Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp72288pxa;
        Mon, 3 Aug 2020 23:15:02 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwhtGjozO6nMxjeBtOPSk91zUAoADXKQu34916dbHALvSRQV6URFRyXKGwl89MOp9SIwemL
X-Received: by 2002:a05:6402:1545:: with SMTP id p5mr18383443edx.388.1596521702360;
        Mon, 03 Aug 2020 23:15:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1596521702; cv=none;
        d=google.com; s=arc-20160816;
        b=KasPN1PLWRivmHsH02g9m0qgjuQZTo3vdf5lYf5fnkXIiyRkhz/nvs4ruSk32x6dgZ
         PBfez3YNwKg2VRbXvfZrtfh4yRITk+yk1L01zpO05Ot6JoJtVt14wWFUkswhVDJo+ZB5
         GLf4mGTApenkGHkcnqHvWQObz0lzSl5tZ+CufrySMnmDZjLtvv8hdZ6LoQ/z5gDWFOoV
         wxmBc7w4eI0szTYPEv5mDElQJaxbtCIaoxfpT53xJ881iO+xCRuC5ZNzB7mDJ8GCWIlB
         hE2qq9kHKj9ZA2tTzppPxT4QKgZvRdnKZbpT1ip8lUCqPX1x+1rF0ADi2Ur33CdEoe7R
         n7hg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature;
        bh=YATFUmsQEtwZnfgWdl5UeyWgtQO3fVAktQVuTkdNN84=;
        b=HbDRNkyFnkML2i/Ogk30JksFkWRviLSnJWKvKScvVvgQ+Pc7pG1lR0UpGUQl9kXCQp
         TLgIKyXwF6iR0yFVnDtYDkWLEe51+BSRFy2VY01ytDvSveg6y5fa3CrLs/uftBUALFil
         vt+bRmD5mNGccAYYAGq+J2Yas52cueq4pVXTMaYGV8lv5WTrBybkyouuapY+tcCK3Z0W
         W4PCL53a2ECHaXOyefWCfyZJxU2tMQ/t8B/VIAwIGwyqRqAyztoIyWbYdbLGLUQ9LQYr
         ruJ+j2aSKhUSSryVaZrllb5lH9fEtde63dSv/rJubGSSYF8Gb5VwNP1IHrPUYfziZrMy
         cGbQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@rasmusvillemoes.dk header.s=google header.b=GxbN4MBW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id b10si12400349eje.310.2020.08.03.23.14.39;
        Mon, 03 Aug 2020 23:15:02 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@rasmusvillemoes.dk header.s=google header.b=GxbN4MBW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729254AbgHDGLv (ORCPT <rfc822;ostrlinux@gmail.com> + 99 others);
        Tue, 4 Aug 2020 02:11:51 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37318 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728602AbgHDGLv (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 4 Aug 2020 02:11:51 -0400
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C03EFC06174A
        for <linux-kernel@vger.kernel.org>; Mon,  3 Aug 2020 23:11:50 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id 185so32012319ljj.7
        for <linux-kernel@vger.kernel.org>; Mon, 03 Aug 2020 23:11:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=rasmusvillemoes.dk; s=google;
        h=subject:to:cc:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-language:content-transfer-encoding;
        bh=YATFUmsQEtwZnfgWdl5UeyWgtQO3fVAktQVuTkdNN84=;
        b=GxbN4MBWT2QnFQZOx0XJ9UA0oemVZKu8DVMcXSsOQTdcD5FgLP+FKSLs1NUfxgZ1ym
         13SSwtjix3edIdHB/LzKs3oQPpp39yjbZz0rI2IhiLddmW+F8UNZh+wk+XgOcUFSgWpL
         KgS9WEfdPGYlDqwPVcA8ZupXspDOsB04Qv0+k=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=YATFUmsQEtwZnfgWdl5UeyWgtQO3fVAktQVuTkdNN84=;
        b=cinXE3IDduiGQKqIghFxmSwhY8E5ekPL0UDuZRcV7b9/NzixxI0NGKYOpgkUcLJFK7
         VMpfUuwZ9hk9I2EMorS9m+s8p8eZWvImV2RzELSN97uOx1demOTl3YENuaMdrvq8TYyT
         NTiKwut/dl3WlAMPUUoZiKOS6wq2G0UUr4LvmvqmebdKl0RfLG++rhABaGip1tlRBLli
         qWOjlJHkI4zkkAagImlJSy8jp4H+gmS/JTJl8nGGDpQZY2wY333H7InjMXV3gOGI8DKC
         fcdGQSMUxGA1rxXv2QNQJq2FpeQX15An6pTrtHSqodJ/SKi5E7QO7HnltyPNKTwCOCaj
         /TmQ==
X-Gm-Message-State: AOAM533Nhl6oopfwRQQqPZjSWjd6Uq9731/m1I/DWCG+K2Q3WC/Hyanx
        axVkMnOjLAkw2F6v75zpBOH/fg==
X-Received: by 2002:a2e:93cd:: with SMTP id p13mr7914891ljh.460.1596521509227;
        Mon, 03 Aug 2020 23:11:49 -0700 (PDT)
Received: from [172.16.11.153] ([81.216.59.226])
        by smtp.gmail.com with ESMTPSA id l26sm2044101ljc.133.2020.08.03.23.11.46
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 03 Aug 2020 23:11:46 -0700 (PDT)
Subject: Re: [RFC] saturate check_*_overflow() output?
To:     Kees Cook <keescook@chromium.org>
Cc:     Jason Gunthorpe <jgg@ziepe.ca>, Leon Romanovsky <leon@kernel.org>,
        "Gustavo A. R. Silva" <gustavoars@kernel.org>,
        Matthew Wilcox <willy@infradead.org>,
        linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
References: <202008031118.36756FAD04@keescook>
From:   Rasmus Villemoes <linux@rasmusvillemoes.dk>
Message-ID: <f177a821-74a3-e868-81d3-55accfb5b161@rasmusvillemoes.dk>
Date:   Tue, 4 Aug 2020 08:11:45 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <202008031118.36756FAD04@keescook>
Content-Type: text/plain; charset=windows-1252
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 03/08/2020 20.29, Kees Cook wrote:
> Hi,
> 
> I wonder if we should explicitly saturate the output of the overflow
> helpers as a side-effect of overflow detection? 

