Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp2383702pxb; Mon, 20 Sep 2021 20:55:51 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxOa2OyRxVkN+mFVW88OQw1pgc7QvwF4dwoxNNxEvelHVyPskk85QeU1zL8O/aZKKwcASBI X-Received: by 2002:a50:9d83:: with SMTP id w3mr20480968ede.305.1632196551619; Mon, 20 Sep 2021 20:55:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632196551; cv=none; d=google.com; s=arc-20160816; b=dEt9LS47BDBvlfo//jTQ2pzGuvO81wYINpYAzI21JYFP9hZHaa5FF9UQUq25HmVxMs Wy4EnCl7gMh8aEjOZZU60mjpyZmSF9ehlBDKjoCff+DQia26sUz1Klz1gD1w6GSazZu3 h9hIi3BizbAElqR85inbr6zLoAQoqbpdHAN672/fAxMC5RAa9aI0E8i2DzG6v95El5hl DaVKzGkl1Vie5GXp17jzAgdErDR8sJgGsN931wcZdsM0yy1omcGyyWYdRBjzFaFgPZCJ 88u8GuQ5Q7dcxJ9nXbyW+TLue0y4tEKKlZ0xYG5+zTyGyBgIF2P8CG2zHdJzv6PSzB3b hCDw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=hidIkJOKxCMVjbSvcxBw4U/mexFomA4sB5K9H+f3WZo=; b=XCVU+vcYoIj3doA2X+6vlbG75m/yhM+L/k9alTewEVezPUaXmtumIF9AaFVS8gN/QB l3SbJMmjxzO0opejMNDTWPVvfbSwXKathjP0KXe7jeIMkfEDgY/8SQKxxg1kzCjhU4Z1 RpMcPks5PaAE2x4434I0KH+tiI5wbeZ2ig2NBZj774Yg0/DlyVZFqD5v6s3R8BVfHFWM MJc6V4tCT03QSIFSjOELRL6qzl60+vY9g2or1iumGFCJTD/TOoE+wRK8nCqF2mV4wJny h9MVtkHHRzwXGx8Hs5sBo6qxy471N04PF4r1Id/w4csAvUUR2NDqkbmgCB6Iegusz5J5 jM7Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=YW3OQ3do; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q9si17369391ejn.647.2021.09.20.20.55.28; Mon, 20 Sep 2021 20:55:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=YW3OQ3do; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230483AbhIUBhJ (ORCPT + 99 others); Mon, 20 Sep 2021 21:37:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57514 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229973AbhIUBfA (ORCPT ); Mon, 20 Sep 2021 21:35:00 -0400 Received: from mail-pj1-x102d.google.com (mail-pj1-x102d.google.com [IPv6:2607:f8b0:4864:20::102d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D3FB8C124A54 for ; Mon, 20 Sep 2021 11:08:57 -0700 (PDT) Received: by mail-pj1-x102d.google.com with SMTP id n13-20020a17090a4e0d00b0017946980d8dso35865pjh.5 for ; Mon, 20 Sep 2021 11:08:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=hidIkJOKxCMVjbSvcxBw4U/mexFomA4sB5K9H+f3WZo=; b=YW3OQ3doANQVp1KjDrjbbQtADmm1NDefevCVHKSXV34nKQJGQAZ9M4ueYT8C1vliki ENy7So7EsVBBjS37/XBuJinomCdYV1rAxvWqc+WgBbiOmshS2xMYgICQOYn2dJ7Ilgx0 9YyQIHcTNeDh+hTu2oK81q33SDgK7xCE0e/EQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=hidIkJOKxCMVjbSvcxBw4U/mexFomA4sB5K9H+f3WZo=; b=fxNLHJcZ+4SqxcMEodALbNbYd3JX1DkRU3OEJp7yX10XU71SAX5qmPwspAcdBMqMH1 qei1ZdF0h7LV4hLwnyknAPk/TtBqVt6K+p/8YkXORQR5zE/jlv+JqbX2eGT0kguSMmm5 2bFFbH76Fq4a7s7VOpWbYCY9y1QGjo6DhKFkyMiVfEJ+Mn80Ebn5whgrD/fjnfCzeAZN wxAPJev0Jjt+GUdxtNqLMcQ6aGUDX6jYahsDsosgZbPF6XCpT82qmoBskx5RNGgM+pRh vIPxbh+Wlm0wzWKF18BrRCzBiDpymKDvTUz7vwmoCyH2HTncfeObL8bjLDRLDs9Q4Lw4 Vc7A== X-Gm-Message-State: AOAM533muvd9hBdp+xbz8gbHhpc8p6TCc91IgPPG/ES+A4+iLB3TCd2x /KGZKCMhRIGNe17BPD/OoKrpsw== X-Received: by 2002:a17:90a:86:: with SMTP id a6mr347372pja.190.1632161337429; Mon, 20 Sep 2021 11:08:57 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id 126sm17743348pgi.86.2021.09.20.11.08.