From: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
To: Kees Cook <keescook@chromium.org>
Cc: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Tom Rix <trix@redhat.com>, Daniel Latypov <dlatypov@google.com>,
Vitor Massaru Iha <vitor@massaru.org>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
<linux-hardening@vger.kernel.org>, <llvm@lists.linux.dev>,
<intel-gfx@lists.freedesktop.org>, <linux-kernel@vger.kernel.org>,
<dri-devel@lists.freedesktop.org>, <mchehab@kernel.org>,
<chris@chris-wilson.co.uk>, <matthew.auld@intel.com>,
<thomas.hellstrom@linux.intel.com>, <jani.nikula@intel.com>,
<nirmoy.das@intel.com>, <airlied@redhat.com>, <daniel@ffwll.ch>,
<andi.shyti@linux.intel.com>, <andrzej.hajda@intel.com>,
<mauro.chehab@linux.intel.com>, <linux@rasmusvillemoes.dk>,
<linux-sparse@vger.kernel.org>
Subject: Re: [PATCH v11.5] overflow: Introduce overflows_type() and __castable_to_type()
Date: Mon, 26 Sep 2022 18:57:53 +0300 [thread overview]
Message-ID: <06a907d2-e976-ed8a-bfff-277c835d9ab2@intel.com> (raw)
In-Reply-To: <20220926003743.409911-1-keescook@chromium.org>
On 9/26/22 3:37 AM, Kees Cook wrote:
> Add overflows_type() to test if a variable or constant value would
> overflow another variable or type. This can be used as a constant
> expression for static_assert() (which requires a constant
> expression[1][2]) when used on constant values. This must be constructed
> manually, since __builtin_add_overflow() does not produce a constant
> expression[3].
>
> Additionally adds __castable_to_type(), similar to __same_type(), for
> checking if a constant value will fit in a given type (i.e. it could
> be cast to the type without overflow).
>
> Add unit tests for overflows_type(), __same_type(), and
> __castable_to_type() to the existing KUnit "overflow" test.
>
> [1] https://en.cppreference.com/w/c/language/_Static_assert
> [2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions
> [3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
> 6.56 Built-in Functions to Perform Arithmetic with Overflow Checking
> Built-in Function: bool __builtin_add_overflow (type1 a, type2 b,
> type3 *res)
>
> Cc: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
> Cc: Nathan Chancellor <nathan@kernel.org>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Tom Rix <trix@redhat.com>
> Cc: Daniel Latypov <dlatypov@google.com>
> Cc: Vitor Massaru Iha <vitor@massaru.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: linux-hardening@vger.kernel.org
> Cc: llvm@lists.linux.dev
> Co-developed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
> Signed-off-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> include/linux/compiler.h | 1 +
> include/linux/overflow.h | 48 +++++
> lib/overflow_kunit.c | 393 ++++++++++++++++++++++++++++++++++++++-
> 3 files changed, 441 insertions(+), 1 deletion(-)
>
> diff --git a/include/linux/compiler.h b/include/linux/compiler.h
> index 7713d7bcdaea..c631107e93b1 100644
> --- a/include/linux/compiler.h
> +++ b/include/linux/compiler.h
> @@ -244,6 +244,7 @@ static inline void *offset_to_ptr(const int *off)
> * bool and also pointer types.
> */
> #define is_signed_type(type) (((type)(-1)) < (__force type)1)
> +#define is_unsigned_type(type) (!is_signed_type(type))
>
> /*
> * This is needed in functions which generate the stack canary, see
> diff --git a/include/linux/overflow.h b/include/linux/overflow.h
> index 19dfdd74835e..c8cbeae5f4f8 100644
> --- a/include/linux/overflow.h
> +++ b/include/linux/overflow.h
> @@ -127,6 +127,54 @@ static inline bool __must_check __must_check_overflow(bool overflow)
> (*_d >> _to_shift) != _a); \
> }))
>
> +#define __overflows_type_constexpr(x, T) ( \
> + is_unsigned_type(typeof(x)) ? \
> + (x) > type_max(typeof(T)) ? 1 : 0 \
> + : is_unsigned_type(typeof(T)) ? \
> + (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
> + : (x) < type_min(typeof(T)) || \
> + (x) > type_max(typeof(T)) ? 1 : 0 )
> +
> +#define __overflows_type(x, T) ({ \
> + typeof(T) v = 0; \
> + check_add_overflow((x), v, &v); \
> +})
> +
> +/**
> + * overflows_type - helper for checking the overflows between value, variables,
> + * or data type
> + *
> + * @n: source constant value or variable to be checked
> + * @T: destination variable or data type proposed to store @x
> + *
> + * Compares the @x expression for whether or not it can safely fit in
> + * the storage of the type in @T. @x and @T can have different types.
> + * If @x is a conxtant expression, this will also resolve to a constant
> + * expression.
> + *
> + * Returns: true if overflow can occur, false otherwise.
> + */
> +#define overflows_type(n, T) \
> + __builtin_choose_expr(__is_constexpr(n), \
> + __overflows_type_constexpr(n, T), \
> + __overflows_type(n, T))
> +
> +/**
> + * __castable_to_type - like __same_type(), but also allows for casted literals
> + *
> + * @n: variable or constant value
> + * @T: data type or variable
> + *
> + * Unlike the __same_type() macro, this allows a constant value as the
> + * first argument. If this value would not overflow into an assignment
> + * of the second argument's type, it returns true. Otherwise, this falls
> + * back to __same_type().
> + */
> +#define __castable_to_type(n, T) \
> + __builtin_choose_expr(__is_constexpr(n), \
> + !__overflows_type_constexpr(n, T), \
> + __same_type(n, T))
> +
This name is fine, but I prefer the __same_typable you suggested as a
comment in the previous patch better, what do you think?
( __castable_to_type(n, T); The macro name seems to handle if type
casting is possible to the second argument type from the first argument
variable. )
G.G.
next prev parent reply other threads:[~2022-09-26 16:59 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <202209251032.71251A8@keescook>
2022-09-26 0:37 ` [PATCH v11.5] overflow: Introduce overflows_type() and __castable_to_type() Kees Cook
2022-09-26 9:53 ` Gwan-gyeong Mun
2022-09-26 15:57 ` Gwan-gyeong Mun [this message]
2022-09-26 17:49 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=06a907d2-e976-ed8a-bfff-277c835d9ab2@intel.com \
--to=gwan-gyeong.mun@intel.com \
--cc=airlied@redhat.com \
--cc=andi.shyti@linux.intel.com \
--cc=andrzej.hajda@intel.com \
--cc=chris@chris-wilson.co.uk \
--cc=daniel@ffwll.ch \
--cc=dlatypov@google.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=gustavoars@kernel.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=jani.nikula@intel.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sparse@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=llvm@lists.linux.dev \
--cc=luc.vanoostenryck@gmail.com \
--cc=matthew.auld@intel.com \
--cc=mauro.chehab@linux.intel.com \
--cc=mchehab@kernel.org \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=nirmoy.das@intel.com \
--cc=thomas.hellstrom@linux.intel.com \
--cc=trix@redhat.com \
--cc=vitor@massaru.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).