Please no.

(That way the output
> is never available with a "bad" value, if the caller fails to check the
> result or forgets that *d was written...) since right now, *d will hold
> the wrapped value.

Exactly. I designed the fallback ones so they would have the same
semantics as when using gcc's __builtin_* - though with the "all
operands have same type" restriction, since it would be completely
unwieldy to handle stuff like (s8) + (u64) -> (s32) in macros.

> Also, if we enable arithmetic overflow detection sanitizers, we're going
> to trip over the fallback implementation (since it'll wrap and then do
> the overflow test in the macro).

Huh? The fallback code only ever uses unsigned arithmetic, precisely to
avoid triggering such warnings. Or are you saying there are some
sanitizers out there which also warn for, say, (~0u) + 1u? Yes,
detecting overflow/underflow for a (s32)-(s32)->(s32) without relying on
-fwrapv is a bit messy, but it's done and AFAIK works just fine even
with UBSAN enabled.


What we might do, to deal with the "caller fails to check the result",
is to add a

static inline bool __must_check must_check_overflow(bool b) { return
unlikely(b); }

and wrap all the final "did it overflow" results in that one - perhaps
also for the __builtin_* cases, I don't know if those are automatically
equipped with that attribute. [I also don't know if gcc propagates
likely/unlikely out to the caller, but it shouldn't hurt to have it
there and might improve code gen if it does.]

Rasmus

PS: Another reason not to saturate is that there are two extreme values,
and choosing between them makes the code very messy (especially when
using the __builtins). 5u-10u should saturate to 0u, not UINT_MAX, and
even for for underflowing a signed computation like INT_MIN + (-7); it
makes no sense for that to saturate to INT_MAX.