compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 OR MIT */
|
|
|
|
#ifndef __LINUX_OVERFLOW_H
|
|
|
|
#define __LINUX_OVERFLOW_H
|
|
|
|
|
|
|
|
#include <linux/compiler.h>
|
2020-09-13 18:29:28 +08:00
|
|
|
#include <linux/limits.h>
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* In the fallback code below, we need to compute the minimum and
|
|
|
|
* maximum values representable in a given type. These macros may also
|
|
|
|
* be useful elsewhere, so we provide them outside the
|
|
|
|
* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block.
|
|
|
|
*
|
|
|
|
* It would seem more obvious to do something like
|
|
|
|
*
|
|
|
|
* #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
|
|
|
|
* #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
|
|
|
|
*
|
|
|
|
* Unfortunately, the middle expressions, strictly speaking, have
|
|
|
|
* undefined behaviour, and at least some versions of gcc warn about
|
|
|
|
* the type_max expression (but not if -fsanitize=undefined is in
|
|
|
|
* effect; in that case, the warning is deferred to runtime...).
|
|
|
|
*
|
|
|
|
* The slightly excessive casting in type_min is to make sure the
|
|
|
|
* macros also produce sensible values for the exotic type _Bool. [The
|
|
|
|
* overflow checkers only almost work for _Bool, but that's
|
|
|
|
* a-feature-not-a-bug, since people shouldn't be doing arithmetic on
|
|
|
|
* _Bools. Besides, the gcc builtins don't allow _Bool* as third
|
|
|
|
* argument.]
|
|
|
|
*
|
|
|
|
* Idea stolen from
|
|
|
|
* https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
|
|
|
|
* credit to Christian Biere.
|
|
|
|
*/
|
|
|
|
#define is_signed_type(type) (((type)(-1)) < (type)1)
|
|
|
|
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
|
|
|
|
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
|
|
|
|
#define type_min(T) ((T)((T)-type_max(T)-(T)1))
|
|
|
|
|
2019-03-17 18:11:14 +08:00
|
|
|
/*
|
|
|
|
* Avoids triggering -Wtype-limits compilation warning,
|
|
|
|
* while using unsigned data types to check a < 0.
|
|
|
|
*/
|
|
|
|
#define is_non_negative(a) ((a) > 0 || (a) == 0)
|
|
|
|
#define is_negative(a) (!(is_non_negative(a)))
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
|
2020-08-13 05:47:03 +08:00
|
|
|
/*
|
|
|
|
* Allows for effectively applying __must_check to a macro so we can have
|
|
|
|
* both the type-agnostic benefits of the macros while also being able to
|
|
|
|
* enforce that the return value is, in fact, checked.
|
|
|
|
*/
|
|
|
|
static inline bool __must_check __must_check_overflow(bool overflow)
|
|
|
|
{
|
|
|
|
return unlikely(overflow);
|
|
|
|
}
|
|
|
|
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
|
|
|
|
/*
|
|
|
|
* For simplicity and code hygiene, the fallback code below insists on
|
|
|
|
* a, b and *d having the same type (similar to the min() and max()
|
|
|
|
* macros), whereas gcc's type-generic overflow checkers accept
|
|
|
|
* different types. Hence we don't just make check_add_overflow an
|
|
|
|
* alias for __builtin_add_overflow, but add type checks similar to
|
|
|
|
* below.
