X-Mailing-List: linux-kernel@vger.kernel.org
References: <20240214194432.makes.837-kees@kernel.org> <20240214194605.602505-3-keescook@chromium.org>
In-Reply-To: <20240214194605.602505-3-keescook@chromium.org>
From: Marco Elver
Date: Thu, 15 Feb 2024 19:32:45 +0100
Message-ID:
Subject: Re: [PATCH v7 3/3] overflow: Introduce wrapping_assign_add() and wrapping_assign_sub()
To: Kees Cook
Cc: Andy Shevchenko, Rasmus Villemoes, Eric Biggers, Mark Rutland, "Gustavo A. R. Silva", linux-hardening@vger.kernel.org, Andrew Morton, linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"

On Wed, 14 Feb 2024 at 20:46, Kees Cook wrote:
>
> This allows replacements of the idioms "var += offset" and "var -=
> offset" with the wrapping_assign_add() and wrapping_assign_sub() helpers
> respectively. They will avoid wrap-around sanitizer instrumentation.
>
> Add to the selftests to validate behavior and lack of side-effects.
>
> Signed-off-by: Kees Cook

Reviewed-by: Marco Elver

> ---
> Cc: Rasmus Villemoes
> Cc: Marco Elver
> Cc: Eric Biggers
> Cc: Mark Rutland
> Cc: "Gustavo A. R. Silva"
> Cc: linux-hardening@vger.kernel.org
> ---
> include/linux/overflow.h | 32 ++++++++++++++++++++++++++++++
> lib/overflow_kunit.c | 43 ++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 75 insertions(+)
>
> diff --git a/include/linux/overflow.h b/include/linux/overflow.h > index d3ff8e2bec29..dede374832c9 100644 > --- a/include/linux/overflow.h > +++ b/include/linux/overflow.h 
> @@ -81,6 +81,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) > __val; \ > }) > > +/** > + * wrapping_assign_add() - Intentionally perform a wrapping increment assignment > + * @var: variable to be incremented > + * @offset: amount to add > + * > + * Increments @var by @offset with wrap-around. Returns the resulting > + * value of @var. Will not trip any wrap-around sanitizers. > + * > + * Returns the new value of @var. > + */ > +#define wrapping_assign_add(var, offset) \ > + ({ \ > + typeof(var) *__ptr = &(var); \ > + *__ptr = wrapping_add(typeof(var), *__ptr, offset); \ > + }) > + > /** > * check_sub_overflow() - Calculate subtraction with overflow checking > * @a: minuend; value to subtract from > @@ -111,6 +127,22 @@ static inline bool __must_check __must_check_overflow(bool overflow) > __val; \ > }) > > +/** > + * wrapping_assign_sub() - Intentionally perform a wrapping decrement assign > + * @var: variable to be decremented > + * @offset: amount to subtract > + * > + * Decrements @var by @offset with wrap-around. Returns the resulting > + * value of @var. Will not trip any wrap-around sanitizers. > + * > + * Returns the new value of @var. > + */ > +#define wrapping_assign_sub(var, offset) \ > + ({ \ > + typeof(var) *__ptr = &(var); \ > + *__ptr = wrapping_sub(typeof(var), *__ptr, offset); \ > + }) > + > /** > * check_mul_overflow() - Calculate multiplication with overflow checking > * @a: first factor > diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c > index d3fdb906d3fe..65e8a72a83bf 100644 > --- a/lib/overflow_kunit.c 
> +++ b/lib/overflow_kunit.c [...] > + /* wrapping_assign_{add,sub}() */ \ > + check_self_op(fmt, assign_add, +=, p->a, p->b); \ > + check_self_op(fmt, assign_add, +=, p->b, p->a); \ > + check_self_op(fmt, assign_sub, -=, p->a, p->b); \ > } \

Merely a curiosity, and am not suggesting this for this patch: I wonder how much of this could be tested at compile-time. These are very primitive operations, so I suspect the compiler could either check these in a static_assert(), or if some of it isn't constexpr-friendly, after optimizations with a BUILD_BUG.
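
Review bot: In the wrapping_assign_add() kernel-doc in include/linux/overflow.h, the return value is documented twice: the description says "Returns the resulting value of @var." and the closing line says "Returns the new value of @var." Drop the sentence from the description and keep a single return line. Because the macro body takes &(var), it would also help to state in the @var line that the argument must be an addressable lvalue, so a bit-field cannot be passed.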
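
Review bot: The wrapping_assign_sub() summary line in include/linux/overflow.h reads "wrapping decrement assign" while the wrapping_assign_add() summary in the same patch reads "wrapping increment assignment"; use "assignment" in both so the two entries match in the generated documentation. The doubled "Returns" wording appears in this comment block as well and can be reduced to one line.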
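
Review bot: In the lib/overflow_kunit.c hunk, assign_add is exercised with both operand orders (p->a, p->b and p->b, p->a) but assign_sub only with p->a, p->b. Subtraction is the non-commutative operation, so the swapped order is where a second line adds coverage; consider adding check_self_op(fmt, assign_sub, -=, p->b, p->a);. The check_self_op() definition is elided in this quote, so the "lack of side-effects" claim in the commit message cannot be confirmed from the visible lines.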
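
The "var += offset" replacement described in the commit message, as an added user-space example (not code from the patch or the kernel tree): the two wrapping_assign_*() macros follow the quoted hunks, while the wrapping_add()/wrapping_sub() definitions are assumed stand-ins built on the compiler's overflow builtins, and the function names are hypothetical.

```c
/* Added example: user-space model of the patch's helpers (GNU C). */
#include <limits.h>
#include <stdio.h>

/* Assumed stand-ins for the kernel's wrapping_add()/wrapping_sub(), which the
 * quoted hunks call but do not show. The overflow builtins store the wrapped
 * result and are not undefined behaviour on overflow. */
#define wrapping_add(type, a, b) \
	({ type __val; __builtin_add_overflow(a, b, &__val); __val; })
#define wrapping_sub(type, a, b) \
	({ type __val; __builtin_sub_overflow(a, b, &__val); __val; })

/* The macros from the quoted patch; typeof is spelled __typeof__ here so the
 * file also builds with -std=c11. */
#define wrapping_assign_add(var, offset) \
	({ \
		__typeof__(var) *__ptr = &(var); \
		*__ptr = wrapping_add(__typeof__(var), *__ptr, offset); \
	})
#define wrapping_assign_sub(var, offset) \
	({ \
		__typeof__(var) *__ptr = &(var); \
		*__ptr = wrapping_sub(__typeof__(var), *__ptr, offset); \
	})

/* INT_MAX + 1 wraps to INT_MIN instead of being signed-overflow UB. */
int signed_add_wraps(void) { int v = INT_MAX; return wrapping_assign_add(v, 1); }

/* 3 - 5 in an unsigned char wraps to 254; the macro yields the new value. */
unsigned char u8_sub_wraps(void) { unsigned char v = 3; return wrapping_assign_sub(v, 5); }

/* @var and @offset are each evaluated once, like the plain "+=" idiom. */
int operands_evaluated_once(void)
{
	unsigned int slots[3] = { 0, UINT_MAX, 0 };
	int i = 1, calls = 0;

	wrapping_assign_add(slots[i++], (calls++, 2u));	/* UINT_MAX + 2 wraps to 1 */
	return i == 2 && calls == 1 && slots[1] == 1 && slots[2] == 0;
}

int main(void)
{
	printf("%d %u %d\n", signed_add_wraps(), (unsigned)u8_sub_wraps(),
	       operands_evaluated_once());
	return 0;
}
```

Built with -fsanitize=signed-integer-overflow, signed_add_wraps() produces no report, whereas a plain v += 1 on INT_MAX would.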