From patchwork Tue Jan 30 22:06:06 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 194342
From: Kees Cook
To: Rasmus Villemoes
Cc: Kees Cook, "Gustavo A. R. Silva", Justin Stitt, linux-hardening@vger.kernel.org, Andrew Morton, Nathan Chancellor, Nick Desaulniers, Bill Wendling, Mark Rutland, Miguel Ojeda, Marco Elver, Jakub Kicinski, Przemek Kitszel, Masahiro Yamada, linux-kernel@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH v2 1/5] overflow: Adjust check_*_overflow() kern-doc to reflect results
Date: Tue, 30 Jan 2024 14:06:06 -0800
Message-Id: <20240130220614.1154497-1-keescook@chromium.org>
In-Reply-To: <20240130220218.it.154-kees@kernel.org>
References: <20240130220218.it.154-kees@kernel.org>

The check_*_overflow() helpers will return results with potentially wrapped-around values. These values have always been checked by the selftests, so avoid the confusing language in the kern-doc. The idea of "safe for use" was relative to the expectation of whether or not the caller wants a wrapped value -- the calculation itself will always follow arithmetic wrapping rules. Cc: "Gustavo A. R. Silva" Cc: Justin Stitt Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/overflow.h | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 7b5cf4a5cd19..4e741ebb8005 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -57,11 +57,9 @@ static inline bool __must_check __must_check_overflow(bool overflow) * @b: second addend * @d: pointer to store sum * - * Returns 0 on success. + * Returns 0 on success, 1 on wrap-around. * - * *@d holds the results of the attempted addition, but is not considered - * "safe for use" on a non-zero return value, which indicates that the - * sum has overflowed or been truncated. + * *@d holds the results of the attempted addition, which may wrap-around. */ #define check_add_overflow(a, b, d) \ __must_check_overflow(__builtin_add_overflow(a, b, d)) @@ -72,11 +70,9 @@ static inline bool __must_check __must_check_overflow(bool overflow) * @b: subtrahend; value to subtract from @a * @d: pointer to store difference * - * Returns 0 on success. + * Returns 0 on success, 1 on wrap-around. * - * *@d holds the results of the attempted subtraction, but is not considered - * "safe for use" on a non-zero return value, which indicates that the - * difference has underflowed or been truncated. + * *@d holds the results of the attempted subtraction, which may wrap-around. */ #define check_sub_overflow(a, b, d) \ __must_check_overflow(__builtin_sub_overflow(a, b, d)) 
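Review bot: The rewritten kern-doc for check_add_overflow() and check_sub_overflow() no longer mentions truncation, which the removed lines covered ("overflowed or been truncated"). A non-zero return also signals that the result did not fit the type of *@d, so consider wording such as "*@d holds the result of the attempted addition, wrapped or truncated to the type of *@d" (and the same for the subtraction), so that callers do not read "wrap-around" as covering only same-width operands.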
@@ -87,11 +83,9 @@ static inline bool __must_check __must_check_overflow(bool overflow) * @b: second factor * @d: pointer to store product * - * Returns 0 on success. + * Returns 0 on success, 1 on wrap-around. * - * *@d holds the results of the attempted multiplication, but is not - * considered "safe for use" on a non-zero return value, which indicates - * that the product has overflowed or been truncated. + * *@d holds the results of the attempted multiplication, which may wrap-around. */ #define check_mul_overflow(a, b, d) \ __must_check_overflow(__builtin_mul_overflow(a, b, d))
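Review bot: "Returns 0 on success, 1 on wrap-around." in the check_mul_overflow() kern-doc (and in the two blocks before it) describes an integer, but the hunk context shows the value coming from __must_check_overflow(bool overflow); "Returns true on wrap-around, false otherwise" would match the type. In the same comment, "which may wrap-around" uses the noun form as a verb; "which may wrap around" reads correctly.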

From patchwork Tue Jan 30 22:06:07 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 194339
From: Kees Cook
To: Rasmus Villemoes
Cc: Kees Cook, "Gustavo A. R. Silva", Andrew Morton, Nathan Chancellor, Nick Desaulniers, Bill Wendling, Justin Stitt, llvm@lists.linux.dev, linux-hardening@vger.kernel.org, Mark Rutland, Miguel Ojeda, Marco Elver, Jakub Kicinski, Przemek Kitszel, Masahiro Yamada, linux-kernel@vger.kernel.org
Subject: [PATCH v2 2/5] overflow: Expand check_add_overflow() for pointer addition
Date: Tue, 30 Jan 2024 14:06:07 -0800
Message-Id: <20240130220614.1154497-2-keescook@chromium.org>
In-Reply-To: <20240130220218.it.154-kees@kernel.org>
References: <20240130220218.it.154-kees@kernel.org>

The
check_add_overflow() helper is mostly a wrapper around __builtin_add_overflow(), but GCC and Clang refuse to operate on pointer arguments that would normally be allowed if the addition were open-coded. For example, we have many places where pointer overflow is tested: struct foo *ptr; ... /* Check for overflow */ if (ptr + count < ptr) ... And in order to avoid running into the overflow sanitizers in the future, we need to rewrite these "intended" overflow checks: if (check_add_overflow(ptr, count, &result)) ... Frustratingly the argument type validation for __builtin_add_overflow() is done before evaluating __builtin_choose_expr(), so for arguments to be valid simultaneously for sizeof(*p) (when p may not be a pointer), and __builtin_add_overflow(a, ...) (when a may be a pointer), we must introduce wrappers that always produce a specific type (but they are only used in the places where the bogus arguments will be ignored). To test whether a variable is a pointer or not, introduce the __is_ptr() helper, which uses __builtin_classify_type() to find arrays and pointers (via the new __is_ptr_or_array() helper), and then decays arrays into pointers (via the new __decay() helper), to distinguish pointers from arrays. Additionally update the unit tests to cover pointer addition. Cc: Rasmus Villemoes Cc: "Gustavo A. R. Silva" Cc: Andrew Morton Cc: Nathan Chancellor Cc: Nick Desaulniers Cc: Bill Wendling Cc: Justin Stitt Cc: llvm@lists.linux.dev Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/compiler_types.h | 10 +++++ include/linux/overflow.h | 44 ++++++++++++++++++- lib/overflow_kunit.c | 77 ++++++++++++++++++++++++++++++---- 3 files changed, 120 insertions(+), 11 deletions(-) diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index 6f1ca49306d2..d27b58fddfaa 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h 
@@ -375,6 +375,16 @@ struct ftrace_likely_data { /* Are two types/vars the same type (ignoring qualifiers)? */ #define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b)) +/* Is variable addressable? */ +#define __is_ptr_or_array(p) (__builtin_classify_type(p) == 5) + +/* Return an array decayed to a pointer. */ +#define __decay(p) \ + (&*__builtin_choose_expr(__is_ptr_or_array(p), p, NULL)) + +/* Report if variable is a pointer type. */ +#define __is_ptr(p) __same_type(p, __decay(p)) + /* * __unqual_scalar_typeof(x) - Declare an unqualified scalar type, leaving * non-scalar types unchanged. diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 4e741ebb8005..210e5602e89b 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h 
@@ -51,6 +51,43 @@ static inline bool __must_check __must_check_overflow(bool overflow) return unlikely(overflow); } +/* Always produce an integral variable expression. */ +#define __filter_integral(x) \ + __builtin_choose_expr(!__is_ptr(x), (x), 0) + +/* Always produce a pointer value. */ +#define __filter_ptr(x) \ + __builtin_choose_expr(__is_ptr(x), (x), NULL) + +/* Always produce a pointer to an integral value. */ +#define __filter_ptrint(x) \ + __builtin_choose_expr(!__is_ptr(*(x)), x, &(int){ 0 }) + +/** + * __check_ptr_add_overflow() - Calculate pointer addition with overflow checking + * @a: pointer addend + * @b: numeric addend + * @d: pointer to store sum + * + * Returns 0 on success, 1 on wrap-around. + * + * Do not use this function directly, use check_add_overflow() instead. + * + * *@d holds the results of the attempted addition, which may wrap-around. + */ +#define __check_ptr_add_overflow(a, b, d) \ + ({ \ + typeof(a) __a = (a); \ + typeof(b) __b = (b); \ + size_t __bytes; \ + bool __overflow; \ + \ + /* we want to perform the wrap-around, but retain the result */ \ + __overflow = __builtin_mul_overflow(sizeof(*(__a)), __b, &__bytes); \ + __builtin_add_overflow((unsigned long)(__a), __bytes, (unsigned long *)(d)) || \ + __overflow; \ + }) + /** * check_add_overflow() - Calculate addition with overflow checking * @a: first addend @@ -61,8 +98,11 @@ static inline bool __must_check __must_check_overflow(bool overflow) * * *@d holds the results of the attempted addition, which may wrap-around. */ -#define check_add_overflow(a, b, d) \ - __must_check_overflow(__builtin_add_overflow(a, b, d)) +#define check_add_overflow(a, b, d) \ + __must_check_overflow(__builtin_choose_expr(__is_ptr(a), \ + __check_ptr_add_overflow(__filter_ptr(a), b, d), \ + __builtin_add_overflow(__filter_integral(a), b, \ + __filter_ptrint(d)))) /** * check_sub_overflow() - Calculate subtraction with overflow checking 
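Review bot: In __check_ptr_add_overflow(), a negative @b is always reported as overflow: __builtin_mul_overflow(sizeof(*(__a)), __b, &__bytes) stores into a size_t, so a product such as sizeof(*p) * -1 cannot be represented and __overflow is set, even though the wrapped sum written to *@d is the expected lower address. Either state in the kern-doc that @b must be non-negative or handle a signed @b separately. The (unsigned long *)(d) cast also accepts any pointer for @d; a compile-time check such as __same_type(a, *(d)) would keep a mismatched destination from building.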
diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c index c527f6b75789..2d106e880956 100644 --- a/lib/overflow_kunit.c +++ b/lib/overflow_kunit.c @@ -45,13 +45,18 @@ # define SKIP_64_ON_32(t) do { } while (0) #endif -#define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \ - static const struct test_ ## t1 ## _ ## t2 ## __ ## t { \ +#define DEFINE_TEST_ARRAY_NAMED_TYPED(n1, n2, n, t1, t2, t) \ + static const struct test_ ## n1 ## _ ## n2 ## __ ## n { \ t1 a; \ t2 b; \ - t sum, diff, prod; \ + t sum; \ + t diff; \ + t prod; \ bool s_of, d_of, p_of; \ - } t1 ## _ ## t2 ## __ ## t ## _tests[] + } n1 ## _ ## n2 ## __ ## n ## _tests[] + +#define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \ + DEFINE_TEST_ARRAY_NAMED_TYPED(t1, t2, t, t1, t2, t) #define DEFINE_TEST_ARRAY(t) DEFINE_TEST_ARRAY_TYPED(t, t, t) @@ -251,8 +256,10 @@ DEFINE_TEST_ARRAY(s64) = { }; #define check_one_op(t, fmt, op, sym, a, b, r, of) do { \ - int _a_orig = a, _a_bump = a + 1; \ - int _b_orig = b, _b_bump = b + 1; \ + typeof(a + 0) _a_orig = a; \ + typeof(a + 0) _a_bump = a + 1; \ + typeof(b + 0) _b_orig = b; \ + typeof(b + 0) _b_bump = b + 1; \ bool _of; \ t _r; \ \ 
@@ -260,13 +267,13 @@ DEFINE_TEST_ARRAY(s64) = { KUNIT_EXPECT_EQ_MSG(test, _of, of, \ "expected "fmt" "sym" "fmt" to%s overflow (type %s)\n", \ a, b, of ? "" : " not", #t); \ - KUNIT_EXPECT_EQ_MSG(test, _r, r, \ + KUNIT_EXPECT_TRUE_MSG(test, _r == r, \ "expected "fmt" "sym" "fmt" == "fmt", got "fmt" (type %s)\n", \ a, b, r, _r, #t); \ /* Check for internal macro side-effects. */ \ _of = check_ ## op ## _overflow(_a_orig++, _b_orig++, &_r); \ - KUNIT_EXPECT_EQ_MSG(test, _a_orig, _a_bump, "Unexpected " #op " macro side-effect!\n"); \ - KUNIT_EXPECT_EQ_MSG(test, _b_orig, _b_bump, "Unexpected " #op " macro side-effect!\n"); \ + KUNIT_EXPECT_TRUE_MSG(test, _a_orig == _a_bump, "Unexpected " #op " macro side-effect!\n"); \ + KUNIT_EXPECT_TRUE_MSG(test, _b_orig == _b_bump, "Unexpected " #op " macro side-effect!\n"); \ } while (0) #define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \ 
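Review bot: Switching the two side-effect checks to KUNIT_EXPECT_TRUE_MSG(test, _a_orig == _a_bump, ...) and the _b_orig equivalent drops the compared values from the failure output, because the "Unexpected " #op " macro side-effect!" message prints neither operand. Adding the values to those two messages would keep failures diagnosable, and a short comment saying why KUNIT_EXPECT_EQ_MSG() could not be kept for the pointer cases would explain the change to later readers.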
@@ -333,6 +340,55 @@ DEFINE_TEST_ARRAY_TYPED(int, int, u8) = { }; DEFINE_TEST_FUNC_TYPED(int_int__u8, u8, "%d"); +#define DEFINE_TEST_PTR_FUNC_TYPED(n, t, fmt) \ +static void do_ptr_test_ ## n(struct kunit *test, const struct test_ ## n *p) \ +{ \ + /* we're only doing single-direction sums, no product or division */ \ + check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of);\ +} \ + \ +static void n ## _overflow_test(struct kunit *test) { \ + unsigned i; \ + \ + for (i = 0; i < ARRAY_SIZE(n ## _tests); ++i) \ + do_ptr_test_ ## n(test, &n ## _tests[i]); \ + kunit_info(test, "%zu %s arithmetic tests finished\n", \ + ARRAY_SIZE(n ## _tests), #n); \ +} + +DEFINE_TEST_ARRAY_NAMED_TYPED(void, int, void, void *, int, void *) = { + {NULL, 0, NULL, NULL, NULL, false, false, false}, + {(void *)0x30, 0x10, (void *)0x40, NULL, NULL, false, false, false}, + {(void *)ULONG_MAX, 0, (void *)ULONG_MAX, NULL, NULL, false, false, false}, + {(void *)ULONG_MAX, 1, NULL, NULL, NULL, true, false, false}, + {(void *)ULONG_MAX, INT_MAX, (void *)(INT_MAX - 1), NULL, NULL, true, false, false}, +}; +DEFINE_TEST_PTR_FUNC_TYPED(void_int__void, void *, "%lx"); + +struct _sized { + int a; + char b; +}; + +DEFINE_TEST_ARRAY_NAMED_TYPED(sized, int, sized, struct _sized *, int, struct _sized *) = { + {NULL, 0, NULL, NULL, NULL, false, false, false}, + {NULL, 1, (struct _sized *)(sizeof(struct _sized)), NULL, NULL, false, false, false}, + {NULL, 0x10, (struct _sized *)(sizeof(struct _sized) * 0x10), NULL, NULL, false, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized)), 1, (struct _sized *)ULONG_MAX, NULL, NULL, false, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized) + 1), 1, NULL, NULL, NULL, true, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized) + 1), 2, (struct _sized *)(sizeof(struct _sized)), NULL, NULL, true, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized) + 1), 3, (struct _sized *)(sizeof(struct _sized) * 2), NULL, NULL, true, false, false}, 
+}; +DEFINE_TEST_PTR_FUNC_TYPED(sized_int__sized, struct _sized *, "%lx"); + +DEFINE_TEST_ARRAY_NAMED_TYPED(sized, size_t, sized, struct _sized *, size_t, struct _sized *) = { + {NULL, 0, NULL, NULL, NULL, false, false, false}, + {NULL, 1, (struct _sized *)(sizeof(struct _sized)), NULL, NULL, false, false, false}, + {NULL, 0x10, (struct _sized *)(sizeof(struct _sized) * 0x10), NULL, NULL, false, false, false}, + {NULL, SIZE_MAX - 10, (struct _sized *)18446744073709551528UL, NULL, NULL, true, false, false}, +}; +DEFINE_TEST_PTR_FUNC_TYPED(sized_size_t__sized, struct _sized *, "%zu"); + /* Args are: value, shift, type, expected result, overflow expected */ #define TEST_ONE_SHIFT(a, s, t, expect, of) do { \ typeof(a) __a = (a); \ 
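Review bot: The expected sum (struct _sized *)18446744073709551528UL in the sized/size_t table is only correct where unsigned long is 64 bits and sizeof(struct _sized) is 8, and nothing in the hunk guards that table on 32-bit builds. Deriving it in place, for example (struct _sized *)(sizeof(struct _sized) * (SIZE_MAX - 10)), lets unsigned wrap-around produce the right value at either width. The fmt arguments also look mismatched: "%lx" and "%zu" are handed to check_one_op(), which applies the one fmt to a, b, r and _r, yet a and r are pointers while b is an int or a size_t.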
@@ -1122,6 +1178,9 @@ static struct kunit_case overflow_test_cases[] = { KUNIT_CASE(s32_s32__s32_overflow_test), KUNIT_CASE(u64_u64__u64_overflow_test), KUNIT_CASE(s64_s64__s64_overflow_test), + KUNIT_CASE(void_int__void_overflow_test), + KUNIT_CASE(sized_int__sized_overflow_test), + KUNIT_CASE(sized_size_t__sized_overflow_test), KUNIT_CASE(u32_u32__int_overflow_test), KUNIT_CASE(u32_u32__u8_overflow_test), KUNIT_CASE(u8_u8__int_overflow_test),
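Review bot: In the include/linux/compiler_types.h hunk, the comment "Is variable addressable?" does not describe what __is_ptr_or_array() tests, and the literal 5 in __builtin_classify_type(p) == 5 is unexplained. A comment stating that 5 is the compiler's pointer type class, which array arguments also report, or a named constant in its place, would let the macro be reviewed without looking up the builtin's return codes.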
From: Kees Cook To: Rasmus Villemoes Cc: Kees Cook , "Gustavo A. R. Silva" , Justin Stitt , linux-hardening@vger.kernel.org, Andrew Morton , Nathan Chancellor , Nick Desaulniers , Bill Wendling , Mark Rutland , Miguel Ojeda , Marco Elver , Jakub Kicinski , Przemek Kitszel , Masahiro Yamada , linux-kernel@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH v2 3/5] overflow: Introduce add_would_overflow() Date: Tue, 30 Jan 2024 14:06:08 -0800 Message-Id: <20240130220614.1154497-3-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240130220218.it.154-kees@kernel.org> References: <20240130220218.it.154-kees@kernel.org>
For instances where only
the overflow needs to be checked (and the sum isn't used), provide the new helper add_would_overflow(), which is a wrapper for check_add_overflow(). Cc: Rasmus Villemoes Cc: "Gustavo A. R. Silva" Cc: Justin Stitt Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/overflow.h | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 210e5602e89b..3c46c648d2e8 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h 
@@ -104,6 +104,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) __builtin_add_overflow(__filter_integral(a), b, \ __filter_ptrint(d)))) +/** + * add_would_overflow() - Check if an addition would overflow + * @var: variable to add to that is checked for overflow + * @offset: value to add + * + * Returns true if the sum would overflow. + * + * To keep a copy of the sum when the addition doesn't overflow, use + * check_add_overflow() instead. + */ +#define add_would_overflow(var, offset) \ + __must_check_overflow(({ \ + typeof(var) __result; \ + check_add_overflow(var, offset, &__result); \ + })) + /** * check_sub_overflow() - Calculate subtraction with overflow checking * @a: minuend; value to subtract from
From patchwork Tue Jan 30 22:06:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 194340
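Review bot: add_would_overflow() in patch 3/5 judges the sum against typeof(var) only, because __result is declared as typeof(var), but the kernel-doc just says "Returns true if the sum would overflow" without naming the type. With a narrow @var and a wider @offset (say a u8 variable and an int offset) the answer depends on that choice, so the comment should state that overflow here means "the sum does not fit in the type of @var".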
From: Kees Cook To: Rasmus Villemoes Cc: Kees Cook , Mark Rutland , Justin Stitt , linux-hardening@vger.kernel.org, "Gustavo A. R. Silva" , Andrew Morton , Nathan Chancellor , Nick Desaulniers , Bill Wendling , Miguel Ojeda , Marco Elver , Jakub Kicinski , Przemek Kitszel , Masahiro Yamada , linux-kernel@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH v2 4/5] overflow: Introduce add_wrap(), sub_wrap(), and mul_wrap() Date: Tue, 30 Jan 2024 14:06:09 -0800 Message-Id: <20240130220614.1154497-4-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240130220218.it.154-kees@kernel.org> References: <20240130220218.it.154-kees@kernel.org>
Provide
helpers that will perform wrapping addition, subtraction, or multiplication without tripping the arithmetic wrap-around sanitizers. The first argument is the type under which the wrap-around should happen. In other words, these two calls will get very different results:

mul_wrap(int, 50, 50) == 2500
mul_wrap(u8, 50, 50) == 196

Add to the selftests to validate behavior and lack of side-effects.

Cc: Rasmus Villemoes Cc: Mark Rutland Cc: Justin Stitt Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/overflow.h | 54 ++++++++++++++++++++++++++++++++++++++++ lib/overflow_kunit.c | 11 ++++++++ 2 files changed, 65 insertions(+) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 3c46c648d2e8..c9139f88578b 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -120,6 +120,24 @@ static inline bool __must_check __must_check_overflow(bool overflow) check_add_overflow(var, offset, &__result); \ })) +/** + * add_wrap() - Intentionally perform a wrapping addition + * @type: type for result of calculation + * @a: first addend + * @b: second addend + * + * Return the potentially wrapped-around addition without + * tripping any wrap-around sanitizers that may be enabled. + */ +#define add_wrap(type, a, b) \ + ({ \ + type __val; \ + if (check_add_overflow(a, b, &__val)) { \ + /* do nothing */ \ + } \ + __val; \ + }) + /** * check_sub_overflow() - Calculate subtraction with overflow checking * @a: minuend; value to subtract from
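Review bot: in add_wrap() the empty "if (check_add_overflow(a, b, &__val)) { /* do nothing */ }" exists only to consume the __must_check result, and "do nothing" does not tell the next reader that. A comment saying that overflow is expected here and only the wrapped value is wanted would keep someone from later "simplifying" the body into a warning or a plain a + b, which would bring the sanitizer instrumentation back. The kernel-doc should also state that the result is truncated to @type whatever the types of @a and @b are, since that is what makes mul_wrap(u8, 50, 50) differ from mul_wrap(int, 50, 50) in the commit message. Both points apply equally to sub_wrap() and mul_wrap() in the following hunks.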
@@ -133,6 +151,24 @@ static inline bool __must_check __must_check_overflow(bool overflow) #define check_sub_overflow(a, b, d) \ __must_check_overflow(__builtin_sub_overflow(a, b, d)) +/** + * sub_wrap() - Intentionally perform a wrapping subtraction + * @type: type for result of calculation + * @a: minuend; value to subtract from + * @b: subtrahend; value to subtract from @a + * + * Return the potentially wrapped-around subtraction without + * tripping any wrap-around sanitizers that may be enabled. + */ +#define sub_wrap(type, a, b) \ + ({ \ + type __val; \ + if (check_sub_overflow(a, b, &__val)) { \ + /* do nothing */ \ + } \ + __val; \ + }) + /** * check_mul_overflow() - Calculate multiplication with overflow checking * @a: first factor @@ -146,6 +182,24 @@ static inline bool __must_check __must_check_overflow(bool overflow) #define check_mul_overflow(a, b, d) \ __must_check_overflow(__builtin_mul_overflow(a, b, d)) +/** + * mul_wrap() - Intentionally perform a wrapping multiplication + * @type: type for result of calculation + * @a: first factor + * @b: second factor + * + * Return the potentially wrapped-around multiplication without + * tripping any wrap-around sanitizers that may be enabled. + */ +#define mul_wrap(type, a, b) \ + ({ \ + type __val; \ + if (check_mul_overflow(a, b, &__val)) { \ + /* do nothing */ \ + } \ + __val; \ + }) + /** * check_shl_overflow() - Calculate a left-shifted value and check overflow * @a: Value to be shifted diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c index 2d106e880956..319f950872bd 100644 --- a/lib/overflow_kunit.c +++ b/lib/overflow_kunit.c 
@@ -273,6 +273,17 @@ DEFINE_TEST_ARRAY(s64) = { /* Check for internal macro side-effects. */ \ _of = check_ ## op ## _overflow(_a_orig++, _b_orig++, &_r); \ KUNIT_EXPECT_TRUE_MSG(test, _a_orig == _a_bump, "Unexpected " #op " macro side-effect!\n"); \ + KUNIT_EXPECT_TRUE_MSG(test, _b_orig == _b_bump, "Unexpected " #op " macro side-effect!\n"); \ + \ + _r = op ## _wrap(t, a, b); \ + KUNIT_EXPECT_TRUE_MSG(test, _r == r, \ + "expected "fmt" "sym" "fmt" == "fmt", got "fmt" (type %s)\n", \ + a, b, r, _r, #t); \ + /* Check for internal macro side-effects. */ \ + _a_orig = a; \ + _b_orig = b; \ + _r = op ## _wrap(t, _a_orig++, _b_orig++); \ + KUNIT_EXPECT_TRUE_MSG(test, _a_orig == _a_bump, "Unexpected " #op " macro side-effect!\n"); \ KUNIT_EXPECT_TRUE_MSG(test, _b_orig == _b_bump, "Unexpected " #op " macro side-effect!\n"); \ } while (0)
From patchwork Tue Jan 30 22:06:10 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 194341
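Review bot: in the lib/overflow_kunit.c hunk of patch 4/5 the new op ## _wrap expectations reuse the failure strings of the check_ ## op ## _overflow expectations just above them (the "expected ... == ..., got ..." message and "Unexpected " #op " macro side-effect!"), so a KUnit failure log cannot tell which of the two helpers misbehaved. Patch 5/5 adds "check" and "wrap" prefixes to these strings; giving the wrap variants their distinct prefix in this patch would keep each commit's test output unambiguous when bisecting.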
From: Kees Cook To: Rasmus Villemoes Cc: Kees Cook , Mark Rutland , "Gustavo A. R. Silva" , Justin Stitt , linux-hardening@vger.kernel.org, Andrew Morton , Nathan Chancellor , Nick Desaulniers , Bill Wendling , Miguel Ojeda , Marco Elver , Jakub Kicinski , Przemek Kitszel , Masahiro Yamada , linux-kernel@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH v2 5/5] overflow: Introduce inc_wrap() and dec_wrap() Date: Tue, 30 Jan 2024 14:06:10 -0800 Message-Id: <20240130220614.1154497-5-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240130220218.it.154-kees@kernel.org> References: <20240130220218.it.154-kees@kernel.org>
This allows
replacements of the idioms "var += offset" and "var -= offset" with the inc_wrap() and dec_wrap() helpers respectively. They will avoid wrap-around sanitizer instrumentation. Add to the selftests to validate behavior and lack of side-effects. Cc: Rasmus Villemoes Cc: Mark Rutland Cc: "Gustavo A. R. Silva" Cc: Justin Stitt Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/overflow.h | 28 +++++++++++++++++++++ lib/overflow_kunit.c | 54 ++++++++++++++++++++++++++++++++++------ 2 files changed, 75 insertions(+), 7 deletions(-) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index c9139f88578b..075c30218145 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -138,6 +138,20 @@ static inline bool __must_check __must_check_overflow(bool overflow) __val; \ }) +/** + * inc_wrap() - Intentionally perform a wrapping increment + * @a: variable to be incremented + * @b: amount to add + * + * Increments @a by @b with wrap-around. Returns the resulting + * value of @a. Will not trip any wrap-around sanitizers. + */ +#define inc_wrap(var, offset) \ + ({ \ + typeof(var) *__ptr = &(var); \ + *__ptr = add_wrap(typeof(var), *__ptr, offset); \ + }) + /** * check_sub_overflow() - Calculate subtraction with overflow checking * @a: minuend; value to subtract from @@ -169,6 +183,20 @@ static inline bool __must_check __must_check_overflow(bool overflow) __val; \ }) +/** + * dec_wrap() - Intentionally perform a wrapping decrement + * @a: variable to be decremented + * @b: amount to subtract + * + * Decrements @a by @b with wrap-around. Returns the resulting + * value of @a. Will not trip any wrap-around sanitizers. + */ +#define dec_wrap(var, offset) \ + ({ \ + typeof(var) *__ptr = &(var); \ + *__ptr = sub_wrap(typeof(var), *__ptr, offset); \ + }) + /** * check_mul_overflow() - Calculate multiplication with overflow checking * @a: first factor 
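Review bot: the kernel-doc for dec_wrap() documents @a and @b, but the macro is defined as dec_wrap(var, offset), and inc_wrap() earlier in this patch has the same mismatch. kernel-doc will flag the undescribed parameters, and the rendered text ("Decrements @a by @b") names arguments that do not exist. Rename the doc entries to @var and @offset. Since both macros take &(var), it is also worth stating that @var must be an lvalue and is evaluated only once.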
diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c index 319f950872bd..46af7ccde0c6 100644 --- a/lib/overflow_kunit.c +++ b/lib/overflow_kunit.c 
@@ -265,36 +265,76 @@ DEFINE_TEST_ARRAY(s64) = { \ _of = check_ ## op ## _overflow(a, b, &_r); \ KUNIT_EXPECT_EQ_MSG(test, _of, of, \ - "expected "fmt" "sym" "fmt" to%s overflow (type %s)\n", \ + "expected check "fmt" "sym" "fmt" to%s overflow (type %s)\n", \ a, b, of ? "" : " not", #t); \ KUNIT_EXPECT_TRUE_MSG(test, _r == r, \ - "expected "fmt" "sym" "fmt" == "fmt", got "fmt" (type %s)\n", \ + "expected check "fmt" "sym" "fmt" == "fmt", got "fmt" (type %s)\n", \ a, b, r, _r, #t); \ /* Check for internal macro side-effects. */ \ _of = check_ ## op ## _overflow(_a_orig++, _b_orig++, &_r); \ - KUNIT_EXPECT_TRUE_MSG(test, _a_orig == _a_bump, "Unexpected " #op " macro side-effect!\n"); \ - KUNIT_EXPECT_TRUE_MSG(test, _b_orig == _b_bump, "Unexpected " #op " macro side-effect!\n"); \ + KUNIT_EXPECT_TRUE_MSG(test, _a_orig == _a_bump, "Unexpected check " #op " macro side-effect!\n"); \ + KUNIT_EXPECT_TRUE_MSG(test, _b_orig == _b_bump, "Unexpected check " #op " macro side-effect!\n"); \ \ _r = op ## _wrap(t, a, b); \ KUNIT_EXPECT_TRUE_MSG(test, _r == r, \ - "expected "fmt" "sym" "fmt" == "fmt", got "fmt" (type %s)\n", \ + "expected wrap "fmt" "sym" "fmt" == "fmt", got "fmt" (type %s)\n", \ a, b, r, _r, #t); \ /* Check for internal macro side-effects. 
*/ \ _a_orig = a; \ _b_orig = b; \ _r = op ## _wrap(t, _a_orig++, _b_orig++); \ - KUNIT_EXPECT_TRUE_MSG(test, _a_orig == _a_bump, "Unexpected " #op " macro side-effect!\n"); \ - KUNIT_EXPECT_TRUE_MSG(test, _b_orig == _b_bump, "Unexpected " #op " macro side-effect!\n"); \ + KUNIT_EXPECT_TRUE_MSG(test, _a_orig == _a_bump, "Unexpected wrap " #op " macro side-effect!\n"); \ + KUNIT_EXPECT_TRUE_MSG(test, _b_orig == _b_bump, "Unexpected wrap " #op " macro side-effect!\n"); \ +} while (0) + +static int global_counter; +static void bump_counter(void) { + global_counter ++; +} + +static int get_index(void) { + volatile int index = 0; + bump_counter(); + return index; +} + +#define check_self_op(fmt, op, sym, a, b) do { \ + typeof(a + 0) _a = a; \ + typeof(b + 0) _b = b; \ + typeof(a + 0) _a_sym = a; \ + typeof(a + 0) _a_orig[1] = { a }; \ + typeof(b + 0) _b_orig = b; \ + typeof(b + 0) _b_bump = b + 1; \ + typeof(a + 0) _r; \ + \ + _a_sym sym _b; \ + _r = op ## _wrap(_a, _b); \ + KUNIT_EXPECT_TRUE_MSG(test, _r == _a_sym, \ + "expected "fmt" "#op" "fmt" == "fmt", got "fmt"\n", \ + a, b, _a_sym, _r); \ + KUNIT_EXPECT_TRUE_MSG(test, _a == _a_sym, \ + "expected "fmt" "#op" "fmt" == "fmt", got "fmt"\n", \ + a, b, _a_sym, _a); \ + /* Check for internal macro side-effects. 
*/ \ + global_counter = 0; \ + op ## _wrap(_a_orig[get_index()], _b_orig++); \ + KUNIT_EXPECT_EQ_MSG(test, global_counter, 1, "Unexpected " #op "_wrap() macro side-effect on arg1!\n"); \ + KUNIT_EXPECT_TRUE_MSG(test, _b_orig == _b_bump, "Unexpected " #op "_wrap() macro side-effect on arg2!\n"); \ } while (0) #define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \ static void do_test_ ## n(struct kunit *test, const struct test_ ## n *p) \ { \ + /* check_{add,sub,mul}_overflow() and {add,sub,mul}_wrap() */ \ check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of); \ check_one_op(t, fmt, add, "+", p->b, p->a, p->sum, p->s_of); \ check_one_op(t, fmt, sub, "-", p->a, p->b, p->diff, p->d_of); \ check_one_op(t, fmt, mul, "*", p->a, p->b, p->prod, p->p_of); \ check_one_op(t, fmt, mul, "*", p->b, p->a, p->prod, p->p_of); \ + /* {inc,dec}_wrap() */ \ + check_self_op(fmt, inc, +=, p->a, p->b); \ + check_self_op(fmt, inc, +=, p->b, p->a); \ + check_self_op(fmt, dec, -=, p->a, p->b); \ } \ \ static void n ## _overflow_test(struct kunit *test) { \
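Review bot: In the include/linux/overflow.h hunk that adds inc_wrap(), the kernel-doc block documents parameters @a and @b, but the macro is defined as inc_wrap(var, offset), so the description ("Increments @a by @b", "resulting value of @a") refers to names the macro does not have. Rename the tags to @var and @offset, or rename the macro parameters, so the comment and the definition agree.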
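Review bot: In the include/linux/overflow.h hunk that adds dec_wrap(), the line "typeof(var) *__ptr = &(var);" takes the address of the first argument, so unlike the "var -= offset" idiom the commit message says it replaces, the helper cannot be used on a bit-field member or a register variable, and the kernel-doc comment does not mention this. Document that the first argument must be an addressable lvalue, and say explicitly that it is evaluated once, since that is the property the selftest checks.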
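Review bot: In check_self_op() in the lib/overflow_kunit.c hunk, "typeof(a + 0) _a = a;" applies integer promotion, so for any test type narrower than int the variable passed to inc_wrap() or dec_wrap() is an int and wrap-around at the narrow width is never exercised; the expected value from "_a_sym sym _b;" is computed in the same promoted type, so the comparison passes either way. DEFINE_TEST_FUNC_TYPED() already has the type t, which check_one_op() takes as its first argument; passing t to check_self_op() and declaring _a, _a_sym, _a_orig and _r as t would test the helpers at the declared width. The new bump_counter() and get_index() definitions also place the opening brace on the definition line and write "global_counter ++;" with a space before the operator, which does not match kernel coding style.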