|
|
|
|
*/
|
2020-08-13 05:47:03 +08:00
|
|
|
#define check_add_overflow(a, b, d) __must_check_overflow(({ \
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
typeof(a) __a = (a); \
|
|
|
|
typeof(b) __b = (b); \
|
|
|
|
typeof(d) __d = (d); \
|
|
|
|
(void) (&__a == &__b); \
|
|
|
|
(void) (&__a == __d); \
|
|
|
|
__builtin_add_overflow(__a, __b, __d); \
|
2020-08-13 05:47:03 +08:00
|
|
|
}))
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
|
2020-08-13 05:47:03 +08:00
|
|
|
#define check_sub_overflow(a, b, d) __must_check_overflow(({ \
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
typeof(a) __a = (a); \
|
|
|
|
typeof(b) __b = (b); \
|
|
|
|
typeof(d) __d = (d); \
|
|
|
|
(void) (&__a == &__b); \
|
|
|
|
(void) (&__a == __d); \
|
|
|
|
__builtin_sub_overflow(__a, __b, __d); \
|
2020-08-13 05:47:03 +08:00
|
|
|
}))
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
|
2020-08-13 05:47:03 +08:00
|
|
|
#define check_mul_overflow(a, b, d) __must_check_overflow(({ \
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
typeof(a) __a = (a); \
|
|
|
|
typeof(b) __b = (b); \
|
|
|
|
typeof(d) __d = (d); \
|
|
|
|
(void) (&__a == &__b); \
|
|
|
|
(void) (&__a == __d); \
|
|
|
|
__builtin_mul_overflow(__a, __b, __d); \
|
2020-08-13 05:47:03 +08:00
|
|
|
}))
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
|
|
|
|
#else
|
|
|
|
|
|
|
|
|
|
|
|
/* Checking for unsigned overflow is relatively easy without causing UB. */
|
|
|
|
#define __unsigned_add_overflow(a, b, d) ({ \
|
|
|
|
typeof(a) __a = (a); \
|
|
|
|
typeof(b) __b = (b); \
|
|
|
|
typeof(d) __d = (d); \
|
|
|
|
(void) (&__a == &__b); \
|
|
|
|
(void) (&__a == __d); \
|
|
|
|
*__d = __a + __b; \
|
|
|
|
*__d < __a; \
|
|
|
|
})
|
|
|
|
#define __unsigned_sub_overflow(a, b, d) ({ \
|
|
|
|
typeof(a) __a = (a); \
|
|
|
|
typeof(b) __b = (b); \
|
|
|
|
typeof(d) __d = (d); \
|
|
|
|
(void) (&__a == &__b); \
|
|
|
|
(void) (&__a == __d); \
|
|
|
|
*__d = __a - __b; \
|
|
|
|
__a < __b; \
|
|
|
|
})
|
|
|
|
/*
|
|
|
|
* If one of a or b is a compile-time constant, this avoids a division.
|
|
|
|
*/
|
|
|
|
#define __unsigned_mul_overflow(a, b, d) ({ \
|
|
|
|
typeof(a) __a = (a); \
|
|
|
|
typeof(b) __b = (b); \
|
|
|
|
typeof(d) __d = (d); \
|
|
|
|
(void) (&__a == &__b); \
|
|
|
|
(void) (&__a == __d); \
|
|
|
|
*__d = __a * __b; \
|
|
|
|
__builtin_constant_p(__b) ? \
|
|
|
|
__b > 0 && __a > type_max(typeof(__a)) / __b : \
|
|
|
|
__a > 0 && __b > type_max(typeof(__b)) / __a; \
|
|
|
|
})
|
|
|
|
|
|
|
|
/*
|
|
|
|
* For signed types, detecting overflow is much harder, especially if
|
|
|
|
* we want to avoid UB. But the interface of these macros is such that
|
|
|
|
* we must provide a result in *d, and in fact we must produce the
|
|
|
|
* result promised by gcc's builtins, which is simply the possibly
|
|
|
|
* wrapped-around value. Fortunately, we can just formally do the
|
|
|
|
* operations in the widest relevant unsigned type (u64) and then
|
|
|
|
* truncate the result - gcc is smart enough to generate the same code
|
|
|
|
* with and without the (u64) casts.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Adding two signed integers can overflow only if they have the same
|
|
|
|
* sign, and overflow has happened iff the result has the opposite
|
|
|
|
* sign.
