Received: by 10.223.185.116 with SMTP id b49csp160697wrg;
        Thu, 8 Mar 2018 14:51:19 -0800 (PST)
X-Google-Smtp-Source: AG47ELsVFJMQjY48WAOKet/fRWyDhuroB2j0q4zKB+7XVD4b7WLCjMG2OMt9za6E+P035LvuvOCQ
X-Received: by 10.101.67.2 with SMTP id j2mr22340827pgq.147.1520549479580;
        Thu, 08 Mar 2018 14:51:19 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1520549479; cv=none;
        d=google.com; s=arc-20160816;
        b=dBciEzzFBrxHsG4Ae7ym6QaDt0UcksfEcos/Q7U9e0FkFqosuCF1yviBsBtdDyyypV
         jlqfqhvEVxadeAq/Q4/OfHhuD717/65xhTfqAeYE/sVkoD4X2nPiU3LEgr3WvFX7KIel
         8wcDP3vGNkV0hXB/xOvGtJvR2vsFC68MF/gJopKolMlKzAMWp5vfHg7/s4v99F4zmDN6
         He59njtdVnsVs2AM+/RPti6VWAjCJiCKGZN0jRG3MbJwJvMp7NeWtfEG8OPe3DL/eQa8
         3GLSqziX+VD1lc9V4KICB2VrHJfZmvGdmANwYik+tbCaLyv8RsUNfjb5hnN5Ox7Kt/Ue
         f/HA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:references:in-reply-to:mime-version
         :dkim-signature:dkim-signature:arc-authentication-results;
        bh=E4ENlgG6mYzGwlHoaY8/bisfo0QgIQVy3gd9Zd+/LQ4=;
        b=u4skSN6gXp07cKAhqOjUZ0XjAhzcvpqMPXv5D+l/Fm0A6fB6DOG1+dTDMIYqt4Zfyk
         sHZmGLKd+8YT0Au5uSZb6PMq+NjEzg7J3p9EebUwHDe1HAFw7bOyEM6XSLvmM1quWoQe
         mmXZ7oKl8cIb1MhUlAXb38RA8cNDgkHpVs1ueyHLByob4yiDOFEuCFNcGEWzEClZKC6y
         L3S+QlIxJHX9iniPMTfHFlcZDI/XZcronRJw1KAG66t3AgwiitT3/jWCRt/FnNHravew
         /Dpwf9YN9NSdhGutv4G4EYTYrL0KqwDqgavLapAIC4llMDaIFXzi7LQmgT8KMwZN3Aqv
         ioNg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=R/Jhxlni;
       dkim=fail header.i=@chromium.org header.s=google header.b=HItpiFAs;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c136si8038252pga.318.2018.03.08.14.51.04;
        Thu, 08 Mar 2018 14:51:19 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=R/Jhxlni;
       dkim=fail header.i=@chromium.org header.s=google header.b=HItpiFAs;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751075AbeCHWuD (ORCPT <rfc822;arandomawesomegeek@gmail.com>
        + 99 others); Thu, 8 Mar 2018 17:50:03 -0500
Received: from mail-vk0-f65.google.com ([209.85.213.65]:33529 "EHLO
        mail-vk0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750857AbeCHWuB (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 8 Mar 2018 17:50:01 -0500
Received: by mail-vk0-f65.google.com with SMTP id z130so986137vkd.0
        for <linux-kernel@vger.kernel.org>; Thu, 08 Mar 2018 14:50:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-transfer-encoding;
        bh=E4ENlgG6mYzGwlHoaY8/bisfo0QgIQVy3gd9Zd+/LQ4=;
        b=R/JhxlniNDK7HT+l+afHVSynSrV2kDHIo0LmZvfTSRyb8GTx8vgHYAV2NwhNC1VXwe
         3fta0xR35njVu9lS4loLuSEN4QRTHEY7Jgv5ydSgK11YamBL1Um1nTM8PWvUGm6aNCMQ
         j9WyWgAeUNG6s7d8jhUqJ5L5trAf0M1nqg5xyTbm9IBnvIazMnKiMAaALlrslnt3Rgby
         Ft/uO2yDYrd8gMESDmNxDu1ns6y9FfI4g8EkceS/Uz/TCvvWCJWrmVZ+0N+5DXFkcfga
         plcQPhuzrPKa5f3vgXRUKxobDlV9VlsSgLkupz4iE27EcWgsULXHxI4i+sK8QDd9Negv
         liOw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-transfer-encoding;
        bh=E4ENlgG6mYzGwlHoaY8/bisfo0QgIQVy3gd9Zd+/LQ4=;
