lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1417046282-31825-1-git-send-email-sasha.levin@oracle.com>
Date:	Wed, 26 Nov 2014 18:58:01 -0500
From:	Sasha Levin <sasha.levin@...cle.com>
To:	mingo@...nel.org, akpm@...ux-foundation.org,
	torvalds@...ux-foundation.org
Cc:	linux-kernel@...r.kernel.org, Sasha Levin <sasha.levin@...cle.com>
Subject: [RFC v2 1/2] compiler: use compiler to detect integer overflows

We've used to detect integer overflows by causing an overflow and testing the
result. For example, to test for addition overflow we would:

	if (a + b < a)
		/* Overflow detected */

While it works, this is actually an undefined behaviour and we're not
guaranteed to have integers overflowing this way. GCC5 has introduced
built in macros (which existed in Clang/LLVM for a while) to test for
addition, subtraction and multiplication overflows.

Rather than keep relying on the current behaviour of GCC, let's take
it's olive branch and test for overflows by using the builtin
functions.

Changing existing code is simple and can be done using Coccinelle:

@@ expression X; expression Y; constant C; @@
(
- X + Y < Y
+ check_add_overflow(X, Y)
|
- X - Y > X
+ check_sub_overflow(X, Y)
|
- X != 0 && Y > C / X
+ check_mul_overflow(X, Y, C)
)

Signed-off-by: Sasha Levin <sasha.levin@...cle.com>
---

Changes in V2:

 - Comments from Vegard Nossum
 - Comments from Andrey Ryabinin
 - Use a relevant example commit

 include/linux/compiler-gcc5.h |   17 +++++++++++++++++
 include/linux/compiler.h      |   23 +++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h
index c8c5659..0429519 100644
--- a/include/linux/compiler-gcc5.h
+++ b/include/linux/compiler-gcc5.h
@@ -63,3 +63,20 @@
 #define __HAVE_BUILTIN_BSWAP64__
 #define __HAVE_BUILTIN_BSWAP16__
 #endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */
+
+#define check_add_overflow(A, B)					\
+({									\
+	typeof((A) + (B)) __gcc_overflow_dummy;				\
+	__builtin_add_overflow((A), (B), &__gcc_overflow_dummy);	\
+})
+
+#define check_sub_overflow(A, B)					\
+({									\
+	typeof((A) - (B)) __gcc_overflow_dummy;				\
+	__builtin_sub_overflow((A), (B), &__gcc_overflow_dummy);	\
+})
+
+#define check_mul_overflow(A, B, C)					\
+	typeof((A) * (B)) __gcc_overflow_dummy;				\
+	__builtin_mul_overflow((A), (B), &__gcc_overflow_dummy);	\
+})
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 934a834..bbe85ab 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -388,4 +388,27 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
 # define __kprobes
 # define nokprobe_inline	inline
 #endif
+
+#ifndef check_add_overflow
+#define check_add_overflow(A, B)			\
+({							\
+	typeof(A) __tmp_A = (A);			\
+	 (((__tmp_A) + (B)) < (__tmp_A));		\
+})
+#endif
+#ifndef check_sub_overflow
+#define check_sub_overflow(A, B)			\
+({							\
+	typeof(A) __tmp_A = (A);			\
+	(((__tmp_A) - (B)) > (__tmp_A));		\
+})
+#endif
+#ifndef check_mul_overflow
+#define check_mul_overflow(A, B, C)			\
+({							\
+	typeof(A) __tmp_A = (A);			\
+	((__tmp_A) != 0 && (B) > (C) / (__tmp_A));	\
+})
+#endif
+
 #endif /* __LINUX_COMPILER_H */
-- 
1.7.10.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