When the check_[op]_overflow() helpers were introduced, all arguments were
required to be the same type to make the fallback macros simpler. However,
once the fallback macros were removed[1], it is fine to allow mixed
types, which makes using the helpers much more useful, as they can be
used to test for type-based overflows (e.g. adding two large ints but
storing into a u8), as would be handy in the drm core[2].
Remove the restriction, and add additional self-tests that exercise some
of the mixed-type overflow cases.
[1] https://git.kernel.org/linus/4eb6bd55cfb22ffc20652732340c4962f3ac9a91
[2] https://lore.kernel.org/lkml/[email protected]
Cc: Rasmus Villemoes <[email protected]>
Cc: Gwan-gyeong Mun <[email protected]>
Cc: Andrzej Hajda <[email protected]>
Cc: "Gustavo A. R. Silva" <[email protected]>
Cc: Nick Desaulniers <[email protected]>
Cc: [email protected]
Signed-off-by: Kees Cook <[email protected]>
---
include/linux/overflow.h | 6 ----
lib/overflow_kunit.c | 77 +++++++++++++++++++++++++++++-----------
2 files changed, 57 insertions(+), 26 deletions(-)
diff --git a/include/linux/overflow.h b/include/linux/overflow.h
index 0eb3b192f07a..ad692fb11bf3 100644
--- a/include/linux/overflow.h
+++ b/include/linux/overflow.h
@@ -63,8 +63,6 @@ static inline bool __must_check __must_check_overflow(bool overflow)
typeof(a) __a = (a); \
typeof(b) __b = (b); \
typeof(d) __d = (d); \
- (void) (&__a == &__b); \
- (void) (&__a == __d); \
__builtin_add_overflow(__a, __b, __d); \
}))
@@ -72,8 +70,6 @@ static inline bool __must_check __must_check_overflow(bool overflow)
typeof(a) __a = (a); \
typeof(b) __b = (b); \
typeof(d) __d = (d); \
- (void) (&__a == &__b); \
- (void) (&__a == __d); \
__builtin_sub_overflow(__a, __b, __d); \
}))
@@ -81,8 +77,6 @@ static inline bool __must_check __must_check_overflow(bool overflow)
typeof(a) __a = (a); \
typeof(b) __b = (b); \
typeof(d) __d = (d); \
- (void) (&__a == &__b); \
- (void) (&__a == __d); \
__builtin_mul_overflow(__a, __b, __d); \
}))
diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
index 7e3e43679b73..ac771fe7e276 100644
--- a/lib/overflow_kunit.c
+++ b/lib/overflow_kunit.c
@@ -16,12 +16,15 @@
#include <linux/types.h>
#include <linux/vmalloc.h>
-#define DEFINE_TEST_ARRAY(t) \
- static const struct test_ ## t { \
- t a, b; \
- t sum, diff, prod; \
- bool s_of, d_of, p_of; \
- } t ## _tests[]
+#define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \
+ static const struct test_ ## t1 ## t2 ## t { \
+ t1 a; \
+ t2 b; \
+ t sum, diff, prod; \
+ bool s_of, d_of, p_of; \
+ } t1 ## t2 ## t ## _tests[]
+
+#define DEFINE_TEST_ARRAY(t) DEFINE_TEST_ARRAY_TYPED(t, t, t)
DEFINE_TEST_ARRAY(u8) = {
{0, 0, 0, 0, 0, false, false, false},
@@ -235,8 +238,8 @@ DEFINE_TEST_ARRAY(s64) = {
a, b, r, _r, #t); \
} while (0)
-#define DEFINE_TEST_FUNC(t, fmt) \
-static void do_test_ ## t(struct kunit *test, const struct test_ ## t *p) \
+#define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \
+static void do_test_ ## n(struct kunit *test, const struct test_ ## n *p) \
{ \
check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of); \
check_one_op(t, fmt, add, "+", p->b, p->a, p->sum, p->s_of); \
@@ -245,15 +248,18 @@ static void do_test_ ## t(struct kunit *test, const struct test_ ## t *p) \