        b=HItpiFAsCmr4j5F041dqp3Dh04qy6/tZ1joqcaWv4n+z6n2XbOMipbgQamGvWKqEYC
         xGtEPWwRMwmWjv52Ho+Trr91Xdc35ia9r4WR3nzp9Gw0X2oSWlSQJZF5WZe6o9MG1ntc
         cSyP6VF5VQWP2ylqepuF9EdJekp3q5eSMag8g=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc:content-transfer-encoding;
        bh=E4ENlgG6mYzGwlHoaY8/bisfo0QgIQVy3gd9Zd+/LQ4=;
        b=BdveXaXwDJ8an50rzzyc5lmyg1n1Y0x0Wm3cdI135MjMaUmareRGv0UzK0c00r27Dg
         Qp7DjiSU/BEUWFvXDicSlEOAB6nbgzJu5T9XyiY6tOgxlkojhOr+W9N57V2Ex2gV/rpz
         k3DBOKaoUFpHFx+doAG1dC3yHaaMIXg9y0nfoOKW1gVHS+Wg/YVTbSHdp0Pu7cglgCuT
         FqZ7s1IaMucpKUNup6IEUg4PUtBMfYp/DqIP5xVJtTUSYKcDbgt5639opjIOVKQVI5jQ
         G3k2d5tuz5AVa8I233oiTQ2zjhIv3PxPrmMep2vwQV3/+R+Dzikr9Jc5W+88/6a5U/ZJ
         PxAg==
X-Gm-Message-State: AElRT7Gz0N96EFCp6q2uDlLKl2J+vfB0Ospitvhl1DEj+BGn5Arb79tD
        A0k9/Rc3CUd4ouz6/CAuvOMJ9jKUrwuEsX5quj+wGQ==
X-Received: by 10.31.198.131 with SMTP id w125mr14794273vkf.158.1520549399983;
 Thu, 08 Mar 2018 14:49:59 -0800 (PST)
MIME-Version: 1.0
Received: by 10.31.242.140 with HTTP; Thu, 8 Mar 2018 14:49:59 -0800 (PST)
In-Reply-To: <20180308141833.3fb57913bceae38f18db2bf1@linux-foundation.org>
References: <20180308214045.GA6787@beast> <20180308141833.3fb57913bceae38f18db2bf1@linux-foundation.org>
From:   Kees Cook <keescook@chromium.org>
Date:   Thu, 8 Mar 2018 14:49:59 -0800
X-Google-Sender-Auth: dHuytXVDrPWKeJpJlhDL-f-owFs
Message-ID: <CAGXu5j+6rPgn1biniy6Xju5w7=n9ogiOZvHs_kvT55LT9u9y2Q@mail.gmail.com>
Subject: Re: [PATCH] kernel.h: Skip single-eval logic on literals in min()/max()
To:     Andrew Morton <akpm@linux-foundation.org>
Cc:     Josh Poimboeuf <jpoimboe@redhat.com>,
        Rasmus Villemoes <linux@rasmusvillemoes.dk>,
        "Gustavo A. R. Silva" <gustavo@embeddedor.com>,
        "Tobin C. Harding" <me@tobin.cc>,
        Steven Rostedt <rostedt@goodmis.org>,
        Jonathan Corbet <corbet@lwn.net>, Chris Mason <clm@fb.com>,
        Josef Bacik <jbacik@fb.com>, David Sterba <dsterba@suse.com>,
        "David S. Miller" <davem@davemloft.net>,
        Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
        Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
        Ingo Molnar <mingo@kernel.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Masahiro Yamada <yamada.masahiro@socionext.com>,
        Borislav Petkov <bp@suse.de>,
        Randy Dunlap <rdunlap@infradead.org>,
        Ian Abbott <abbotti@mev.co.uk>,
        Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>,
        Petr Mladek <pmladek@suse.com>,
        Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
        Pantelis Antoniou <pantelis.antoniou@konsulko.com>,
        Linux Btrfs <linux-btrfs@vger.kernel.org>,
        Network Development <netdev@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Mar 8, 2018 at 2:18 PM, Andrew Morton <akpm@linux-foundation.org> w=
rote:
> On Thu, 8 Mar 2018 13:40:45 -0800 Kees Cook <keescook@chromium.org> wrote=
:
>
>> When max() is used in stack array size calculations from literal values
>> (e.g. "char foo[max(sizeof(struct1), sizeof(struct2))]", the compiler
