Re: [PATCH v6 2/3] overflow: Introduce wrapping_add(), wrapping_sub(), and wrapping_mul()

[Mark Rutland <mark.rutland@arm.com>]

On Tue, Feb 13, 2024 at 02:10:58PM -0800, Kees Cook wrote:
> Provide helpers that will perform wrapping addition, subtraction, or
> multiplication without tripping the arithmetic wrap-around sanitizers. The
> first argument is the type under which the wrap-around should happen
> with. In other words, these two calls will get very different results:
> 
> 	wrapping_mul(int, 50, 50) == 2500
> 	wrapping_mul(u8,  50, 50) ==  196
> 
> Add to the selftests to validate behavior and lack of side-effects.
> 
> Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
> Cc: Marco Elver <elver@google.com>
> Cc: Eric Biggers <ebiggers@kernel.org>
> Cc: Mark Rutland <mark.rutland@arm.com>
> Cc: linux-hardening@vger.kernel.org
> Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> Reviewed-by: Marco Elver <elver@google.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>

Acked-by: Mark Rutland <mark.rutland@arm.com>

Mark.

> ---
>  include/linux/overflow.h | 48 ++++++++++++++++++++++++++++++++++++++++
>  lib/overflow_kunit.c     | 24 ++++++++++++++++----
>  2 files changed, 68 insertions(+), 4 deletions(-)
> 
> diff --git a/include/linux/overflow.h b/include/linux/overflow.h
> index 4e741ebb8005..849a49fb496e 100644
> --- a/include/linux/overflow.h
> +++ b/include/linux/overflow.h
> @@ -64,6 +64,22 @@ static inline bool __must_check __must_check_overflow(bool overflow)
>  #define check_add_overflow(a, b, d)	\
>  	__must_check_overflow(__builtin_add_overflow(a, b, d))
>  
> +/**
> + * wrapping_add() - Intentionally perform a wrapping addition
> + * @type: type for result of calculation
> + * @a: first addend
> + * @b: second addend
> + *
> + * Return the potentially wrapped-around addition without
> + * tripping any wrap-around sanitizers that may be enabled.
> + */
> +#define wrapping_add(type, a, b)				\
> +	({							\
> +		type __val;					\
> +		__builtin_add_overflow(a, b, &__val);		\
> +		__val;						\
> +	})
> +
>  /**
>   * check_sub_overflow() - Calculate subtraction with overflow checking
>   * @a: minuend; value to subtract from
> @@ -77,6 +93,22 @@ static inline bool __must_check __must_check_overflow(bool overflow)
>  #define check_sub_overflow(a, b, d)	\
>  	__must_check_overflow(__builtin_sub_overflow(a, b, d))
>  
> +/**
> + * wrapping_sub() - Intentionally perform a wrapping subtraction
> + * @type: type for result of calculation
> + * @a: minuend; value to subtract from
> + * @b: subtrahend; value to subtract from @a
> + *
> + * Return the potentially wrapped-around subtraction without
> + * tripping any wrap-around sanitizers that may be enabled.
> + */
> +#define wrapping_sub(type, a, b)				\
> +	({							\
> +		type __val;					\
> +		__builtin_sub_overflow(a, b, &__val);		\
> +		__val;						\
> +	})
> +
>  /**
>   * check_mul_overflow() - Calculate multiplication with overflow checking
>   * @a: first factor
> @@ -90,6 +122,22 @@ static inline bool __must_check __must_check_overflow(bool overflow)
>  #define check_mul_overflow(a, b, d)	\
>  	__must_check_overflow(__builtin_mul_overflow(a, b, d))
>  
> +/**
> + * wrapping_mul() - Intentionally perform a wrapping multiplication
> + * @type: type for result of calculation
> + * @a: first factor
> + * @b: second factor
> + *
> + * Return the potentially wrapped-around multiplication without
> + * tripping any wrap-around sanitizers that may be enabled.
> + */
> +#define wrapping_mul(type, a, b)				\
> +	({							\
> +		type __val;					\
> +		__builtin_mul_overflow(a, b, &__val);		\
> +		__val;						\
> +	})
> +
>  /**
>   * check_shl_overflow() - Calculate a left-shifted value and check overflow
>   * @a: Value to be shifted
> diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
> index c527f6b75789..d3fdb906d3fe 100644
> --- a/lib/overflow_kunit.c
> +++ b/lib/overflow_kunit.c
> @@ -258,20 +258,36 @@ DEFINE_TEST_ARRAY(s64) = {
>  									\
>  	_of = check_ ## op ## _overflow(a, b, &_r);			\
>  	KUNIT_EXPECT_EQ_MSG(test, _of, of,				\
> -		"expected "fmt" "sym" "fmt" to%s overflow (type %s)\n",	\
> +		"expected check "fmt" "sym" "fmt" to%s overflow (type %s)\n",	\
>  		a, b, of ? "" : " not", #t);				\
>  	KUNIT_EXPECT_EQ_MSG(test, _r, r,				\
> -		"expected "fmt" "sym" "fmt" == "fmt", got "fmt" (type %s)\n", \
> +		"expected check "fmt" "sym" "fmt" == "fmt", got "fmt" (type %s)\n", \
>  		a, b, r, _r, #t);					\
>  	/* Check for internal macro side-effects. */			\
>  	_of = check_ ## op ## _overflow(_a_orig++, _b_orig++, &_r);	\
> -	KUNIT_EXPECT_EQ_MSG(test, _a_orig, _a_bump, "Unexpected " #op " macro side-effect!\n"); \
> -	KUNIT_EXPECT_EQ_MSG(test, _b_orig, _b_bump, "Unexpected " #op " macro side-effect!\n"); \
> +	KUNIT_EXPECT_EQ_MSG(test, _a_orig, _a_bump,			\
> +		"Unexpected check " #op " macro side-effect!\n");	\
> +	KUNIT_EXPECT_EQ_MSG(test, _b_orig, _b_bump,			\
> +		"Unexpected check " #op " macro side-effect!\n");	\
> +									\
> +	_r = wrapping_ ## op(t, a, b);					\
> +	KUNIT_EXPECT_TRUE_MSG(test, _r == r,				\
> +		"expected wrap "fmt" "sym" "fmt" == "fmt", got "fmt" (type %s)\n", \
> +		a, b, r, _r, #t);					\
> +	/* Check for internal macro side-effects. */			\
> +	_a_orig = a;							\
> +	_b_orig = b;							\
> +	_r = wrapping_ ## op(t, _a_orig++, _b_orig++);			\
> +	KUNIT_EXPECT_EQ_MSG(test, _a_orig, _a_bump,			\
> +		"Unexpected wrap " #op " macro side-effect!\n");	\
> +	KUNIT_EXPECT_EQ_MSG(test, _b_orig, _b_bump,			\
> +		"Unexpected wrap " #op " macro side-effect!\n");	\
>  } while (0)
>  
>  #define DEFINE_TEST_FUNC_TYPED(n, t, fmt)				\
>  static void do_test_ ## n(struct kunit *test, const struct test_ ## n *p) \
>  {									\
> +	/* check_{add,sub,mul}_overflow() and wrapping_{add,sub,mul} */	\
>  	check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of);	\
>  	check_one_op(t, fmt, add, "+", p->b, p->a, p->sum, p->s_of);	\
>  	check_one_op(t, fmt, sub, "-", p->a, p->b, p->diff, p->d_of);	\
> -- 
> 2.34.1
>