check_one_op(t, fmt, mul, "*", p->b, p->a, p->prod, p->p_of); \
} \
\
-static void t ## _overflow_test(struct kunit *test) { \
+static void n ## _overflow_test(struct kunit *test) { \
unsigned i; \
\
- for (i = 0; i < ARRAY_SIZE(t ## _tests); ++i) \
- do_test_ ## t(test, &t ## _tests[i]); \
+ for (i = 0; i < ARRAY_SIZE(n ## _tests); ++i) \
+ do_test_ ## n(test, &n ## _tests[i]); \
kunit_info(test, "%zu %s arithmetic tests finished\n", \
- ARRAY_SIZE(t ## _tests), #t); \
+ ARRAY_SIZE(n ## _tests), #n); \
}
+#define DEFINE_TEST_FUNC(t, fmt) \
+ DEFINE_TEST_FUNC_TYPED(t ## t ## t, t, fmt)
+
DEFINE_TEST_FUNC(u8, "%d");
DEFINE_TEST_FUNC(s8, "%d");
DEFINE_TEST_FUNC(u16, "%d");
@@ -265,6 +271,33 @@ DEFINE_TEST_FUNC(u64, "%llu");
DEFINE_TEST_FUNC(s64, "%lld");
#endif
+DEFINE_TEST_ARRAY_TYPED(u32, u32, u8) = {
+ {0, 0, 0, 0, 0, false, false, false},
+ {U8_MAX, 2, 1, U8_MAX - 2, U8_MAX - 1, true, false, true},
+ {U8_MAX + 1, 0, 0, 0, 0, true, true, false},
+};
+DEFINE_TEST_FUNC_TYPED(u32u32u8, u8, "%d");
+
+DEFINE_TEST_ARRAY_TYPED(u32, u32, int) = {
+ {0, 0, 0, 0, 0, false, false, false},
+ {U32_MAX, 0, -1, -1, 0, true, true, false},
+};
+DEFINE_TEST_FUNC_TYPED(u32u32int, int, "%d");
+
+DEFINE_TEST_ARRAY_TYPED(u8, u8, int) = {
+ {0, 0, 0, 0, 0, false, false, false},
+ {U8_MAX, U8_MAX, 2 * U8_MAX, 0, U8_MAX * U8_MAX, false, false, false},
+ {1, 2, 3, -1, 2, false, false, false},
+};
+DEFINE_TEST_FUNC_TYPED(u8u8int, int, "%d");
+
+DEFINE_TEST_ARRAY_TYPED(int, int, u8) = {
+ {0, 0, 0, 0, 0, false, false, false},
+ {1, 2, 3, U8_MAX, 2, false, true, false},
+ {-1, 0, U8_MAX, U8_MAX, 0, true, true, false},
+};
+DEFINE_TEST_FUNC_TYPED(intintu8, u8, "%d");
+
static void overflow_shift_test(struct kunit *test)
{
int count = 0;
@@ -649,17 +682,21 @@ static void overflow_size_helpers_test(struct kunit *test)
}
static struct kunit_case overflow_test_cases[] = {
- KUNIT_CASE(u8_overflow_test),
- KUNIT_CASE(s8_overflow_test),
- KUNIT_CASE(u16_overflow_test),
- KUNIT_CASE(s16_overflow_test),
- KUNIT_CASE(u32_overflow_test),
- KUNIT_CASE(s32_overflow_test),
+ KUNIT_CASE(u8u8u8_overflow_test),
+ KUNIT_CASE(s8s8s8_overflow_test),
+ KUNIT_CASE(u16u16u16_overflow_test),
+ KUNIT_CASE(s16s16s16_overflow_test),
+ KUNIT_CASE(u32u32u32_overflow_test),
+ KUNIT_CASE(s32s32s32_overflow_test),
/* Clang 13 and earlier generate unwanted libcalls on 32-bit. */
#if BITS_PER_LONG == 64
- KUNIT_CASE(u64_overflow_test),
- KUNIT_CASE(s64_overflow_test),
+ KUNIT_CASE(u64u64u64_overflow_test),
+ KUNIT_CASE(s64s64s64_overflow_test),
#endif
+ KUNIT_CASE(u32u32u8_overflow_test),
+ KUNIT_CASE(u32u32int_overflow_test),
+ KUNIT_CASE(u8u8int_overflow_test),
+ KUNIT_CASE(intintu8_overflow_test),
KUNIT_CASE(overflow_shift_test),
KUNIT_CASE(overflow_allocation_test),
KUNIT_CASE(overflow_size_helpers_test),
--
2.34.1
On 29/08/2022 22.47, Kees Cook wrote:
> When the check_[op]_overflow() helpers were introduced, all arguments were
> required to be the same type to make the fallback macros simpler. However,
> once the fallback macros were removed[1], it is fine to allow mixed
> types, which makes using the helpers much more useful, as they can be
> used to test for type-based overflows (e.g. adding two large ints but
> storing into a u8), as would be handy in the drm core[2].