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Sep 2021 11:08:56 -0700 (PDT) From: Kees Cook To: Rasmus Villemoes Cc: Kees Cook , "Gustavo A . R . Silva" , Nathan Chancellor , Jason Gunthorpe , Nick Desaulniers , Leon Romanovsky , Keith Busch , Len Baker , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH 1/2] overflow: Implement size_t saturating arithmetic helpers Date: Mon, 20 Sep 2021 11:08:52 -0700 Message-Id: <20210920180853.1825195-2-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210920180853.1825195-1-keescook@chromium.org> References: <20210920180853.1825195-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=10506; h=from:subject; bh=aYbE79r+2GzCEDXJOePs8DpTGJtx17vsz1taPQytKw4=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBhSM40XMzPcxqU+i87Qyjr/YrDY3MzjZfDUSZglvKq R2vvk2GJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYUjONAAKCRCJcvTf3G3AJoNaD/ 9wzLJ/LA3yNwGiPPhyoEIXSh1K0Rf/I36tZrncmN75R61nEQiYBnSu2FKF3W8XjD75O1hSzIVAx/Kq qyJJkUu605H9OfKnkz7n3a1o/g1wQaNbBq2raVXcRiB2kHiFMt+jYjIsZJlGPmnSfjHOq73McArMR7 pvEy1Yf9CwFgIeT3CSONCDoj7fEtXgwUUoFcQBFcZfgWIas97wDlYZ/8ku+/YiPbv6OGCcVWvhC3xZ DjsocvAkjbY0pEzsZ41xoadoSr+3vprdTz4YUFAJxJKTS1Qu47qdOIHqF0/KSgz14sYZR13HoSemmP ukglbTAIHWuUI1h9Ku5gi5DqQqRINyJ+wq4x3bJg6aKSSOOiwjop4HjpP2qEsBHQeZURGQgBOp4hqu 0b9N7nwDNxvokaNW1GP9s1t+0r8u3Eggyowe4J1LbW+PUg4dvfpZ3tCVGY7a/D6xvVmaVPhSx97Tf5 wc+g8r/XbEy7HGauYJC9fHeiiQVy4Ij/SvXjuc2Qs8lGePBslFp1fcw9qBhynkKh7p1p9OjMlaWu/s oCNu/MhPjRL/r4s98GTmoNnFGbwAIyXzP0GAE5gGAW6T9aHfxY/nlH/2bZfUTwHFzbrzzU2ioI+joU N4fI9jmwd4MyZ1LN4ItVowhoenl91k9s8r61KFXekm10pKLJts6qdSri5uog== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In order to perform more open-coded replacements of common allocation size arithmetic, the kernel needs a saturating (SIZE_MAX) helper for addition and multiplication. It is common in allocators, especially on realloc, to add to an existing size. For example: p = krealloc(map->patch, sizeof(struct reg_sequence) * (map->patch_regs + num_regs), GFP_KERNEL); There is no existing saturating replacement for this calculation, and just leaving the addition open coded inside array_size() could potentially overflow as well. For example, an overflow in an expression for a size_t argument might wrap to zero: array_size(anything, something_at_size_max + 1) == 0 Introduce size_mul() and size_add() helpers to perform size_t promotion and saturated calculations for use in such allocations. With these helpers it is also possible to redefine array_size(), array3_size(), flex_array_size(), and struct_size() in terms of the new helpers. As with the check_*_overflow() helpers, the helpers are wrapped in a __must_check function that passes through the size_t result. In order for the helpers to be composed with themselves, they must have unique variable names to avoid shadowing, so this uses a similar method to what is already done in minmax.h for constructing unique names to be passed in as arguments to the statement expression that does the actual work. Cc: Rasmus Villemoes Cc: Gustavo A. R. Silva Cc: Nathan Chancellor Cc: Jason Gunthorpe Cc: Nick Desaulniers Cc: Leon Romanovsky Cc: Keith Busch Cc: Len Baker Signed-off-by: Kees Cook --- include/linux/overflow.h | 140 ++++++++++++++++++++++++--------------- lib/test_overflow.c | 61 +++++++++++++++++ 2 files changed, 149 insertions(+), 52 deletions(-) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 4669632bd72b..cd154d47807c 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -117,6 +117,77 @@ static inline bool __must_check __must_check_overflow(bool overflow) (*_d >> _to_shift) != _a); \ })) +/* + * As with __must_check_overflow() above, this is used to wrap the + * size_t output from a statement expression macro. + */ +static inline size_t __must_check __must_check_size(size_t size) +{ + return size; +} + +/* + * Internal logic for size_mul(). Takes variable names from UNIQUE_ID + * so that the local variables here will never collide with other local + * variables (for example, with