Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp127446lqo;
        Thu, 9 May 2024 15:01:41 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCU7mZYu/YN5B6VQi5oyYy7mBdjLScKr6LsMzLZiPrUw7if2RmEjHQuNLLioITOQKsos1j1lO1V2kWSgm3G5GNophpcHwNIoTy9oiTGlow==
X-Google-Smtp-Source: AGHT+IE0gqPCOS2ua3Yw6khwjPWna26IMBoJAaNm/8KiaQlB5k9e/21yCX8K6YvnXSfmWWw8Z84G
X-Received: by 2002:a17:902:7ed0:b0:1eb:dae:bdab with SMTP id d9443c01a7336-1ef43f4e315mr10992755ad.46.1715292100916;
        Thu, 09 May 2024 15:01:40 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715292100; cv=pass;
        d=google.com; s=arc-20160816;
        b=cG6HoewYy3SOT5B66rvUYIsboVxsJ+2v37Pf5IUNQJ8qzBApoZUGRGmil9OpNdTO+s
         cJ0ouJRHlpshNoZkuJ1+R0NMjsxVaoD3apnMkO9UfCXHXBzfGJXDFKwHvQ/9jgGqTgw1
         afjnc2Gna6iesO6NfmnNL7j6b/hqumkB0GYi2nJ/nf6d0xLjDD68Fj55o3EoMi7+qGy/
         XnZ6Gtw9rboys+dXoK++7GLbur+bJjtWXzXIeYXLUMz6nmlod55ks6ScKQlfqv9XehAi
         wR3k31pXNfUrEbiUHFIbX+X9O8KjMUIjo0T1W5rOBT1YGbQk2mUQ6RJEhYDVZODHzkfo
         utOw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe
         :list-id:precedence:dkim-signature;
        bh=qZVCnwpSsnSCs9fQXtvRvnFquz+a/pLR0kXJSXFyRYE=;
        fh=qkwQPPO9Iee6Zp4lyVuJBD4VX/Tl+MJlLuUYa9jzxag=;
        b=PQG+pUpWcL3GmNVxJPtL4kxvhGv1POZsZv9rP1ElUf1z2koKV2WsQnXPphl65GQAS6
         PZSf8Iu5cEPeLkfxutZfbWPHPfTmszBJBuRk5YxZb89ZOy+gf44p5D+z0JUu2l9ygXAB
         uheJwzza6FfD1QL8yP3Cu/nMG4xYEt+kgtRYEbmIyAq/K6V9pAmwWG+E0ReUton6Lb6H
         3mAthNJtSkSGxyoghx4JW0CMs4pdUuLqV/jG0aOa8TuE25FlBeQo82lbn36OgO5I95fQ
         LLT1xfoBrMs7Rua1bTDfcSY/HrZvekCnJpwdt8E+dGiAz11AONQPRLLFOWcUawrw4l2i
         MNfA==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=XbODzUHS;
       arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com);
       spf=pass (google.com: domain of linux-kernel+bounces-175016-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-175016-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel+bounces-175016-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1])
        by mx.google.com with ESMTPS id d9443c01a7336-1ef0c14c7b6si22494295ad.485.2024.05.09.15.01.40
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 09 May 2024 15:01:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-175016-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=XbODzUHS;
       arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com);
       spf=pass (google.com: domain of linux-kernel+bounces-175016-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-175016-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id 87C28282867
	for <linux.lists.archive@gmail.com>; Thu,  9 May 2024 22:01:40 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id E3B0C129A7C;
	Thu,  9 May 2024 22:01:30 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="XbODzUHS"
Received: from mail-oo1-f48.google.com (mail-oo1-f48.google.com [209.85.161.48])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7C2F51292E6
	for <linux-kernel@vger.kernel.org>; Thu,  9 May 2024 22:01:28 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.161.48