|
|
|
|
*/
|
|
|
|
#define __signed_add_overflow(a, b, d) ({ \
|
|
|
|
typeof(a) __a = (a); \
|
|
|
|
typeof(b) __b = (b); \
|
|
|
|
typeof(d) __d = (d); \
|
|
|
|
(void) (&__a == &__b); \
|
|
|
|
(void) (&__a == __d); \
|
|
|
|
*__d = (u64)__a + (u64)__b; \
|
|
|
|
(((~(__a ^ __b)) & (*__d ^ __a)) \
|
|
|
|
& type_min(typeof(__a))) != 0; \
|
|
|
|
})
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Subtraction is similar, except that overflow can now happen only
|
|
|
|
* when the signs are opposite. In this case, overflow has happened if
|
|
|
|
* the result has the opposite sign of a.
|
|
|
|
*/
|
|
|
|
#define __signed_sub_overflow(a, b, d) ({ \
|
|
|
|
typeof(a) __a = (a); \
|
|
|
|
typeof(b) __b = (b); \
|
|
|
|
typeof(d) __d = (d); \
|
|
|
|
(void) (&__a == &__b); \
|
|
|
|
(void) (&__a == __d); \
|
|
|
|
*__d = (u64)__a - (u64)__b; \
|
|
|
|
((((__a ^ __b)) & (*__d ^ __a)) \
|
|
|
|
& type_min(typeof(__a))) != 0; \
|
|
|
|
})
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Signed multiplication is rather hard. gcc always follows C99, so
|
|
|
|
* division is truncated towards 0. This means that we can write the
|
|
|
|
* overflow check like this:
|
|
|
|
*
|
|
|
|
* (a > 0 && (b > MAX/a || b < MIN/a)) ||
|
|
|
|
* (a < -1 && (b > MIN/a || b < MAX/a) ||
|
|
|
|
* (a == -1 && b == MIN)
|
|
|
|
*
|
|
|
|
* The redundant casts of -1 are to silence an annoying -Wtype-limits
|
|
|
|
* (included in -Wextra) warning: When the type is u8 or u16, the
|
|
|
|
* __b_c_e in check_mul_overflow obviously selects
|
|
|
|
* __unsigned_mul_overflow, but unfortunately gcc still parses this
|
|
|
|
* code and warns about the limited range of __b.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#define __signed_mul_overflow(a, b, d) ({ \
|
|
|
|
typeof(a) __a = (a); \
|
|
|
|
typeof(b) __b = (b); \
|
|
|
|
typeof(d) __d = (d); \
|
|
|
|
typeof(a) __tmax = type_max(typeof(a)); \
|
|
|
|
typeof(a) __tmin = type_min(typeof(a)); \
|
|
|
|
(void) (&__a == &__b); \
|
|
|
|
(void) (&__a == __d); \
|
|
|
|
*__d = (u64)__a * (u64)__b; \
|
|
|
|
(__b > 0 && (__a > __tmax/__b || __a < __tmin/__b)) || \
|
|
|
|
(__b < (typeof(__b))-1 && (__a > __tmin/__b || __a < __tmax/__b)) || \
|
|
|
|
(__b == (typeof(__b))-1 && __a == __tmin); \
|
|
|
|
})
|
|
|
|
|
|
|
|
|
2020-08-13 05:47:03 +08:00
|
|
|
#define check_add_overflow(a, b, d) __must_check_overflow( \
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
__builtin_choose_expr(is_signed_type(typeof(a)), \
|
|
|
|
__signed_add_overflow(a, b, d), \
|
2020-08-13 05:47:03 +08:00
|
|
|
__unsigned_add_overflow(a, b, d)))
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
|
2020-08-13 05:47:03 +08:00
|
|
|
#define check_sub_overflow(a, b, d) __must_check_overflow( \
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
__builtin_choose_expr(is_signed_type(typeof(a)), \
|
