From: Kees Cook <keescook@chromium.org>
To: Andrzej Hajda <andrzej.hajda@intel.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
linux-hardening@vger.kernel.org,
Daniel Latypov <dlatypov@google.com>,
Vitor Massaru Iha <vitor@massaru.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] overflow: Allow mixed type arguments
Date: Tue, 30 Aug 2022 11:42:19 -0700
Message-ID: <202208301141.8CA10CA@keescook>
In-Reply-To: <8d880425-72f5-6ba6-933f-b8b016da88cd@intel.com>
On Tue, Aug 30, 2022 at 08:40:25AM +0200, Andrzej Hajda wrote:
>
>
> On 29.08.2022 23:45, Kees Cook wrote:
> > When the check_[op]_overflow() helpers were introduced, all arguments were
> > required to be the same type to make the fallback macros simpler. However,
> > once the fallback macros were removed[1], it is fine to allow mixed
> > types, which makes using the helpers much more useful, as they can be
> > used to test for type-based overflows (e.g. adding two large ints but
> > storing into a u8), as would be handy in the drm core[2].
> >
> > Remove the restriction, and add additional self-tests that exercise some
> > of the mixed-type overflow cases.
> >
> > [1] https://git.kernel.org/linus/4eb6bd55cfb22ffc20652732340c4962f3ac9a91
> > [2] https://lore.kernel.org/lkml/20220824084514.2261614-2-gwan-gyeong.mun@intel.com
> >
> > Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
> > Cc: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
> > Cc: Andrzej Hajda <andrzej.hajda@intel.com>
> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > Cc: Nick Desaulniers <ndesaulniers@google.com>
> > Cc: linux-hardening@vger.kernel.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > v2: change names to "type1_type2__output-type" for better readability (Rasmus)
> > v1: https://lore.kernel.org/lkml/20220829204729.3409270-1-keescook@chromium.org
> > ---
> > include/linux/overflow.h | 6 ----
> > lib/overflow_kunit.c | 77 +++++++++++++++++++++++++++++-----------
> > 2 files changed, 57 insertions(+), 26 deletions(-)
> >
> > diff --git a/include/linux/overflow.h b/include/linux/overflow.h
> > index 0eb3b192f07a..ad692fb11bf3 100644
> > --- a/include/linux/overflow.h
> > +++ b/include/linux/overflow.h
> > @@ -63,8 +63,6 @@ static inline bool __must_check __must_check_overflow(bool overflow)
> > typeof(a) __a = (a); \
> > typeof(b) __b = (b); \
> > typeof(d) __d = (d); \
> > - (void) (&__a == &__b); \
> > - (void) (&__a == __d); \
> > __builtin_add_overflow(__a, __b, __d); \
> > }))
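Review bot: with the two `(void)` pointer comparisons removed from check_add_overflow(), nothing in the macro states that overflow is now judged against the type `d` points to rather than a type shared by a, b and *d. A call that mixes int operands with a narrower destination used to fail to compile and will now build silently, so a comment on the macro saying "overflow is reported when the sum does not fit in *d" would make the new contract explicit. The context lines still copy the arguments into `__a`, `__b` and `__d`; if those stay, the comment should also say they exist only to evaluate each argument once.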
>
> Is there a reason to keep all local vars?
> Why not:
> #define check_add_overflow(a, b, d) \
> 	__must_check_overflow(__builtin_add_overflow((a), (b), (d)))
Excellent point! Those were there to avoid side-effects when doing the
type comparisons in the macro, which are being removed too. :P
--
Kees Cook
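
Added example, not part of the thread or of the kernel source: a userspace C sketch of the mixed-type behaviour the patch description mentions (int operands stored into a u8) using the simplified macro form proposed in the reply. It assumes GCC or Clang for `__builtin_add_overflow`; the helper names `sum_into_u8`, `sum_into_u32` and `count_evaluations` are hypothetical.

```c
/* Added userspace illustration; not the kernel's include/linux/overflow.h. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified form from the reply: no temporaries. __must_check_overflow()
 * is left out here because it only adds a __must_check annotation. */
#define check_add_overflow(a, b, d) __builtin_add_overflow((a), (b), (d))

/* Hypothetical helper: two int operands, u8 destination. */
static bool sum_into_u8(int a, int b, uint8_t *out)
{
	return check_add_overflow(a, b, out);
}

/* Hypothetical helper: signed and unsigned operands, u32 destination. */
static bool sum_into_u32(int a, unsigned int b, uint32_t *out)
{
	return check_add_overflow(a, b, out);
}

/* Hypothetical helper: counts how often an argument expression is run. */
static int count_evaluations(void)
{
	int calls = 0;
	uint8_t out;

	/* The builtin evaluates each argument once, so calls ends at 1. */
	(void)check_add_overflow((calls++, 100), 27, &out);
	return calls;
}

int main(void)
{
	uint8_t r8;
	uint32_t r32;

	/* The sum is computed as if in infinite precision, then checked
	 * against the destination type, not the operand types. */
	printf("200+55 -> u8:  overflow=%d\n", sum_into_u8(200, 55, &r8));
	printf("200+56 -> u8:  overflow=%d\n", sum_into_u8(200, 56, &r8));
	printf("-1+0u  -> u32: overflow=%d\n", sum_into_u32(-1, 0u, &r32));
	printf("-1+1u  -> u32: overflow=%d\n", sum_into_u32(-1, 1u, &r32));
	printf("argument evaluations: %d\n", count_evaluations());
	return 0;
}
```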