Received: by 2002:a05:6358:5282:b0:b5:90e7:25cb with SMTP id g2csp2770887rwa; Mon, 22 Aug 2022 13:30:32 -0700 (PDT) X-Google-Smtp-Source: AA6agR4Kla5cf6YdHCI41jC3KA4PDgFcMGr5LGUrA2CZk4rH/yKuQfNIfVfPtmtDa57YRKYWLtz7 X-Received: by 2002:a63:1208:0:b0:423:c60e:ed09 with SMTP id h8-20020a631208000000b00423c60eed09mr17744901pgl.385.1661200231801; Mon, 22 Aug 2022 13:30:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661200231; cv=none; d=google.com; s=arc-20160816; b=iIz1Sb08/Q6zfRseeDBbFPzzMyCkgNV/u9TFSBwesHM9zkbwoXhUD7dd/qQ/M2aZcQ gfD+TcDluSYdS0JU9R+GhK2FNReGpkRwCpBphu7sTt5EIAQj5N5HKhpD4rMQB4A8PAi2 eUZu8x5sR4UBqqQNwZFtkOmWHMO6tDsrF71V9rgiRuTC5oUo277N3EtxJyy7yfU0hTTJ PzEQnrzwJFCC+VAtBUxSFvZpAbvMezdOzDsK+wldp51gt2Eqj0DoztHbWBZiK3vCzweu A+5LvGeTTylGyXVmGywVfzSYGCw7PbTto4d5z9OfQ0U1QDL6H+w+L974x8xAszx+15Yg Iz9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=EnKbvX9xMcUF8bvw923k4bLQbt044bTDeeYvXJD7Czs=; b=N+Zj2ST25lJiMqPvIHP59eWHX/vXWZp7QrDeKP+9SX6MmL3LQhDH4f+uSL0UZBbJsN aQUHQwN6xTRds+sKv3KkKaKdDNLXrIC9G9Md+GLPo+79q6zE0aiOEgDt8AbNQKYnYrnt 5nSoTXjgmsUiuR1etJohRg704w5OIh7BB0hnAgB+nLDV6LWY/Q2EmuxOJYtJsk2m0gGU cCLhEDm/gX+UhS9Y/3D6tvhS7MSMUeH9JG5znNpYP3D61pU0ek1u4Vv9yHqnROohj29e yixONE3a80xmJXyBCNgibuvWSnSdHDC/3Nrrhg7foWsyJfj5TEn71hhYd76WLrvOy91v iW2Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ZRBjLD5D; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b13-20020a17090a6acd00b001f310564e7bsi15245567pjm.100.2022.08.22.13.30.19; Mon, 22 Aug 2022 13:30:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ZRBjLD5D; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232708AbiHVUMi (ORCPT + 99 others); Mon, 22 Aug 2022 16:12:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38736 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232688AbiHVUMf (ORCPT ); Mon, 22 Aug 2022 16:12:35 -0400 Received: from mail-pf1-x433.google.com (mail-pf1-x433.google.com [IPv6:2607:f8b0:4864:20::433]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EBF39543CB for ; Mon, 22 Aug 2022 13:12:32 -0700 (PDT) Received: by mail-pf1-x433.google.com with SMTP id f17so5262729pfk.11 for ; Mon, 22 Aug 2022 13:12:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc; bh=EnKbvX9xMcUF8bvw923k4bLQbt044bTDeeYvXJD7Czs=; b=ZRBjLD5DfpCjiGPnLVcp8T95oJyFpcwl/FshmKOsc5f+ipkEpmrxPMkPmtNGASxBXZ t3eX8tLsBzZOra5EHFU340BNRI7sV3qioe6iMcHKeW4bNdir3ZUqQgW9oBK5xwc1tPDl t+obqjrxd4v8QHRJ6GR08bTFPAwtZz789dhwI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc; bh=EnKbvX9xMcUF8bvw923k4bLQbt044bTDeeYvXJD7Czs=; b=JHi/U2LRzSkv6qaVYikbQdSrKie27gg6UfpHVxdnaMbGJzp8QYqdsDP1m9f5PZthKU nkiyQ7r1l2evU8d47VXX48wfZ8yFLdPtQ4OE6Y+YVbV/SpK0W/F1OUxQwLBqx2+hYpPY R8jCt36bsDcQhvS3wFXyXkS26GLDa9OOm01zodOegIlfObAcEJSG27RaZOcJ4kSV9Uz6 9LXLH9wTWz1Wz4XSKEhAgnhPc2qtnkk2ZmQdGc3gk4oU8jdQtCAE0T+YSh606vntSHjz p9ORn54M/8tDSGIIST2/phK1Or1WJYrTNNFUOvKotn3DWJoX4qB8J0o39iv8nEyrdKa5 cK6Q== X-Gm-Message-State: ACgBeo3vS9qLJZ5hDmCYCZZzBE2QZNsY+9gs5Sukbj1gdIe7o9amHKUg 6THrA5g3LmlF5Kon0zOeWxUQcw== X-Received: by 2002:a63:5252:0:b0:42a:9680:bd9c with SMTP id s18-20020a635252000000b0042a9680bd9cmr7772626pgl.469.1661199152102; Mon, 22 Aug 2022 13:12:32 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id n14-20020a170903110e00b0016d6963cb12sm8773868plh.304.2022.08.22.13.12.