| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 Jan 2024 13:51:56 -0800
From: Kees Cook <keescook@...omium.org>
To: Rasmus Villemoes <rasmus.villemoes@...vas.dk>
Cc: linux-hardening@...r.kernel.org,
"Gustavo A. R. Silva" <gustavoars@...nel.org>,
Bill Wendling <morbo@...gle.com>,
Justin Stitt <justinstitt@...gle.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 03/82] overflow: Introduce add_wrap()
On Tue, Jan 23, 2024 at 09:14:20AM +0100, Rasmus Villemoes wrote:
> On 23/01/2024 01.26, Kees Cook wrote:
> > Provide a helper that will perform wrapping addition without tripping
> > the arithmetic wrap-around sanitizers.
> >
> > Cc: "Gustavo A. R. Silva" <gustavoars@...nel.org>
> > Cc: linux-hardening@...r.kernel.org
> > Signed-off-by: Kees Cook <keescook@...omium.org>
> > ---
> > include/linux/overflow.h | 16 ++++++++++++++++
> > 1 file changed, 16 insertions(+)
> >
> > diff --git a/include/linux/overflow.h b/include/linux/overflow.h
> > index ac088f73e0fd..30779905a77a 100644
> > --- a/include/linux/overflow.h
> > +++ b/include/linux/overflow.h
> > @@ -124,6 +124,22 @@ static inline bool __must_check __must_check_overflow(bool overflow)
> > check_add_overflow(a, b, &__result);\
> > }))
> >
> > +/**
> > + * add_wrap() - Intentionally perform a wrapping addition
> > + * @a: first addend
> > + * @b: second addend
> > + *
> > + * Return the potentially wrapped-around addition without
> > + * tripping any overflow sanitizers that may be enabled.
> > + */
> > +#define add_wrap(a, b) \
> > + ({ \
> > + typeof(a) __sum; \
> > + if (check_add_overflow(a, b, &__sum)) \
> > + /* do nothing */; \
> > + __sum; \
> > + })
> > +
>
> I don't know where this is supposed to be used, but at first glance this
> seems to introduce a footgun. This is not symmetric in a and b, so both
> the type and value of the result may differ between add_wrap(a, b) and
> add_wrap(b, a). That seems dangerous.
I see three options here (and for add_would_overflow()):
1- document that it is typed to the first argument (but this seems weak)
2- require a and b have the same type, and use typeof(a) (but is possibly
inflexible, like the problems we've had with min()/max())
3- explicitly require a result type (this seems overly verbose, and might
have problems like we've had with min_t()/max_t())
In the one place this series uses add_wrap(), I have these arguments:
int segs
u32 delta
and the result type is expected to be int:
return atomic_add_return(add_wrap(segs, delta), p_id) - segs;
So as written (option 1) it's (accidentally?) correct.
It would be rejected with option 2, which seems a strong signal that
it's not a good option.
So, your idea about explicit typing is probably best, since I can't
examine the lvalue type within the macro.
return atomic_add_return(add_wrap(int, segs, delta), p_id) - segs;
I'll give this a try and check for binary differences.
-Kees
--
Kees Cook
Powered by blists - more mailing lists