DEFINE_TEST_FUNC_TYPED(int_int__u8, u8, "%d"); +#define DEFINE_TEST_PTR_FUNC_TYPED(n, t, fmt) \ +static void do_ptr_test_ ## n(struct kunit *test, const struct test_ ## n *p) \ +{ \ + /* we're only doing single-direction sums, no product or division */ \ + check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of);\ +} \ + \ +static void n ## _overflow_test(struct kunit *test) { \ + unsigned i; \ + \ + for (i = 0; i < ARRAY_SIZE(n ## _tests); ++i) \ + do_ptr_test_ ## n(test, &n ## _tests[i]); \ + kunit_info(test, "%zu %s arithmetic tests finished\n", \ + ARRAY_SIZE(n ## _tests), #n); \ +} + +DEFINE_TEST_ARRAY_NAMED_TYPED(void, int, void, void *, int, void *) = { + {NULL, 0, NULL, NULL, NULL, false, false, false}, + {(void *)0x30, 0x10, (void *)0x40, NULL, NULL, false, false, false}, + {(void *)ULONG_MAX, 0, (void *)ULONG_MAX, NULL, NULL, false, false, false}, + {(void *)ULONG_MAX, 1, NULL, NULL, NULL, true, false, false}, + {(void *)ULONG_MAX, INT_MAX, (void *)(INT_MAX - 1), NULL, NULL, true, false, false}, +}; +DEFINE_TEST_PTR_FUNC_TYPED(void_int__void, void *, "%lx"); + +struct _sized { + int a; + char b; +}; + +DEFINE_TEST_ARRAY_NAMED_TYPED(sized, int, sized, struct _sized *, int, struct _sized *) = { + {NULL, 0, NULL, NULL, NULL, false, false, false}, + {NULL, 1, (struct _sized *)(sizeof(struct _sized)), NULL, NULL, false, false, false}, + {NULL, 0x10, (struct _sized *)(sizeof(struct _sized) * 0x10), NULL, NULL, false, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized)), 1, (struct _sized *)ULONG_MAX, NULL, NULL, false, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized) + 1), 1, NULL, NULL, NULL, true, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized) + 1), 2, (struct _sized *)(sizeof(struct _sized)), NULL, NULL, true, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized) + 1), 3, (struct _sized *)(sizeof(struct _sized) * 2), NULL, NULL, true, false, false}, 
+}; +DEFINE_TEST_PTR_FUNC_TYPED(sized_int__sized, struct _sized *, "%lx"); + +DEFINE_TEST_ARRAY_NAMED_TYPED(sized, size_t, sized, struct _sized *, size_t, struct _sized *) = { + {NULL, 0, NULL, NULL, NULL, false, false, false}, + {NULL, 1, (struct _sized *)(sizeof(struct _sized)), NULL, NULL, false, false, false}, + {NULL, 0x10, (struct _sized *)(sizeof(struct _sized) * 0x10), NULL, NULL, false, false, false}, + {NULL, SIZE_MAX - 10, (struct _sized *)18446744073709551528UL, NULL, NULL, true, false, false}, +}; +DEFINE_TEST_PTR_FUNC_TYPED(sized_size_t__sized, struct _sized *, "%zu"); + /* Args are: value, shift, type, expected result, overflow expected */ #define TEST_ONE_SHIFT(a, s, t, expect, of) do { \ typeof(a) __a = (a); \ 
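Review bot: In the sized/size_t table, the expected sum for the {NULL, SIZE_MAX - 10} row is hard-coded as 18446744073709551528UL, which only holds when unsigned long is 64 bits wide and sizeof(struct _sized) is 8. Writing it as (struct _sized *)(sizeof(struct _sized) * (SIZE_MAX - 10)) keeps the row correct on 32-bit builds, which this file already caters for with SKIP_64_ON_32(). Also, DEFINE_TEST_PTR_FUNC_TYPED() passes a single fmt ("%lx" or "%zu") that check_one_op() applies to the pointer operand, the int or size_t addend and the pointer result alike, so the arguments do not match the conversion; use %p for the pointers and a separate format for the addend.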
@@ -1122,6 +1178,9 @@ static struct kunit_case overflow_test_cases[] = { KUNIT_CASE(s32_s32__s32_overflow_test), KUNIT_CASE(u64_u64__u64_overflow_test), KUNIT_CASE(s64_s64__s64_overflow_test), + KUNIT_CASE(void_int__void_overflow_test), + KUNIT_CASE(sized_int__sized_overflow_test), + KUNIT_CASE(sized_size_t__sized_overflow_test), KUNIT_CASE(u32_u32__int_overflow_test), KUNIT_CASE(u32_u32__u8_overflow_test), KUNIT_CASE(u8_u8__int_overflow_test),
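Review bot: In the include/linux/compiler_types.h hunk, __is_ptr_or_array() compares __builtin_classify_type(p) against a bare 5, and its comment ("Is variable addressable?") describes something other than the pointer-or-array test the commit message says it performs. Name the constant or add a comment saying that 5 is the pointer class, and reword the comment to match what the macro checks.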
From: Kees Cook
To: Rasmus Villemoes
Cc: Kees Cook, "Gustavo A. R. Silva", linux-hardening@vger.kernel.org, Nathan Chancellor, Bill Wendling, Justin Stitt, Mark Rutland, Miguel Ojeda, Marco Elver, linux-kernel@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH 3/5] overflow: Introduce add_would_overflow()
Date: Mon, 29 Jan 2024 10:34:07 -0800
Message-Id: <20240129183411.3791340-3-keescook@chromium.org>
In-Reply-To: <20240129182845.work.694-kees@kernel.org>
References: <20240129182845.work.694-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

For instances where only the overflow needs to be checked (and the sum isn't used), provide the new helper
add_would_overflow(), which is a wrapper for check_add_overflow(). Cc: Rasmus Villemoes Cc: "Gustavo A. R. Silva" Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/overflow.h | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 210e5602e89b..3c46c648d2e8 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h 
@@ -104,6 +104,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) __builtin_add_overflow(__filter_integral(a), b, \ __filter_ptrint(d)))) +/** + * add_would_overflow() - Check if an addition would overflow + * @var: variable to add to that is checked for overflow + * @offset: value to add + * + * Returns true if the sum would overflow. + * + * To keep a copy of the sum when the addition doesn't overflow, use + * check_add_overflow() instead. + */ +#define add_would_overflow(var, offset) \ + __must_check_overflow(({ \ + typeof(var) __result; \ + check_add_overflow(var, offset, &__result); \ + })) + /** * check_sub_overflow() - Calculate subtraction with overflow checking * @a: minuend; value to subtract from
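Review bot: The kernel-doc for add_would_overflow() does not say which type the sum is tested against, and the body answers it only implicitly with "typeof(var) __result;": the check is whether var + offset fits in the type of @var, whatever the type of @offset. Suggest saying so in the @var line, and rewording "variable to add to", since the macro never stores into @var and that phrase reads as if it does.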
From: Kees Cook
To: Rasmus Villemoes
Cc: Kees Cook, Mark Rutland, linux-hardening@vger.kernel.org, "Gustavo A. R. Silva", Nathan Chancellor, Bill Wendling, Justin Stitt, Miguel Ojeda, Marco Elver, linux-kernel@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH 4/5] overflow: Introduce add_wrap(), sub_wrap(), and mul_wrap()
Date: Mon, 29 Jan 2024 10:34:08 -0800
Message-Id: <20240129183411.3791340-4-keescook@chromium.org>
In-Reply-To: <20240129182845.work.694-kees@kernel.org>
References: <20240129182845.work.694-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Provide helpers that will perform wrapping addition, subtraction, or multiplication without
tripping the arithmetic wrap-around sanitizers. The first argument is the type under which the wrap-around should happen with. In other words, these two calls will get very different results: add_wrap(int, 50, 50) == 2500 add_wrap(u8, 50, 50) == 196 Cc: Rasmus Villemoes Cc: Mark Rutland Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/overflow.h | 54 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 3c46c648d2e8..4f945e9e7881 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -120,6 +120,24 @@ static inline bool __must_check __must_check_overflow(bool overflow) check_add_overflow(var, offset, &__result); \ })) +/** + * add_wrap() - Intentionally perform a wrapping addition + * @type: type to check overflow against + * @a: first addend + * @b: second addend + * + * Return the potentially wrapped-around addition without + * tripping any overflow sanitizers that may be enabled. + */ +#define add_wrap(type, a, b) \ + ({ \ + type __sum; \ + if (check_add_overflow(a, b, &__sum)) { \ + /* do nothing */ \ + } \ + __sum; \ + }) + /** * check_sub_overflow() - Calculate subtraction with overflow checking * @a: minuend; value to subtract from 
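Review bot: In the add_wrap() kernel-doc, "@type: type to check overflow against" describes a check the macro does not make: the return value of check_add_overflow() is discarded and @type only sets the width and signedness the sum wraps to. Suggest "@type: type the result wraps to". The commit message example also does not match this macro: 2500 and 196 are 50 * 50 and 2500 modulo 256, whereas add_wrap(int, 50, 50) and add_wrap(u8, 50, 50) as defined here both give 100, so the example looks like it was meant for mul_wrap().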
@@ -133,6 +151,24 @@ static inline bool __must_check __must_check_overflow(bool overflow) #define check_sub_overflow(a, b, d) \ __must_check_overflow(__builtin_sub_overflow(a, b, d)) +/** + * sub_wrap() - Intentionally perform a wrapping subtraction + * @type: type to check underflow against + * @a: minuend; value to subtract from + * @b: subtrahend; value to subtract from @a + * + * Return the potentially wrapped-around subtraction without + * tripping any overflow sanitizers that may be enabled. + */ +#define sub_wrap(type, a, b) \ + ({ \ + type __val; \ + if (check_sub_overflow(a, b, &__val)) { \ + /* do nothing */ \ + } \ + __val; \ + }) + /** * check_mul_overflow() - Calculate multiplication with overflow checking * @a: first factor 
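Review bot: sub_wrap() declares its temporary under the fixed name __val ("type __val;"), so an argument expression that itself names __val binds to the new, uninitialised local instead of the caller's variable. add_wrap() has the same shape with __sum; a per-expansion unique name, such as one built with __UNIQUE_ID(), would close this off for all three helpers in this patch. The "@type: type to check underflow against" line also overstates what happens: nothing is checked, @type is the type the difference wraps to.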
@@ -146,6 +182,24 @@ static inline bool __must_check __must_check_overflow(bool overflow) #define check_mul_overflow(a, b, d) \ __must_check_overflow(__builtin_mul_overflow(a, b, d)) +/** + * mul_wrap() - Intentionally perform a wrapping multiplication + * @type: type to check underflow against + * @a: first factor + * @b: second factor + * + * Return the potentially wrapped-around multiplication without + * tripping any overflow sanitizers that may be enabled. + */ +#define mul_wrap(type, a, b) \ + ({ \ + type __val; \ + if (check_mul_overflow(a, b, &__val)) { \ + /* do nothing */ \ + } \ + __val; \ + }) + /** * check_shl_overflow() - Calculate a left-shifted value and check overflow * @a: Value to be shifted
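Review bot: The mul_wrap() kernel-doc says "@type: type to check underflow against", which is carried over from sub_wrap() and does not fit a multiplication. Suggest "@type: type the product wraps to", and "Return the potentially wrapped-around product" in the description to match.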
From: Kees Cook
To: Rasmus Villemoes
Cc: Kees Cook, Mark Rutland, "Gustavo A. R. Silva", linux-hardening@vger.kernel.org, Nathan Chancellor, Bill Wendling, Justin Stitt, Miguel Ojeda, Marco Elver, linux-kernel@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH 5/5] overflow: Introduce inc_wrap() and dec_wrap()
Date: Mon, 29 Jan 2024 10:34:09 -0800
Message-Id: <20240129183411.3791340-5-keescook@chromium.org>
In-Reply-To: <20240129182845.work.694-kees@kernel.org>
References: <20240129182845.work.694-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This allows replacements of the idioms "var += offset" and "var -= offset" with the inc_wrap() and
dec_wrap() helpers respectively. They will avoid wrap-around sanitizer instrumentation. Cc: Rasmus Villemoes Cc: Mark Rutland Cc: "Gustavo A. R. Silva" Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/overflow.h | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 4f945e9e7881..080b18b84498 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -138,6 +138,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) __sum; \ }) +/** + * add_wrap() - Intentionally perform a wrapping increment + * @a: variable to be incremented + * @b: amount to add + * + * Increments @a by @b with wrap-around. Returns the resulting + * value of @a. Will not trip any wrap-around sanitizers. + */ +#define inc_wrap(var, offset) \ + ({ \ + if (check_add_overflow(var, offset, &var)) { \ + /* do nothing */ \ + } \ + var; \ + }) + /** * check_sub_overflow() - Calculate subtraction with overflow checking * @a: minuend; value to subtract from @@ -169,6 +185,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) __val; \ }) +/** + * dec_wrap() - Intentionally perform a wrapping decrement + * @a: variable to be decremented + * @b: amount to subtract + * + * Decrements @a by @b with wrap-around. Returns the resulting + * value of @a. Will not trip any wrap-around sanitizers. + */ +#define dec_wrap(var, offset) \ + ({ \ + if (check_sub_overflow(var, offset, &var)) { \ + /* do nothing */ \ + } \ + var; \ + }) + /** * check_mul_overflow() - Calculate multiplication with overflow checking * @a: first factor
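Review bot: In the first hunk, the kernel-doc above inc_wrap() is headed "add_wrap() - Intentionally perform a wrapping increment" and documents @a and @b, while the macro is inc_wrap(var, offset); the header and the parameter names need to match the macro so the comment documents the right symbol. The body also expands var three times (twice in "check_add_overflow(var, offset, &var)" and once as the result), so an argument with side effects can be evaluated more than once; take its address into a local pointer first, or document that var must be a side-effect-free lvalue.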
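Review bot: In the second hunk, the dec_wrap() kernel-doc documents @a and @b but the macro parameters are var and offset, so "Decrements @a by @b" refers to names that do not exist in the macro. The comment should also state that the wrap happens in the type of var, since unlike sub_wrap() there is no explicit type argument, and that var is expanded more than once ("check_sub_overflow(var, offset, &var)" plus the result), which matters for arguments with side effects.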