[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <aa42ebfa-03b8-93fa-e036-a7507397d0dc@rasmusvillemoes.dk>
Date: Tue, 21 Sep 2021 08:51:53 +0200
From: Rasmus Villemoes <linux@...musvillemoes.dk>
To: Kees Cook <keescook@...omium.org>
Cc: "Gustavo A . R . Silva" <gustavoars@...nel.org>,
Nathan Chancellor <nathan@...nel.org>,
Jason Gunthorpe <jgg@...pe.ca>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Leon Romanovsky <leon@...nel.org>,
Keith Busch <kbusch@...nel.org>, Len Baker <len.baker@....com>,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH 1/2] overflow: Implement size_t saturating arithmetic
helpers
On 20/09/2021 20.08, Kees Cook wrote:
> + * Internal logic for size_mul(). Takes variable names from UNIQUE_ID
> + * so that the local variables here will never collide with other local
> + * variables (for example, with itself).
> + */
> +#define __size_mul(factor1, factor2, __factor1, __factor2, __product) \
> +({ \
> + size_t __product; \
> + size_t __factor1 = (factor1); \
> + size_t __factor2 = (factor2); \
> + if (check_mul_overflow(__factor1, __factor2, &__product)) \
> + __product = SIZE_MAX; \
> + __product; \
> +})
> +
Why can't this just be a static inline taking and returning size_ts,
avoiding all the unique_id ritual and triple layers of macros?
> -static inline __must_check size_t array_size(size_t a, size_t b)
> -{
> - size_t bytes;
> -
> - if (check_mul_overflow(a, b, &bytes))
> - return SIZE_MAX;
> -
> - return bytes;
> -}
> +#define array_size(a, b) size_mul(a, b)
For example, it could be the very function that you remove here and then
add a compat alias. IDGI, if you want that functionality by another
name, just rename array_size, or let size_mul be a #define for array_size.
And we don't have a size_add, but that could just as well be a static
inline that has the __must_check itself.
Not that I can see that the __must_check matters much for these anyway;
if anybody does
size_mul(foo, bar);
that's just a statement with no side effects, so probably the compiler
would warn anyway, or at least nobody can then go on to do anything
"wrong". Unlike the check_*_overflow(), which have the (possibly
wrapped) result in a output-pointer and the "did it overflow" as the
return value, so you can do
check_mul_overflow(a, b, &d);
do_stuff_with(d);
were it not for the __must_check wrapper.
[Reminder: __must_check is a bit of a misnomer, the attribute is really
warn_unused_result, and there's no requirement that the result is part
of the controlling expression of an if() or while() - just passing the
result on directly to some other function counts as a "use", which is
indeed what we do with the size wrappers.]
Rasmus
Powered by blists - more mailing lists