Received: by 2002:a05:7412:bb8d:b0:d7:7d3a:4fe2 with SMTP id js13csp683055rdb; Tue, 15 Aug 2023 08:54:05 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGDNTE5iZaSLyn+OZKoVoC71KcN3CotVkPfGCmWO2ceHoffutYQAvQyu6/luLPiA+xSstMU X-Received: by 2002:a05:6512:234a:b0:4f7:6017:8fb with SMTP id p10-20020a056512234a00b004f7601708fbmr9753284lfu.26.1692114845417; Tue, 15 Aug 2023 08:54:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1692114845; cv=none; d=google.com; s=arc-20160816; b=UR3GF/cIeOAL65Lw4IN9qH8/Nkqq8DJvUXeu49TtHhIY4wCGWB2EFcvqqOMzNYzoPp Qpn399OJKwrgygtnIK6xxYkBuK/+bUg6NauUrh/Ij6X9j6wh6Rv650yLV6KNtWaPBKtq KgiAbVQaNi35ZVl6ZwPIUX3Hwu+Ao3gyqp55I3YPwAGsrL3wONM5AgM+TjZZMoYX+Ptt vTn35v/EZF6/LWjDDX6NIPv5EtEHLGMD6FLanNyla2VwFiYerRZJ+8kGWRZc8cClHkp1 LFnAyfwg96JtPH/SsZsQRgfGGCBLqYAa7U4SSGpQCu893MmPxwtW8t8OW2gkKAd90Usg NpGw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :mime-version:accept-language:in-reply-to:references:message-id:date :thread-index:thread-topic:subject:cc:to:from; bh=MugiyEIDXs93MPUQbaujsosdZH0doSaVQNM1pTOcFwo=; fh=xzfTWjfvlrE8mLQFZfUYn8/mUoGzkFKxeRgSNnwQSrU=; b=Ty51Qh7WckCNMdvFazku1he/Gl27NkBRxCwMbDDcwrI3YW69QclJlI4I9kV9tIYEzC 27MF/GGTdrtdpTeQ465SiSz/OrH32heDv3a3hE40Aacj0s3txCRkRbB71sEJDk/TEzQU bKL0YQV3NnJ4qm0kQeOCC76C4MQXFy8e60w3LmRnCQ3qU91CcE/HAZ3GA5ABLqlQLEWP ww5tI1VISmX4v8aQ4enjRtHSRu5ASljSyhB4xdcTQOoh2NAncdXWx63yoTQgrwjhRij0 jHj1fw/KilaJlT6CJs/NKfYsnRUdJVSDGKNQ1u4xinAOnsh7VUjNPl8bQqrU7VZMC4T8 tr8A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id a26-20020aa7cf1a000000b00523a43f9b28si9132980edy.198.2023.08.15.08.53.40; Tue, 15 Aug 2023 08:54:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235829AbjHOI7L convert rfc822-to-8bit (ORCPT + 99 others); Tue, 15 Aug 2023 04:59:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38444 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235931AbjHOI6C (ORCPT ); Tue, 15 Aug 2023 04:58:02 -0400 Received: from eu-smtp-delivery-151.mimecast.com (eu-smtp-delivery-151.mimecast.com [185.58.86.151]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A57721FE5 for ; Tue, 15 Aug 2023 01:56:01 -0700 (PDT) Received: from AcuMS.aculab.com (156.67.243.121 [156.67.243.121]) by relay.mimecast.com with ESMTP with both STARTTLS and AUTH (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id uk-mta-33-Zp5xXA1jN9KEuQKoEhG7Og-1; Tue, 15 Aug 2023 09:55:57 +0100 X-MC-Unique: Zp5xXA1jN9KEuQKoEhG7Og-1 Received: from AcuMS.Aculab.com (10.202.163.4) by AcuMS.aculab.com (10.202.163.4) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Tue, 15 Aug 2023 09:55:55 +0100 Received: from AcuMS.Aculab.com ([::1]) by AcuMS.aculab.com ([::1]) with mapi id 15.00.1497.048; Tue, 15 Aug 2023 09:55:55 +0100 From: David Laight To: 'Kees Cook' CC: "'linux-kernel@vger.kernel.org'" , "'Andy Shevchenko'" , 'Andrew Morton' , "'Matthew Wilcox (Oracle)'" , 'Christoph Hellwig' , "'Jason A. Donenfeld'" , Linus Torvalds Subject: RE: [PATCH next v3 0/5] minmax: Relax type checks in min() and max(). Thread-Topic: [PATCH next v3 0/5] minmax: Relax type checks in min() and max(). Thread-Index: AdnGwQ6IGYkn0IjZSjuTaOSyeQI0UwIK8m4AABl1+KA= Date: Tue, 15 Aug 2023 08:55:55 +0000 Message-ID: <2dd09c4033644239a314247e635fa735@AcuMS.aculab.com> References: <01e3e09005e9434b8f558a893a47c053@AcuMS.aculab.com> <202308141416.89AC5C2@keescook> In-Reply-To: <202308141416.89AC5C2@keescook> Accept-Language: en-GB, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.202.205.107] MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: aculab.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Kees Cook > Sent: 14 August 2023 22:21 > > On Fri, Aug 04, 2023 at 10:50:59AM +0000, David Laight wrote: > > [...] > > I also suspect that many of the min_t(u16, ...) are actually wrong. > > For example copy_data() in printk_ringbuffer.c contains: > > data_size = min_t(u16, buf_size, len); > > Here buf_size is 'unsigned int' and len 'u16', pass a 64k buffer > > (can you prove that doesn't happen?) and no data is returned. > > Stars aligning... this exact bug (as you saw in the other thread[1]) got > hit. And in the analysis, I came to the same conclusion: min_t() is a > serious foot-gun, and we should be able to make min() Just Work in the > most common situations. It is all a question of what 'work' means. To my mind (but Linus disagrees!) the only problematic case is where a negative signed value gets converted to a large unsigned value. This snippet from do_tcp_getsockopt() shows what I mean: copy_from_user(&len,...) len = min_t(unsigned int, len, sizeof(int)); if (len < 0) return -EINVAL; That can clearly never return -EINVAL. That has actually been broken since the test was added in 2.4.4. That predates min_t() in 2.4.10 (renamed from min() in 2.4.9 when the 'strict typecheck' version on min() was added). So min_t() actually predates min()! > It seems like the existing type_max/type_min macros could be used to > figure out that the args are safe to appropriately automatically cast, > etc. e.g. type_max(u16) <= type_max(unsigned int) && type_min(u16) >= > type_min(unsigned int) ... That doesn't really help; min(a,b) is ok if any of: 1) is_signed(a) == is_signed(b). 2) is_signed(a + 0) == is_signed(b + 0) // Converts char/short to int. 3) a or b is a constant between 0 and MAXINT and is cast to int. The one you found passes (1) - both types are unsigned. min(len, sizeof (int)) passes (3) and is converted to min(len, (int)sizeof (int)) and can still return the expected negatives. (Clearly that getsockopt code only works for len != 4 on LE.) David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)