From: Linus Torvalds
Date: Wed, 8 May 2024 17:23:08 -0700
Subject: Re: [RFC] Mitigating unexpected arithmetic overflow
To: Kees Cook
Cc: Justin Stitt, Peter Zijlstra, Mark Rutland, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, llvm@lists.linux.dev

On Wed, 8 May 2024 at 16:47, Linus Torvalds wrote:
>
> So *that* I feel could be something where you can warn without a ton
> of compiler smarts at all. If you see an *implicit* cast to unsigned
> and then the subsequent operations wraps around, it's probably worth
> being a lot more worried about.

Side note on this part: quite often, because of C promotion rules, you
have "int" as an "intermediate" type.

IOW, while I had that example of

    int a;
    ...
    a * sizeof(xyz);

being questionably not-UB (because "int a" gets promoted to unsigned
as part of C integer promotion, and thus you really had a signed value
that was involved in unsigned wrap-around), if you have

    unsigned short a;
    ...
    a * sizeof(xyz);

then technically that 'a' is first promoted to 'int' (because all
arithmetic on types smaller than int get promoted to int), and then it
gets promoted to size_t because the multiply gets done in the bigger
type.

So in one sense that unsigned multiply may actually have involved a
cast from a signed type, but at the same time it's not at all in that
kind of "accidentally not UB" class.

I suspect most compilers would have combined the two levels of
implicit casts into just one, so at no point outside of perhaps some
very intermediate stage will it show as a signed int cast to unsigned,
but I thought I'd mention it anyway. Implicit casts get nasty not just
in assignments, but also in these kinds of situations.

I still suspect the "implicit truncating cast at assignment" is likely
a much more common case of loss of information than actual arithmetic
wrap-around, but clearly the two have commonalities.

              Linus
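
The promotion cases discussed in this message, as an added example that is not part of the original email or of any kernel code: it shows the `int` and `unsigned short` operands of `a * sizeof(xyz)`, the truncating assignment, and a checked form of each. `struct xyz` and all function names are assumptions made for illustration; `__builtin_mul_overflow` is the GCC/Clang builtin, and `int` is assumed to be wider than `unsigned short`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct xyz { char buf[16]; };  /* constructed stand-in for "xyz"; sizeof is 16 */

/* 1 if arithmetic on two unsigned shorts is carried out in (signed) int. */
int ushort_math_is_int(void) {
    unsigned short a = 1;
    return _Generic(a + a, int: 1, default: 0);
}

/* 1 if `a * sizeof(...)` ends up in size_t even when a is unsigned short. */
int product_is_size_t(void) {
    unsigned short a = 1;
    return _Generic(a * sizeof(struct xyz), size_t: 1, default: 0);
}

/* Signed operand: a is implicitly converted to size_t, so -1 wraps. */
size_t bytes_from_int(int a) { return a * sizeof(struct xyz); }

/* unsigned short operand: int, then size_t; the value never changes. */
size_t bytes_from_ushort(unsigned short a) { return a * sizeof(struct xyz); }

/* Implicit truncating cast at assignment: the size_t product is cut to 16 bits. */
unsigned short bytes_truncated(unsigned short a) {
    unsigned short n = a * sizeof(struct xyz);
    return n;
}

/* Checked forms (GCC/Clang builtin): true when the exact result does not fit *out. */
bool checked_bytes(int a, size_t *out) {
    return __builtin_mul_overflow(a, sizeof(struct xyz), out);
}
bool checked_bytes_u16(unsigned short a, unsigned short *out) {
    return __builtin_mul_overflow(a, sizeof(struct xyz), out);
}

int main(void) {
    size_t s; unsigned short h;
    printf("ushort math in int: %d, product in size_t: %d\n",
           ushort_math_is_int(), product_is_size_t());
    printf("int -1          -> %zu\n", bytes_from_int(-1));
    printf("ushort 65535    -> %zu\n", bytes_from_ushort(65535));
    printf("ushort 5000 u16 -> %u\n", (unsigned)bytes_truncated(5000));
    printf("checked(-1) overflow=%d, checked_u16(5000) overflow=%d\n",
           checked_bytes(-1, &s), checked_bytes_u16(5000, &h));
    return 0;
}
```

The builtin evaluates the product as if in infinite precision, so it flags both the negative `int` operand and the result that no longer fits the 16-bit destination.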