|
|
|
__signed_sub_overflow(a, b, d), \
|
2020-08-13 05:47:03 +08:00
|
|
|
__unsigned_sub_overflow(a, b, d)))
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
|
2020-08-13 05:47:03 +08:00
|
|
|
#define check_mul_overflow(a, b, d) __must_check_overflow( \
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
__builtin_choose_expr(is_signed_type(typeof(a)), \
|
|
|
|
__signed_mul_overflow(a, b, d), \
|
2020-08-13 05:47:03 +08:00
|
|
|
__unsigned_mul_overflow(a, b, d)))
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
|
|
|
|
#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
|
|
|
|
|
2018-08-02 05:25:39 +08:00
|
|
|
/** check_shl_overflow() - Calculate a left-shifted value and check overflow
|
|
|
|
*
|
|
|
|
* @a: Value to be shifted
|
|
|
|
* @s: How many bits left to shift
|
|
|
|
* @d: Pointer to where to store the result
|
|
|
|
*
|
|
|
|
* Computes *@d = (@a << @s)
|
|
|
|
*
|
|
|
|
* Returns true if '*d' cannot hold the result or when 'a << s' doesn't
|
|
|
|
* make sense. Example conditions:
|
|
|
|
* - 'a << s' causes bits to be lost when stored in *d.
|
|
|
|
* - 's' is garbage (e.g. negative) or so large that the result of
|
|
|
|
* 'a << s' is guaranteed to be 0.
|
|
|
|
* - 'a' is negative.
|
|
|
|
* - 'a << s' sets the sign bit, if any, in '*d'.
|
|
|
|
*
|
|
|
|
* '*d' will hold the results of the attempted shift, but is not
|
2021-04-02 00:06:29 +08:00
|
|
|
* considered "safe for use" if true is returned.
|
2018-08-02 05:25:39 +08:00
|
|
|
*/
|
2020-08-13 05:47:03 +08:00
|
|
|
#define check_shl_overflow(a, s, d) __must_check_overflow(({ \
|
2018-08-02 05:25:39 +08:00
|
|
|
typeof(a) _a = a; \
|
|
|
|
typeof(s) _s = s; \
|
|
|
|
typeof(d) _d = d; \
|
|
|
|
u64 _a_full = _a; \
|
|
|
|
unsigned int _to_shift = \
|
2019-03-17 18:11:14 +08:00
|
|
|
is_non_negative(_s) && _s < 8 * sizeof(*d) ? _s : 0; \
|
2018-08-02 05:25:39 +08:00
|
|
|
*_d = (_a_full << _to_shift); \
|
2019-03-17 18:11:14 +08:00
|
|
|
(_to_shift != _s || is_negative(*_d) || is_negative(_a) || \
|
|
|
|
(*_d >> _to_shift) != _a); \
|
2020-08-13 05:47:03 +08:00
|
|
|
}))
|
2018-08-02 05:25:39 +08:00
|
|
|
|
2018-05-08 07:47:02 +08:00
|
|
|
/**
|
|
|
|
* array_size() - Calculate size of 2-dimensional array.
|
|
|
|
*
|
|
|
|
* @a: dimension one
|
|
|
|
* @b: dimension two
|
|
|
|
*
|
|
|
|
* Calculates size of 2-dimensional array: @a * @b.
|
|
|
|
*
|
|
|
|
* Returns: number of bytes needed to represent the array or SIZE_MAX on
|
|
|
|
* overflow.
|
|
|
|
*/
|
|
|
|
static inline __must_check size_t array_size(size_t a, size_t b)
|
|
|
|
{
|
|
|
|
size_t bytes;
|
|
|
|
|
|
|
|
if (check_mul_overflow(a, b, &bytes))
|
|
|
|
return SIZE_MAX;
|
|
|
|
|
|
|
|
return bytes;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* array3_size() - Calculate size of 3-dimensional array.