>
> Remove the restriction, and add additional self-tests that exercise some
> of the mixed-type overflow cases.
Makes sense. I'm a little worried about the implications for -stable
backports to kernels that can still be built with gcc < 5.1, but we
can't let that dictate what is done in mainline. And even people
building old kernels shouldn't be using ancient compilers.
>
> -#define DEFINE_TEST_ARRAY(t) \
> - static const struct test_ ## t { \
> - t a, b; \
> - t sum, diff, prod; \
> - bool s_of, d_of, p_of; \
> - } t ## _tests[]
> +#define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \
> + static const struct test_ ## t1 ## t2 ## t { \
> + t1 a; \
> + t2 b; \
> + t sum, diff, prod; \
> + bool s_of, d_of, p_of; \
> + } t1 ## t2 ## t ## _tests[]
Can I get you to throw in some extra _, because this...
> +DEFINE_TEST_FUNC_TYPED(u32u32int, int, "%d");
...makes my eyes hurt a little. Maybe even make it u32_u32__int, so it's
emphasized that the order is [src op src -> tgt] and not [tgt = src op src].
Rasmus
On Mon, Aug 29, 2022 at 11:14:56PM +0200, Rasmus Villemoes wrote:
> On 29/08/2022 22.47, Kees Cook wrote:
> > When the check_[op]_overflow() helpers were introduced, all arguments were
> > required to be the same type to make the fallback macros simpler. However,
> > once the fallback macros were removed[1], it is fine to allow mixed
> > types, which makes using the helpers much more useful, as they can be
> > used to test for type-based overflows (e.g. adding two large ints but
> > storing into a u8), as would be handy in the drm core[2].
> >
> > Remove the restriction, and add additional self-tests that exercise some
> > of the mixed-type overflow cases.
>
> Makes sense. I'm a little worried about the implications for -stable
> backports to kernels that can still be built with gcc < 5.1, but we
> can't let that dictate what is done in mainline. And even people
> building old kernels shouldn't be using ancient compilers.
Right. I hope this will remain a theoretical problem, but if it really
comes up, the -stable patch can get some explicit type size checking or
something...
>
> >
> > -#define DEFINE_TEST_ARRAY(t) \
> > - static const struct test_ ## t { \
> > - t a, b; \
> > - t sum, diff, prod; \
> > - bool s_of, d_of, p_of; \
> > - } t ## _tests[]
> > +#define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \
> > + static const struct test_ ## t1 ## t2 ## t { \
> > + t1 a; \
> > + t2 b; \
> > + t sum, diff, prod; \
> > + bool s_of, d_of, p_of; \
> > + } t1 ## t2 ## t ## _tests[]
>
> Can I get you to throw in some extra _, because this...
>
> > +DEFINE_TEST_FUNC_TYPED(u32u32int, int, "%d");
>
> ...makes my eyes hurt a little. Maybe even make it u32_u32__int, so it's
> emphasized that the order is [src op src -> tgt] and not [tgt = src op src].
Sure! Everything I tried hurt my eyes, so I opted for fewest characters.
;)
--
Kees Cook