Received: by 2002:a05:7412:5112:b0:fa:6e18:a558 with SMTP id fm18csp1230920rdb; Wed, 24 Jan 2024 08:33:17 -0800 (PST) X-Google-Smtp-Source: AGHT+IE8FNs/iyB/JXISNsTq1HeD3x0N/D9cdOJwzR3t2BwychPFbEKE5rf6hm3x3XbbiAetkGRq X-Received: by 2002:a05:6a20:959a:b0:19a:9989:8de1 with SMTP id iu26-20020a056a20959a00b0019a99898de1mr872120pzb.42.1706113997231; Wed, 24 Jan 2024 08:33:17 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706113997; cv=pass; d=google.com; s=arc-20160816; b=qa4VX3pu4NSLVJ0ANjeXHARcCYZlOTdH6gv2jOYpOe1/wZA0KcLyE5Nhh9Irm3usec 3SVs5czHYg8bAoAsEzxwvuqFkZ11EaL4PIdKw6cMpE7Za0silTAIexgLGbBgZiURhflu b/MDxn9arZi8VbD8NvhsFd059JvSQO2wpt5zGJtO98Ykz2uv4fMh+5DEFIPgxP+SpgTx vaTGcT75C8Pnj8RyUiX9jEZqS3BH/F4OIh91QsCKI7bzpANUqU19daRumTwyFNXQIyIk KiKmNS+Nfe/dz0LGbawqX786Kh0r7PDVgiKYSx1Rb51HYlVWrTtMiKeZV2oijQssqE/R +QnQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:from:subject:message-id:references:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:in-reply-to:date :dkim-signature; bh=0CB9g0UuS73iITu6tgKIcBT+b0p2dqCHOybX6/OUmJA=; fh=QB0Yupz8n7bR8Ut+WNarj642h9HCBs1D/10LGX7GoiU=; b=s4Qoh6uV7DWmmTY/pJ/S/tlCeYc9xMF2l2E331DktMnn+f7bZ8+uHpz6qzJ+qds1ux USo1U7uBLnz4kSFyFO5le2YH6o2oN4zIH+o4KUBkrp6blMkpoudNxdkc7xfMdo4z34Jw T2Mu10Ff6L1PiqCn+In3yrcbzX5FgLO1CH+9kMCFqAR9QcnsoxxBX+rSj9y4oXvJlJex yf1cRriRj8jkE6vS91D1o0oSTCnFiDDSHk9aTPlRzrw0rf9nKTQnu1Z4dCP/TmHG2x2d 9zKOZifawZo+4ofu1rl4vwBIVSZZSXfzZjzcYnRLhMEyu6Ghr8U0DS0I4Cg46TWvnB2V RUOQ== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=kyUHQEMO; arc=pass (i=1 spf=pass spfdomain=flex--seanjc.bounces.google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-37329-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-37329-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id r15-20020a632b0f000000b005d5a3dcf222si442482pgr.884.2024.01.24.08.33.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Jan 2024 08:33:17 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-37329-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=kyUHQEMO; arc=pass (i=1 spf=pass spfdomain=flex--seanjc.bounces.google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-37329-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-37329-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 4496728EBBF for ; Wed, 24 Jan 2024 16:25:35 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id EAE297E562; Wed, 24 Jan 2024 16:25:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="kyUHQEMO" Received: from mail-yb1-f202.google.com (mail-yb1-f202.google.com [209.85.219.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 80C8977652 for ; Wed, 24 Jan 2024 16:25:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.202 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706113522; cv=none; b=gou/gXbc/zFho9TPTK8ojHqs5jLXVjSKbXqqHBOOFZYpf6sPc4VDaRjrmfhT37H4iCph0HvKaMeJAwhgTWjMdLoIpchQhquR4UEebi5r+O5zx90FF7I4mZ9ZENO90pS4pPHbff+ziJKhxlN908m9j+kynxGk3RPT54rYSuOOuL4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706113522; c=relaxed/simple; bh=V8c2cPcx8qXCwYKsBCzYFb0VJkAo5lBKil3rUqnEWMM=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=C8r9fIfKnemGun0rLnbf8gwqCjjcYYisxXsGh0/xX4oakOeYe8AXOAsopIddcAY0kugKjGe1gaTJRrKbd3AkqgGToN7JnR8c7PClfznmzzD2dmELALtmfMcJaeZvshnzb+krIszQto4qPPOi2w4ANyHFHSmMlyt7R/aa4PT5rlI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=kyUHQEMO; arc=none smtp.client-ip=209.85.219.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Received: by mail-yb1-f202.google.com with SMTP id 3f1490d57ef6-dbea2ea8363so4527854276.2 for ; Wed, 24 Jan 2024 08:25:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1706113519; x=1706718319; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=0CB9g0UuS73iITu6tgKIcBT+b0p2dqCHOybX6/OUmJA=; b=kyUHQEMOV/wR1EpynmH7BVnL1Rw+Yzq9mQzH//pfaBbRpfe2hYYxppGHM/t6CqebA+ I8YOVL+a4A1HIwiNu5u2MNGhtvxlbVhhavIuoY0UxZuFf7A9lYZ4i1jBFdYrGdtlRX0V tn94O8LuSOJF4POXyprE+fatIBQUoNVOTL4WIIfDDn1BbtjnF6i6NqX4FgczZC+47LQP H/rPQQg2kSh9dhlux7qR6/uUffv8TKeZ+4FZ1PWvZFh/3iwefLaxl9SQjWlBz5lvnJr4 XbScWzxptsTKZOnyantKW+8LZc2neF2kNriab6AAL8xNVGshChqVNqRvIGrUz6vgDVG3 Xx5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706113519; x=1706718319; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=0CB9g0UuS73iITu6tgKIcBT+b0p2dqCHOybX6/OUmJA=; b=ueR6Cq7BYsrCGXohwzvlUJ3R1WPzmzHuMVOyqRvOKL0GHyfZjJi+3yUKlikDVfgE2A