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715292090; cv=none; b=ujYznMJOWt/9LiGsMeVnif2GL/w/1Hmuh25fhg1jXHL16oaPw7mcU20qGy4dPp4aG8F2ArHHEgMSYqvRsfPSKWnlNvCVib1Sh3c2sJiHV5Ef8/ZUWgFVwlFnj0Yhc9CVZ3OuQVNypRgszeFmf4SESamzgKA00YtkTTg9+rMHlmM=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715292090; c=relaxed/simple;
	bh=eTFM0lR+pV19/1K9nIEi52f8o0e9EXmBU+po3xooddM=;
	h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:
	 To:Cc:Content-Type; b=rJGlKqqJY+fRi84EF6079lquYF8tLsi8sEfppAay3NP4iYDR66kwrOr76W7SCE1RdwCbEqwSEZSARwZCfvNhcI71TCMmagVIJJaqWtpijHAJuJuQNOwmVVnhaCVNHvaRUSz0UVhPhgydYwhU6Y6AEJVvWIP9swVFNuY5tcaHXzg=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=XbODzUHS; arc=none smtp.client-ip=209.85.161.48
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com
Received: by mail-oo1-f48.google.com with SMTP id 006d021491bc7-5aa28cde736so805777eaf.1
        for <linux-kernel@vger.kernel.org>; Thu, 09 May 2024 15:01:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1715292087; x=1715896887; darn=vger.kernel.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=qZVCnwpSsnSCs9fQXtvRvnFquz+a/pLR0kXJSXFyRYE=;
        b=XbODzUHSPCAZhBqt2SCVvCf2VPGhkSGFf6gmm8wKt+o8qaLjb9NSt4jLzgQeNuTtXZ
         8ZFtmeiPDNW+yj5NFZcI3lKGFJ415mhpt633jFbucX/CfxJnIShu8DlonsMefnwe8kr6
         PWb/fJyhMm9NSMjE4Ockm2DWyRVlchgwTSundHb7eG1qTEKTrZv5lI59fpvYw2vGoFv9
         HhyS++rud5bRn3Tq5oYNEz8IOeeKc3viailTQ8ONN9z737Kpx7p3O3ZxTQ2NI/bYNcac
         vp36tYTk6jHTdYGRlLzdjmWYEHnhdVwZWfHc2oDjhut6qSH591SLoILXDINjOlyjjdV3
         NKFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1715292087; x=1715896887;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=qZVCnwpSsnSCs9fQXtvRvnFquz+a/pLR0kXJSXFyRYE=;
        b=A/pwlTjXLgZKMcacFXnOo4AbODw8Fc3RDi6TxnmbBXU8ea+FcaxJ/Trk/Ci4+22RtW
         4WMbtZ3OZ70bhXRuOiRjTbs1uhusaOgZ58sbJg2aoh83fWKGprj8fEv1NFBL7Mr6HA1i
         K1WSTPfLlKsr1r+IKAKkR+zEvvWdmoQoWnKwSvrqnNf/mfUK3oCNKhmOF7x2OG4ew8EA
         rN5Ao2/+VokDqV2KsV6O/B+smk7/ondiQIJvFBggzLpehGDhhSwgJTWNUjl769uj2M+/
         HdQ/uPARSFPHbFyhraKDn0kjJePUFtmjng63v/ZMyM389bntZ+5wWyynPo4D2pr6p4PK
         bI3A==
X-Forwarded-Encrypted: i=1; AJvYcCUSp0n/Sh0mgfGu+mMFWAudVQ9+P89QWW9CEwvvu5vNT9gdMr5tjxkXGmovlrgKbnU/7mXmFSAZgciyMCXhQUir/q2AAJBZv14UYGbk
X-Gm-Message-State: AOJu0Yz4uJPfTXPRtJYeIh1s/qBU60GPysvXNT7kkOizryHV4sm6iaph
	dNr1oOU+78PZrfoXaU1EE8EbH7Nx8gWLsU/2zKszg6mvrtI94DWbGYd5JXjbrlREs7DF9wp349n
	DOxaUXca+5sdfpi/vSoU780FsB3LzWC8iQ/+w
X-Received: by 2002:a05:6358:7e41:b0:17e:bfb8:dd86 with SMTP id
 e5c5f4694b2df-193bb401498mr92029755d.3.1715292087108; Thu, 09 May 2024
 15:01:27 -0700 (PDT)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
References: <20240506-b4-sio-scrollback-delta-v1-1-4164d162a2b8@google.com> <f7775510-09d8-41ef-97b2-0457e721a9ec@kernel.org>
In-Reply-To: <f7775510-09d8-41ef-97b2-0457e721a9ec@kernel.org>
From: Justin Stitt <justinstitt@google.com>
Date: Thu, 9 May 2024 15:01:14 -0700
Message-ID: <CAFhGd8qkYYQZi37Tsj-V5pN5S4xhcyUeAZj1of2kTXG+EtVMgg@mail.gmail.com>
Subject: Re: [PATCH] tty: vt: saturate scrollback_delta to avoid overflow
To: Jiri Slaby <jirislaby@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Nathan Chancellor <nathan@kernel.org>, 
	Bill Wendling <morbo@google.com>, linux-kernel@vger.kernel.org, 
	linux-serial@vger.kernel.org, llvm@lists.linux.dev
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,