>> thinks this is a dynamic calculation due to the single-eval logic, which
>> is not needed in the literal case. This change removes several accidenta=
l
>> stack VLAs from an x86 allmodconfig build:
>>
>> $ diff -u before.txt after.txt | grep ^-
>> -drivers/input/touchscreen/cyttsp4_core.c:871:2: warning: ISO C90 forbid=
s variable length array =E2=80=98ids=E2=80=99 [-Wvla]
>> -fs/btrfs/tree-checker.c:344:4: warning: ISO C90 forbids variable length=
 array =E2=80=98namebuf=E2=80=99 [-Wvla]
>> -lib/vsprintf.c:747:2: warning: ISO C90 forbids variable length array =
=E2=80=98sym=E2=80=99 [-Wvla]
>> -net/ipv4/proc.c:403:2: warning: ISO C90 forbids variable length array =
=E2=80=98buff=E2=80=99 [-Wvla]
>> -net/ipv6/proc.c:198:2: warning: ISO C90 forbids variable length array =
=E2=80=98buff=E2=80=99 [-Wvla]
>> -net/ipv6/proc.c:218:2: warning: ISO C90 forbids variable length array =
=E2=80=98buff64=E2=80=99 [-Wvla]
>>
>> Based on an earlier patch from Josh Poimboeuf.
>>
>> ...
>>
>> --- a/include/linux/kernel.h
>> +++ b/include/linux/kernel.h
>> @@ -787,37 +787,57 @@ static inline void ftrace_dump(enum ftrace_dump_mo=
de oops_dump_mode) { }
>>   * strict type-checking.. See the
>>   * "unnecessary" pointer comparison.
>>   */
>> -#define __min(t1, t2, min1, min2, x, y) ({           \
>> +#define __single_eval_min(t1, t2, min1, min2, x, y) ({       \
>>       t1 min1 =3D (x);                                  \
>>       t2 min2 =3D (y);                                  \
>>       (void) (&min1 =3D=3D &min2);                        \
>>       min1 < min2 ? min1 : min2; })
>>
>> +/*
>> + * In the case of builtin constant values, there is no need to do the
>> + * double-evaluation protection, so the raw comparison can be made.
>> + * This allows min()/max() to be used in stack array allocations and
>> + * avoid the compiler thinking it is a dynamic value leading to an
>> + * accidental VLA.
>> + */
>> +#define __min(t1, t2, x, y)                                          \
>> +     __builtin_choose_expr(__builtin_constant_p(x) &&                \
>> +                           __builtin_constant_p(y) &&                \
>> +                           __builtin_types_compatible_p(t1, t2),     \
>> +                           (t1)(x) < (t2)(y) ? (t1)(x) : (t2)(y),    \
>> +                           __single_eval_min(t1, t2,                 \
>> +                                             __UNIQUE_ID(max1_),     \
>> +                                             __UNIQUE_ID(max2_),     \
>> +                                             x, y))
>> +
>
> Holy crap.
>
> I suppose gcc will one day be fixed and we won't need this.
>
> Is there a good reason to convert min()?  Surely nobody will be using
> min to dimension an array - always max?  Just for symmetry, I guess.

I just went with symmetry. It seems like an ugly risk to implement min
and mix differently. :) In theory it may produce smaller code for rare
min() uses, but I haven't actually verified that.

I will send a v2 with the two nits mentioned...

-Kees

--=20
Kees Cook
Pixel Security