u510HQGqzbi4hTTQPtmoLUnG6bFna302o6G4/574XATr62YWyAmNL4Fm71JgXU6jIx09 5rV4OjuLsUBcgBsrso98LbX9HV0YX+80LgEYS8rgCFjxs72PCNfl2Kbj9BbfVbsixZj1 pAOFs3mJ0Jnj6RTMeoEkhYZ94cM54BoprfJnJFPeRLd1AJ0GDF7Bs76Q+eiXZYri1Zi/ JX84vpiiOE5po4EtMXqvqOi0cog+9L70kr99PzvSgLZruKVfj2IQPFJBrfP+CXvQZBA0 6wTg== X-Gm-Message-State: AOJu0YwcHdHP6/LC5DM9Uw42c+DRBI/BXRk5P6nLGAOoE4TlTJk1RRWQ 72OyRwYo63AMYBwqWHV/+1K63VuuPAUOMcpxsJbHk7XzfVXWLy6trXYixlCYv5m/eh5jT7Q5IFF iwA== X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a25:ab4e:0:b0:dc2:4921:cc0 with SMTP id u72-20020a25ab4e000000b00dc249210cc0mr48970ybi.5.1706113519660; Wed, 24 Jan 2024 08:25:19 -0800 (PST) Date: Wed, 24 Jan 2024 08:25:18 -0800 In-Reply-To: <20240123002814.1396804-23-keescook@chromium.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240122235208.work.748-kees@kernel.org> <20240123002814.1396804-23-keescook@chromium.org> Message-ID: Subject: Re: [PATCH 23/82] KVM: Refactor intentional wrap-around calculation From: Sean Christopherson To: Kees Cook Cc: linux-hardening@vger.kernel.org, Paolo Bonzini , kvm@vger.kernel.org, "Gustavo A. R. Silva" , Bill Wendling , Justin Stitt , linux-kernel@vger.kernel.org Content-Type: text/plain; charset="us-ascii" On Mon, Jan 22, 2024, Kees Cook wrote: > In an effort to separate intentional arithmetic wrap-around from > unexpected wrap-around, we need to refactor places that depend on this > kind of math. One of the most common code patterns of this is: > > VAR + value < VAR > > Notable, this is considered "undefined behavior" for signed and pointer > types, which the kernel works around by using the -fno-strict-overflow > option in the build[1] (which used to just be -fwrapv). Regardless, we > want to get the kernel source to the position where we can meaningfully > instrument arithmetic wrap-around conditions and catch them when they > are unexpected, regardless of whether they are signed, unsigned, or > pointer types. > > Refactor open-coded unsigned wrap-around addition test to use > check_add_overflow(), retaining the result for later usage (which removes > the redundant open-coded addition). This paves the way to enabling the > unsigned wrap-around sanitizer[2] in the future. > > Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] > Link: https://github.com/KSPP/linux/issues/27 [2] > Cc: Paolo Bonzini > Cc: kvm@vger.kernel.org > Signed-off-by: Kees Cook > --- > virt/kvm/coalesced_mmio.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c > index 1b90acb6e3fe..0a3b706fbf4c 100644 > --- a/virt/kvm/coalesced_mmio.c > +++ b/virt/kvm/coalesced_mmio.c > @@ -25,17 +25,19 @@ static inline struct kvm_coalesced_mmio_dev *to_mmio(struct kvm_io_device *dev) > static int coalesced_mmio_in_range(struct kvm_coalesced_mmio_dev *dev, > gpa_t addr, int len) > { > + gpa_t sum; s/sum/end? Also, given that your're fixing a gpa_t, which is a u64, presumably that means that this code in __kvm_set_memory_region() also needs to be fixed: if (mem->guest_phys_addr + mem->memory_size < mem->guest_phys_addr) return -EINVAL; and for that one I'd really like to avoid an ignored output parameter (KVM converts the incoming mem->memory_size to pages, so the "sum" is never used directly). Would it make sense to add an API that feeds a dummy "sum" value? I assume UBSAN won't fire on the usage of the known good value, i.e. using the output parameter isn't necessary for functional correctness. Having an API that does just the check would trim down the size of many of these patches and avoid having to come up with names for the local variables. And IMO, the existing code is a wee bit more intuitive, it'd be nice to give developers the flexibility to choose which flavor yields the "best" code on a case-by-case basis. > + > /* is it in a batchable area ? > * (addr,len) is fully included in > * (zone->addr, zone->size) > */ > if (len < 0) > return 0; > - if (addr + len < addr) > + if (check_add_overflow(addr, len, &sum)) > return 0; > if (addr < dev->zone.addr) > return 0; > - if (addr + len > dev->zone.addr + dev->zone.size) > + if (sum > dev->zone.addr + dev->zone.size) > return 0; > return 1; > } > -- > 2.34.1 >