Message-ID: <787894a0-b1b7-43c2-c509-f246f94f58f7@rasmusvillemoes.dk>
Date: Tue, 30 Aug 2022 21:52:32 +0200
Subject: Re: [PATCH v3] overflow: Allow mixed type arguments
From: Rasmus Villemoes
To: Kees Cook
Cc: Gwan-gyeong Mun, Andrzej Hajda, "Gustavo A. R. Silva", Nick Desaulniers, linux-hardening@vger.kernel.org, Daniel Latypov, Vitor Massaru Iha, linux-kernel@vger.kernel.org
References: <20220830192147.47069-1-keescook@chromium.org>
In-Reply-To: <20220830192147.47069-1-keescook@chromium.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 30/08/2022 21.21, Kees Cook wrote:
> When the check_[op]_overflow() helpers were introduced, all arguments were
> required to be the same type to make the fallback macros simpler. However,
> now that the fallback macros have been removed[1], it is fine to allow
> mixed types, which makes using the helpers much more useful, as they
> can be used to test for type-based overflows (e.g. adding two large ints
> but storing into a u8), as would be handy in the drm core[2].
>
> Remove the restriction, and add additional self-tests that exercise some
> of the mixed-type overflow cases, and double-check for accidental macro
> side-effects.
>
> -/*
> - * For simplicity and code hygiene, the fallback code below insists on
> - * a, b and *d having the same type (similar to the min() and max()
> - * macros), whereas gcc's type-generic overflow checkers accept
> - * different types. Hence we don't just make check_add_overflow an
> - * alias for __builtin_add_overflow, but add type checks similar to
> - * below.
> +/** check_add_overflow() - Calculate addition with overflow checking
> + *
> + * @a: first addend
> + * @b: second addend
> + * @d: pointer to store sum
> + *
> + * Returns 0 on success.
> + *
> + * *@d holds the results of the attempted addition, but is not considered
> + * "safe for use" on a non-zero return value, which indicates that the
> + * sum has overflowed or been truncated.

I don't like that wording. It makes it sound like there's some ambiguity
or (implementation|un)-definedness involved in what the destination holds
on overflow. The gcc documentation is perfectly clear that the result is
the infinite-precision result truncated to N bits, with N being the
bitwidth of d.

Rasmus
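Review bot: the new kernel-doc block puts the name line on the opener itself (`+/** check_add_overflow() - Calculate addition with overflow checking`), but scripts/kernel-doc only recognises a block whose `/**` stands alone on its line, so as written this comment would not be extracted as kernel-doc at all. Suggest `/**` on its own line followed by ` * check_add_overflow() - Calculate addition with overflow checking`, conventionally with the `@a:`/`@b:`/`@d:` lines directly after it rather than separated by the blank ` *` line, and with the return value described in a `Return:` section instead of the free-text `+ * Returns 0 on success.` so that the generated documentation gets a proper return-value entry.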
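Added example, not code from Kees's patch or the kernel's include/linux/overflow.h: a stand-in `check_add_overflow()`/`check_mul_overflow()` that simply forwards to the GCC/Clang type-generic builtins (which is what the example assumes the helpers do once the same-type restriction is gone). It exercises the mixed-type case the commit message describes (two ints stored into a u8), a mixed-signedness case, and the point Rasmus makes about what `*d` holds on a non-zero return: the infinite-precision result reduced to the bit width of the destination, not some unspecified value. It also counts argument evaluations, the kind of macro side-effect the new self-tests are said to check for. The names `ovf_result`, `add_ints_into_u8`, `add_int_ulong_into_int`, `mul_ints_into_u16` and `argument_evaluations` are made up for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Stand-in for the kernel's check_*_overflow() helpers after the patch:
 * assumed here to forward straight to the type-generic GCC/Clang builtins.
 * This is not the kernel's include/linux/overflow.h (which also tags the
 * result __must_check).
 */
#define check_add_overflow(a, b, d) __builtin_add_overflow(a, b, d)
#define check_mul_overflow(a, b, d) __builtin_mul_overflow(a, b, d)

/* What a caller gets back: the overflow flag and the value left in *d. */
struct ovf_result {
	bool overflowed;
	long long value;	/* *d widened so every destination type fits */
};

/*
 * Two ints whose sum fits in an int, stored into a u8. The builtin checks
 * against the destination type: if the sum is not representable in 8 bits
 * it returns true, and *d holds the mathematical sum reduced modulo 2^8.
 */
struct ovf_result add_ints_into_u8(int a, int b)
{
	uint8_t d;
	bool ovf = check_add_overflow(a, b, &d);

	return (struct ovf_result){ ovf, d };
}

/*
 * Mixed signedness. The builtin reasons about mathematical values, not
 * about the operands after C's usual arithmetic conversions: -5 + 3 is
 * -2, which fits an int, so this is not an overflow even though plain C
 * would first convert -5 to a huge unsigned long.
 */
struct ovf_result add_int_ulong_into_int(int a, unsigned long b)
{
	int d;
	bool ovf = check_add_overflow(a, b, &d);

	return (struct ovf_result){ ovf, d };
}

/* Same rule for multiplication into a 16-bit destination. */
struct ovf_result mul_ints_into_u16(int a, int b)
{
	uint16_t d;
	bool ovf = check_mul_overflow(a, b, &d);

	return (struct ovf_result){ ovf, d };
}

/*
 * Macro side-effect check: with a plain forward to the builtin, each
 * argument expression is evaluated exactly once. Returns how many times
 * the first argument was evaluated during one call.
 */
static int bump(int *counter)
{
	return ++*counter;
}

int argument_evaluations(void)
{
	int calls = 0;
	int d;

	(void)check_add_overflow(bump(&calls), 1, &d);
	return calls;
}

int main(void)
{
	struct ovf_result r = add_ints_into_u8(200, 100);

	printf("200 + 100 into u8:  overflow=%d value=%lld\n", r.overflowed, r.value);
	r = add_ints_into_u8(-1, 0);
	printf("-1 + 0 into u8:     overflow=%d value=%lld\n", r.overflowed, r.value);
	r = add_int_ulong_into_int(-5, 3UL);
	printf("-5 + 3UL into int:  overflow=%d value=%lld\n", r.overflowed, r.value);
	r = mul_ints_into_u16(300, 300);
	printf("300 * 300 into u16: overflow=%d value=%lld\n", r.overflowed, r.value);
	printf("first argument evaluated %d time(s)\n", argument_evaluations());
	return 0;
}
```

The `-1 + 0` case is the one worth remembering when reading the "not safe for use" wording: the sum does not overflow in any arithmetic sense, it is simply not representable in the destination, so the helper returns true and `*d` holds 255, exactly the truncated value Rasmus describes.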