|
|
|
|
*
|
|
|
|
* @a: dimension one
|
|
|
|
* @b: dimension two
|
|
|
|
* @c: dimension three
|
|
|
|
*
|
|
|
|
* Calculates size of 3-dimensional array: @a * @b * @c.
|
|
|
|
*
|
|
|
|
* Returns: number of bytes needed to represent the array or SIZE_MAX on
|
|
|
|
* overflow.
|
|
|
|
*/
|
|
|
|
static inline __must_check size_t array3_size(size_t a, size_t b, size_t c)
|
|
|
|
{
|
|
|
|
size_t bytes;
|
|
|
|
|
|
|
|
if (check_mul_overflow(a, b, &bytes))
|
|
|
|
return SIZE_MAX;
|
|
|
|
if (check_mul_overflow(bytes, c, &bytes))
|
|
|
|
return SIZE_MAX;
|
|
|
|
|
|
|
|
return bytes;
|
|
|
|
}
|
|
|
|
|
2019-04-11 04:27:25 +08:00
|
|
|
/*
|
|
|
|
* Compute a*b+c, returning SIZE_MAX on overflow. Internal helper for
|
|
|
|
* struct_size() below.
|
|
|
|
*/
|
|
|
|
static inline __must_check size_t __ab_c_size(size_t a, size_t b, size_t c)
|
2018-05-08 07:47:02 +08:00
|
|
|
{
|
|
|
|
size_t bytes;
|
|
|
|
|
2019-04-11 04:27:25 +08:00
|
|
|
if (check_mul_overflow(a, b, &bytes))
|
2018-05-08 07:47:02 +08:00
|
|
|
return SIZE_MAX;
|
|
|
|
if (check_add_overflow(bytes, c, &bytes))
|
|
|
|
return SIZE_MAX;
|
|
|
|
|
|
|
|
return bytes;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct_size() - Calculate size of structure with trailing array.
|
|
|
|
* @p: Pointer to the structure.
|
|
|
|
* @member: Name of the array member.
|
2020-06-09 09:22:33 +08:00
|
|
|
* @count: Number of elements in the array.
|
2018-05-08 07:47:02 +08:00
|
|
|
*
|
|
|
|
* Calculates size of memory needed for structure @p followed by an
|
2020-06-09 09:22:33 +08:00
|
|
|
* array of @count number of @member elements.
|
2018-05-08 07:47:02 +08:00
|
|
|
*
|
|
|
|
* Return: number of bytes needed or SIZE_MAX on overflow.
|
|
|
|
*/
|
2020-06-09 09:22:33 +08:00
|
|
|
#define struct_size(p, member, count) \
|
|
|
|
__ab_c_size(count, \
|
2018-05-08 07:47:02 +08:00
|
|
|
sizeof(*(p)->member) + __must_be_array((p)->member),\
|
|
|
|
sizeof(*(p)))
|
|
|
|
|
2020-06-09 09:22:33 +08:00
|
|
|
/**
|
|
|
|
* flex_array_size() - Calculate size of a flexible array member
|
|
|
|
* within an enclosing structure.
|
|
|
|
*
|
|
|
|
* @p: Pointer to the structure.
|
|
|
|
* @member: Name of the flexible array member.
|
|
|
|
* @count: Number of elements in the array.
|
|
|
|
*
|
|
|
|
* Calculates size of a flexible array of @count number of @member
|
|
|
|
* elements, at the end of structure @p.
|
|
|
|
*
|
|
|
|
* Return: number of bytes needed or SIZE_MAX on overflow.
|
|
|
|
*/
|
|
|
|
#define flex_array_size(p, member, count) \
|
|
|
|
array_size(count, \
|
|
|
|
sizeof(*(p)->member) + __must_be_array((p)->member))
|
|
|
|
|
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-05-08 06:36:27 +08:00
|
|
|
#endif /* __LINUX_OVERFLOW_H */
|