itself). + */ +#define __size_mul(factor1, factor2, __factor1, __factor2, __product) \ +({ \ + size_t __product; \ + size_t __factor1 = (factor1); \ + size_t __factor2 = (factor2); \ + if (check_mul_overflow(__factor1, __factor2, &__product)) \ + __product = SIZE_MAX; \ + __product; \ +}) + +/** + * size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX + * + * @factor1: first factor + * @factor2: second factor + * + * Returns: calculate @factor1 * @factor2, where both values are + * evaluated as size_t, with any overflow causing the return value to + * be SIZE_MAX. + */ +#define size_mul(factor1, factor2) \ + __must_check_size(__size_mul(factor1, factor2, \ + __UNIQUE_ID(__factor1_), \ + __UNIQUE_ID(__factor2_), \ + __UNIQUE_ID(__product_))) + +/* + * Internal logic for size_add(). Takes variable names from UNIQUE_ID + * so that the local variables here will never collide with other local + * variables (for example, with itself). + */ +#define __size_add(addend1, addend2, __addend1, __addend2, __sum) \ +({ \ + size_t __sum; \ + size_t __addend1 = (addend1); \ + size_t __addend2 = (addend2); \ + if (check_add_overflow(__addend1, __addend2, &__sum)) \ + __sum = SIZE_MAX; \ + __sum; \ +}) + +/** + * size_add() - Calculate size_t addition with saturation at SIZE_MAX + * + * @addend1: first addend + * @addend2: second addend + * + * Returns: calculate @addend1 + @addend2, where both values are + * evaluated as size_t, with any overflow causing the return value to + * be SIZE_MAX. + */ +#define size_add(addend1, addend2) \ + __must_check_size(__size_add(addend1, addend2, \ + __UNIQUE_ID(__addend1_), \ + __UNIQUE_ID(__addend2_), \ + __UNIQUE_ID(__sum_))) + /** * array_size() - Calculate size of 2-dimensional array. * @@ -128,15 +199,7 @@ static inline bool __must_check __must_check_overflow(bool overflow) * Returns: number of bytes needed to represent the array or SIZE_MAX on * overflow. */ -static inline __must_check size_t array_size(size_t a, size_t b) -{ - size_t bytes; - - if (check_mul_overflow(a, b, &bytes)) - return SIZE_MAX; - - return bytes; -} +#define array_size(a, b) size_mul(a, b) /** * array3_size() - Calculate size of 3-dimensional array. @@ -150,65 +213,38 @@ static inline __must_check size_t array_size(size_t a, size_t b) * Returns: number of bytes needed to represent the array or SIZE_MAX on * overflow. */ -static inline __must_check size_t array3_size(size_t a, size_t b, size_t c) -{ - size_t bytes; - - if (check_mul_overflow(a, b, &bytes)) - return SIZE_MAX; - if (check_mul_overflow(bytes, c, &bytes)) - return SIZE_MAX; - - return bytes; -} - -/* - * Compute a*b+c, returning SIZE_MAX on overflow. Internal helper for - * struct_size() below. - */ -static inline __must_check size_t __ab_c_size(size_t a, size_t b, size_t c) -{ - size_t bytes; - - if (check_mul_overflow(a, b, &bytes)) - return SIZE_MAX; - if (check_add_overflow(bytes, c, &bytes)) - return SIZE_MAX; - - return bytes; -} +#define array3_size(a, b, c) size_mul(size_mul(a, b), c) /** - * struct_size() - Calculate size of structure with trailing array. + * flex_array_size() - Calculate size of a flexible array member + * within an enclosing structure. + * * @p: Pointer to the structure. - * @member: Name of the array member. + * @member: Name of the flexible array member. * @count: Number of elements in the array. * - * Calculates size of memory needed for structure @p followed by an - * array of @count number of @member elements. + * Calculates size of a flexible array of @count number of @member + * elements, at