Commit 4b21d25b authored by Kees Cook's avatar Kees Cook
Browse files

overflow: Introduce overflows_type() and castable_to_type() 

Implement a robust overflows_type() macro to test if a variable or
constant value would overflow another variable or type. This can be
used as a constant expression for static_assert() (which requires a
constant expression[1][2]) when used on constant values. This must be
constructed manually, since __builtin_add_overflow() does not produce
a constant expression[3].

Additionally adds castable_to_type(), similar to __same_type(), but for
checking if a constant value would overflow if cast to a given type.

Add unit tests for overflows_type(), __same_type(), and castable_to_type()
to the existing KUnit "overflow" test:

[16:03:33] ================== overflow (21 subtests) ==================
...
[16:03:33] [PASSED] overflows_type_test
[16:03:33] [PASSED] same_type_test
[16:03:33] [PASSED] castable_to_type_test
[16:03:33] ==================== [PASSED] overflow =====================
[16:03:33] ============================================================
[16:03:33] Testing complete. Ran 21 tests: passed: 21
[16:03:33] Elapsed time: 24.022s total, 0.002s configuring, 22.598s building, 0.767s running

[1] https://en.cppreference.com/w/c/language/_Static_assert
[2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions
[3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html


    6.56 Built-in Functions to Perform Arithmetic with Overflow Checking
    Built-in Function: bool __builtin_add_overflow (type1 a, type2 b,

Cc: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Tom Rix <trix@redhat.com>
Cc: Daniel Latypov <dlatypov@google.com>
Cc: Vitor Massaru Iha <vitor@massaru.org>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: linux-hardening@vger.kernel.org
Cc: llvm@lists.linux.dev
Co-developed-by: default avatarGwan-gyeong Mun <gwan-gyeong.mun@intel.com>
Signed-off-by: default avatarGwan-gyeong Mun <gwan-gyeong.mun@intel.com>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221024201125.1416422-1-gwan-gyeong.mun@intel.com
parent 6dd142d9

drivers/gpu/drm/i915/i915_user_extensions.c

+1 −1
Original line number Diff line number Diff line
@@ -51,7 +51,7 @@ int i915_user_extensions(struct i915_user_extension __user *ext, 
			return err;



		if (get_user(next, &ext->next_extension) ||

		    overflows_type(next, ext))

		    overflows_type(next, uintptr_t))

			return -EFAULT;



		ext = u64_to_user_ptr(next);

drivers/gpu/drm/i915/i915_utils.h

+0 −4
Original line number Diff line number Diff line
@@ -111,10 +111,6 @@ bool i915_error_injected(void); 
#define range_overflows_end_t(type, start, size, max) \

	range_overflows_end((type)(start), (type)(size), (type)(max))



/* Note we don't consider signbits :| */

#define overflows_type(x, T) \

	(sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))



#define ptr_mask_bits(ptr, n) ({					\

	unsigned long __v = (unsigned long)(ptr);			\

	(typeof(ptr))(__v & -BIT(n));					\

include/linux/compiler.h

+1 −0
Original line number Diff line number Diff line
@@ -236,6 +236,7 @@ static inline void *offset_to_ptr(const int *off) 
 * bool and also pointer types.

 */

#define is_signed_type(type) (((type)(-1)) < (__force type)1)

#define is_unsigned_type(type) (!is_signed_type(type))



/*

 * This is needed in functions which generate the stack canary, see

include/linux/overflow.h

+47 −0
Original line number Diff line number Diff line
@@ -128,6 +128,53 @@ static inline bool __must_check __must_check_overflow(bool overflow) 
	(*_d >> _to_shift) != _a);					\

}))



#define __overflows_type_constexpr(x, T) (			\

	is_unsigned_type(typeof(x)) ?				\

		(x) > type_max(typeof(T)) :			\

	is_unsigned_type(typeof(T)) ?				\

		(x) < 0 || (x) > type_max(typeof(T)) :		\

	(x) < type_min(typeof(T)) || (x) > type_max(typeof(T)))



#define __overflows_type(x, T)		({	\

	typeof(T) v = 0;			\

	check_add_overflow((x), v, &v);		\

})



/**

 * overflows_type - helper for checking the overflows between value, variables,

 *		    or data type

 *

 * @n: source constant value or variable to be checked

 * @T: destination variable or data type proposed to store @x

 *

 * Compares the @x expression for whether or not it can safely fit in

 * the storage of the type in @T. @x and @T can have different types.

 * If @x is a constant expression, this will also resolve to a constant

 * expression.

 *

 * Returns: true if overflow can occur, false otherwise.

 */

#define overflows_type(n, T)					\

	__builtin_choose_expr(__is_constexpr(n),		\

			      __overflows_type_constexpr(n, T),	\

			      __overflows_type(n, T))



/**

 * castable_to_type - like __same_type(), but also allows for casted literals

 *

 * @n: variable or constant value

 * @T: variable or data type

 *

 * Unlike the __same_type() macro, this allows a constant value as the

 * first argument. If this value would not overflow into an assignment

 * of the second argument's type, it returns true. Otherwise, this falls

 * back to __same_type().

 */

#define castable_to_type(n, T)						\

	__builtin_choose_expr(__is_constexpr(n),			\

			      !__overflows_type_constexpr(n, T),	\

			      __same_type(n, T))



/**

 * size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX

 * @factor1: first factor

lib/Makefile

+1 −0
Original line number Diff line number Diff line
@@ -374,6 +374,7 @@ obj-$(CONFIG_CMDLINE_KUNIT_TEST) += cmdline_kunit.o 
obj-$(CONFIG_SLUB_KUNIT_TEST) += slub_kunit.o

obj-$(CONFIG_MEMCPY_KUNIT_TEST) += memcpy_kunit.o

obj-$(CONFIG_IS_SIGNED_TYPE_KUNIT_TEST) += is_signed_type_kunit.o

CFLAGS_overflow_kunit.o = $(call cc-disable-warning, tautological-constant-out-of-range-compare)

obj-$(CONFIG_OVERFLOW_KUNIT_TEST) += overflow_kunit.o

CFLAGS_stackinit_kunit.o += $(call cc-disable-warning, switch-unreachable)

obj-$(CONFIG_STACKINIT_KUNIT_TEST) += stackinit_kunit.o