On Wed, May 8, 2024 at 11:31=E2=80=AFPM Jiri Slaby <jirislaby@kernel.org> w=
rote:
>
>
> And what is actually broken, given signed overflow is well defined under
> the -fwrapv wings?
>

well-defined code can still be broken.

We want to better safeguard against accidental overflow as this is the
root cause of many bugs/vulnerabilities. So, in this spirit, we
recently enhanced the signed-integer-overflow sanitizer and its
ability to function with -fwrapv enabled [1]. On the Kernel side of
things, Kees' tree [2] has done a lot of the groundwork to get this
sanitizer enabled and less noisy.

WIth all that being said, my solution to this problem in this
particular instance is not the most elegant, as you rightly pointed
out.


> > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> > index 9b5b98dfc8b4..b4768336868e 100644
> > --- a/drivers/tty/vt/vt.c
> > +++ b/drivers/tty/vt/vt.c
> > @@ -308,7 +308,14 @@ static inline void scrolldelta(int lines)
> >       /* FIXME */
> >       /* scrolldelta needs some kind of consistency lock, but the BKL w=
as
> >          and still is not protecting versus the scheduled back end */
> > -     scrollback_delta +=3D lines;
> > +
> > +     /* saturate scrollback_delta so that it never wraps around */
> > +     if (lines > 0 && unlikely(INT_MAX - lines < scrollback_delta))
> > +             scrollback_delta =3D INT_MAX;
> > +     else if (lines < 0 && unlikely(INT_MIN - lines > scrollback_delta=
))
> > +             scrollback_delta =3D INT_MIN;
> > +     else
> > +             scrollback_delta +=3D lines;
>
> NACK, this is horrid.

Agreed.

Does an implementation like this look any better?

static inline void scrolldelta(int lines)
{
        ...
        /* saturate scrollback_delta so that it never wraps around */
        if (lines > 0)
                scrollback_delta =3D min(scrollback_delta, INT_MAX -
lines) + lines;
        else
                scrollback_delta =3D max(scrollback_delta, INT_MIN -
lines) + lines;
        schedule_console_callback();
}

Accounting for the possibility of both underflow and overflow is what
is making this code a bit bloated but if this new approach looks good
enough I can send a v2.

>
> Introduce a helper for this in overflow.h if we have none yet.

We have these but for unsigned (size_t) types. I'm open to adding
signed_saturating_add(addend1, addend2, ceiling, floor) or something
similar.

>
> thanks,
> --
> js
> suse labs
>

[1]: https://github.com/llvm/llvm-project/pull/82432
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=
=3Ddev/v6.8-rc2/signed-overflow-sanitizer

Thanks
Justin