the end of structure @p. * * Return: number of bytes needed or SIZE_MAX on overflow. */ -#define struct_size(p, member, count) \ - __ab_c_size(count, \ - sizeof(*(p)->member) + __must_be_array((p)->member),\ - sizeof(*(p))) +#define flex_array_size(p, member, count) \ + size_mul(count, \ + sizeof(*(p)->member) + __must_be_array((p)->member)) /** - * flex_array_size() - Calculate size of a flexible array member - * within an enclosing structure. + * struct_size() - Calculate size of structure with trailing flexible array. * * @p: Pointer to the structure. - * @member: Name of the flexible array member. + * @member: Name of the array member. * @count: Number of elements in the array. * - * Calculates size of a flexible array of @count number of @member - * elements, at the end of structure @p. + * Calculates size of memory needed for structure @p followed by an + * array of @count number of @member elements. * * Return: number of bytes needed or SIZE_MAX on overflow. */ -#define flex_array_size(p, member, count) \ - array_size(count, \ - sizeof(*(p)->member) + __must_be_array((p)->member)) +#define struct_size(p, member, count) \ + size_add(sizeof(*(p)), flex_array_size(p, member, count)) #endif /* __LINUX_OVERFLOW_H */ diff --git a/lib/test_overflow.c b/lib/test_overflow.c index 7a4b6f6c5473..01a469ff7ff6 100644 --- a/lib/test_overflow.c +++ b/lib/test_overflow.c @@ -588,12 +588,73 @@ static int __init test_overflow_allocation(void) return err; } +struct __test_flex_array { + unsigned long flags; + size_t count; + unsigned long data[]; +}; + +static int __init test_overflow_size_helpers(void) +{ + struct __test_flex_array *obj; + int count = 0; + int err = 0; + +#define check_one_size_helper(expected, func, args...) ({ \ + bool __failure = false; \ + size_t _r; \ + \ + _r = func(args); \ + if (_r != (expected)) { \ + pr_warn("expected " #func "(" #args ") " \ + "to return %zu but got %zu instead\n", \ + (size_t)(expected), _r); \ + __failure = true; \ + } \ + count++; \ + __failure; \ +}) + + err |= check_one_size_helper(5, size_add, 2, 3); + err |= check_one_size_helper(SIZE_MAX, size_add, SIZE_MAX, 1); + err |= check_one_size_helper(SIZE_MAX, size_add, SIZE_MAX, 3); + err |= check_one_size_helper(SIZE_MAX, size_add, SIZE_MAX, -3); + + err |= check_one_size_helper(6, size_mul, 2, 3); + err |= check_one_size_helper(SIZE_MAX, size_mul, SIZE_MAX, 1); + err |= check_one_size_helper(SIZE_MAX, size_mul, SIZE_MAX, 3); + err |= check_one_size_helper(SIZE_MAX, size_mul, SIZE_MAX, -3); + + err |= check_one_size_helper(0, flex_array_size, obj, data, 0); + err |= check_one_size_helper(sizeof(*obj->data), + flex_array_size, obj, data, 1); + err |= check_one_size_helper(7 * sizeof(*obj->data), + flex_array_size, obj, data, 7); + err |= check_one_size_helper(SIZE_MAX, + flex_array_size, obj, data, -1); + err |= check_one_size_helper(SIZE_MAX, + flex_array_size, obj, data, SIZE_MAX - 4); + + err |= check_one_size_helper(sizeof(*obj), struct_size, obj, data, 0); + err |= check_one_size_helper(sizeof(*obj) + sizeof(*obj->data), + struct_size, obj, data, 1); + err |= check_one_size_helper(SIZE_MAX, + struct_size, obj, data, -3); + err |= check_one_size_helper(SIZE_MAX, + struct_size, obj, data, SIZE_MAX - 3); + + pr_info("%d overflow size helper tests finished\n", count); + + return err; +} + static int __init test_module_init(void) { int err = 0; err |= test_overflow_calculation(); err |= test_overflow_shift(); + err |= test_overflow_size_helpers(); err |= test_overflow_allocation(); if (err) { -- 2.30.2