Date: Mon, 22 Jan 2024 20:07:52 -0800
From: Kees Cook
To: Yonghong Song, Kees Cook, linux-hardening@vger.kernel.org
CC: Alexei Starovoitov, Daniel Borkmann, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, bpf@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 43/82] bpf: Refactor intentional wrap-around test
In-Reply-To: <15d65e11-d957-4b03-bec3-0dcd58b50f97@linux.dev>
References: <20240122235208.work.748-kees@kernel.org> <20240123002814.1396804-43-keescook@chromium.org> <15d65e11-d957-4b03-bec3-0dcd58b50f97@linux.dev>
Message-ID: <6CE08B7D-7E0C-45E2-8A6B-32691BE40D08@kernel.org>

On January 22, 2024 8:00:26 PM PST, Yonghong Song wrote:
>
>On 1/22/24 4:27 PM, Kees Cook wrote:
>> In an effort to separate intentional arithmetic wrap-around from
>> unexpected wrap-around, we need to refactor places that depend on this
>> kind of math. One of the most common code patterns of this is:
>>
>> 	VAR + value < VAR
>>
>> Notably, this is considered "undefined behavior" for signed and pointer
>> types, which the kernel works around by using the -fno-strict-overflow
>> option in the build[1] (which used to just be -fwrapv). Regardless, we
>> want to get the kernel source to the position where we can meaningfully
>> instrument arithmetic wrap-around conditions and catch them when they
>> are unexpected, regardless of whether they are signed[2], unsigned[3],
>> or pointer[4] types.
>>
>> Refactor open-coded wrap-around addition test to use add_would_overflow().
>> This paves the way to enabling the wrap-around sanitizers in the future.
>>
>> Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
>> Link: https://github.com/KSPP/linux/issues/26 [2]
>> Link: https://github.com/KSPP/linux/issues/27 [3]
>> Link: https://github.com/KSPP/linux/issues/344 [4]
>> Cc: Alexei Starovoitov
>> Cc: Daniel Borkmann
>> Cc: John Fastabend
>> Cc: Andrii Nakryiko
>> Cc: Martin KaFai Lau
>> Cc: Song Liu
>> Cc: Yonghong Song
>> Cc: KP Singh
>> Cc: Stanislav Fomichev
>> Cc: Hao Luo
>> Cc: Jiri Olsa
>> Cc: bpf@vger.kernel.org
>> Signed-off-by: Kees Cook
>> ---
>>  kernel/bpf/verifier.c | 12 ++++++------
>>  1 file changed, 6 insertions(+), 6 deletions(-)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index 65f598694d55..21e3f30c8757 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -12901,8 +12901,8 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
>>  		dst_reg->smin_value = smin_ptr + smin_val;
>>  		dst_reg->smax_value = smax_ptr + smax_val;
>>  	}
>> -	if (umin_ptr + umin_val < umin_ptr ||
>> -	    umax_ptr + umax_val < umax_ptr) {
>> +	if (add_would_overflow(umin_ptr, umin_val) ||
>> +	    add_would_overflow(umax_ptr, umax_val)) {
>
>Maybe you could give a reference to the definition of add_would_overflow()?
>A link or a patch with add_would_overflow() defined cc'ed to bpf program.

Sure! It was earlier in the series:
https://lore.kernel.org/linux-hardening/20240123002814.1396804-2-keescook@chromium.org/

The cover letter also has more details:
https://lore.kernel.org/linux-hardening/20240122235208.work.748-kees@kernel.org/

>The patch itself looks good to me.

Thanks!

-Kees

-- 
Kees Cook
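Review bot: the replacement `add_would_overflow(umin_ptr, umin_val)` is equivalent to the removed `umin_ptr + umin_val < umin_ptr` test only if the helper evaluates the sum in the operands' own unsigned type (the names suggest u64 here, where the two forms agree); since the helper is defined in an earlier patch of the series rather than in this file, the commit message should cite that patch so a reviewer of this hunk can confirm the type handling, which is also what the reply in this thread asks for. The `dst_reg->smin_value = smin_ptr + smin_val;` and `smax_value` lines in the visible context remain plain signed additions; if they are not guarded by a signed overflow check immediately above the hunk, they are the next candidates for the same conversion, given the commit message's stated aim of instrumenting signed wrap-around as well.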
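The commit message above contrasts the open-coded `VAR + value < VAR` test with an `add_would_overflow()` helper. The following is an added example, not code from the patch series or from the kernel: `add_would_overflow_example()` is a hypothetical stand-in built on `__builtin_add_overflow()` that checks the sum against the type of its first operand, `add_bounds()` is a constructed model of the verifier's bounds step around the hunk, and the "mark unbounded" fallback it takes on overflow is an assumption made for the example. It shows where the two forms agree (same-width unsigned, as in the hunk), where the open-coded form is undefined behaviour (signed), and where integer promotion makes the open-coded form silently miss a wrap (mixed widths).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper for this example (not the kernel's definition):
 * evaluate the addition in the type of 'a' and report whether the
 * mathematically exact result fails to fit that type. */
#define add_would_overflow_example(a, b)                     \
	({                                                   \
		__typeof__(a) __res;                         \
		__builtin_add_overflow((a), (b), &__res);    \
	})

/* The open-coded pattern from the commit message. For unsigned
 * operands this is well defined: wrap-around is modular. */
static bool u64_add_wraps_open_coded(uint64_t a, uint64_t b)
{
	return a + b < a;
}

/* Same question, asked through the helper. */
static bool u64_add_wraps_builtin(uint64_t a, uint64_t b)
{
	return add_would_overflow_example(a, b);
}

/* For signed operands the open-coded 'a + b < a' is undefined
 * behaviour in C (the kernel only tolerates it via -fno-strict-overflow),
 * so the helper is the only form used here. */
static bool s64_add_overflows_builtin(int64_t a, int64_t b)
{
	return add_would_overflow_example(a, b);
}

/* Mixed widths: 'a' is promoted to 64 bits before the addition, so the
 * open-coded test never sees the 32-bit wrap. The helper checks the
 * result against typeof(a) and does. */
static bool mixed_width_open_coded(uint32_t a, uint64_t b)
{
	return a + b < a;
}

static bool mixed_width_helper(uint32_t a, uint64_t b)
{
	return add_would_overflow_example(a, b);
}

/* Constructed model of the bounds update around the hunk: if either
 * end of the range would wrap, the result cannot be trusted and is
 * widened to the full range (assumption for this example). */
struct bounds {
	uint64_t umin;
	uint64_t umax;
	bool unknown;
};

static struct bounds add_bounds(uint64_t umin_ptr, uint64_t umax_ptr,
				uint64_t umin_val, uint64_t umax_val)
{
	struct bounds r = { 0, UINT64_MAX, true };

	if (add_would_overflow_example(umin_ptr, umin_val) ||
	    add_would_overflow_example(umax_ptr, umax_val))
		return r;	/* wrapped: leave unbounded */

	r.umin = umin_ptr + umin_val;
	r.umax = umax_ptr + umax_val;
	r.unknown = false;
	return r;
}

int main(void)
{
	struct bounds ok = add_bounds(100, 200, 1, 2);
	struct bounds bad = add_bounds(100, UINT64_MAX, 1, 1);

	printf("u64 open-coded vs helper on UINT64_MAX+1: %d %d\n",
	       u64_add_wraps_open_coded(UINT64_MAX, 1),
	       u64_add_wraps_builtin(UINT64_MAX, 1));
	printf("mixed width UINT32_MAX+1: open-coded %d, helper %d\n",
	       mixed_width_open_coded(UINT32_MAX, 1),
	       mixed_width_helper(UINT32_MAX, 1));
	printf("bounds ok: [%llu, %llu] unknown=%d\n",
	       (unsigned long long)ok.umin, (unsigned long long)ok.umax,
	       ok.unknown);
	printf("bounds wrapped: unknown=%d\n", bad.unknown);
	return 0;
}
```

The mixed-width case is the practical reason to prefer a typeof-based helper over the open-coded comparison: the comparison is only as strict as the widest operand, while the helper is as strict as the variable the result will actually be stored in.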