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Aug 2022 13:12:31 -0700 (PDT) Date: Mon, 22 Aug 2022 13:12:30 -0700 From: Kees Cook To: Gwan-gyeong Mun Cc: Andrzej Hajda , Andi Shyti , thomas.hellstrom@linux.intel.com, jani.nikula@intel.com, intel-gfx@lists.freedesktop.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, chris@chris-wilson.co.uk, airlied@linux.ie, linux-hardening@vger.kernel.org, matthew.auld@intel.com, mchehab@kernel.org, nirmoy.das@intel.com, Mauro Carvalho Chehab Subject: Re: [PATCH v7 1/8] overflow: Move and add few utility macros into overflow Message-ID: <202208221301.366A33DACA@keescook> References: <20220816093525.184940-1-gwan-gyeong.mun@intel.com> <20220816093525.184940-2-gwan-gyeong.mun@intel.com> <202208171657.63AE7AC@keescook> <52c09fde-f788-4c2b-efdc-d1783dbc0f6c@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <52c09fde-f788-4c2b-efdc-d1783dbc0f6c@intel.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 23, 2022 at 04:32:10AM +0900, Gwan-gyeong Mun wrote: > On 8/22/22 11:05 PM, Andrzej Hajda wrote: > > On 18.08.2022 02:12, Kees Cook wrote: > > > On Thu, Aug 18, 2022 at 01:07:29AM +0200, Andi Shyti wrote: > > > > [...] > > > > > +#define safe_conversion(ptr, value) ({ \ > > > > > +??? typeof(value) __v = (value); \ > > > > > +??? typeof(ptr) __ptr = (ptr); \ > > > > > +??? overflows_type(__v, *__ptr) ? 0 : ((*__ptr = > > > > > (typeof(*__ptr))__v), 1); \ > > > > > +}) > > > > > > I try to avoid "safe" as an adjective for interface names, since it > > > doesn't really answer "safe from what?" This looks more like "assign, but > > > zero when out of bounds". And it can be built from existing macros here: > > > > > > ????if (check_add_overflow(0, value, ptr)) > > > ??????? *ptr = 0; > > > > > > I actually want to push back on this a bit, because there can still be > > > logic bugs built around this kind of primitive. Shouldn't out-of-bounds > > > assignments be seen as a direct failure? I would think this would be > > > sufficient: > > > > > > #define check_assign(value, ptr)??? check_add_overflow(0, value, ptr) > > > > > > And callers would do: > > > > > > ????if (check_assign(value, &var)) > > > ??????? return -EINVAL; > > > > Yes, I also like check_assign() you suggested more than safe_conversion. > As shown below, it would be more readable to return true when assign > succeeds and false when it fails. What do you think? No, this inverts the style of all the other check_*() functions, so it should remain "non-zero is failure". > /** > * check_assign - perform a type conversion (cast) of an source value into > * a new variable, checking that the destination is large enough to hold the > * source value. > * > * @value: Source value > * @ptr: Destination pointer address, If the pointer type is not used, a > warning message is output during build. > * > * Returns: > * If the value would overflow the destination, it returns false. If not > return true. > */ > #define check_assign(value, ptr) __must_check_overflow(({ \ > typecheck_pointer(ptr); \ > !__builtin_add_overflow(0, value, ptr); \ > })) Please don't use the __builtin*s, instead stick to the check_* family, as they correctly wrap the builtins and perform type checking, etc. As mentioned, check_assign() should just be: #define check_assign(value, ptr)??? check_add_overflow(0, value, ptr) I don't think any of the other code is needed? What's the use-case for the other stuff? i.e. Why does anything need overflows_type()? -Kees -- Kees Cook