From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Gustavo A. R. Silva", Andrew Morton, Nathan Chancellor, Nick Desaulniers, Bill Wendling, Justin Stitt, llvm@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: [PATCH 01/82] overflow: Expand check_add_overflow() for pointer addition
Date: Mon, 22 Jan 2024 16:26:36 -0800
Message-Id: <20240123002814.1396804-1-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

The check_add_overflow() helper is mostly a wrapper around
__builtin_add_overflow(), but GCC and Clang refuse to operate on pointer
arguments that would normally be allowed if the addition were open-coded.

For example, we have many places where pointer overflow is tested:

	struct foo *ptr;
	...
	/* Check for overflow */
	if (ptr + count < ptr) ...

And in order to avoid running into the overflow sanitizers in the
future, we need to rewrite these "intended" overflow checks:

	if (check_add_overflow(ptr, count, &result)) ...

Frustratingly the argument type validation for __builtin_add_overflow()
is done before evaluating __builtin_choose_expr(), so for arguments to
be valid simultaneously for sizeof(*p) (when p may not be a pointer),
and __builtin_add_overflow(a, ...) (when a may be a pointer), we must
introduce wrappers that always produce a specific type (but they are
only used in the places where the bogus arguments will be ignored).

To test whether a variable is a pointer or not, introduce the __is_ptr()
helper, which uses __builtin_classify_type() to find arrays and pointers
(via the new __is_ptr_or_array() helper), and then decays arrays into
pointers (via the new __decay() helper), to distinguish pointers from
arrays.

Additionally update the unit tests to cover pointer addition.

Cc: "Gustavo A. R. Silva"
Cc: Andrew Morton
Cc: Nathan Chancellor
Cc: Nick Desaulniers
Cc: Bill Wendling
Cc: Justin Stitt
Cc: llvm@lists.linux.dev
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed-by: Justin Stitt
---
 include/linux/compiler_types.h | 10 +++++
 include/linux/overflow.h       | 44 ++++++++++++++++++-
 lib/overflow_kunit.c           | 77 ++++++++++++++++++++++++++++++----
 3 files changed, 121 insertions(+), 10 deletions(-)

diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index 6f1ca49306d2..d27b58fddfaa 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h 
@@ -375,6 +375,16 @@ struct ftrace_likely_data { /* Are two types/vars the same type (ignoring qualifiers)? */ #define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b= )) =20 +/* Is variable addressable? */ +#define __is_ptr_or_array(p) (__builtin_classify_type(p) =3D=3D 5) + +/* Return an array decayed to a pointer. */ +#define __decay(p) \ + (&*__builtin_choose_expr(__is_ptr_or_array(p), p, NULL)) + +/* Report if variable is a pointer type. */ +#define __is_ptr(p) __same_type(p, __decay(p)) + /* * __unqual_scalar_typeof(x) - Declare an unqualified scalar type, leaving * non-scalar types unchanged. diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 7b5cf4a5cd19..099f2e559aa8 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h 
@@ -51,6 +51,45 @@ static inline bool __must_check __must_check_overflow(bo= ol overflow) return unlikely(overflow); } =20 +/* Always produce an integral variable expression. */ +#define __filter_integral(x) \ + __builtin_choose_expr(!__is_ptr(x), (x), 0) + +/* Always produce a pointer value. */ +#define __filter_ptr(x) \ + __builtin_choose_expr(__is_ptr(x), (x), NULL) + +/* Always produce a pointer to an integral value. */ +#define __filter_ptrint(x) \ + __builtin_choose_expr(!__is_ptr(*(x)), x, &(int){ 0 }) + +/** + * __check_ptr_add_overflow() - Calculate pointer addition with overflow c= hecking + * @a: pointer addend + * @b: numeric addend + * @d: pointer to store sum + * + * Returns 0 on success. + * + * Do not use this function directly, use check_add_overflow() instead. + * + * *@d holds the results of the attempted addition, but is not considered + * "safe for use" on a non-zero return value, which indicates that the + * sum has overflowed or been truncated. + */ +#define __check_ptr_add_overflow(a, b, d) \ + ({ \ + typeof(a) __a =3D (a); \ + typeof(b) __b =3D (b); \ + size_t __bytes; \ + bool __overflow; \ + \ + /* we want to perform the wrap-around, but retain the result */ \ + __overflow =3D __builtin_mul_overflow(sizeof(*(__a)), __b, &__bytes); \ + __builtin_add_overflow((unsigned long)(__a), __bytes, (unsigned long *)(= d)) || \ + __overflow; \ + }) + /** * check_add_overflow() - Calculate addition with overflow checking * @a: first addend @@ -64,7 +103,10 @@ static inline bool __must_check __must_check_overflow(b= ool overflow) * sum has overflowed or been truncated. */ #define check_add_overflow(a, b, d) \ - __must_check_overflow(__builtin_add_overflow(a, b, d)) + __must_check_overflow(__builtin_choose_expr(__is_ptr(a), \ + __check_ptr_add_overflow(__filter_ptr(a), b, d), \ + __builtin_add_overflow(__filter_integral(a), b, \ + __filter_ptrint(d)))) =20 /** * check_sub_overflow() - Calculate subtraction with overflow checking 
diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c index c527f6b75789..2d106e880956 100644 --- a/lib/overflow_kunit.c +++ b/lib/overflow_kunit.c @@ -45,13 +45,18 @@ # define SKIP_64_ON_32(t) do { } while (0) #endif =20 -#define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \ - static const struct test_ ## t1 ## _ ## t2 ## __ ## t { \ +#define DEFINE_TEST_ARRAY_NAMED_TYPED(n1, n2, n, t1, t2, t) \ + static const struct test_ ## n1 ## _ ## n2 ## __ ## n { \ t1 a; \ t2 b; \ - t sum, diff, prod; \ + t sum; \ + t diff; \ + t prod; \ bool s_of, d_of, p_of; \ - } t1 ## _ ## t2 ## __ ## t ## _tests[] + } n1 ## _ ## n2 ## __ ## n ## _tests[] + +#define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \ + DEFINE_TEST_ARRAY_NAMED_TYPED(t1, t2, t, t1, t2, t) =20 #define DEFINE_TEST_ARRAY(t) DEFINE_TEST_ARRAY_TYPED(t, t, t) =20 @@ -251,8 +256,10 @@ DEFINE_TEST_ARRAY(s64) =3D { }; =20 #define check_one_op(t, fmt, op, sym, a, b, r, of) do { \ - int _a_orig =3D a, _a_bump =3D a + 1; \ - int _b_orig =3D b, _b_bump =3D b + 1; \ + typeof(a + 0) _a_orig =3D a; \ + typeof(a + 0) _a_bump =3D a + 1; \ + typeof(b + 0) _b_orig =3D b; \ + typeof(b + 0) _b_bump =3D b + 1; \ bool _of; \ t _r; \ \ 
@@ -260,13 +267,13 @@ DEFINE_TEST_ARRAY(s64) =3D { KUNIT_EXPECT_EQ_MSG(test, _of, of, \ "expected "fmt" "sym" "fmt" to%s overflow (type %s)\n", \ a, b, of ? "" : " not", #t); \ - KUNIT_EXPECT_EQ_MSG(test, _r, r, \ + KUNIT_EXPECT_TRUE_MSG(test, _r =3D=3D r, \ "expected "fmt" "sym" "fmt" =3D=3D "fmt", got "fmt" (type %s)\n", \ a, b, r, _r, #t); \ /* Check for internal macro side-effects. */ \ _of =3D check_ ## op ## _overflow(_a_orig++, _b_orig++, &_r); \ - KUNIT_EXPECT_EQ_MSG(test, _a_orig, _a_bump, "Unexpected " #op " macro sid= e-effect!\n"); \ - KUNIT_EXPECT_EQ_MSG(test, _b_orig, _b_bump, "Unexpected " #op " macro sid= e-effect!\n"); \ + KUNIT_EXPECT_TRUE_MSG(test, _a_orig =3D=3D _a_bump, "Unexpected " #op " m= acro side-effect!\n"); \ + KUNIT_EXPECT_TRUE_MSG(test, _b_orig =3D=3D _b_bump, "Unexpected " #op " m= acro side-effect!\n"); \ } while (0) =20 #define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \ 
@@ -333,6 +340,55 @@ DEFINE_TEST_ARRAY_TYPED(int, int, u8) =3D { }; DEFINE_TEST_FUNC_TYPED(int_int__u8, u8, "%d"); =20 +#define DEFINE_TEST_PTR_FUNC_TYPED(n, t, fmt) \ +static void do_ptr_test_ ## n(struct kunit *test, const struct test_ ## n = *p) \ +{ \ + /* we're only doing single-direction sums, no product or division */ \ + check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of);\ +} \ + \ +static void n ## _overflow_test(struct kunit *test) { \ + unsigned i; \ + \ + for (i =3D 0; i < ARRAY_SIZE(n ## _tests); ++i) \ + do_ptr_test_ ## n(test, &n ## _tests[i]); \ + kunit_info(test, "%zu %s arithmetic tests finished\n", \ + ARRAY_SIZE(n ## _tests), #n); \ +} + +DEFINE_TEST_ARRAY_NAMED_TYPED(void, int, void, void *, int, void *) =3D { + {NULL, 0, NULL, NULL, NULL, false, false, false}, + {(void *)0x30, 0x10, (void *)0x40, NULL, NULL, false, false, false}, + {(void *)ULONG_MAX, 0, (void *)ULONG_MAX, NULL, NULL, false, false, false= }, + {(void *)ULONG_MAX, 1, NULL, NULL, NULL, true, false, false}, + {(void *)ULONG_MAX, INT_MAX, (void *)(INT_MAX - 1), NULL, NULL, true, fal= se, false}, +}; +DEFINE_TEST_PTR_FUNC_TYPED(void_int__void, void *, "%lx"); + +struct _sized { + int a; + char b; +}; + +DEFINE_TEST_ARRAY_NAMED_TYPED(sized, int, sized, struct _sized *, int, str= uct _sized *) =3D { + {NULL, 0, NULL, NULL, NULL, false, false, false}, + {NULL, 1, (struct _sized *)(sizeof(struct _sized)), NULL, NULL, false, fa= lse, false}, + {NULL, 0x10, (struct _sized *)(sizeof(struct _sized) * 0x10), NULL, NULL,= false, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized)), 1, (struct _sized *)ULONG_M= AX, NULL, NULL, false, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized) + 1), 1, NULL, NULL, NULL, tr= ue, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized) + 1), 2, (struct _sized *)(si= zeof(struct _sized)), NULL, NULL, true, false, false}, + {(void *)(ULONG_MAX - sizeof(struct _sized) + 1), 3, (struct _sized *)(si= zeof(struct _sized) * 2), 
NULL, NULL, true, false, false}, +}; +DEFINE_TEST_PTR_FUNC_TYPED(sized_int__sized, struct _sized *, "%lx"); + +DEFINE_TEST_ARRAY_NAMED_TYPED(sized, size_t, sized, struct _sized *, size_= t, struct _sized *) =3D { + {NULL, 0, NULL, NULL, NULL, false, false, false}, + {NULL, 1, (struct _sized *)(sizeof(struct _sized)), NULL, NULL, false, fa= lse, false}, + {NULL, 0x10, (struct _sized *)(sizeof(struct _sized) * 0x10), NULL, NULL,= false, false, false}, + {NULL, SIZE_MAX - 10, (struct _sized *)18446744073709551528UL, NULL, NULL= , true, false, false}, +}; +DEFINE_TEST_PTR_FUNC_TYPED(sized_size_t__sized, struct _sized *, "%zu"); + /* Args are: value, shift, type, expected result, overflow expected */ #define TEST_ONE_SHIFT(a, s, t, expect, of) do { \ typeof(a) __a =3D (a); \ 
@@ -1122,6 +1178,9 @@ static struct kunit_case overflow_test_cases[] =3D { KUNIT_CASE(s32_s32__s32_overflow_test), KUNIT_CASE(u64_u64__u64_overflow_test), KUNIT_CASE(s64_s64__s64_overflow_test), + KUNIT_CASE(void_int__void_overflow_test), + KUNIT_CASE(sized_int__sized_overflow_test), + KUNIT_CASE(sized_size_t__sized_overflow_test), KUNIT_CASE(u32_u32__int_overflow_test), KUNIT_CASE(u32_u32__u8_overflow_test), KUNIT_CASE(u8_u8__int_overflow_test), --=20 2.34.1
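
Review bot: In the include/linux/compiler_types.h hunk, __is_ptr_or_array() compares __builtin_classify_type(p) against a bare 5, and its comment ("Is variable addressable?") describes something other than what the macro name and the commit message say it does, which is to find pointers and arrays. Suggest rewording the comment to match the name and either giving the 5 a named constant or noting where the value comes from, so a reader does not have to look up the compiler's type-class numbering.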
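
Review bot: In __check_ptr_add_overflow() (include/linux/overflow.h), the scaled offset is computed into a size_t by __builtin_mul_overflow(sizeof(*(__a)), __b, &__bytes), so a negative @b can never be represented and every pointer-plus-negative-count call returns non-zero, even when the resulting address is in range. The kernel-doc only says "@b: numeric addend"; it should state that negative addends are reported as overflow, or the macro should handle them. Separately, the (unsigned long *)(d) cast accepts a @d of any pointer type, so a mismatch between typeof(a) and typeof(*(d)) is not diagnosed; a __same_type() assertion on the two would catch it at build time.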
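
Review bot: In lib/overflow_kunit.c, the last entry of the sized/size_t test array hard-codes the expected sum as 18446744073709551528UL, which is only correct when unsigned long is 64 bits wide and sizeof(struct _sized) is 8. Suggest deriving it from the inputs, for example (struct _sized *)(sizeof(struct _sized) * (SIZE_MAX - 10)), or skipping that case on 32-bit builds in the way SKIP_64_ON_32() is used elsewhere in the file. The "%lx" and "%zu" format strings handed to DEFINE_TEST_PTR_FUNC_TYPED() are also applied to pointer-typed values in check_one_op(); "%p" or an explicit cast would match the argument types.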
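
The difference between the open-coded "ptr + count < ptr" test and the checked form described in the commit message of patch 01, modelled in userspace C as an added example (it is not code from this series). Addresses are held as uintptr_t so that the wrap-around is well defined; open_coded_wraps(), checked_ptr_add() and struct sized are hypothetical names, and the addresses are constructed values.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed element type, shaped like the test struct in the patch. */
struct sized {
	int a;
	char b;
};

/*
 * The open-coded idiom "ptr + count < ptr", modelled on integers.
 * Scaling by the element size wraps silently, and only a wrap in the
 * final addition is noticed.
 */
static bool open_coded_wraps(uintptr_t base, size_t elem, size_t count)
{
	uintptr_t end = base + (uintptr_t)(elem * count);

	return end < base;
}

/*
 * Checked form: scale, then add, and report a wrap in either step.
 * *out always receives the wrapped result, so it must not be used when
 * the function returns true.
 */
static bool checked_ptr_add(uintptr_t base, size_t elem, long long count,
			    uintptr_t *out)
{
	size_t bytes;
	bool scaled_wrapped = __builtin_mul_overflow(elem, count, &bytes);
	bool added_wrapped = __builtin_add_overflow(base, bytes, out);

	return scaled_wrapped || added_wrapped;
}

int main(void)
{
	const size_t elem = sizeof(struct sized);
	const struct {
		uintptr_t base;
		long long count;
		const char *what;
	} cases[] = {
		{ 0x1000, 2, "small in-range step" },
		{ UINTPTR_MAX - elem + 1, 1, "addition wraps past the top" },
		/* elem * count exceeds SIZE_MAX and wraps to a small offset */
		{ 0x1000, (long long)(SIZE_MAX / elem + 2), "scaling wraps first" },
		/* a negative count cannot be held in the size_t byte offset */
		{ 0x1000, -1, "negative count" },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		uintptr_t out = 0;
		bool open = open_coded_wraps(cases[i].base, elem,
					     (size_t)cases[i].count);
		bool checked = checked_ptr_add(cases[i].base, elem,
					       cases[i].count, &out);

		printf("%-28s open-coded=%d checked=%d wrapped result=%#" PRIxPTR "\n",
		       cases[i].what, open, checked, out);
	}
	return 0;
}
```

The third case is the one the open-coded test misses: the byte offset wraps during scaling, the final address lands just above the base, and only the checked form reports it.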

From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 02/82] overflow: Introduce add_would_overflow()
Date: Mon, 22 Jan 2024 16:26:37 -0800
Message-Id: <20240123002814.1396804-2-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

For instances where only the overflow needs to be checked (and the sum
isn't used), provide the new helper add_would_overflow(), which is
a wrapper for check_add_overflow().

Cc: "Gustavo A. R. Silva"
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook
---
 include/linux/overflow.h | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 099f2e559aa8..ac088f73e0fd 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h 
@@ -108,6 +108,22 @@ static inline bool __must_check __must_check_overflow(= bool overflow) __builtin_add_overflow(__filter_integral(a), b, \ __filter_ptrint(d)))) =20 +/** + * add_would_overflow() - Check if an addition would overflow + * @a: first addend + * @b: second addend + * + * Returns true if the sum would overflow. + * + * To keep a copy of the sum when the addition doesn't overflow, use + * check_add_overflow() instead. + */ +#define add_would_overflow(a, b) \ + __must_check_overflow(({ \ + size_t __result; \ + check_add_overflow(a, b, &__result);\ + })) + /** * check_sub_overflow() - Calculate subtraction with overflow checking * @a: minuend; value to subtract from --=20 2.34.1
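
Review bot: add_would_overflow() always stores into a size_t __result, so for integer arguments the answer is "does the sum fit in size_t", not "does a + b overflow its own type": a signed sum that comes out negative, or a u64 sum above SIZE_MAX on a 32-bit build, is reported as overflowing even though the open-coded addition is fine. Suggest declaring the result as typeof(a), as add_wrap() in the next patch does, and stating in the kernel-doc which type the check is made against. The outer __must_check_overflow() also looks redundant, since check_add_overflow() already applies it.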

From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 03/82] overflow: Introduce add_wrap()
Date: Mon, 22 Jan 2024 16:26:38 -0800
Message-Id: <20240123002814.1396804-3-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

Provide a helper that will perform wrapping addition without tripping
the arithmetic wrap-around sanitizers.

Cc: "Gustavo A. R. Silva"
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook
---
 include/linux/overflow.h | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/include/linux/overflow.h b/include/linux/overflow.h index ac088f73e0fd..30779905a77a 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h 
@@ -124,6 +124,22 @@ static inline bool __must_check __must_check_overflow(= bool overflow) check_add_overflow(a, b, &__result);\ })) =20 +/** + * add_wrap() - Intentionally perform a wrapping addition + * @a: first addend + * @b: second addend + * + * Return the potentially wrapped-around addition without + * tripping any overflow sanitizers that may be enabled. + */ +#define add_wrap(a, b) \ + ({ \ + typeof(a) __sum; \ + if (check_add_overflow(a, b, &__sum)) \ + /* do nothing */; \ + __sum; \ + }) + /** * check_sub_overflow() - Calculate subtraction with overflow checking * @a: minuend; value to subtract from --=20 2.34.1
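Review bot: In add_wrap(), "typeof(a) __sum" takes the result type from the first addend alone, so the width at which the sum wraps depends on argument order, and a const-qualified @a leaves __sum const, which check_add_overflow() cannot store into. The kernel-doc should state that the result has the type of @a, or the macro could take the result type as an explicit argument. The empty "if (...) /* do nothing */;" exists only to consume the __must_check result of check_add_overflow(); saying so in the comment would keep it from being "simplified" away later.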
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Jonathan Corbet, "Gustavo A. R. Silva", Justin Stitt, workflows@vger.kernel.org, linux-doc@vger.kernel.org, Bill Wendling, linux-kernel@vger.kernel.org
Subject: [PATCH 04/82] docs: deprecated.rst: deprecate open-coded arithmetic wrap-around
Date: Mon, 22 Jan 2024 16:26:39 -0800
Message-Id: <20240123002814.1396804-4-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

In pursuit of gaining full kernel instrumentation for signed[1], unsigned[2], and pointer[3] arithmetic overflow, we need to replace the handful of instances in the kernel where we intentionally depend on arithmetic wrap-around. Document this goal and provide an example for the most common code pattern, checking for simple overflow:

    if (VAR + OFFSET < VAR) ...

Link: https://github.com/KSPP/linux/issues/26 [1]
Link: https://github.com/KSPP/linux/issues/27 [2]
Link: https://github.com/KSPP/linux/issues/344 [3]
Cc: Jonathan Corbet
Cc: "Gustavo A. R. Silva"
Cc: Justin Stitt
Cc: workflows@vger.kernel.org
Cc: linux-doc@vger.kernel.org
Signed-off-by: Kees Cook
---
 Documentation/process/deprecated.rst | 32 ++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/Documentation/process/deprecated.rst b/Documentation/process/d= eprecated.rst index 1f7f3e6c9cda..270f3af13b86 100644 --- a/Documentation/process/deprecated.rst +++ b/Documentation/process/deprecated.rst 
@@ -109,6 +109,38 @@ For more details, also see array3_size() and flex_arra= y_size(), as well as the related check_mul_overflow(), check_add_overflow(), check_sub_overflow(), and check_shl_overflow() family of functions. =20 +open-coded intentional arithmetic wrap-around +--------------------------------------------- +Depending on arithmetic wrap-around without annotations means the +kernel cannot distinguish between intentional wrap-around and accidental +wrap-around (when using things like the overflow sanitizers). + +For example, where an addition is intended to wrap around:: + + magic =3D counter + rotation; + +please use the add_wrap() helper:: + + magic =3D add_wrap(counter, rotation); + +Another common code pattern in the kernel open coded testing for overflow +by performing an overflow and looking for wrap-around:: + + if (var + offset < var) ... + +Instead, use either check_add_overflow() (when you want to use the +resulting sum when it doesn't overflow) or add_would_overflow():: + + if (add_would_overflow(var, offset)) ... + +In rare cases where helpers aren't available (e.g. in early boot code, +etc) but overflow instrumentation still needs to be avoided, it can be +replaced with a type max subtraction test instead:: + + int var; + ... + if (INT_MAX - var < offset) ... 
+ simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull() ---------------------------------------------------------------------- The simple_strtol(), simple_strtoll(), --=20 2.34.1
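Review bot: The early-boot fallback "if (INT_MAX - var < offset)" at the end of the new section matches the wrap-around test only when var is non-negative; for a negative signed var, "INT_MAX - var" itself exceeds INT_MAX and wraps, which is exactly the behaviour this section asks people to stop depending on. State the precondition (var >= 0) next to the example or show the unsigned form instead. Separately, "Another common code pattern in the kernel open coded testing for overflow" is missing its verb ("is open-coded testing for overflow").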
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Julia Lawall, Nicolas Palix, "Gustavo A. R. Silva", Justin Stitt, cocci@inria.fr, Bill Wendling, linux-kernel@vger.kernel.org
Subject: [PATCH 05/82] cocci: Refactor open-coded arithmetic wrap-around
Date: Mon, 22 Jan 2024 16:26:40 -0800
Message-Id: <20240123002814.1396804-5-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

In pursuit of gaining full kernel instrumentation for signed[1], unsigned[2], and pointer[3] arithmetic overflow, we need to replace the handful of instances in the kernel where we intentionally depend on arithmetic wrap-around. Introduce Coccinelle script for finding these and replacing them with the new add_would_overflow() helper, for this common code pattern:

    if (VAR + OFFSET < VAR) ...

Link: https://github.com/KSPP/linux/issues/26 [1]
Link: https://github.com/KSPP/linux/issues/27 [2]
Link: https://github.com/KSPP/linux/issues/344 [3]
Cc: Julia Lawall
Cc: Nicolas Palix
Cc: "Gustavo A. R. Silva"
Cc: Justin Stitt
Cc: cocci@inria.fr
Signed-off-by: Kees Cook
---
 .../coccinelle/misc/add_would_overflow.cocci | 70 +++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 scripts/coccinelle/misc/add_would_overflow.cocci

diff --git a/scripts/coccinelle/misc/add_would_overflow.cocci b/scripts/coc= cinelle/misc/add_would_overflow.cocci new file mode 100644 index 000000000000..b9b67c9c3714 --- /dev/null +++ b/scripts/coccinelle/misc/add_would_overflow.cocci 
@@ -0,0 +1,70 @@ +// SPDX-License-Identifier: GPL-2.0-only +/// +/// Replace intentional wrap-around addition with calls to +/// check_add_overflow() and add_would_overflow(), see +/// Documentation/process/deprecated.rst +/// +// +// Confidence: High +// Comments: +// Options: --no-includes --include-headers + +virtual context +virtual report +virtual org +virtual patch + +@report_wrap_sum depends on !patch@ +type RESULT; +RESULT VAR; +expression OFFSET; +@@ + + { + RESULT sum; + ... + ( +* VAR + OFFSET < VAR + ) + ... + ( + VAR + OFFSET + ) + ... + } + +@wrap_sum depends on patch@ +type RESULT; +RESULT VAR; +expression OFFSET; +@@ + + { ++ RESULT sum; + ... + ( +- VAR + OFFSET < VAR ++ check_add_overflow(VAR, OFFSET, &sum) + ) + ... + ( +- VAR + OFFSET ++ sum + ) + ... + } + +@report_wrap depends on !patch && !report_wrap_sum@ +identifier PTR; +expression OFFSET; +@@ + +* PTR + OFFSET < PTR + +@patch_wrap depends on patch && !wrap_sum@ +identifier PTR; +expression OFFSET; +@@ + +- PTR + OFFSET < PTR ++ add_would_overflow(PTR, OFFSET) --=20 2.34.1
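Review bot: The report_wrap_sum rule keeps "RESULT sum;" as a context line, so outside patch mode it only matches blocks that already declare a variable literally named sum, which is the declaration the wrap_sum patch rule is supposed to add; drop that line from the report rule so unconverted code is actually reported. In wrap_sum, the unconditional "+ RESULT sum;" will also clash with any existing local called sum, so a fresh identifier would be safer. The report_wrap and patch_wrap rules declare "identifier PTR", which means tests such as "p->len + off < p->len" are never matched; declaring it as an expression would cover them. The report and org virtuals are declared, but no rule emits a message for either mode.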
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Justin Stitt, Miguel Ojeda, Nathan Chancellor, Nick Desaulniers, Peter Zijlstra, Marco Elver, Hao Luo, Przemek Kitszel, "Gustavo A. R. Silva", Bill Wendling, linux-kernel@vger.kernel.org
Subject: [PATCH 06/82] overflow: Reintroduce signed and unsigned overflow sanitizers
Date: Mon, 22 Jan 2024 16:26:41 -0800
Message-Id: <20240123002814.1396804-6-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

Effectively revert commit 6aaa31aeb9cf ("ubsan: remove overflow checks"), to allow the kernel to be built with the "*-overflow" sanitizers again. This gives developers a chance to experiment[1][2][3] with the instrumentation again, while dealing with the impact of -fno-strict-overflow.

Notably, the naming of the options is adjusted to use the name "WRAP" instead of "OVERFLOW". In the strictest sense, arithmetic "overflow" happens when a result exceeds the storage of the type, and is considered by the C standard and compilers to be undefined behavior for signed and pointer types (without -fno-strict-overflow). Unsigned arithmetic overflow is defined as always wrapping around. Because the kernel is built with -fno-strict-overflow, signed and pointer arithmetic is defined to always wrap around instead of "overflowing" (which would either be elided due to being undefined behavior or would wrap around, which led to very weird bugs in the kernel).

So, the config options are added back as CONFIG_UBSAN_SIGNED_WRAP and CONFIG_UBSAN_UNSIGNED_WRAP. Since the kernel has several places that explicitly depend on wrap-around behavior (e.g. counters, atomics, etc), also introduce the __signed_wrap and __unsigned_wrap function attributes for annotating functions where wrapping is expected and should not be caught. This will allow us to distinguish in the kernel between intentional and unintentional cases of arithmetic wrap-around.

Additionally keep these disabled under CONFIG_COMPILE_TEST for now.

Link: https://github.com/KSPP/linux/issues/26 [1]
Link: https://github.com/KSPP/linux/issues/27 [2]
Link: https://github.com/KSPP/linux/issues/344 [3]
Cc: Justin Stitt
Cc: Miguel Ojeda
Cc: Nathan Chancellor
Cc: Nick Desaulniers
Cc: Peter Zijlstra
Cc: Marco Elver
Cc: Hao Luo
Cc: Przemek Kitszel
Signed-off-by: Kees Cook --- Documentation/process/deprecated.rst | 4 ++ include/linux/compiler_types.h | 14 +++++- lib/Kconfig.ubsan | 19 ++++++++ lib/test_ubsan.c | 49 ++++++++++++++++++++ lib/ubsan.c | 68 ++++++++++++++++++++++++++++ lib/ubsan.h | 4 ++ scripts/Makefile.ubsan | 2 + 7 files changed, 159 insertions(+), 1 deletion(-) diff --git a/Documentation/process/deprecated.rst b/Documentation/process/d= eprecated.rst index 270f3af13b86..aebd7c6cd2fc 100644 --- a/Documentation/process/deprecated.rst +++ b/Documentation/process/deprecated.rst @@ -141,6 +141,10 @@ replaced with a type max subtraction test instead:: ... if (INT_MAX - var < offset) ... =20 +For inline helpers that are performing wrapping arithmetic, the entire +function can be annotated as intentionally wrapping by adding the +`__signed_wrap` or `__unsigned_wrap` function attribute. + simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull() ---------------------------------------------------------------------- The simple_strtol(), simple_strtoll(), diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index d27b58fddfaa..d24f43fc79c6 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h 
@@ -282,11 +282,23 @@ struct ftrace_likely_data { #define __no_sanitize_or_inline __always_inline #endif =20 +/* Allow wrapping arithmetic within an annotated function. */ +#ifdef CONFIG_UBSAN_SIGNED_WRAP +# define __signed_wrap __attribute__((no_sanitize("signed-integer-overflow= "))) +#else +# define __signed_wrap +#endif +#ifdef CONFIG_UBSAN_UNSIGNED_WRAP +# define __unsigned_wrap __attribute__((no_sanitize("unsigned-integer-over= flow"))) +#else +# define __unsigned_wrap +#endif + /* Section for code which can't be instrumented at all */ #define __noinstr_section(section) \ noinline notrace __attribute((__section__(section))) \ __no_kcsan __no_sanitize_address __no_profile __no_sanitize_coverage \ - __no_sanitize_memory + __no_sanitize_memory __signed_wrap __unsigned_wrap =20 #define noinstr __noinstr_section(".noinstr.text") =20 diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index 59e21bfec188..a7003e5bd2a1 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan 
@@ -116,6 +116,25 @@ config UBSAN_UNREACHABLE This option enables -fsanitize=3Dunreachable which checks for control flow reaching an expected-to-be-unreachable position. =20 +config UBSAN_SIGNED_WRAP + bool "Perform checking for signed arithmetic wrap-around" + default UBSAN + depends on !COMPILE_TEST + depends on $(cc-option,-fsanitize=3Dsigned-integer-overflow) + help + This option enables -fsanitize=3Dsigned-integer-overflow which checks + for wrap-around of any arithmetic operations with signed integers. + +config UBSAN_UNSIGNED_WRAP + bool "Perform checking for unsigned arithmetic wrap-around" + depends on $(cc-option,-fsanitize=3Dunsigned-integer-overflow) + depends on !X86_32 # avoid excessive stack usage on x86-32/clang + depends on !COMPILE_TEST + help + This option enables -fsanitize=3Dunsigned-integer-overflow which checks + for wrap-around of any arithmetic operations with unsigned integers. Th= is + currently causes x86 to fail to boot. + config UBSAN_BOOL bool "Perform checking for non-boolean values used as boolean" default UBSAN diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c index 2062be1f2e80..84d8092d6c32 100644 --- a/lib/test_ubsan.c +++ b/lib/test_ubsan.c 
@@ -11,6 +11,51 @@ typedef void(*test_ubsan_fp)(void); #config, IS_ENABLED(config) ? "y" : "n"); \ } while (0) =20 +static void test_ubsan_add_overflow(void) +{ + volatile int val =3D INT_MAX; + volatile unsigned int uval =3D UINT_MAX; + + UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + val +=3D 2; + + UBSAN_TEST(CONFIG_UBSAN_UNSIGNED_WRAP); + uval +=3D 2; +} + +static void test_ubsan_sub_overflow(void) +{ + volatile int val =3D INT_MIN; + volatile unsigned int uval =3D 0; + volatile int val2 =3D 2; + + UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + val -=3D val2; + + UBSAN_TEST(CONFIG_UBSAN_UNSIGNED_WRAP); + uval -=3D val2; +} + +static void test_ubsan_mul_overflow(void) +{ + volatile int val =3D INT_MAX / 2; + volatile unsigned int uval =3D UINT_MAX / 2; + + UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + val *=3D 3; + + UBSAN_TEST(CONFIG_UBSAN_UNSIGNED_WRAP); + uval *=3D 3; +} + +static void test_ubsan_negate_overflow(void) +{ + volatile int val =3D INT_MIN; + + UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + val =3D -val; +} + static void test_ubsan_divrem_overflow(void) { volatile int val =3D 16; @@ -90,6 +135,10 @@ static void test_ubsan_misaligned_access(void) } =20 static const test_ubsan_fp test_ubsan_array[] =3D { + test_ubsan_add_overflow, + test_ubsan_sub_overflow, + test_ubsan_mul_overflow, + test_ubsan_negate_overflow, test_ubsan_shift_out_of_bounds, test_ubsan_out_of_bounds, test_ubsan_load_invalid_value, diff --git a/lib/ubsan.c b/lib/ubsan.c index df4f8d1354bb..5fc107f61934 100644 --- a/lib/ubsan.c +++ b/lib/ubsan.c 
@@ -222,6 +222,74 @@ static void ubsan_epilogue(void) check_panic_on_warn("UBSAN"); } =20 +static void handle_overflow(struct overflow_data *data, void *lhs, + void *rhs, char op) +{ + + struct type_descriptor *type =3D data->type; + char lhs_val_str[VALUE_LENGTH]; + char rhs_val_str[VALUE_LENGTH]; + + if (suppress_report(&data->location)) + return; + + ubsan_prologue(&data->location, type_is_signed(type) ? + "signed-integer-overflow" : + "unsigned-integer-overflow"); + + val_to_string(lhs_val_str, sizeof(lhs_val_str), type, lhs); + val_to_string(rhs_val_str, sizeof(rhs_val_str), type, rhs); + pr_err("%s %c %s cannot be represented in type %s\n", + lhs_val_str, + op, + rhs_val_str, + type->type_name); + + ubsan_epilogue(); +} + +void __ubsan_handle_add_overflow(void *data, + void *lhs, void *rhs) +{ + + handle_overflow(data, lhs, rhs, '+'); +} +EXPORT_SYMBOL(__ubsan_handle_add_overflow); + +void __ubsan_handle_sub_overflow(void *data, + void *lhs, void *rhs) +{ + handle_overflow(data, lhs, rhs, '-'); +} +EXPORT_SYMBOL(__ubsan_handle_sub_overflow); + +void __ubsan_handle_mul_overflow(void *data, + void *lhs, void *rhs) +{ + handle_overflow(data, lhs, rhs, '*'); +} +EXPORT_SYMBOL(__ubsan_handle_mul_overflow); + +void __ubsan_handle_negate_overflow(void *_data, void *old_val) +{ + struct overflow_data *data =3D _data; + char old_val_str[VALUE_LENGTH]; + + if (suppress_report(&data->location)) + return; + + ubsan_prologue(&data->location, "negation-overflow"); + + val_to_string(old_val_str, sizeof(old_val_str), data->type, old_val); + + pr_err("negation of %s cannot be represented in type %s:\n", + old_val_str, data->type->type_name); + + ubsan_epilogue(); +} +EXPORT_SYMBOL(__ubsan_handle_negate_overflow); + + void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs) { struct overflow_data *data =3D _data; diff --git a/lib/ubsan.h b/lib/ubsan.h index 5d99ab81913b..0abbbac8700d 100644 --- a/lib/ubsan.h +++ b/lib/ubsan.h 
@@ -124,6 +124,10 @@ typedef s64 s_max; typedef u64 u_max; #endif =20 +void __ubsan_handle_add_overflow(void *data, void *lhs, void *rhs); +void __ubsan_handle_sub_overflow(void *data, void *lhs, void *rhs); +void __ubsan_handle_mul_overflow(void *data, void *lhs, void *rhs); +void __ubsan_handle_negate_overflow(void *_data, void *old_val); void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs); void __ubsan_handle_type_mismatch(struct type_mismatch_data *data, void *p= tr); void __ubsan_handle_type_mismatch_v1(void *_data, void *ptr); diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 4749865c1b2c..de4fc0ae448a 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan 
@@ -8,6 +8,8 @@ ubsan-cflags-$(CONFIG_UBSAN_LOCAL_BOUNDS) +=3D -fsanitize= =3Dlocal-bounds ubsan-cflags-$(CONFIG_UBSAN_SHIFT) +=3D -fsanitize=3Dshift ubsan-cflags-$(CONFIG_UBSAN_DIV_ZERO) +=3D -fsanitize=3Dinteger-divide-by= -zero ubsan-cflags-$(CONFIG_UBSAN_UNREACHABLE) +=3D -fsanitize=3Dunreachable +ubsan-cflags-$(CONFIG_UBSAN_SIGNED_WRAP) +=3D -fsanitize=3Dsigned-integer-= overflow +ubsan-cflags-$(CONFIG_UBSAN_UNSIGNED_WRAP) +=3D -fsanitize=3Dunsigned-inte= ger-overflow ubsan-cflags-$(CONFIG_UBSAN_BOOL) +=3D -fsanitize=3Dbool ubsan-cflags-$(CONFIG_UBSAN_ENUM) +=3D -fsanitize=3Denum ubsan-cflags-$(CONFIG_UBSAN_TRAP) +=3D -fsanitize-undefined-trap-on-error --=20 2.34.1
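Review bot: In include/linux/compiler_types.h, the one-line comment above __signed_wrap and __unsigned_wrap does not say that the attribute turns the sanitizer off for every arithmetic operation in the annotated function, so an accidental wrap sitting next to the intended one goes unreported. Document that scope and recommend keeping annotated helpers down to the single wrapping operation. Appending both attributes to __noinstr_section() also exempts all noinstr code from the new checks, which deserves a sentence in the commit message.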
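Review bot: In lib/Kconfig.ubsan, the UBSAN_UNSIGNED_WRAP help text says the option "currently causes x86 to fail to boot", yet the only architecture restriction is "depends on !X86_32", so it stays selectable on x86-64. Either gate it until the boot failure is fixed (for example "depends on !X86" or "depends on BROKEN") or say in the help text which x86 configurations are affected. UBSAN_SIGNED_WRAP is also "default UBSAN", so every existing UBSAN configuration picks up the new reports on upgrade; the commit message should call that out.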
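Review bot: In lib/ubsan.c, the message in __ubsan_handle_negate_overflow() ends in a stray colon ("cannot be represented in type %s:\n") while handle_overflow() prints the same phrase without one; make the two formats identical so log matching on these reports behaves the same for all four handlers. There is also an empty line directly after the opening brace of handle_overflow() and of __ubsan_handle_add_overflow(), and a double blank line after EXPORT_SYMBOL(__ubsan_handle_negate_overflow), which should be cleaned up rather than reverted in verbatim.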
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrew Morton, Masahiro Yamada, Nathan Chancellor, Nicolas Schier, linux-kbuild@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 07/82] overflow: Introduce CONFIG_UBSAN_POINTER_WRAP
Date: Mon, 22 Jan 2024 16:26:42 -0800
Message-Id: <20240123002814.1396804-7-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

Gain coverage for pointer wrap-around checking.
Adds support for -fsanitize=3Dpointer-overflow, and introduces the __pointer_wrap function attribute to match the signed and unsigned attributes. Also like the others, it is currently disabled under CONFIG_COMPILE_TEST. Cc: Andrew Morton Cc: Masahiro Yamada Cc: Nathan Chancellor Cc: Nicolas Schier Cc: linux-kbuild@vger.kernel.org Signed-off-by: Kees Cook --- Documentation/process/deprecated.rst | 2 +- include/linux/compiler_types.h | 7 +++++- lib/Kconfig.ubsan | 8 +++++++ lib/test_ubsan.c | 33 ++++++++++++++++++++++++++++ lib/ubsan.c | 21 ++++++++++++++++++ lib/ubsan.h | 1 + scripts/Makefile.ubsan | 1 + 7 files changed, 71 insertions(+), 2 deletions(-) diff --git a/Documentation/process/deprecated.rst b/Documentation/process/d= eprecated.rst index aebd7c6cd2fc..15e77cbd4259 100644 --- a/Documentation/process/deprecated.rst +++ b/Documentation/process/deprecated.rst @@ -143,7 +143,7 @@ replaced with a type max subtraction test instead:: =20 For inline helpers that are performing wrapping arithmetic, the entire function can be annotated as intentionally wrapping by adding the -`__signed_wrap` or `__unsigned_wrap` function attribute. +`__signed_wrap`, `__unsigned_wrap`, or `__pointer_wrap` function attribute. =20 simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull() ---------------------------------------------------------------------- diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index d24f43fc79c6..84cfd9d55453 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h 
@@ -293,12 +293,17 @@ struct ftrace_likely_data { #else # define __unsigned_wrap #endif +#ifdef CONFIG_UBSAN_POINTER_WRAP +# define __pointer_wrap __attribute__((no_sanitize("pointer-overflow"))) +#else +# define __pointer_wrap +#endif =20 /* Section for code which can't be instrumented at all */ #define __noinstr_section(section) \ noinline notrace __attribute((__section__(section))) \ __no_kcsan __no_sanitize_address __no_profile __no_sanitize_coverage \ - __no_sanitize_memory __signed_wrap __unsigned_wrap + __no_sanitize_memory __signed_wrap __unsigned_wrap __pointer_wrap =20 #define noinstr __noinstr_section(".noinstr.text") =20 diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index a7003e5bd2a1..04222a6d7fd9 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -135,6 +135,14 @@ config UBSAN_UNSIGNED_WRAP for wrap-around of any arithmetic operations with unsigned integers. Th= is currently causes x86 to fail to boot. =20 +config UBSAN_POINTER_WRAP + bool "Perform checking for pointer arithmetic wrap-around" + depends on !COMPILE_TEST + depends on $(cc-option,-fsanitize=3Dpointer-overflow) + help + This option enables -fsanitize=3Dpointer-overflow which checks + for wrap-around of any arithmetic operations with pointers. + config UBSAN_BOOL bool "Perform checking for non-boolean values used as boolean" default UBSAN diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c index 84d8092d6c32..1cc049b3ef34 100644 --- a/lib/test_ubsan.c +++ b/lib/test_ubsan.c 
@@ -56,6 +56,36 @@ static void test_ubsan_negate_overflow(void) val =3D -val; } =20 +static void test_ubsan_pointer_overflow_add(void) +{ + volatile void *top =3D (void *)ULONG_MAX; + + UBSAN_TEST(CONFIG_UBSAN_POINTER_WRAP); + top +=3D 2; +} + +static void test_ubsan_pointer_overflow_sub(void) +{ + volatile void *bottom =3D (void *)1; + + UBSAN_TEST(CONFIG_UBSAN_POINTER_WRAP); + bottom -=3D 3; +} + +struct ptr_wrap { + int a; + int b; +}; + +static void test_ubsan_pointer_overflow_mul(void) +{ + volatile struct ptr_wrap *half =3D (void *)(ULONG_MAX - 128); + volatile int bump =3D 128; + + UBSAN_TEST(CONFIG_UBSAN_POINTER_WRAP); + half +=3D bump; +} + static void test_ubsan_divrem_overflow(void) { volatile int val =3D 16; @@ -139,6 +169,9 @@ static const test_ubsan_fp test_ubsan_array[] =3D { test_ubsan_sub_overflow, test_ubsan_mul_overflow, test_ubsan_negate_overflow, + test_ubsan_pointer_overflow_add, + test_ubsan_pointer_overflow_sub, + test_ubsan_pointer_overflow_mul, test_ubsan_shift_out_of_bounds, test_ubsan_out_of_bounds, test_ubsan_load_invalid_value, diff --git a/lib/ubsan.c b/lib/ubsan.c index 5fc107f61934..d49580ff6aea 100644 --- a/lib/ubsan.c +++ b/lib/ubsan.c @@ -289,6 +289,27 @@ void __ubsan_handle_negate_overflow(void *_data, void = *old_val) } EXPORT_SYMBOL(__ubsan_handle_negate_overflow); =20 +void __ubsan_handle_pointer_overflow(void *_data, void *lhs, void *rhs) +{ + struct overflow_data *data =3D _data; + unsigned long before =3D (unsigned long)lhs; + unsigned long after =3D (unsigned long)rhs; + + if (suppress_report(&data->location)) + return; + + ubsan_prologue(&data->location, "pointer-overflow"); + + if (after =3D=3D 0) + pr_err("overflow wrapped to NULL\n"); + else if (after < before) + pr_err("overflow wrap-around\n"); + else + pr_err("underflow wrap-around\n"); + + ubsan_epilogue(); +} +EXPORT_SYMBOL(__ubsan_handle_pointer_overflow); =20 void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs) { 
diff --git a/lib/ubsan.h b/lib/ubsan.h index 0abbbac8700d..5dd27923b78b 100644 --- a/lib/ubsan.h +++ b/lib/ubsan.h @@ -128,6 +128,7 @@ void __ubsan_handle_add_overflow(void *data, void *lhs,= void *rhs); void __ubsan_handle_sub_overflow(void *data, void *lhs, void *rhs); void __ubsan_handle_mul_overflow(void *data, void *lhs, void *rhs); void __ubsan_handle_negate_overflow(void *_data, void *old_val); +void __ubsan_handle_pointer_overflow(void *_data, void *lhs, void *rhs); void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs); void __ubsan_handle_type_mismatch(struct type_mismatch_data *data, void *p= tr); void __ubsan_handle_type_mismatch_v1(void *_data, void *ptr); diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index de4fc0ae448a..37e8c31dc655 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan 
@@ -10,6 +10,7 @@ ubsan-cflags-$(CONFIG_UBSAN_DIV_ZERO) +=3D -fsanitize=3D= integer-divide-by-zero ubsan-cflags-$(CONFIG_UBSAN_UNREACHABLE) +=3D -fsanitize=3Dunreachable ubsan-cflags-$(CONFIG_UBSAN_SIGNED_WRAP) +=3D -fsanitize=3Dsigned-integer-= overflow ubsan-cflags-$(CONFIG_UBSAN_UNSIGNED_WRAP) +=3D -fsanitize=3Dunsigned-inte= ger-overflow +ubsan-cflags-$(CONFIG_UBSAN_POINTER_WRAP) +=3D -fsanitize=3Dpointer-overfl= ow ubsan-cflags-$(CONFIG_UBSAN_BOOL) +=3D -fsanitize=3Dbool ubsan-cflags-$(CONFIG_UBSAN_ENUM) +=3D -fsanitize=3Denum ubsan-cflags-$(CONFIG_UBSAN_TRAP) +=3D -fsanitize-undefined-trap-on-error --=20 2.34.1
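Review bot: in lib/ubsan.c, __ubsan_handle_pointer_overflow() prints only a category string and never the two addresses it was given, so a report cannot be triaged without re-deriving them; consider printing the base and the result, subject to the usual rules for printing kernel pointers. The final `else` also labels every remaining case "underflow wrap-around", which includes a call where `before` is 0 and `after` is non-zero, so if the compiler reports arithmetic on a NULL base through this handler the message will be misleading. The parameters are still called lhs and rhs although the body treats them as base and result; naming them that way here and in the lib/ubsan.h prototype would match how the function reads.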
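Review bot: in lib/test_ubsan.c, the new tests declare `volatile void *top`, `volatile void *bottom` and `volatile struct ptr_wrap *half`, where volatile qualifies the pointed-to object and not the pointer variable, whereas the neighbouring tests use `volatile int val` so that the operand itself is opaque to the compiler. If the same is intended here the declarations want the form `void * volatile top`; as written, the add and sub tests do arithmetic on two compile-time constants and discard the result. test_ubsan_pointer_overflow_mul() is named for a multiply but the statement is `half += bump`; a one-line comment that the wrap comes from scaling by sizeof(struct ptr_wrap) would make the test self-explanatory.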
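A userspace model of the condition patch 07 reports, added here as an illustration and not taken from the patch or the kernel tree: it classifies `base + index` for a given element size into the three outcomes the new handler prints, and runs the three cases from lib/test_ubsan.c. The names classify_ptr_arith, ptr_arith_result, wrap_name and struct two_ints are hypothetical, and the two-step check (scale, then add) is an assumption about how to model the check, not the compiler's implementation.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcomes, named after the three messages the patch's handler prints. */
enum wrap_kind { WRAP_NONE, WRAP_TO_NULL, WRAP_OVERFLOW, WRAP_UNDERFLOW };

/* Hypothetical stand-in for the test's struct ptr_wrap: two ints. */
struct two_ints { int a; int b; };

/*
 * Address produced by "base + index" for elements of elem_size bytes,
 * computed in unsigned arithmetic, where wrap-around is well defined.
 */
static uintptr_t ptr_arith_result(uintptr_t base, intptr_t index,
				  size_t elem_size)
{
	return base + (uintptr_t)index * (uintptr_t)elem_size;
}

/* Decide whether the same computation left the address space. */
static enum wrap_kind classify_ptr_arith(uintptr_t base, intptr_t index,
					 size_t elem_size)
{
	intptr_t offset;
	uintptr_t after;

	/* Step 1: scaling the index can overflow before any add happens. */
	if (__builtin_mul_overflow(index, (intptr_t)elem_size, &offset))
		return index < 0 ? WRAP_UNDERFLOW : WRAP_OVERFLOW;

	/* Step 2: a positive offset must not land below base, and a
	 * negative offset must not land above it. */
	after = base + (uintptr_t)offset;
	if (offset > 0 && after < base)
		return after == 0 ? WRAP_TO_NULL : WRAP_OVERFLOW;
	if (offset < 0 && after > base)
		return WRAP_UNDERFLOW;
	return WRAP_NONE;
}

static const char *wrap_name(enum wrap_kind kind)
{
	switch (kind) {
	case WRAP_TO_NULL:	return "overflow wrapped to NULL";
	case WRAP_OVERFLOW:	return "overflow wrap-around";
	case WRAP_UNDERFLOW:	return "underflow wrap-around";
	default:		return "no wrap";
	}
}

int main(void)
{
	/* Constructed inputs; the first three mirror the patch's tests. */
	const struct {
		const char *what;
		uintptr_t base;
		intptr_t index;
		size_t size;
	} cases[] = {
		{ "top += 2",        UINTPTR_MAX,       2,   1 },
		{ "bottom -= 3",     1,                 -3,  1 },
		{ "half += bump",    UINTPTR_MAX - 128, 128, sizeof(struct two_ints) },
		{ "top + 1",         UINTPTR_MAX,       1,   1 },
		{ "in-range access", 0x1000,            4,   sizeof(struct two_ints) },
	};
	size_t n;

	for (n = 0; n < sizeof(cases) / sizeof(cases[0]); n++)
		printf("%-16s -> %#" PRIxPTR " (%s)\n", cases[n].what,
		       ptr_arith_result(cases[n].base, cases[n].index,
					cases[n].size),
		       wrap_name(classify_ptr_arith(cases[n].base,
						    cases[n].index,
						    cases[n].size)));
	return 0;
}
```
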
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Alexander Viro, Andrew Morton, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 08/82] iov_iter: Avoid wrap-around instrumentation in copy_compat_iovec_from_user
Date: Mon, 22 Jan 2024 16:26:43 -0800
Message-Id: <20240123002814.1396804-8-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

The loop counter "i" in copy_compat_iovec_from_user() is an int, but
because the nr_segs argument is unsigned long, the signed overflow
sanitizer got worried "i" could wrap around. Instead of making "i" an
unsigned long (which may enlarge the type size), switch both nr_segs
and i to u32. There is no truncation with nr_segs since it is never
larger than UIO_MAXIOV anyway. This keeps sanitizer instrumentation[1]
out of a UACCESS path:

  vmlinux.o: warning: objtool: copy_compat_iovec_from_user+0xa9: call to __ubsan_handle_add_overflow() with UACCESS enabled

Link: https://github.com/KSPP/linux/issues/26 [1]
Cc: Alexander Viro
Cc: Andrew Morton
Signed-off-by: Kees Cook
---
 lib/iov_iter.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/iov_iter.c b/lib/iov_iter.c index e0aa6b440ca5..d797a43dca91 100644 --- a/lib/iov_iter.c +++ b/lib/iov_iter.c 
@@ -1166,11 +1166,12 @@ const void *dup_iter(struct iov_iter *new, struct i= ov_iter *old, gfp_t flags) EXPORT_SYMBOL(dup_iter); =20 static __noclone int copy_compat_iovec_from_user(struct iovec *iov, - const struct iovec __user *uvec, unsigned long nr_segs) + const struct iovec __user *uvec, u32 nr_segs) { const struct compat_iovec __user *uiov =3D (const struct compat_iovec __user *)uvec; - int ret =3D -EFAULT, i; + int ret =3D -EFAULT; + u32 i; =20 if (!user_access_begin(uiov, nr_segs * sizeof(*uiov))) return -EFAULT; --=20 2.34.1
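Review bot: in copy_compat_iovec_from_user(), narrowing the nr_segs parameter to u32 means an unsigned long passed by a caller is truncated silently at the call, and the reason this is safe (nr_segs never exceeds UIO_MAXIOV) is stated only in the commit message, not anywhere in this hunk. Since `nr_segs * sizeof(*uiov)` feeds user_access_begin() directly, a short comment above the prototype naming the bound, or a matching type at the call site, would keep the invariant next to the code that depends on it.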
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Alexander Viro, Christian Brauner, Jan Kara, linux-fsdevel@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 09/82] select: Avoid wrap-around instrumentation in do_sys_poll()
Date: Mon, 22 Jan 2024 16:26:44 -0800
Message-Id: <20240123002814.1396804-9-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

The mix of int, unsigned int, and unsigned long used by struct
poll_list::len, todo, len, and j meant that the signed overflow
sanitizer got worried it needed to instrument several places where
arithmetic happens between these variables. Since all of the variables
are always positive and bounded by unsigned int, use a single type in
all places. Additionally expand the zero-test into an explicit range
check before updating "todo".

This keeps sanitizer instrumentation[1] out of a UACCESS path:

  vmlinux.o: warning: objtool: do_sys_poll+0x285: call to __ubsan_handle_sub_overflow() with UACCESS enabled

Cc: Alexander Viro
Cc: Christian Brauner
Cc: Jan Kara
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed-by: Jan Kara
---
 fs/select.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/fs/select.c b/fs/select.c index 0ee55af1a55c..11a3b1312abe 100644 --- a/fs/select.c +++ b/fs/select.c @@ -839,7 +839,7 @@ SYSCALL_DEFINE1(old_select, struct sel_arg_struct __use= r *, arg) =20 struct poll_list { struct poll_list *next; - int len; + unsigned int len; struct pollfd entries[]; }; =20 @@ -975,14 +975,15 @@ static int do_sys_poll(struct pollfd __user *ufds, un= signed int nfds, struct timespec64 *end_time) { struct poll_wqueues table; - int err =3D -EFAULT, fdcount, len; + int err =3D -EFAULT, fdcount; /* Allocate small arguments on the stack to save memory and be faster - use long to make sure the buffer is aligned properly on 64 bit archs to avoid unaligned access */ long stack_pps[POLL_STACK_ALLOC/sizeof(long)]; struct poll_list *const head =3D (struct poll_list *)stack_pps; struct poll_list *walk =3D head; - unsigned long todo =3D nfds; + unsigned int todo =3D nfds; + unsigned int len; =20 if (nfds > rlimit(RLIMIT_NOFILE)) return -EINVAL; 
@@ -998,9 +999,9 @@ static int do_sys_poll(struct pollfd __user *ufds, unsi= gned int nfds, sizeof(struct pollfd) * walk->len)) goto out_fds; =20 - todo -=3D walk->len; - if (!todo) + if (walk->len >=3D todo) break; + todo -=3D walk->len; =20 len =3D min(todo, POLLFD_PER_PAGE); walk =3D walk->next =3D kmalloc(struct_size(walk, entries, len), 
@@ -1020,7 +1021,7 @@ static int do_sys_poll(struct pollfd __user *ufds, un= signed int nfds, =20 for (walk =3D head; walk; walk =3D walk->next) { struct pollfd *fds =3D walk->entries; - int j; + unsigned int j; =20 for (j =3D walk->len; j; fds++, ufds++, j--) unsafe_put_user(fds->revents, &ufds->revents, Efault); --=20 2.34.1
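Review bot: in do_sys_poll(), replacing `if (!todo)` after the subtraction with `if (walk->len >= todo) break;` before it also changes what happens when walk->len is larger than todo: the loop now ends quietly where it previously would have wrapped. If that case cannot occur (the next chunk length is `min(todo, POLLFD_PER_PAGE)`), say so in a comment, or make the `>` case a WARN_ON_ONCE() so a broken invariant is noticed and not absorbed. The commit message also cites "[1]", but this patch carries no Link: trailer for it.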
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Will Deacon, Peter Zijlstra, Boqun Feng, Mark Rutland, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 10/82] locking/atomic/x86: Silence intentional wrapping addition
Date: Mon, 22 Jan 2024 16:26:45 -0800
Message-Id: <20240123002814.1396804-10-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

Annotate atomic_add_return() to avoid signed overflow instrumentation.
It is expected to wrap around.

Cc: Will Deacon
Cc: Peter Zijlstra
Cc: Boqun Feng
Cc: Mark Rutland
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: Dave Hansen
Cc: x86@kernel.org
Cc: "H. Peter Anvin"
Signed-off-by: Kees Cook
---
 arch/x86/include/asm/atomic.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h index 55a55ec04350..4120cdd87da8 100644 --- a/arch/x86/include/asm/atomic.h +++ b/arch/x86/include/asm/atomic.h 
@@ -80,7 +80,7 @@ static __always_inline bool arch_atomic_add_negative(int = i, atomic_t *v) } #define arch_atomic_add_negative arch_atomic_add_negative =20 -static __always_inline int arch_atomic_add_return(int i, atomic_t *v) +static __always_inline __signed_wrap int arch_atomic_add_return(int i, ato= mic_t *v) { return i + xadd(&v->counter, i); } --=20 2.34.1
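Review bot: in arch/x86/include/asm/atomic.h only arch_atomic_add_return() gains __signed_wrap, while the arm64 patch that follows in this series annotates both the add_return and sub_return helpers; please confirm whether the x86 sub_return path is covered by this annotation or needs its own. The annotated prototype is also now 83 columns wide; breaking after `int` would match the two-line form used in the arm64 macros.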
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Will Deacon, Peter Zijlstra, Boqun Feng, Mark Rutland, Catalin Marinas, linux-arm-kernel@lists.infradead.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 11/82] arm64: atomics: lse: Silence intentional wrapping addition
Date: Mon, 22 Jan 2024 16:26:46 -0800
Message-Id: <20240123002814.1396804-11-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

Annotate atomic_add_return() and atomic_sub_return() to avoid signed
overflow instrumentation. They are expected to wrap around.

Cc: Will Deacon
Cc: Peter Zijlstra
Cc: Boqun Feng
Cc: Mark Rutland
Cc: Catalin Marinas
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Kees Cook
---
 arch/arm64/include/asm/atomic_lse.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/arm64/include/asm/atomic_lse.h b/arch/arm64/include/asm/a= tomic_lse.h index 87f568a94e55..30572458d702 100644 --- a/arch/arm64/include/asm/atomic_lse.h +++ b/arch/arm64/include/asm/atomic_lse.h @@ -79,13 +79,13 @@ ATOMIC_FETCH_OP_SUB( ) #undef ATOMIC_FETCH_OP_SUB =20 #define ATOMIC_OP_ADD_SUB_RETURN(name) \ -static __always_inline int \ +static __always_inline __signed_wrap int \ __lse_atomic_add_return##name(int i, atomic_t *v) \ { \ return __lse_atomic_fetch_add##name(i, v) + i; \ } \ \ -static __always_inline int \ +static __always_inline __signed_wrap int \ __lse_atomic_sub_return##name(int i, atomic_t *v) \ { \ return __lse_atomic_fetch_sub(i, v) - i; \ 
@@ -186,13 +186,13 @@ ATOMIC64_FETCH_OP_SUB( ) #undef ATOMIC64_FETCH_OP_SUB =20 #define ATOMIC64_OP_ADD_SUB_RETURN(name) \ -static __always_inline long \ +static __always_inline __signed_wrap long \ __lse_atomic64_add_return##name(s64 i, atomic64_t *v) \ { \ return __lse_atomic64_fetch_add##name(i, v) + i; \ } \ \ -static __always_inline long \ +static __always_inline __signed_wrap long \ __lse_atomic64_sub_return##name(s64 i, atomic64_t *v) \ { \ return __lse_atomic64_fetch_sub##name(i, v) - i; \ --=20 2.34.1
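
Review bot: in ATOMIC_OP_ADD_SUB_RETURN (@@ -79) the new __signed_wrap is placed on __always_inline helpers, so it only helps if it still suppresses instrumentation of the "+ i" and "- i" once the body has been inlined into an instrumented caller; please say in the commit message that this was checked with both GCC and Clang, and add a one-line comment above the macro stating that the wrap is intentional so the attribute is not dropped in a later cleanup.
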
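
Review bot: in ATOMIC64_OP_ADD_SUB_RETURN (@@ -186) the sub variant forwards the ordering suffix (__lse_atomic64_fetch_sub##name), while the 32-bit __lse_atomic_sub_return##name in the previous hunk calls plain __lse_atomic_fetch_sub(i, v) with no ##name. That line is unchanged context, but since both macros are being touched for the same annotation, is the difference intended? If so, a short comment on the 32-bit version would save the next reader the same question.
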
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Jakub Kicinski, "David S. Miller", David Ahern,
 Eric Dumazet, Paolo Abeni, netdev@vger.kernel.org,
 "Gustavo A. R. Silva", Bill Wendling, Justin Stitt,
 linux-kernel@vger.kernel.org
Subject: [PATCH 12/82] ipv4: Silence intentional wrapping addition
Date: Mon, 22 Jan 2024 16:26:47 -0800
Message-Id: <20240123002814.1396804-12-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

The overflow sanitizer quickly noticed what appears to have been an old
sore spot involving intended wrap around:

[ 22.192362] ------------[ cut here ]------------
[ 22.193329] UBSAN: signed-integer-overflow in ../arch/x86/include/asm/atomic.h:85:11
[ 22.194844] 1469769800 + 1671667352 cannot be represented in type 'int'
[ 22.195975] CPU: 2 PID: 2260 Comm: nmbd Not tainted 6.7.0 #1
[ 22.196927] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
[ 22.198231] Call Trace:
[ 22.198641]
[ 22.198641] dump_stack_lvl+0x64/0x80
[ 22.199533] handle_overflow+0x152/0x1a0
[ 22.200382] __ip_select_ident+0xe3/0x100

Explicitly perform a wrapping addition to solve for the needed
-fno-strict-overflow behavior but still allow the sanitizers to operate
correctly.

To see the (unchanged) assembly results more clearly, see:
https://godbolt.org/z/EhYhz6zTT

Cc: Jakub Kicinski
Cc: "David S. Miller"
Cc: David Ahern
Cc: Eric Dumazet
Cc: Paolo Abeni
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 net/ipv4/route.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 16615d107cf0..c52e85b06fe7 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c 
@@ -473,11 +473,11 @@ static u32 ip_idents_reserve(u32 hash, int segs) if (old !=3D now && cmpxchg(p_tstamp, old, now) =3D=3D old) delta =3D get_random_u32_below(now - old); =20 - /* If UBSAN reports an error there, please make sure your compiler - * supports -fno-strict-overflow before reporting it that was a bug - * in UBSAN, and it has been fixed in GCC-8. + /* If UBSAN reports an error there, please make sure your arch's + * atomic_add_return() implementation has been annotated with + * __signed_wrap. */ - return atomic_add_return(segs + delta, p_id) - segs; + return atomic_add_return(add_wrap(segs, delta), p_id) - segs; } =20 void __ip_select_ident(struct net *net, struct iphdr *iph, int segs) --=20 2.34.1
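
Review bot: the return statement in ip_idents_reserve() still ends in an open-coded "- segs" applied to the int that atomic_add_return() returns, so that signed subtraction can wrap exactly like the addition this hunk makes explicit; give it the same treatment (a wrapping subtraction, or do the final step in u32, which is the function's return type). The commit message should also say why add_wrap(segs, delta) is needed at this call site, given that the quoted UBSAN report points into atomic.h:85 rather than route.c and the rewritten comment now directs readers to the arch atomic_add_return() annotation.
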
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Chris Mason, Josef Bacik, David Sterba,
 linux-btrfs@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling,
 Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 13/82] btrfs: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:48 -0800
Message-Id: <20240123002814.1396804-13-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
wrap-around sanitizer in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Chris Mason
Cc: Josef Bacik
Cc: David Sterba
Cc: linux-btrfs@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: David Sterba
---
 fs/btrfs/extent_map.c | 6 ++++--
 fs/btrfs/extent_map.h | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/fs/btrfs/extent_map.c b/fs/btrfs/extent_map.c index b61099bf97a8..29a649507857 100644 --- a/fs/btrfs/extent_map.c +++ b/fs/btrfs/extent_map.c @@ -73,9 +73,11 @@ void free_extent_map(struct extent_map *em) /* Do the math around the end of an extent, handling wrapping. */ static u64 range_end(u64 start, u64 len) { - if (start + len < start) + u64 sum; + + if (check_add_overflow(start, len, &sum)) return (u64)-1; - return start + len; + return sum; } =20 static int tree_insert(struct rb_root_cached *root, struct extent_map *em) diff --git a/fs/btrfs/extent_map.h b/fs/btrfs/extent_map.h index e380fc08bbe4..3c4a6b977662 100644 --- a/fs/btrfs/extent_map.h +++ b/fs/btrfs/extent_map.h 
@@ -108,9 +108,11 @@ static inline int extent_map_in_tree(const struct exte= nt_map *em) =20 static inline u64 extent_map_end(const struct extent_map *em) { - if (em->start + em->len < em->start) + u64 sum; + + if (check_add_overflow(em->start, em->len, &sum)) return (u64)-1; - return em->start + em->len; + return sum; } =20 void extent_map_tree_init(struct extent_map_tree *tree); --=20 2.34.1
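
Review bot: in range_end() (fs/btrfs/extent_map.c, @@ -73) the new local is named "sum", but what it holds is the exclusive end offset the function returns; "end" would read better next to "return (u64)-1;". The existing comment "handling wrapping" could also be tightened to say the result is clamped to the maximum u64 when the addition overflows, since after this change nothing in the function wraps on purpose.
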
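
Review bot: extent_map_end() (fs/btrfs/extent_map.h, @@ -108) now carries the same three lines as range_end() in extent_map.c, so the clamp-on-overflow logic exists twice. Consider one shared header helper taking start and len that both functions call, so a later change to the overflow policy cannot update only one copy.
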
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Steve French, Paulo Alcantara, Ronnie Sahlberg,
 Shyam Prasad N, Tom Talpey, linux-cifs@vger.kernel.org,
 samba-technical@lists.samba.org, "Gustavo A. R. Silva", Bill Wendling,
 Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 14/82] smb: client: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:49 -0800
Message-Id: <20240123002814.1396804-14-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded pointer wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
wrap-around sanitizer in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Steve French
Cc: Paulo Alcantara
Cc: Ronnie Sahlberg
Cc: Shyam Prasad N
Cc: Tom Talpey
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Signed-off-by: Kees Cook
---
 fs/smb/client/readdir.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/smb/client/readdir.c b/fs/smb/client/readdir.c index 94255401b38d..7715297359ab 100644 --- a/fs/smb/client/readdir.c +++ b/fs/smb/client/readdir.c 
@@ -467,12 +467,13 @@ static char *nxt_dir_entry(char *old_entry, char *end= _of_smb, int level) pfData->FileNameLength; } else { u32 next_offset =3D le32_to_cpu(pDirInfo->NextEntryOffset); + char *sum; =20 - if (old_entry + next_offset < old_entry) { + if (check_add_overflow(old_entry, next_offset, &sum)) { cifs_dbg(VFS, "Invalid offset %u\n", next_offset); return NULL; } - new_entry =3D old_entry + next_offset; + new_entry =3D sum; } cifs_dbg(FYI, "new entry %p old entry %p\n", new_entry, old_entry); /* validate that new_entry is not past end of SMB */ --=20 2.34.1
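
Review bot: next_offset in nxt_dir_entry() is read from the message itself (le32_to_cpu(pDirInfo->NextEntryOffset)) and end_of_smb is already a parameter, so rather than asking whether old_entry + next_offset wraps the address space, this branch could reject next_offset when it exceeds the bytes remaining before end_of_smb; assuming old_entry lies inside the buffer, that covers the wrap case and never forms an out-of-range pointer. If the wrap check stays, the "char *sum" temporary is not needed (pass &new_entry to check_add_overflow() directly), and the commit message should name the earlier patch in the series that lets check_add_overflow() take a char * and a u32.
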
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Sumit Semwal, Christian König,
 linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org,
 linaro-mm-sig@lists.linaro.org, "Gustavo A. R. Silva", Bill Wendling,
 Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 15/82] dma-buf: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:50 -0800
Message-Id: <20240123002814.1396804-15-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Sumit Semwal
Cc: Christian König
Cc: "Christian König"
Cc: linux-media@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: linaro-mm-sig@lists.linaro.org
Signed-off-by: Kees Cook
---
 drivers/dma-buf/dma-buf.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index 8fe5aa67b167..3743c63a9b59 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -1458,6 +1458,8 @@ EXPORT_SYMBOL_NS_GPL(dma_buf_end_cpu_access, DMA_BUF); int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma, unsigned long pgoff) { + unsigned long sum; + if (WARN_ON(!dmabuf || !vma)) return -EINVAL; =20 
@@ -1466,12 +1468,11 @@ int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_= area_struct *vma, return -EINVAL; =20 /* check for offset overflow */ - if (pgoff + vma_pages(vma) < pgoff) + if (check_add_overflow(pgoff, vma_pages(vma), &sum)) return -EOVERFLOW; =20 /* check for overflowing the buffer's size */ - if (pgoff + vma_pages(vma) > - dmabuf->size >> PAGE_SHIFT) + if (sum > dmabuf->size >> PAGE_SHIFT) return -EINVAL; =20 /* readjust the vma */ --=20 2.34.1
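
Review bot: In the second hunk of the dma-buf patch, `sum` ends up being the end page offset that is compared against `dmabuf->size >> PAGE_SHIFT`, so a name such as `pgend` would say what the value is, where `sum` says only how it was computed. check_add_overflow() also decides overflow by the type of its destination, so the new test matches the removed `pgoff + vma_pages(vma) < pgoff` only while `sum` keeps the type of `pgoff` (unsigned long in both hunks); a one-line comment at the declaration added in the first hunk would keep a later type change from silently altering the check.
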
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Karol Herbst, Lyude Paul, Danilo Krummrich, David Airlie, Daniel Vetter, Ben Skeggs, Dave Airlie, Julia Lawall, Jiang Jian, dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 16/82] drm/nouveau/mmu: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:51 -0800
Message-Id: <20240123002814.1396804-16-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In an effort to
separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Karol Herbst
Cc: Lyude Paul
Cc: Danilo Krummrich
Cc: David Airlie
Cc: Daniel Vetter
Cc: Ben Skeggs
Cc: Dave Airlie
Cc: Julia Lawall
Cc: Jiang Jian
Cc: dri-devel@lists.freedesktop.org
Cc: nouveau@lists.freedesktop.org
Signed-off-by: Kees Cook
---
 drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/dr= m/nouveau/nvkm/subdev/mmu/vmm.c index 9c97800fe037..6ca1a82ccbc1 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c 
@@ -1149,13 +1149,15 @@ nvkm_vmm_ctor(const struct nvkm_vmm_func *func, str= uct nvkm_mmu *mmu, vmm->root =3D RB_ROOT; =20 if (managed) { + u64 sum; + /* Address-space will be managed by the client for the most * part, except for a specified area where NVKM allocations * are allowed to be placed. */ vmm->start =3D 0; vmm->limit =3D 1ULL << bits; - if (addr + size < addr || addr + size > vmm->limit) + if (check_add_overflow(addr, size, &sum) || sum > vmm->limit) return -EINVAL; =20 /* Client-managed area before the NVKM-managed area. */ 
@@ -1174,7 +1176,7 @@ nvkm_vmm_ctor(const struct nvkm_vmm_func *func, struc= t nvkm_mmu *mmu, } =20 /* Client-managed area after the NVKM-managed area. */ - addr =3D addr + size; + addr =3D sum; size =3D vmm->limit - addr; if (size && (ret =3D nvkm_vmm_ctor_managed(vmm, addr, size))) return ret; --=20 2.34.1
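
Review bot: In the second hunk of the nouveau patch, `addr =3D sum;` equals the removed `addr =3D addr + size;` only if neither `addr` nor `size` is written between the check at -1149 and this assignment at -1174, and the lines in between are not part of the visible context. Please state that in the commit message, or keep the addition next to its use, so the equivalence can be reviewed from the patch alone. A name such as `end` would also make the later `size =3D vmm->limit - addr;` easier to follow than `sum`.
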
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Maxime Ripard, Maarten Lankhorst, Thomas Zimmermann, David Airlie, Daniel Vetter, dri-devel@lists.freedesktop.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 17/82] drm/vc4: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:52 -0800
Message-Id: <20240123002814.1396804-17-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to
refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Maxime Ripard
Cc: Maarten Lankhorst
Cc: Thomas Zimmermann
Cc: David Airlie
Cc: Daniel Vetter
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
 drivers/gpu/drm/vc4/vc4_validate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/vc4/vc4_validate.c b/drivers/gpu/drm/vc4/vc4_v= alidate.c index 7dff3ca5af6b..9affba9c58b3 100644 --- a/drivers/gpu/drm/vc4/vc4_validate.c +++ b/drivers/gpu/drm/vc4/vc4_validate.c @@ -305,6 +305,7 @@ validate_gl_array_primitive(VALIDATE_ARGS) uint32_t length =3D *(uint32_t *)(untrusted + 1); uint32_t base_index =3D *(uint32_t *)(untrusted + 5); uint32_t max_index; + uint32_t sum; struct vc4_shader_state *shader_state; =20 /* Check overflow condition */ 
@@ -314,11 +315,11 @@ validate_gl_array_primitive(VALIDATE_ARGS) } shader_state =3D &exec->shader_state[exec->shader_state_count - 1]; =20 - if (length + base_index < length) { + if (check_add_overflow(length, base_index, &sum)) { DRM_DEBUG("primitive vertex count overflow\n"); return -EINVAL; } - max_index =3D length + base_index - 1; + max_index =3D sum - 1; =20 if (max_index > shader_state->max_index) shader_state->max_index =3D max_index; --=20 2.34.1
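
Review bot: In the second hunk of the vc4 patch, `max_index =3D sum - 1;` still wraps to 0xffffffff when `length` and `base_index` are both 0; both are read from the `untrusted` buffer in the first hunk's context, and check_add_overflow() covers only the addition. The result is the same as the removed `length + base_index - 1`, but since the commit message gives enabling wrap-around sanitizers as the goal, this subtraction is the next unsigned wrap in the function: either reject `sum =3D=3D 0` alongside the overflow case or compute `max_index` with check_sub_overflow(), and say in the commit message which one is intended.
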
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Theodore Ts'o", Andreas Dilger, linux-ext4@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 18/82] ext4: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:53 -0800
Message-Id: <20240123002814.1396804-18-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: "Theodore Ts'o"
Cc: Andreas Dilger
Cc: linux-ext4@vger.kernel.org
Signed-off-by: Kees Cook
---
 fs/ext4/extents.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 01299b55a567..aa30b2c75959 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -1920,6 +1920,7 @@ static unsigned int ext4_ext_check_overlap(struct ext= 4_sb_info *sbi, struct ext4_extent *newext, struct ext4_ext_path *path) { + ext4_lblk_t sum; ext4_lblk_t b1, b2; unsigned int depth, len1; unsigned int ret =3D 0; 
@@ -1943,14 +1944,14 @@ static unsigned int ext4_ext_check_overlap(struct e= xt4_sb_info *sbi, } =20 /* check for wrap through zero on extent logical start block*/ - if (b1 + len1 < b1) { + if (check_add_overflow(b1, len1, &sum)) { len1 =3D EXT_MAX_BLOCKS - b1; newext->ee_len =3D cpu_to_le16(len1); ret =3D 1; } =20 /* check for overlap */ - if (b1 + len1 > b2) { + if (sum > b2) { newext->ee_len =3D cpu_to_le16(b2 - b1); ret =3D 1; } --=20 2.34.1
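
Review bot: In the second hunk of the ext4 patch, the overlap test `if (sum > b2)` reads a stale value whenever the wrap branch above it is taken: check_add_overflow() stores the wrapped `b1 + len1` in `sum`, the branch then sets `len1 =3D EXT_MAX_BLOCKS - b1;`, and `sum` is never recomputed, whereas the removed `b1 + len1 > b2` used the clamped `len1`. That changes the result of the overlap check in exactly the case the first test handles. Update `sum` inside the branch after the clamp (it then equals EXT_MAX_BLOCKS), or keep the second comparison as `b1 + len1 > b2`.
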
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Alexander Viro, Christian Brauner, Jan Kara, linux-fsdevel@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 19/82] fs: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:54 -0800
Message-Id: <20240123002814.1396804-19-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Alexander Viro
Cc: Christian Brauner
Cc: Jan Kara
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed-by: Jan Kara
---
 fs/read_write.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/fs/read_write.c b/fs/read_write.c index d4c036e82b6c..e24b94a8937d 100644 --- a/fs/read_write.c +++ b/fs/read_write.c @@ -1417,6 +1417,7 @@ static int generic_copy_file_checks(struct file *file= _in, loff_t pos_in, struct inode *inode_out =3D file_inode(file_out); uint64_t count =3D *req_count; loff_t size_in; + loff_t sum_in, sum_out; int ret; =20 ret =3D generic_file_rw_checks(file_in, file_out); @@ -1451,7 +1452,8 @@ static int generic_copy_file_checks(struct file *file= _in, loff_t pos_in, return -ETXTBSY; =20 /* Ensure offsets don't wrap. */ - if (pos_in + count < pos_in || pos_out + count < pos_out) + if (check_add_overflow(pos_in, count, &sum_in) || + check_add_overflow(pos_out, count, &sum_out)) return -EOVERFLOW; =20 /* Shorten the copy to EOF */ 
@@ -1467,8 +1469,8 @@ static int generic_copy_file_checks(struct file *file= _in, loff_t pos_in, =20 /* Don't allow overlapped copying within the same file. */ if (inode_in =3D=3D inode_out && - pos_out + count > pos_in && - pos_out < pos_in + count) + sum_out > pos_in && + pos_out < sum_in) return -EINVAL; =20 *req_count =3D count; --=20 2.34.1
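Review bot: in the "@@ -1451" hunk of fs/read_write.c the overflow test changes meaning, not just form. pos_in and pos_out are loff_t and count is uint64_t, so the old "pos_in + count < pos_in" was evaluated as unsigned 64-bit and only caught a wrap past that range, while check_add_overflow() with the new "loff_t sum_in, sum_out" destinations also fails as soon as the sum no longer fits a signed loff_t. A large count that the code under "Shorten the copy to EOF" would go on to reduce is now rejected with -EOVERFLOW first. If the stricter result is intended, the commit message should say so instead of calling this a refactor; otherwise declare the sums as uint64_t.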
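Review bot: in the "@@ -1467" overlap test, sum_out and sum_in were computed from count before the code under "Shorten the copy to EOF", which sits between the two hunks. If count is reduced there, "sum_out > pos_in && pos_out < sum_in" tests the requested range rather than the shortened one that "*req_count = count" hands back, and can return -EINVAL for a copy that no longer overlaps. Keep "pos_out + count" and "pos_in + count" in this test, or recompute the sums once count is final.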
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Wu Hao, Tom Rix, Moritz Fischer, Xu Yilun, linux-fpga@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 20/82] fpga: dfl: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:55 -0800
Message-Id: <20240123002814.1396804-20-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Wu Hao
Cc: Tom Rix
Cc: Moritz Fischer
Cc: Xu Yilun
Cc: linux-fpga@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/fpga/dfl.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c index e6d12fbab653..7d10780e3a98 100644 --- a/drivers/fpga/dfl.c +++ b/drivers/fpga/dfl.c
@@ -1939,15 +1939,16 @@ static int do_set_irq_trigger(struct dfl_feature *f= eature, unsigned int idx, int dfl_fpga_set_irq_triggers(struct dfl_feature *feature, unsigned int st= art, unsigned int count, int32_t *fds) { + unsigned int sum; unsigned int i; int ret =3D 0; =20 /* overflow */ - if (unlikely(start + count < start)) + if (unlikely(check_add_overflow(start, count, &sum))) return -EINVAL; =20 /* exceeds nr_irqs */ - if (start + count > feature->nr_irqs) + if (sum > feature->nr_irqs) return -EINVAL; =20 for (i =3D 0; i < count; i++) { --=20 2.34.1
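Review bot: the single hunk in drivers/fpga/dfl.c starts calling check_add_overflow() in dfl_fpga_set_irq_triggers(), but the diffstat (3 insertions, 2 deletions) shows no "#include <linux/overflow.h>" being added. Unless dfl.c already includes that header directly, add it here rather than depending on another header to pull it in. The arithmetic itself is unchanged, since start, count and sum are all unsigned int.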
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Jeremy Kerr, Joel Stanley, Alistar Popple, Eddie James, linux-fsi@lists.ozlabs.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 21/82] drivers/fsi: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:56 -0800
Message-Id: <20240123002814.1396804-21-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Jeremy Kerr
Cc: Joel Stanley
Cc: Alistar Popple
Cc: Eddie James
Cc: linux-fsi@lists.ozlabs.org
Signed-off-by: Kees Cook
---
 drivers/fsi/fsi-core.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c index 097d5a780264..46b24d0aadc6 100644 --- a/drivers/fsi/fsi-core.c +++ b/drivers/fsi/fsi-core.c
@@ -381,10 +381,12 @@ EXPORT_SYMBOL_GPL(fsi_slave_write); int fsi_slave_claim_range(struct fsi_slave *slave, uint32_t addr, uint32_t size) { - if (addr + size < addr) + uint32_t sum; + + if (check_add_overflow(addr, size, &sum)) return -EINVAL; =20 - if (addr + size > slave->size) + if (sum > slave->size) return -EINVAL; =20 /* todo: check for overlapping claims */ --=20 2.34.1
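Review bot: the new local "sum" in fsi_slave_claim_range() is the exclusive end of the claimed range, and the name hides that. Calling it "end" would make "end > slave->size" read as the bounds check it is, and would give the "check for overlapping claims" todo in the trailing context a value to reuse. The check itself is equivalent to the old one, since addr, size and the destination are all uint32_t.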
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Jarkko Sakkinen, Dave Hansen, Thomas Gleixner, Ingo Molnar, Borislav Petkov, x86@kernel.org, "H. Peter Anvin", linux-sgx@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 22/82] x86/sgx: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:57 -0800
Message-Id: <20240123002814.1396804-22-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Jarkko Sakkinen
Cc: Dave Hansen
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: x86@kernel.org
Cc: "H. Peter Anvin"
Cc: linux-sgx@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed-by: Jarkko Sakkinen
---
 arch/x86/kernel/cpu/sgx/ioctl.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioct= l.c index b65ab214bdf5..4b8f6c9f8ef5 100644 --- a/arch/x86/kernel/cpu/sgx/ioctl.c +++ b/arch/x86/kernel/cpu/sgx/ioctl.c
@@ -350,16 +350,18 @@ static int sgx_validate_offset_length(struct sgx_encl= *encl, unsigned long offset, unsigned long length) { + unsigned long sum; + if (!IS_ALIGNED(offset, PAGE_SIZE)) return -EINVAL; =20 if (!length || !IS_ALIGNED(length, PAGE_SIZE)) return -EINVAL; =20 - if (offset + length < offset) + if (check_add_overflow(offset, length, &sum)) return -EINVAL; =20 - if (offset + length - PAGE_SIZE >=3D encl->size) + if (sum - PAGE_SIZE >=3D encl->size) return -EINVAL; =20 return 0; --=20 2.34.1
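Review bot: "sum - PAGE_SIZE" in the last check of sgx_validate_offset_length() is still an open-coded subtraction, and nothing at that line says why it cannot wrap. It is safe only because the earlier "!length || !IS_ALIGNED(length, PAGE_SIZE)" test guarantees length is at least PAGE_SIZE and the overflow check guarantees sum is at least length. Since the series exists to make wrap-around explicit, a one-line comment stating that invariant above "if (sum - PAGE_SIZE >= encl->size)" would keep a later reordering of these checks from reintroducing a silent wrap.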
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Paolo Bonzini, kvm@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 23/82] KVM: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:58 -0800
Message-Id: <20240123002814.1396804-23-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed, unsigned, or pointer types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/27 [2]
Cc: Paolo Bonzini
Cc: kvm@vger.kernel.org
Signed-off-by: Kees Cook
---
 virt/kvm/coalesced_mmio.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c index 1b90acb6e3fe..0a3b706fbf4c 100644 --- a/virt/kvm/coalesced_mmio.c +++ b/virt/kvm/coalesced_mmio.c
@@ -25,17 +25,19 @@ static inline struct kvm_coalesced_mmio_dev *to_mmio(st= ruct kvm_io_device *dev) static int coalesced_mmio_in_range(struct kvm_coalesced_mmio_dev *dev, gpa_t addr, int len) { + gpa_t sum; + /* is it in a batchable area ? * (addr,len) is fully included in * (zone->addr, zone->size) */ if (len < 0) return 0; - if (addr + len < addr) + if (check_add_overflow(addr, len, &sum)) return 0; if (addr < dev->zone.addr) return 0; - if (addr + len > dev->zone.addr + dev->zone.size) + if (sum > dev->zone.addr + dev->zone.size) return 0; return 1; } --=20 2.34.1
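Review bot: The retained `if (len < 0) return 0;` guard ahead of `check_add_overflow(addr, len, &sum)` in coalesced_mmio_in_range() is now what keeps negative lengths out, and it deserves a comment saying so. `addr` is gpa_t and `len` is int; if check_add_overflow() judges overflow on the values of its operands, as the compiler's __builtin_add_overflow() does, a negative `len` is not reported the way the old `addr + len < addr` test reported it after `len` had been converted to unsigned. A one-line comment tying the two checks together would stop a later cleanup from dropping the guard as redundant. The right-hand side of the last comparison, `dev->zone.addr + dev->zone.size`, is still an open-coded addition, so the changelog should say whether that sum can wrap or is validated elsewhere.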
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Marc Zyngier, Oliver Upton, James Morse, Suzuki K Poulose, Zenghui Yu, Catalin Marinas, Will Deacon, Reiji Watanabe, Eric Auger, Ricardo Koller, Raghavendra Rao Ananta, Quentin Perret, Jean-Philippe Brucker, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 24/82] KVM: arm64: vgic: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:59 -0800
Message-Id: <20240123002814.1396804-24-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Marc Zyngier
Cc: Oliver Upton
Cc: James Morse
Cc: Suzuki K Poulose
Cc: Zenghui Yu
Cc: Catalin Marinas
Cc: Will Deacon
Cc: Reiji Watanabe
Cc: Eric Auger
Cc: Ricardo Koller
Cc: Raghavendra Rao Ananta
Cc: Quentin Perret
Cc: Jean-Philippe Brucker
Cc: linux-arm-kernel@lists.infradead.org
Cc: kvmarm@lists.linux.dev
Signed-off-by: Kees Cook
Acked-by: Marc Zyngier
Reviewed-by: Eric Auger
--- arch/arm64/kvm/vgic/vgic-kvm-device.c | 6 ++++-- arch/arm64/kvm/vgic/vgic-v2.c | 10 ++++++---- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/arch/arm64/kvm/vgic/vgic-kvm-device.c b/arch/arm64/kvm/vgic/vg= ic-kvm-device.c index f48b8dab8b3d..0eec5344d203 100644 --- a/arch/arm64/kvm/vgic/vgic-kvm-device.c +++ b/arch/arm64/kvm/vgic/vgic-kvm-device.c
@@ -18,17 +18,19 @@ int vgic_check_iorange(struct kvm *kvm, phys_addr_t ioa= ddr, phys_addr_t addr, phys_addr_t alignment, phys_addr_t size) { + phys_addr_t sum; + if (!IS_VGIC_ADDR_UNDEF(ioaddr)) return -EEXIST; =20 if (!IS_ALIGNED(addr, alignment) || !IS_ALIGNED(size, alignment)) return -EINVAL; =20 - if (addr + size < addr) + if (check_add_overflow(addr, size, &sum)) return -EINVAL; =20 if (addr & ~kvm_phys_mask(&kvm->arch.mmu) || - (addr + size) > kvm_phys_size(&kvm->arch.mmu)) + sum > kvm_phys_size(&kvm->arch.mmu)) return -E2BIG; =20 return 0; diff --git a/arch/arm64/kvm/vgic/vgic-v2.c b/arch/arm64/kvm/vgic/vgic-v2.c index 7e9cdb78f7ce..c8d1e965d3b7 100644 --- a/arch/arm64/kvm/vgic/vgic-v2.c +++ b/arch/arm64/kvm/vgic/vgic-v2.c 
@@ -273,14 +273,16 @@ void vgic_v2_enable(struct kvm_vcpu *vcpu) /* check for overlapping regions and for regions crossing the end of memor= y */ static bool vgic_v2_check_base(gpa_t dist_base, gpa_t cpu_base) { - if (dist_base + KVM_VGIC_V2_DIST_SIZE < dist_base) + gpa_t dist_sum, cpu_sum; + + if (check_add_overflow(dist_base, KVM_VGIC_V2_DIST_SIZE, &dist_sum)) return false; - if (cpu_base + KVM_VGIC_V2_CPU_SIZE < cpu_base) + if (check_add_overflow(cpu_base, KVM_VGIC_V2_CPU_SIZE, &cpu_sum)) return false; =20 - if (dist_base + KVM_VGIC_V2_DIST_SIZE <=3D cpu_base) + if (dist_sum <=3D cpu_base) return true; - if (cpu_base + KVM_VGIC_V2_CPU_SIZE <=3D dist_base) + if (cpu_sum <=3D dist_base) return true; =20 return false; --=20 2.34.1
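Review bot: The new locals are named for the operation rather than for what they hold: `sum` in vgic_check_iorange() and `dist_sum`/`cpu_sum` in vgic_v2_check_base() are the exclusive end addresses of the regions being validated. The comparisons `sum > kvm_phys_size(&kvm->arch.mmu)` and `dist_sum <= cpu_base` would read more directly with `end`, `dist_end` and `cpu_end`, which also matches the existing comment above vgic_v2_check_base() about regions crossing the end of memory.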
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Sean Christopherson, Paolo Bonzini, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", kvm@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 25/82] KVM: SVM: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:00 -0800
Message-Id: <20240123002814.1396804-25-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Sean Christopherson
Cc: Paolo Bonzini
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: Dave Hansen
Cc: x86@kernel.org
Cc: "H. Peter Anvin"
Cc: kvm@vger.kernel.org
Signed-off-by: Kees Cook
--- arch/x86/kvm/svm/sev.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index f760106c31f8..12a6a2b1ac81 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c
@@ -400,16 +400,17 @@ static struct page **sev_pin_memory(struct kvm *kvm, = unsigned long uaddr, unsigned long locked, lock_limit; struct page **pages; unsigned long first, last; + unsigned long sum; int ret; =20 lockdep_assert_held(&kvm->lock); =20 - if (ulen =3D=3D 0 || uaddr + ulen < uaddr) + if (ulen =3D=3D 0 || check_add_overflow(uaddr, ulen, &sum)) return ERR_PTR(-EINVAL); =20 /* Calculate number of pages. */ first =3D (uaddr & PAGE_MASK) >> PAGE_SHIFT; - last =3D ((uaddr + ulen - 1) & PAGE_MASK) >> PAGE_SHIFT; + last =3D ((sum - 1) & PAGE_MASK) >> PAGE_SHIFT; npages =3D (last - first + 1); =20 locked =3D sev->pages_locked + npages; --=20 2.34.1
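Review bot: In sev_pin_memory() the condition `ulen == 0 || check_add_overflow(uaddr, ulen, &sum)` returns ERR_PTR(-EINVAL) when the addition wraps, so this call site never relies on wrap-around, and the subject's "intentional wrap-around calculation" does not describe it; the changelog body's own wording, an open-coded wrap-around addition test, would make a more accurate subject. Separately, the later `last = ((sum - 1) & PAGE_MASK) >> PAGE_SHIFT;` is only safe because both halves of that condition have already returned for `ulen == 0` and for a wrapped sum, and `sum` is not assigned at all on the `ulen == 0` path; a short comment at the `last =` line would keep that dependency visible.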
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrew Morton, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 26/82] buildid: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:01 -0800
Message-Id: <20240123002814.1396804-26-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded pointer wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Andrew Morton
Signed-off-by: Kees Cook
--- lib/buildid.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/buildid.c b/lib/buildid.c index e3a7acdeef0e..d0a310cb9b57 100644 --- a/lib/buildid.c +++ b/lib/buildid.c
@@ -54,12 +54,14 @@ static inline int parse_build_id(const void *page_addr, const void *note_start, Elf32_Word note_size) { + const void *sum; + /* check for overflow */ - if (note_start < page_addr || note_start + note_size < note_start) + if (note_start < page_addr || check_add_overflow(note_start, note_size, &= sum)) return -EINVAL; =20 /* only supports note that fits in the first page */ - if (note_start + note_size > page_addr + PAGE_SIZE) + if (sum > page_addr + PAGE_SIZE) return -EINVAL; =20 return parse_build_id_buf(build_id, size, note_start, note_size); --=20 2.34.1
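Review bot: `check_add_overflow(note_start, note_size, &sum)` in parse_build_id() passes a `const void *` operand and stores into a `const void *` result, so this hunk depends on check_add_overflow() accepting pointer addition; nothing visible here shows that it does, and the changelog should name the patch in the series that provides it so the ordering dependency is explicit. The changelog's closing sentence also cites "the unsigned wrap-around sanitizer[2]" although this is the pointer case and the Link list uses [2] for the issue cited for signed types and [4] for pointer types, so the reference wants correcting. The right-hand side `page_addr + PAGE_SIZE` remains open-coded pointer arithmetic.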
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Geert Uytterhoeven, Andrew Morton, Arnd Bergmann, Liam Howlett, "Matthew Wilcox (Oracle)", Hugh Dickins, linux-m68k@lists.linux-m68k.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 27/82] m68k: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:02 -0800
Message-Id: <20240123002814.1396804-27-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Geert Uytterhoeven
Cc: Andrew Morton
Cc: Arnd Bergmann
Cc: Liam Howlett
Cc: "Matthew Wilcox (Oracle)"
Cc: Hugh Dickins
Cc: linux-m68k@lists.linux-m68k.org
Signed-off-by: Kees Cook
Acked-by: Geert Uytterhoeven
Reviewed-by: Geert Uytterhoeven
Reviewed-by: Liam R. Howlett
--- arch/m68k/kernel/sys_m68k.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/m68k/kernel/sys_m68k.c b/arch/m68k/kernel/sys_m68k.c index 1af5e6082467..b2b9248f2566 100644 --- a/arch/m68k/kernel/sys_m68k.c +++ b/arch/m68k/kernel/sys_m68k.c @@ -391,10 +391,11 @@ sys_cacheflush (unsigned long addr, int scope, int ca= che, unsigned long len) =20 mmap_read_lock(current->mm); } else { + unsigned long sum; struct vm_area_struct *vma; =20 /* Check for overflow. */ - if (addr + len < addr) + if (check_add_overflow(addr, len, &sum)) goto out; =20 /*
@@ -403,7 +404,7 @@ sys_cacheflush (unsigned long addr, int scope, int cach= e, unsigned long len) */ mmap_read_lock(current->mm); vma =3D vma_lookup(current->mm, addr); - if (!vma || addr + len > vma->vm_end) + if (!vma || sum > vma->vm_end) goto out_unlock; } =20 --=20 2.34.1 From nobody Fri Dec 19 17:14:29 2025 Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com [209.85.210.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E2169164187 for ; Tue, 23 Jan 2024 00:46:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.181 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705970771; cv=none; b=ZD6XwNXMjX3Tu/oMUMxeHlKraleihXijIiWJVX1YYRx4l6xTuR40jfu1v3lQfHaqUAu/kb3tUUUqclcldX21D3XpChghevB4LqFfNWaYrA8mqAisiHX40lU0ilZlx02s9mFMka2aGvoHo4qiLafs7u07pSzlUc69rBPe0nUoKBc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705970771; c=relaxed/simple; bh=4HPvynPR3Ko1dXfNMJBApuVlt9+5UyaMefuvQ347bXs=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=imcK4SF6P6FgjtxlR212J1VjQ9qYnuJRVg9wSTSQyxWetUzypmsPLgFUD+lwJJSgH3L8a25H1FQ2l1MgRUF8kK5khIoEWR5NI6pRrSZqCWjWG0qOU0IXl/9+xkjI9pSMMkdf3ixHYneGpOo7PDbckz2z8I1bIHAUnNaN8yKYR5o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=kqm0YraK; arc=none smtp.client-ip=209.85.210.181 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="kqm0YraK" Received: 
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Du Cheng, netdev@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 28/82] niu: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:03 -0800
Message-Id: <20240123002814.1396804-28-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Simon Horman
Cc: Du Cheng
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/net/ethernet/sun/niu.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c index 21431f43e4c2..a4de07c6e618 100644 --- a/drivers/net/ethernet/sun/niu.c +++ b/drivers/net/ethernet/sun/niu.c
@@ -6877,15 +6877,16 @@ static int niu_get_eeprom(struct net_device *dev, { struct niu *np =3D netdev_priv(dev); u32 offset, len, val; + u32 sum; =20 offset =3D eeprom->offset; len =3D eeprom->len; =20 - if (offset + len < offset) + if (check_add_overflow(offset, len, &sum)) return -EINVAL; if (offset >=3D np->eeprom_len) return -EINVAL; - if (offset + len > np->eeprom_len) + if (sum > np->eeprom_len) len =3D eeprom->len =3D np->eeprom_len - offset; =20 if (offset & 3) { --=20 2.34.1
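Review bot: in niu_get_eeprom(), once the `sum > np->eeprom_len` branch clamps `len`, `sum` no longer equals `offset + len`, so the new local carries a stale end offset for the rest of the function. Nothing in the visible context reads it again, but naming it `end` and re-assigning it in the clamp branch (`end = np->eeprom_len;`) would keep a later user from trusting the old value. The diffstat shows no added #include, so please also confirm niu.c already gets <linux/overflow.h>.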
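The range check this patch touches, modelled in userspace as an added example (not part of the patch or of the kernel tree), run over constructed edge cases to show that the open-coded and checked forms agree. `window_open_coded()`, `window_checked()` and `add_overflows_u32()` are hypothetical names; the last stands in for check_add_overflow() and assumes a GCC or Clang compiler providing `__builtin_add_overflow`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Userspace stand-in for the kernel's check_add_overflow() (assumption:
 * GCC or Clang, which provide __builtin_add_overflow). Returns true when
 * a + b does not fit in *sum.
 */
static bool add_overflows_u32(uint32_t a, uint32_t b, uint32_t *sum)
{
	return __builtin_add_overflow(a, b, sum);
}

/*
 * Old form: the wrap test and the bound test each redo offset + len and
 * depend on unsigned arithmetic wrapping silently.
 * Returns the number of bytes that may be read, or -EINVAL.
 */
static int64_t window_open_coded(uint32_t offset, uint32_t len,
				 uint32_t eeprom_len)
{
	if (offset + len < offset)
		return -EINVAL;
	if (offset >= eeprom_len)
		return -EINVAL;
	if (offset + len > eeprom_len)
		len = eeprom_len - offset;
	return len;
}

/* New form: one checked addition whose result is reused for the bound test. */
static int64_t window_checked(uint32_t offset, uint32_t len,
			      uint32_t eeprom_len)
{
	uint32_t end;

	if (add_overflows_u32(offset, len, &end))
		return -EINVAL;
	if (offset >= eeprom_len)
		return -EINVAL;
	if (end > eeprom_len)
		len = eeprom_len - offset;	/* end is stale from here on */
	return len;
}

/* Constructed inputs around the wrap and clamp boundaries. */
static const struct {
	uint32_t offset, len, eeprom_len;
} cases[] = {
	{ 0x00000010u, 0x00000020u, 0x100u },	/* fits */
	{ 0x000000f0u, 0x00000020u, 0x100u },	/* clamped to 0x10 */
	{ 0x000000ffu, 0x00000001u, 0x100u },	/* ends exactly at the limit */
	{ 0x00000100u, 0x00000001u, 0x100u },	/* offset out of range */
	{ 0xfffffff0u, 0x00000020u, 0x100u },	/* offset + len wraps to 0x10 */
	{ 0x00000001u, 0xffffffffu, 0x100u },	/* wraps to exactly 0 */
	{ 0x00000000u, 0xffffffffu, 0x100u },	/* no wrap, clamped to 0x100 */
};

/* Returns how many constructed cases the two forms disagree on. */
static int compare_forms(void)
{
	int mismatches = 0;

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		int64_t a = window_open_coded(cases[i].offset, cases[i].len,
					      cases[i].eeprom_len);
		int64_t b = window_checked(cases[i].offset, cases[i].len,
					   cases[i].eeprom_len);

		printf("offset=0x%08x len=0x%08x -> open=%lld checked=%lld\n",
		       (unsigned)cases[i].offset, (unsigned)cases[i].len,
		       (long long)a, (long long)b);
		if (a != b)
			mismatches++;
	}
	return mismatches;
}

int main(void)
{
	return compare_forms() ? 1 : 0;
}
```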
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Santosh Shilimkar, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-rdma@vger.kernel.org, rds-devel@oss.oracle.com, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 29/82] rds: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:04 -0800
Message-Id: <20240123002814.1396804-29-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Santosh Shilimkar
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: netdev@vger.kernel.org
Cc: linux-rdma@vger.kernel.org
Cc: rds-devel@oss.oracle.com
Signed-off-by: Kees Cook
---
 net/rds/info.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/rds/info.c b/net/rds/info.c index b6b46a8214a0..87b35d07ce04 100644 --- a/net/rds/info.c +++ b/net/rds/info.c @@ -163,6 +163,7 @@ int rds_info_getsockopt(struct socket *sock, int optnam= e, char __user *optval, unsigned long nr_pages =3D 0; unsigned long start; rds_info_func func; + unsigned long sum; struct page **pages =3D NULL; int ret; int len;
@@ -175,7 +176,8 @@ int rds_info_getsockopt(struct socket *sock, int optnam= e, char __user *optval, =20 /* check for all kinds of wrapping and the like */ start =3D (unsigned long)optval; - if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || start + len < start) { + if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || + check_add_overflow(start, len, &sum)) { ret =3D -EINVAL; goto out; } 
@@ -184,7 +186,7 @@ int rds_info_getsockopt(struct socket *sock, int optnam= e, char __user *optval, if (len =3D=3D 0) goto call_func; =20 - nr_pages =3D (PAGE_ALIGN(start + len) - (start & PAGE_MASK)) + nr_pages =3D (PAGE_ALIGN(sum) - (start & PAGE_MASK)) >> PAGE_SHIFT; =20 pages =3D kmalloc_array(nr_pages, sizeof(struct page *), GFP_KERNEL); --=20 2.34.1
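Review bot: in the `@@ -175,7 +176,8 @@` hunk of rds_info_getsockopt(), `check_add_overflow(start, len, &sum)` mixes the signed `int len` with `unsigned long start` and `sum`, and it only matches the old `start + len < start` test because `len < 0` is rejected earlier in the same `||` chain. Please add a short comment recording that ordering dependency, or pass `(unsigned long)len`, so a later reshuffle of the condition cannot change what is being checked.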
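Review bot: in the `@@ -184,7 +186,7 @@` hunk, `PAGE_ALIGN(sum)` still rounds the checked end address up with no overflow test of its own, so the value that sizes `nr_pages` for kmalloc_array() is only partly covered by the new check. This is inherited from the old `PAGE_ALIGN(start + len)`, but since the series aims to make every wrap-around explicit, either bound `sum` before aligning it or say in the commit message why the rounding cannot wrap here.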
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Heiko Carstens, Vasily Gorbik, Alexander Gordeev, Christian Borntraeger, Sven Schnelle, Nico Boehr, Philipp Rudo, Baoquan He, Tao Liu, Alexander Egorenkov, linux-s390@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 30/82] s390/kexec_file: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:05 -0800
Message-Id: <20240123002814.1396804-30-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Heiko Carstens
Cc: Vasily Gorbik
Cc: Alexander Gordeev
Cc: Christian Borntraeger
Cc: Sven Schnelle
Cc: Nico Boehr
Cc: Philipp Rudo
Cc: Baoquan He
Cc: Tao Liu
Cc: Alexander Egorenkov
Cc: linux-s390@vger.kernel.org
Signed-off-by: Kees Cook
---
 arch/s390/include/asm/stacktrace.h | 6 ++++--
 arch/s390/kernel/machine_kexec_file.c | 5 +++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/arch/s390/include/asm/stacktrace.h b/arch/s390/include/asm/sta= cktrace.h index 31ec4f545e03..3ce08d32a8ad 100644 --- a/arch/s390/include/asm/stacktrace.h +++ b/arch/s390/include/asm/stacktrace.h
@@ -34,11 +34,13 @@ int get_stack_info(unsigned long sp, struct task_struct= *task, static inline bool on_stack(struct stack_info *info, unsigned long addr, size_t len) { + unsigned long sum; + if (info->type =3D=3D STACK_TYPE_UNKNOWN) return false; - if (addr + len < addr) + if (check_add_overflow(addr, len, &sum)) return false; - return addr >=3D info->begin && addr + len <=3D info->end; + return addr >=3D info->begin && sum <=3D info->end; } =20 /* diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machi= ne_kexec_file.c index 8d207b82d9fe..e5e925423061 100644 --- a/arch/s390/kernel/machine_kexec_file.c +++ b/arch/s390/kernel/machine_kexec_file.c @@ -238,6 +238,7 @@ void *kexec_file_add_components(struct kimage *image, unsigned long max_command_line_size =3D LEGACY_COMMAND_LINE_SIZE; struct s390_load_data data =3D {0}; unsigned long minsize; + unsigned long sum; int ret; =20 data.report =3D ipl_report_init(&ipl_block); 
@@ -256,10 +257,10 @@ void *kexec_file_add_components(struct kimage *image, if (data.parm->max_command_line_size) max_command_line_size =3D data.parm->max_command_line_size; =20 - if (minsize + max_command_line_size < minsize) + if (check_add_overflow(minsize, max_command_line_size, &sum)) goto out; =20 - if (image->kernel_buf_len < minsize + max_command_line_size) + if (image->kernel_buf_len < sum) goto out; =20 if (image->cmdline_buf_len >=3D max_command_line_size) --=20 2.34.1
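Review bot: on_stack() is a static inline in arch/s390/include/asm/stacktrace.h and now calls check_add_overflow(), yet the stacktrace.h diff adds no `#include <linux/overflow.h>`, so every file that includes this header relies on the helper being visible transitively. Please add the include to the header itself.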
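Review bot: in the `@@ -256,10 +257,10 @@` hunk of kexec_file_add_components(), the two consecutive tests both `goto out`, so they can be folded into one condition, `if (check_add_overflow(minsize, max_command_line_size, &sum) || image->kernel_buf_len < sum)`, which is the shape the ARC patch in this series uses. `sum` would also read better as `needed` or `min_len`, since it is the minimum kernel buffer length being compared against.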
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Vineet Gupta, Luis Chamberlain, Song Liu, Yihao Han, Thomas Gleixner, "dean.yang_cp", Jinchao Wang, linux-snps-arc@lists.infradead.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 31/82] ARC: dw2 unwind: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:06 -0800
Message-Id: <20240123002814.1396804-31-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded pointer wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Vineet Gupta
Cc: Luis Chamberlain
Cc: Song Liu
Cc: Yihao Han
Cc: Thomas Gleixner
Cc: "dean.yang_cp"
Cc: Jinchao Wang
Cc: linux-snps-arc@lists.infradead.org
Signed-off-by: Kees Cook
---
 arch/arc/kernel/unwind.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/arc/kernel/unwind.c b/arch/arc/kernel/unwind.c index 9270d0a713c3..8924fa2a8f29 100644 --- a/arch/arc/kernel/unwind.c +++ b/arch/arc/kernel/unwind.c @@ -612,6 +612,7 @@ static signed fde_pointer_type(const u32 *cie) const char *aug; const u8 *end =3D (const u8 *)(cie + 1) + *cie; uleb128_t len; + const u8 *sum; =20 /* check if augmentation size is first (and thus present) */ if (*ptr !=3D 'z')
@@ -630,10 +631,10 @@ static signed fde_pointer_type(const u32 *cie) version <=3D 1 ? (void) ++ptr : (void)get_uleb128(&ptr, end); len =3D get_uleb128(&ptr, end); /* augmentation length */ =20 - if (ptr + len < ptr || ptr + len > end) + if (check_add_overflow(ptr, len, &sum) || sum > end) return -1; =20 - end =3D ptr + len; + end =3D sum; while (*++aug) { if (ptr >=3D end) return -1; --=20 2.34.1
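Review bot: in fde_pointer_type(), `check_add_overflow(ptr, len, &sum)` is given a pointer operand and stores into `const u8 *sum`, unlike the integer calls in the other patches here, so this change only builds where check_add_overflow() accepts pointer arguments. The commit message should name the prerequisite patch that provides that. It also says the change paves the way for the "unsigned wrap-around sanitizer[2]" although the test being refactored is the pointer case, which the same message ties to [4].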
smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="G3Lo3qW7" Received: by mail-oo1-f45.google.com with SMTP id 006d021491bc7-599a5266066so54702eaf.1 for ; Mon, 22 Jan 2024 16:45:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1705970755; x=1706575555; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=dOtaS8Q/PpRJgiodelWT3IFfX/962bDrzicKtXvnvo8=; b=G3Lo3qW7qs+sdo6ikHuS/j4yt/01dQGAj9Ib1ApRTJyVwP3IEiI4DgknpJ89s7oXCh aVFUzX2sLjVajlDTA9YmvkTVVJVylqhmBNcZV7VzqZKuSA4tWuWouW9/FkvqsoGjpREQ w6k9tubHuLfMzKDj5I3iOuYTQh5vxAE8WY+q0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705970755; x=1706575555; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=dOtaS8Q/PpRJgiodelWT3IFfX/962bDrzicKtXvnvo8=; b=gR2sT/doWx9+cSWVrAAY5cNmyeTO5hCMeP/3OoyhVKmTSCXSyN1HQANTd+I2U8eMQF bQLXIIJ3l1aXu+shxPKOI00Y8TpoBeFfTpecsOBA/82LFXuzWihCTrGKA1w8NX5wsgGh XonJ7FJbq4LBPKEmo0QjTcG/JkeEWkcD1cNppMTwYGU9HJxcQuHd9kffC1Sg/hqM1PMB kosQCCpj51242hoyOYRpAa6TVd0CDUtUi1UXZn0fA47QMhjRbMjr8Z9DmW/Cu0e2MxsW cNb7Ym7pJpqD4AgMnOeAjCsWS3JLDTdE3l9zKaBBX07jKyQDfi/RijhpKE3xZzd4nQKG SU8Q== X-Gm-Message-State: AOJu0YwkSCP06NMXr+Eq2ibmQqBfQ4hrMSGQi3i1j1g8GVSZ8oHDT75h cabhnF73cHrqezUgWttNZc+xFO5IZF6pf39j/v4KYMFT+cSPwakCmv6SolAXnA== X-Google-Smtp-Source: AGHT+IGQwShADBm43GhljCU0u40cOaLZ1q4WsuoH3YKek1HoSlz9pHA07/Hox4IaetxxaQSRrpFeCQ== X-Received: by 2002:a05:6358:99a0:b0:176:3e0d:9910 with SMTP id j32-20020a05635899a000b001763e0d9910mr4500624rwb.0.1705970755199; Mon, 22 Jan 2024 16:45:55 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id g4-20020aa78744000000b006d9bb4400f0sm10234582pfo.88.2024.01.22.16.45.54 
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jan 2024 16:45:54 -0800 (PST) 
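Review bot: In the second hunk, check_add_overflow(ptr, len, &sum) is given a pointer operand and a const u8 * destination, so the change only builds if the helper accepts pointer types. Nothing in this patch shows that, and the commit message should name the change in the series that provides it. Since the result is assigned straight to end, a pointer-style name would also read better than sum.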
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Michael S. Tsirkin", Jason Wang, kvm@vger.kernel.org, virtualization@lists.linux.dev, netdev@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 32/82] vringh: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:07 -0800
Message-Id: <20240123002814.1396804-32-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor
places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: "Michael S. Tsirkin"
Cc: Jason Wang
Cc: kvm@vger.kernel.org
Cc: virtualization@lists.linux.dev
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: Eugenio Pérez
--- drivers/vhost/vringh.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c index 7b8fd977f71c..07442f0a52bd 100644 --- a/drivers/vhost/vringh.c +++ b/drivers/vhost/vringh.c @@ -145,6 +145,8 @@ static inline bool range_check(struct vringh *vrh, u64 = addr, size_t *len, bool (*getrange)(struct vringh *, u64, struct vringh_range *)) { + u64 sum; + if (addr < range->start || addr > range->end_incl) { if (!getrange(vrh, addr, range)) return false;
@@ -152,20 +154,20 @@ static inline bool range_check(struct vringh *vrh, u6= 4 addr, size_t *len, BUG_ON(addr < range->start || addr > range->end_incl); =20 /* To end of memory? */ - if (unlikely(addr + *len =3D=3D 0)) { + if (unlikely(U64_MAX - addr =3D=3D *len)) { if (range->end_incl =3D=3D -1ULL) return true; goto truncate; } =20 /* Otherwise, don't wrap. */ - if (addr + *len < addr) { + if (check_add_overflow(addr, *len, &sum)) { vringh_bad("Wrapping descriptor %zu@0x%llx", *len, (unsigned long long)addr); return false; } =20 - if (unlikely(addr + *len - 1 > range->end_incl)) + if (unlikely(sum - 1 > range->end_incl)) goto truncate; return true; =20 --=20 2.34.1
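Review bot: The "To end of memory?" test in the second hunk is not equivalent after the rewrite. The removed condition, addr + *len == 0, is true when the range ends exactly at the wrap point, that is when *len equals U64_MAX - addr + 1; the added condition, U64_MAX - addr == *len, is true one byte earlier, when addr + *len equals U64_MAX. A descriptor that runs exactly to the top of the address space now skips this branch and reaches check_add_overflow(), where it is rejected as "Wrapping descriptor". To keep the behaviour, do the checked add first and treat sum == 0 as the end-of-memory case before rejecting the remaining overflows.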
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrew Morton, Uladzislau Rezki, Christoph Hellwig, Lorenzo Stoakes, linux-mm@kvack.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 33/82] mm/vmalloc: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:08 -0800
Message-Id: <20240123002814.1396804-33-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend
on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Andrew Morton
Cc: Uladzislau Rezki
Cc: Christoph Hellwig
Cc: Lorenzo Stoakes
Cc: linux-mm@kvack.org
Signed-off-by: Kees Cook
Reviewed-by: Lorenzo Stoakes
--- mm/vmalloc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/mm/vmalloc.c b/mm/vmalloc.c index d12a17fc0c17..7932ac99e9d3 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -1223,6 +1223,7 @@ is_within_this_va(struct vmap_area *va, unsigned long= size, unsigned long align, unsigned long vstart) { unsigned long nva_start_addr; + unsigned long sum; =20 if (va->va_start > vstart) nva_start_addr =3D ALIGN(va->va_start, align);
@@ -1230,11 +1231,11 @@ is_within_this_va(struct vmap_area *va, unsigned lo= ng size, nva_start_addr =3D ALIGN(vstart, align); =20 /* Can be overflowed due to big size or alignment. */ - if (nva_start_addr + size < nva_start_addr || + if (check_add_overflow(nva_start_addr, size, &sum) || nva_start_addr < vstart) return false; =20 - return (nva_start_addr + size <=3D va->va_end); + return (sum <=3D va->va_end); } =20 /* --=20 2.34.1
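Review bot: The second hunk converts the size addition but leaves the other wrap test in the same condition, nva_start_addr < vstart, untouched. Going by the comment ("Can be overflowed due to big size or alignment"), that comparison is what catches ALIGN(vstart, align) wrapping, so it is still an add-then-compare test on the result of ALIGN(). The alignment step needs its own checked form, or an explicit marking as intentional, before a wrap-around sanitizer can be enabled on this function.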
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Linus Torvalds, Andrew Morton, "Liam R. Howlett", Mark Brown, Mike Kravetz, Vasily Averin, Alexander Mikhalitsyn, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 34/82] ipc: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:09 -0800
Message-Id: <20240123002814.1396804-34-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to
refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Linus Torvalds
Cc: Andrew Morton
Cc: "Liam R. Howlett"
Cc: Mark Brown
Cc: Mike Kravetz
Cc: Vasily Averin
Cc: Alexander Mikhalitsyn
Signed-off-by: Kees Cook
--- ipc/shm.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ipc/shm.c b/ipc/shm.c index a89f001a8bf0..227a1610628a 100644 --- a/ipc/shm.c +++ b/ipc/shm.c
@@ -1650,11 +1650,13 @@ long do_shmat(int shmid, char __user *shmaddr, int = shmflg, } =20 if (addr && !(shmflg & SHM_REMAP)) { + unsigned long sum; + err =3D -EINVAL; - if (addr + size < addr) + if (check_add_overflow(addr, size, &sum)) goto invalid; =20 - if (find_vma_intersection(current->mm, addr, sum)) goto invalid; } =20 --=20 2.34.1
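Review bot: The new local sum, declared at the top of the if (addr && !(shmflg & SHM_REMAP)) block, is passed to find_vma_intersection() as the end of the range, so a name such as end would say what that third argument is. As written, sum only records how the value was computed.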
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Rafael J. Wysocki", Len Brown, linux-acpi@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 35/82] ACPI: custom_method: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:10 -0800
Message-Id: <20240123002814.1396804-35-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: "Rafael J. Wysocki"
Cc: Len Brown
Cc: linux-acpi@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/acpi/custom_method.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index d39a9b474727..0789317f4a1a 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c
@@ -54,7 +54,7 @@ static ssize_t cm_write(struct file *file, const char __u= ser *user_buf, =20 if ((*ppos > max_size) || (*ppos + count > max_size) || - (*ppos + count < count) || + (add_would_overflow(count, *ppos)) || (count > uncopied_bytes)) { kfree(buf); buf =3D NULL; --=20 2.34.1
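Review bot: The overflow test still runs after the addition it is meant to guard. The context line (*ppos + count > max_size) computes the same sum before add_would_overflow(count, *ppos) is evaluated, so an instrumented build would report the wrap there first. Move the overflow test ahead of that comparison, or use check_add_overflow() and compare the stored sum against max_size. The extra parentheses around the add_would_overflow() call can be dropped as well.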
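The idiom these commit messages describe, as an added user-space C example that is not code from the patch series: it models the arithmetic at 8 bits so every operand pair can be enumerated, comparing the open-coded VAR + value < VAR test with a checked add that retains the sum, and the removed and added forms of the vringh "To end of memory?" test. The check_add_overflow() macro here is a stand-in built on the GCC/Clang __builtin_add_overflow builtin, and the function names and the wrap-free variant are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Stand-in for the kernel helper named in the commit messages (assumption:
 * GCC or Clang). Returns true on wrap-around; *d always receives the
 * truncated result.
 */
#define check_add_overflow(a, b, d) __builtin_add_overflow((a), (b), (d))

typedef bool (*pred_fn)(uint8_t, uint8_t);

/* Open-coded idiom from the commit message: VAR + value < VAR. */
static bool wraps_open_coded(uint8_t var, uint8_t value)
{
	return (uint8_t)(var + value) < var;
}

/* Number of 8-bit operand pairs on which the two wrap tests disagree. */
static unsigned int count_wrap_test_mismatches(void)
{
	unsigned int bad = 0;

	for (unsigned int a = 0; a <= UINT8_MAX; a++) {
		for (unsigned int b = 0; b <= UINT8_MAX; b++) {
			uint8_t sum;
			bool checked = check_add_overflow((uint8_t)a, (uint8_t)b, &sum);

			if (checked != wraps_open_coded(a, b) || sum != (uint8_t)(a + b))
				bad++;
		}
	}
	return bad;
}

/* "To end of memory?" as removed by the vringh hunk: the sum wraps to 0. */
static bool end_of_memory_old(uint8_t addr, uint8_t len)
{
	return (uint8_t)(addr + len) == 0;
}

/* The same test as added by the vringh hunk, with U64_MAX scaled to 8 bits. */
static bool end_of_memory_new(uint8_t addr, uint8_t len)
{
	return UINT8_MAX - addr == len;
}

/* Hypothetical wrap-free form that keeps the old meaning (not in the patch). */
static bool end_of_memory_no_wrap(uint8_t addr, uint8_t len)
{
	if (addr == 0)
		return len == 0;
	return len != 0 && len - 1 == UINT8_MAX - addr;
}

/* Number of (addr, len) pairs on which two predicates give different answers. */
static unsigned int count_mismatches(pred_fn f, pred_fn g)
{
	unsigned int bad = 0;

	for (unsigned int a = 0; a <= UINT8_MAX; a++)
		for (unsigned int l = 0; l <= UINT8_MAX; l++)
			if (f(a, l) != g(a, l))
				bad++;
	return bad;
}

/*
 * Range check in the style of the ipc and vmalloc hunks: one checked add,
 * with the sum kept in *end for the bounds comparison that follows.
 */
static bool range_fits(uint64_t start, uint64_t size, uint64_t limit, uint64_t *end)
{
	if (check_add_overflow(start, size, end))
		return false;
	return *end <= limit;
}

int main(void)
{
	uint64_t end;

	printf("wrap test mismatches:         %u\n", count_wrap_test_mismatches());
	printf("end-of-memory old vs new:     %u\n",
	       count_mismatches(end_of_memory_old, end_of_memory_new));
	printf("end-of-memory old vs no-wrap: %u\n",
	       count_mismatches(end_of_memory_old, end_of_memory_no_wrap));
	printf("range fits: %d\n", range_fits(0x1000, 0x2000, 0x4000, &end));
	return 0;
}
```

The same identities hold at 64 bits; the narrow type only makes exhaustive enumeration practical.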
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Greg Kroah-Hartman, David Airlie, dri-devel@lists.freedesktop.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 36/82] agp: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:11 -0800
Message-Id: <20240123002814.1396804-36-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Greg Kroah-Hartman
Cc: David Airlie
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
 drivers/char/agp/generic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c index 3ffbb1c80c5c..fc2d07654154 100644 --- a/drivers/char/agp/generic.c +++ b/drivers/char/agp/generic.c
@@ -228,7 +228,7 @@ struct agp_memory *agp_allocate_memory(struct agp_bridg= e_data *bridge, =20 cur_memory =3D atomic_read(&bridge->current_memory_agp); if ((cur_memory + page_count > bridge->max_memory_agp) || - (cur_memory + page_count < page_count)) + (add_would_overflow(page_count, cur_memory))) return NULL; =20 if (type >=3D AGP_USER_TYPES) { --=20 2.34.1
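Review bot: the new clause passes its operands as add_would_overflow(page_count, cur_memory) while the line directly above writes the same sum as cur_memory + page_count, so the two halves of one condition disagree on operand order. If the order matters to the helper, a one-line comment saying why would help the next reader; otherwise write both the same way. The first clause also still performs the open-coded addition before this test runs, so the wrap check would read better placed ahead of the max_memory_agp comparison.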
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Benjamin LaHaise, Alexander Viro, Christian Brauner, Jan Kara, linux-aio@kvack.org, linux-fsdevel@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 37/82] aio: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:12 -0800
Message-Id: <20240123002814.1396804-37-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Benjamin LaHaise
Cc: Alexander Viro
Cc: Christian Brauner
Cc: Jan Kara
Cc: linux-aio@kvack.org
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed-by: Jan Kara
---
 fs/aio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/aio.c b/fs/aio.c index bb2ff48991f3..edd19be3f4b1 100644 --- a/fs/aio.c +++ b/fs/aio.c
@@ -796,7 +796,7 @@ static struct kioctx *ioctx_alloc(unsigned nr_events) /* limit the number of system wide aios */ spin_lock(&aio_nr_lock); if (aio_nr + ctx->max_reqs > aio_max_nr || - aio_nr + ctx->max_reqs < aio_nr) { + add_would_overflow(aio_nr, ctx->max_reqs)) { spin_unlock(&aio_nr_lock); err =3D -EAGAIN; goto err_ctx; --=20 2.34.1
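Review bot: aio_nr + ctx->max_reqs is needed for the aio_max_nr comparison as well as for the wrap test, yet after this change it is added open-coded in the first clause and then tested again through add_would_overflow(aio_nr, ctx->max_reqs). Consider a single check_add_overflow() into a local, followed by one comparison of that local against aio_max_nr; that does the addition once under aio_nr_lock and leaves no bare sum in the condition.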
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Russell King, linux-arm-kernel@lists.infradead.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 38/82] arm: 3117/1: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:13 -0800
Message-Id: <20240123002814.1396804-38-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Russell King
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Kees Cook
---
 arch/arm/nwfpe/softfloat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/nwfpe/softfloat.c b/arch/arm/nwfpe/softfloat.c index ffa6b438786b..0635b1eda1d3 100644 --- a/arch/arm/nwfpe/softfloat.c +++ b/arch/arm/nwfpe/softfloat.c
@@ -603,7 +603,7 @@ static floatx80 roundBits =3D zSig0 & roundMask; if ( 0x7FFD <=3D (bits32) ( zExp - 1 ) ) { if ( ( 0x7FFE < zExp ) - || ( ( zExp =3D=3D 0x7FFE ) && ( zSig0 + roundIncrement < zSi= g0 ) ) + || ( ( zExp =3D=3D 0x7FFE ) && (add_would_overflow(zSig0, rou= ndIncrement)) ) ) { goto overflow; } --=20 2.34.1
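Review bot: the replacement line wraps the helper call in a redundant pair of parentheses, (add_would_overflow(zSig0, roundIncrement)), and drops the spaced ( x ) style that every other term of this condition uses. Suggest removing the outer parentheses and matching the surrounding spacing, so the new term reads consistently next to ( zExp == 0x7FFE ) and the nesting of the whole expression stays easy to count.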
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Jesper Nilsson, Lars Persson, Herbert Xu, "David S. Miller", linux-arm-kernel@axis.com, linux-crypto@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 39/82] crypto: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:14 -0800
Message-Id: <20240123002814.1396804-39-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Jesper Nilsson
Cc: Lars Persson
Cc: Herbert Xu
Cc: "David S. Miller"
Cc: linux-arm-kernel@axis.com
Cc: linux-crypto@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/crypto/axis/artpec6_crypto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/axis/artpec6_crypto.c b/drivers/crypto/axis/art= pec6_crypto.c index dbc1d483f2af..cbec539f0e20 100644 --- a/drivers/crypto/axis/artpec6_crypto.c +++ b/drivers/crypto/axis/artpec6_crypto.c
@@ -1190,7 +1190,7 @@ artpec6_crypto_ctr_crypt(struct skcipher_request *req= , bool encrypt) * the whole IV is a counter. So fallback if the counter is going to * overlow. */ - if (counter + nblks < counter) { + if (add_would_overflow(counter, nblks)) { int ret; =20 pr_debug("counter %x will overflow (nblks %u), falling back\n", --=20 2.34.1
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Catalin Marinas, Will Deacon, Kalesh Singh, Fuad Tabba, Mark Brown, "Madhavan T. Venkataraman", Marc Zyngier, Mark Rutland, linux-arm-kernel@lists.infradead.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 40/82] arm64: stacktrace: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:15 -0800
Message-Id: <20240123002814.1396804-40-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Catalin Marinas
Cc: Will Deacon
Cc: Kalesh Singh
Cc: Fuad Tabba
Cc: Mark Brown
Cc: "Madhavan T. Venkataraman"
Cc: Marc Zyngier
Cc: Mark Rutland
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Kees Cook
Acked-by: Mark Rutland
---
 arch/arm64/include/asm/stacktrace/common.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/include/asm/stacktrace/common.h b/arch/arm64/includ= e/asm/stacktrace/common.h index f63dc654e545..6e0cb84961f8 100644 --- a/arch/arm64/include/asm/stacktrace/common.h +++ b/arch/arm64/include/asm/stacktrace/common.h
@@ -49,7 +49,7 @@ static inline bool stackinfo_on_stack(const struct stack_= info *info, if (!info->low) return false; =20 - if (sp < info->low || sp + size < sp || sp + size > info->high) + if (sp < info->low || add_would_overflow(sp, size) || sp + size > info->h= igh) return false; =20 return true; --=20 2.34.1
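Review bot: In stackinfo_on_stack(), the third clause still computes `sp + size` open-coded, so it is only safe from wrap-around because `add_would_overflow(sp, size)` short-circuits in front of it. That ordering dependency is easy to break in a later edit. Consider computing the end once with check_add_overflow() into a local and comparing that local against `info->high`, or add a comment saying that the order of the clauses matters.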
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Kalle Valo, Johannes Berg, Max Chen, Yang Shen, linux-wireless@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 41/82] wil6210: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:16 -0800
Message-Id: <20240123002814.1396804-41-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of
math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Kalle Valo
Cc: Johannes Berg
Cc: Max Chen
Cc: Yang Shen
Cc: linux-wireless@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: Kalle Valo
--- drivers/net/wireless/ath/wil6210/wmi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/= ath/wil6210/wmi.c index 6fdb77d4c59e..3b3c991f77e9 100644 --- a/drivers/net/wireless/ath/wil6210/wmi.c +++ b/drivers/net/wireless/ath/wil6210/wmi.c 
@@ -286,7 +286,7 @@ void __iomem *wmi_buffer_block(struct wil6210_priv *wil= , __le32 ptr_, u32 size) off =3D HOSTADDR(ptr); if (off > wil->bar_size - 4) return NULL; - if (size && ((off + size > wil->bar_size) || (off + size < off))) + if (size && ((off + size > wil->bar_size) || (add_would_overflow(off, siz= e)))) return NULL; =20 return wil->csr + off; --=20 2.34.1
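Review bot: In wmi_buffer_block(), the new condition still evaluates `off + size > wil->bar_size` before `add_would_overflow(off, size)`, so the open-coded sum is computed, and can wrap, before the helper is reached. If the goal stated in the commit message is to let a wrap-around sanitizer instrument plain additions, this one would trip on exactly the inputs the helper is meant to catch. Put the `add_would_overflow()` test first so that it short-circuits the comparison. The extra parentheses around the helper call can go at the same time.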
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Kent Overstreet, Brian Foster, linux-bcachefs@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 42/82] bcachefs: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:17 -0800
Message-Id: <20240123002814.1396804-42-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Kent Overstreet
Cc: Brian Foster
Cc: linux-bcachefs@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: Kent Overstreet
--- fs/bcachefs/bkey.c | 4 ++-- fs/bcachefs/fs.c | 2 +- fs/bcachefs/quota.c | 2 +- fs/bcachefs/util.c | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/fs/bcachefs/bkey.c b/fs/bcachefs/bkey.c index 76e79a15ba08..c68f1cfd579e 100644 --- a/fs/bcachefs/bkey.c +++ b/fs/bcachefs/bkey.c @@ -448,7 +448,7 @@ static bool bkey_format_has_too_big_fields(const struct= bkey_format *f) : 0; u64 field_offset =3D le64_to_cpu(f->field_offset[i]); =20 - if (packed_max + field_offset < packed_max || + if (add_would_overflow(packed_max, field_offset) || packed_max + field_offset > unpacked_max) return true; } 
@@ -664,7 +664,7 @@ int bch2_bkey_format_invalid(struct bch_fs *c, : 0; u64 field_offset =3D le64_to_cpu(f->field_offset[i]); =20 - if (packed_max + field_offset < packed_max || + if (add_would_overflow(packed_max, field_offset) || packed_max + field_offset > unpacked_max) { prt_printf(err, "field %u too large: %llu + %llu > %llu", i, packed_max, field_offset, unpacked_max); diff --git a/fs/bcachefs/fs.c b/fs/bcachefs/fs.c index ec419b8e2c43..00a606171656 100644 --- a/fs/bcachefs/fs.c +++ b/fs/bcachefs/fs.c @@ -901,7 +901,7 @@ static int bch2_fiemap(struct inode *vinode, struct fie= map_extent_info *info, if (ret) return ret; =20 - if (start + len < start) + if (add_would_overflow(start, len)) return -EINVAL; =20 start >>=3D 9; diff --git a/fs/bcachefs/quota.c b/fs/bcachefs/quota.c index e68b34eab90a..1738b1fc1c75 100644 --- a/fs/bcachefs/quota.c +++ b/fs/bcachefs/quota.c @@ -392,7 +392,7 @@ static void __bch2_quota_transfer(struct bch_memquota *= src_q, enum quota_counters counter, s64 v) { BUG_ON(v > src_q->c[counter].v); - BUG_ON(v + dst_q->c[counter].v < v); + BUG_ON(add_would_overflow(v, dst_q->c[counter].v)); =20 src_q->c[counter].v -=3D v; dst_q->c[counter].v +=3D v; diff --git a/fs/bcachefs/util.c b/fs/bcachefs/util.c index a135136adeee..2200c81edbd2 100644 --- a/fs/bcachefs/util.c +++ b/fs/bcachefs/util.c 
@@ -148,7 +148,7 @@ static int __bch2_strtou64_h(const char *cp, u64 *res) return -ERANGE; =20 f_n =3D div_u64(f_n * b, f_d); - if (v + f_n < v) + if (add_would_overflow(v, f_n)) return -ERANGE; v +=3D f_n; =20 --=20 2.34.1
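Review bot: In __bch2_quota_transfer(), `v` is declared `s64` in the visible signature, while the type of `dst_q->c[counter].v` is not shown in the hunk. The old `v + dst_q->c[counter].v < v` and the new `add_would_overflow(v, dst_q->c[counter].v)` are only equivalent if the helper evaluates in the same type the open-coded sum was converted to. Since the helper's definition is not part of this patch, please state the operand types in the commit message or cast explicitly so that the BUG_ON() condition is provably unchanged.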
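Review bot: In __bch2_strtou64_h(), the test `add_would_overflow(v, f_n)` is followed directly by `v += f_n`, so the same sum is evaluated twice. A single check_add_overflow() that stores its result would do the test and the addition in one step, provided `v` is not read on the -ERANGE path (not visible in this hunk); otherwise store into a temporary and assign it on success.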
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Alexei Starovoitov, Daniel Borkmann, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, bpf@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 43/82] bpf: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:18 -0800
Message-Id: <20240123002814.1396804-43-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In an effort to separate intentional
arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: John Fastabend
Cc: Andrii Nakryiko
Cc: Martin KaFai Lau
Cc: Song Liu
Cc: Yonghong Song
Cc: KP Singh
Cc: Stanislav Fomichev
Cc: Hao Luo
Cc: Jiri Olsa
Cc: bpf@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: Yonghong Song
--- kernel/bpf/verifier.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 65f598694d55..21e3f30c8757 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -12901,8 +12901,8 @@ static int adjust_ptr_min_max_vals(struct bpf_verif= ier_env *env, dst_reg->smin_value =3D smin_ptr + smin_val; dst_reg->smax_value =3D smax_ptr + smax_val; } - if (umin_ptr + umin_val < umin_ptr || - umax_ptr + umax_val < umax_ptr) { + if (add_would_overflow(umin_ptr, umin_val) || + add_would_overflow(umax_ptr, umax_val)) { dst_reg->umin_value =3D 0; dst_reg->umax_value =3D U64_MAX; } else { 
@@ -13023,8 +13023,8 @@ static void scalar32_min_max_add(struct bpf_reg_sta= te *dst_reg, dst_reg->s32_min_value +=3D smin_val; dst_reg->s32_max_value +=3D smax_val; } - if (dst_reg->u32_min_value + umin_val < umin_val || - dst_reg->u32_max_value + umax_val < umax_val) { + if (add_would_overflow(umin_val, dst_reg->u32_min_value) || + add_would_overflow(umax_val, dst_reg->u32_max_value)) { dst_reg->u32_min_value =3D 0; dst_reg->u32_max_value =3D U32_MAX; } else { 
@@ -13049,8 +13049,8 @@ static void scalar_min_max_add(struct bpf_reg_state= *dst_reg, dst_reg->smin_value +=3D smin_val; dst_reg->smax_value +=3D smax_val; } - if (dst_reg->umin_value + umin_val < umin_val || - dst_reg->umax_value + umax_val < umax_val) { + if (add_would_overflow(umin_val, dst_reg->umin_value) || + add_would_overflow(umax_val, dst_reg->umax_value)) { dst_reg->umin_value =3D 0; dst_reg->umax_value =3D U64_MAX; } else { --=20 2.34.1
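Review bot: In adjust_ptr_min_max_vals(), the context lines above the converted test still compute `smin_ptr + smin_val` and `smax_ptr + smax_val` as plain signed additions, and the guard that protects them is outside this hunk. Since the commit message lists signed wrap-around as something to be instrumented, say whether those sums are handled elsewhere in the series or left for a follow-up.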
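Review bot: In scalar32_min_max_add(), the helper is called as `add_would_overflow(umin_val, dst_reg->u32_min_value)`, with the addend first and the register bound second, the reverse of the first hunk, where the value being adjusted comes first. The order mirrors the old `< umin_val` comparand, but the declarations of `umin_val` and `umax_val` are not visible here; if the helper takes its width from the first argument, the 32-bit check depends on those locals being 32-bit. Passing `dst_reg->u32_min_value` first would make the width explicit and match the `dst_reg->s32_min_value += smin_val` lines above. The same applies to the 64-bit calls in scalar_min_max_add().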
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Chris Mason, Josef Bacik, David Sterba, linux-btrfs@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 44/82] btrfs: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:19 -0800
Message-Id: <20240123002814.1396804-44-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Chris Mason
Cc: Josef Bacik
Cc: David Sterba
Cc: linux-btrfs@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: David Sterba
--- fs/btrfs/ordered-data.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/btrfs/ordered-data.c b/fs/btrfs/ordered-data.c index 59850dc17b22..2e0865693cee 100644 --- a/fs/btrfs/ordered-data.c +++ b/fs/btrfs/ordered-data.c 
@@ -813,7 +813,7 @@ int btrfs_wait_ordered_range(struct inode *inode, u64 s= tart, u64 len) u64 orig_end; struct btrfs_ordered_extent *ordered; =20 - if (start + len < start) { + if (add_would_overflow(start, len)) { orig_end =3D OFFSET_MAX; } else { orig_end =3D start + len - 1; --=20 2.34.1
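Review bot: In btrfs_wait_ordered_range(), the else branch still computes orig_end = start + len - 1 open-coded, and that wraps below zero when start and len are both 0, a case add_would_overflow(start, len) does not cover. If the goal is to let a wrap-around sanitizer run over this function, reject or special-case len == 0 before this test, or state in the commit message that a zero length cannot reach this point if that is the case.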
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Steve French, Paulo Alcantara, Ronnie Sahlberg, Shyam Prasad N, Tom Talpey, linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 45/82] cifs: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:20 -0800
Message-Id: <20240123002814.1396804-45-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Steve French
Cc: Paulo Alcantara
Cc: Ronnie Sahlberg
Cc: Shyam Prasad N
Cc: Tom Talpey
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Signed-off-by: Kees Cook
---
 fs/smb/client/smb2pdu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index 288199f0b987..85399525f0a7 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c @@ -5007,7 +5007,7 @@ num_entries(int infotype, char *bufstart, char *end_o= f_buf, char **lastentry, entryptr =3D bufstart; =20 while (1) { - if (entryptr + next_offset < entryptr || + if (add_would_overflow(entryptr, next_offset) || entryptr + next_offset > end_of_buf || entryptr + next_offset + size > end_of_buf) { cifs_dbg(VFS, "malformed search entry would overflow\n");
@@ -5023,7 +5023,7 @@ num_entries(int infotype, char *bufstart, char *end_o= f_buf, char **lastentry, len =3D le32_to_cpu(dir_info->FileNameLength); =20 if (len < 0 || - entryptr + len < entryptr || + add_would_overflow(entryptr, len) || entryptr + len > end_of_buf || entryptr + len + size > end_of_buf) { cifs_dbg(VFS, "directory entry name would overflow frame end of buf %p\= n", --=20 2.34.1
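Review bot: In the first num_entries() hunk (the next_offset test inside the while loop), only the first addition is covered: entryptr + next_offset + size > end_of_buf still adds size with no wrap test, and both remaining comparisons form a pointer beyond end_of_buf before comparing it. Consider comparing lengths instead, for example next_offset > end_of_buf - entryptr followed by size > end_of_buf - entryptr - next_offset, so that no out-of-range pointer is ever computed and the helper call is not needed here.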
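Review bot: In the second num_entries() hunk (the FileNameLength test), add_would_overflow(entryptr, len) mixes a char * with a len that the preceding len < 0 test shows to be signed, so the new test relies on len < 0 short-circuiting first. A comment saying so, or converting len to an unsigned local once it has passed the sign check, would keep a later reordering from handing a negative addend to the helper. The commit message should also say that add_would_overflow() accepts a pointer as its first argument, since the helper's definition is not part of this patch.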
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Herbert Xu, "David S. Miller", Aditya Srivastava, Randy Dunlap, linux-crypto@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 46/82] crypto: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:21 -0800
Message-Id: <20240123002814.1396804-46-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Herbert Xu
Cc: "David S. Miller"
Cc: Aditya Srivastava
Cc: Randy Dunlap
Cc: linux-crypto@vger.kernel.org
Signed-off-by: Kees Cook
---
 crypto/adiantum.c                   | 2 +-
 drivers/crypto/amcc/crypto4xx_alg.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/adiantum.c b/crypto/adiantum.c index 60f3883b736a..c2f62ca455af 100644 --- a/crypto/adiantum.c +++ b/crypto/adiantum.c @@ -190,7 +190,7 @@ static inline void le128_add(le128 *r, const le128 *v1,= const le128 *v2) =20 r->b =3D cpu_to_le64(x + y); r->a =3D cpu_to_le64(le64_to_cpu(v1->a) + le64_to_cpu(v2->a) + - (x + y < x)); + (add_would_overflow(x, y))); } =20 /* Subtraction in Z/(2^{128}Z) */ diff --git a/drivers/crypto/amcc/crypto4xx_alg.c b/drivers/crypto/amcc/cryp= to4xx_alg.c index e0af611a95d8..33f73234ddd9 100644 --- a/drivers/crypto/amcc/crypto4xx_alg.c +++ b/drivers/crypto/amcc/crypto4xx_alg.c
@@ -251,7 +251,7 @@ crypto4xx_ctr_crypt(struct skcipher_request *req, bool = encrypt) * the whole IV is a counter. So fallback if the counter is going to * overlow. */ - if (counter + nblks < counter) { + if (add_would_overflow(counter, nblks)) { SYNC_SKCIPHER_REQUEST_ON_STACK(subreq, ctx->sw_cipher.cipher); int ret; =20 --=20 2.34.1
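Review bot: In le128_add() in crypto/adiantum.c, the wrap is intentional (the result of the test is the carry into r->a), yet the line above it, r->b = cpu_to_le64(x + y), and the sum of the two high halves still wrap open-coded, so a wrap-around sanitizer would still fire on them after this change. Mark those additions as intentionally wrapping in the same patch, or say in the commit message that they are handled elsewhere in the series. The extra parentheses around add_would_overflow(x, y) can go as well.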
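Review bot: In crypto4xx_ctr_crypt(), the declarations of counter and nblks are outside the hunk, and the old test counter + nblks < counter was evaluated in whatever type the usual arithmetic conversions gave the sum. Please confirm in the commit message that add_would_overflow(counter, nblks) checks against the same width, since the fallback to the software cipher depends on it. While this block is being touched, the comment above the test has a typo, "overlow".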
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Alasdair Kergon, Mike Snitzer, Mikulas Patocka, dm-devel@lists.linux.dev, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 47/82] dm verity: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:22 -0800
Message-Id: <20240123002814.1396804-47-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Alasdair Kergon
Cc: Mike Snitzer
Cc: Mikulas Patocka
Cc: dm-devel@lists.linux.dev
Signed-off-by: Kees Cook
Reviewed-by: Mike Snitzer
---
 drivers/md/dm-switch.c        | 2 +-
 drivers/md/dm-verity-target.c | 2 +-
 drivers/md/dm-writecache.c    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/md/dm-switch.c b/drivers/md/dm-switch.c index dfd9fb52a6f3..9053d7e65603 100644 --- a/drivers/md/dm-switch.c +++ b/drivers/md/dm-switch.c @@ -410,7 +410,7 @@ static int process_set_region_mappings(struct switch_ct= x *sctx, cycle_length - 1, region_index); return -EINVAL; } - if (unlikely(region_index + num_write < region_index) || + if (unlikely(add_would_overflow(region_index, num_write)) || unlikely(region_index + num_write >=3D sctx->nr_regions)) { DMWARN("invalid set_region_mappings region number: %lu + %lu >=3D %lu", region_index, num_write, sctx->nr_regions); diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c index 14e58ae70521..f2676c8c83c0 100644 --- a/drivers/md/dm-verity-target.c +++ b/drivers/md/dm-verity-target.c
@@ -1392,7 +1392,7 @@ static int verity_ctr(struct dm_target *ti, unsigned = int argc, char **argv) v->hash_level_block[i] =3D hash_position; s =3D (v->data_blocks + ((sector_t)1 << ((i + 1) * v->hash_per_block_bit= s)) - 1) >> ((i + 1) * v->hash_per_block_bits); - if (hash_position + s < hash_position) { + if (add_would_overflow(hash_position, s)) { ti->error =3D "Hash device offset overflow"; r =3D -E2BIG; goto bad; diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c index 074cb785eafc..45e54edd24aa 100644 --- a/drivers/md/dm-writecache.c +++ b/drivers/md/dm-writecache.c 
@@ -2631,7 +2631,7 @@ static int writecache_ctr(struct dm_target *ti, unsig= ned int argc, char **argv) offset =3D (offset + wc->block_size - 1) & ~(size_t)(wc->block_size - 1); data_size =3D wc->n_blocks * (size_t)wc->block_size; if (!offset || (data_size / wc->block_size !=3D wc->n_blocks) || - (offset + data_size < offset)) + (add_would_overflow(offset, data_size))) goto overflow; if (offset + data_size > wc->memory_map_size) { ti->error =3D "Memory area is too small"; --=20 2.34.1
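Review bot: In process_set_region_mappings() in dm-switch.c, the two unlikely() tests share one DMWARN whose text, "%lu + %lu >= %lu", describes only the second test; when add_would_overflow(region_index, num_write) is the one that fires, the message reports a comparison that did not happen. Give the wrap case its own message, or replace both tests with a single subtraction-based one, num_write >= sctx->nr_regions - region_index, if region_index is already known to be below nr_regions at this point.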
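Review bot: In verity_ctr() in dm-verity-target.c, the computation of s directly above the changed test adds (sector_t)1 << ((i + 1) * v->hash_per_block_bits) to v->data_blocks with no wrap test, so converting only hash_position + s leaves an unchecked addition two lines earlier. If that sum cannot wrap, a short comment saying why would help; otherwise it needs the same treatment before the sanitizer can be enabled for this file.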
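Review bot: In writecache_ctr() in dm-writecache.c, the neighbouring condition data_size / wc->block_size != wc->n_blocks is an open-coded overflow test for the multiplication on the line before it, and it is left as it was while only the addition is converted. Converting the multiplication with check_mul_overflow() in the same patch, or noting that it is deferred, would keep the tests in this condition consistent. The parentheses around add_would_overflow(offset, data_size) are redundant.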
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Karol Herbst, Lyude Paul, Danilo Krummrich, David Airlie, Daniel Vetter, Dave Airlie, Ben Skeggs, dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 48/82] drm/nouveau/mmu: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:23 -0800
Message-Id: <20240123002814.1396804-48-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Karol Herbst
Cc: Lyude Paul
Cc: Danilo Krummrich
Cc: David Airlie
Cc: Daniel Vetter
Cc: Dave Airlie
Cc: Ben Skeggs
Cc: dri-devel@lists.freedesktop.org
Cc: nouveau@lists.freedesktop.org
Signed-off-by: Kees Cook
---
 drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/dr= m/nouveau/nvkm/subdev/mmu/vmm.c index 6ca1a82ccbc1..87c0903be9a7 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
@@ -1291,7 +1291,7 @@ nvkm_vmm_pfn_map(struct nvkm_vmm *vmm, u8 shift, u64 = addr, u64 size, u64 *pfn) =20 if (!page->shift || !IS_ALIGNED(addr, 1ULL << shift) || !IS_ALIGNED(size, 1ULL << shift) || - addr + size < addr || addr + size > vmm->limit) { + add_would_overflow(addr, size) || addr + size > vmm->limit) { VMM_DEBUG(vmm, "paged map %d %d %016llx %016llx\n", shift, page->shift, addr, size); return -EINVAL; --=20 2.34.1
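Review bot: In nvkm_vmm_pfn_map(), addr + size is tested by add_would_overflow(addr, size) and then computed again for the comparison with vmm->limit. check_add_overflow() would produce the sum once in a local and let the limit comparison reuse it, which also keeps the open-coded addition out of the condition.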
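The idiom these commit messages describe, as an added userspace example (not code from the series or the kernel): the open-coded unsigned test beside a builtin-based check, the signed case where the open-coded form is undefined, and two range checks modelled on the btrfs and cifs hunks. Every function name is a hypothetical stand-in, add_would_overflow()'s real definition is not on this page, and the GCC/Clang __builtin_add_overflow() builtin is assumed.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Open-coded test from the commit message: well defined here only because
 * unsigned arithmetic wraps modulo 2^64. */
static bool wraps_open_coded_u64(uint64_t var, uint64_t value)
{
	return var + value < var;
}

/* Hypothetical stand-in for add_would_overflow() on u64 operands
 * (assumption: the kernel helper's definition is not on this page). */
static bool add_would_overflow_u64(uint64_t a, uint64_t b)
{
	uint64_t sum;

	return __builtin_add_overflow(a, b, &sum);
}

/* Signed case: "a + b < a" is undefined behaviour on overflow, so the
 * question is answered without performing the wrapping addition. */
static bool add_would_overflow_s64(int64_t a, int64_t b)
{
	int64_t sum;

	return __builtin_add_overflow(a, b, &sum);
}

/* Modelled on the btrfs hunk: last byte of [start, start + len), clamped to
 * UINT64_MAX on wrap (a constructed stand-in for the hunk's OFFSET_MAX).
 * Returns false for an empty range, where "start + len - 1" would itself
 * wrap when start is 0. */
static bool range_last_byte(uint64_t start, uint64_t len, uint64_t *last)
{
	uint64_t end;

	if (len == 0)
		return false;
	if (__builtin_add_overflow(start, len, &end))
		*last = UINT64_MAX;
	else
		*last = end - 1;
	return true;
}

/* Modelled on the cifs hunk: does an entry that starts next_offset bytes
 * after position pos and is size bytes long fit in a buffer of buf_len
 * bytes? Only already-validated values are subtracted, so nothing wraps
 * and no out-of-range pointer is ever formed. */
static bool entry_fits(size_t buf_len, size_t pos, uint32_t next_offset,
		       size_t size)
{
	size_t remaining;

	if (pos > buf_len)
		return false;
	remaining = buf_len - pos;
	if (next_offset > remaining)
		return false;
	return size <= remaining - next_offset;
}

int main(void)
{
	uint64_t last = 0;

	printf("u64 open-coded: %d, builtin: %d\n",
	       wraps_open_coded_u64(UINT64_MAX, 1),
	       add_would_overflow_u64(UINT64_MAX, 1));
	printf("s64 INT64_MAX + 1 overflows: %d\n",
	       add_would_overflow_s64(INT64_MAX, 1));
	if (range_last_byte(UINT64_MAX - 4, 16, &last))
		printf("clamped last byte: %" PRIu64 "\n", last);
	printf("oversized entry fits: %d\n",
	       entry_fits(100, 10, 20, SIZE_MAX));
	return 0;
}
```

The subtraction-based form in entry_fits() is why no helper call is needed there: each operand is checked against the remaining length before it is used.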
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, Tvrtko Ursulin, David Airlie, Daniel Vetter, intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 49/82] drm/i915: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:24 -0800
Message-Id: <20240123002814.1396804-49-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort
to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Maarten Lankhorst
Cc: Maxime Ripard
Cc: Thomas Zimmermann
Cc: Jani Nikula
Cc: Joonas Lahtinen
Cc: Rodrigo Vivi
Cc: Tvrtko Ursulin
Cc: David Airlie
Cc: Daniel Vetter
Cc: intel-gfx@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
--- drivers/gpu/drm/i915/i915_vma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/i915_vma.c b/drivers/gpu/drm/i915/i915_vm= a.c index d09aad34ba37..1a4f048a5df9 100644 --- a/drivers/gpu/drm/i915/i915_vma.c +++ b/drivers/gpu/drm/i915/i915_vma.c
@@ -1535,7 +1535,7 @@ int i915_vma_pin_ww(struct i915_vma *vma, struct i915= _gem_ww_ctx *ww, goto err_remove; =20 /* There should only be at most 2 active bindings (user, global) */ - GEM_BUG_ON(bound + I915_VMA_PAGES_ACTIVE < bound); + GEM_BUG_ON(add_would_overflow(bound, I915_VMA_PAGES_ACTIVE)); atomic_add(I915_VMA_PAGES_ACTIVE, &vma->pages_count); list_move_tail(&vma->vm_link, &vma->vm->bound_list); =20 --=20 2.34.1
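Review bot: In the GEM_BUG_ON() line, the arguments passed to add_would_overflow() are `bound` and the macro constant I915_VMA_PAGES_ACTIVE, and the type of neither is visible in this hunk. The old expression `bound + I915_VMA_PAGES_ACTIVE < bound` was evaluated after the usual arithmetic conversions, so if the helper tests against a different width or signedness, the assertion no longer fires under the same conditions. Please say in the commit message which type the helper evaluates in for this call, or make the constant's type match `bound` explicitly.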
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Maxime Ripard, Maarten Lankhorst, Thomas Zimmermann, David Airlie, Daniel Vetter, dri-devel@lists.freedesktop.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 50/82] drm/vc4: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:25 -0800
Message-Id: <20240123002814.1396804-50-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor
places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Maxime Ripard
Cc: Maarten Lankhorst
Cc: Thomas Zimmermann
Cc: David Airlie
Cc: Daniel Vetter
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
--- drivers/gpu/drm/vc4/vc4_validate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vc4/vc4_validate.c b/drivers/gpu/drm/vc4/vc4_v= alidate.c index 9affba9c58b3..677d9975f888 100644 --- a/drivers/gpu/drm/vc4/vc4_validate.c +++ b/drivers/gpu/drm/vc4/vc4_validate.c
@@ -206,7 +206,7 @@ vc4_check_tex_size(struct vc4_exec_info *exec, struct d= rm_gem_dma_object *fbo, stride =3D aligned_width * cpp; size =3D stride * aligned_height; =20 - if (size + offset < size || + if (add_would_overflow(size, offset) || size + offset > fbo->base.size) { DRM_DEBUG("Overflow in %dx%d (%dx%d) fbo size (%d + %d > %zd)\n", width, height, --=20 2.34.1
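Review bot: The context lines directly above the changed test compute `stride = aligned_width * cpp` and `size = stride * aligned_height` with open-coded multiplications, and this patch leaves them unchecked. If either product wraps, `size` is already too small by the time add_would_overflow(size, offset) runs, so both the addition test and the `size + offset > fbo->base.size` comparison pass on a wrapped value. Consider covering the multiplications as well, for example with check_mul_overflow(), or note in the commit message where their operands are bounded.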
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Theodore Ts'o", Andreas Dilger, linux-ext4@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 51/82] ext4: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:26 -0800
Message-Id: <20240123002814.1396804-51-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: "Theodore Ts'o"
Cc: Andreas Dilger
Cc: linux-ext4@vger.kernel.org
Signed-off-by: Kees Cook
--- fs/ext4/block_validity.c | 2 +- fs/ext4/resize.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c index 6fe3c941b565..85f859979d2f 100644 --- a/fs/ext4/block_validity.c +++ b/fs/ext4/block_validity.c @@ -302,7 +302,7 @@ int ext4_sb_block_valid(struct super_block *sb, struct = inode *inode, int ret =3D 1; =20 if ((start_blk <=3D le32_to_cpu(sbi->s_es->s_first_data_block)) || - (start_blk + count < start_blk) || + (add_would_overflow(start_blk, count)) || (start_blk + count > ext4_blocks_count(sbi->s_es))) return 0; =20 diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c index 4d4a5a32e310..fb8d3745d031 100644 --- a/fs/ext4/resize.c +++ b/fs/ext4/resize.c
@@ -1871,7 +1871,7 @@ int ext4_group_extend(struct super_block *sb, struct = ext4_super_block *es, =20 add =3D EXT4_BLOCKS_PER_GROUP(sb) - last; =20 - if (o_blocks_count + add < o_blocks_count) { + if (add_would_overflow(o_blocks_count, add)) { ext4_warning(sb, "blocks_count overflow"); return -EINVAL; } --=20 2.34.1
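Review bot: In the fs/ext4/block_validity.c hunk the replacement keeps the outer parentheses of the old comparison, giving `(add_would_overflow(start_blk, count)) ||`. They are redundant around a single call and can be dropped, which also matches how the fs/ext4/resize.c hunk writes the same test.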
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Jaegeuk Kim, Chao Yu, linux-f2fs-devel@lists.sourceforge.net, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 52/82] f2fs: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:27 -0800
Message-Id: <20240123002814.1396804-52-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Jaegeuk Kim
Cc: Chao Yu
Cc: linux-f2fs-devel@lists.sourceforge.net
Signed-off-by: Kees Cook
--- fs/f2fs/file.c | 2 +- fs/f2fs/verity.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index b58ab1157b7e..6360efb98f64 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -2819,7 +2819,7 @@ static int f2fs_move_file_range(struct file *file_in,= loff_t pos_in, } =20 ret =3D -EINVAL; - if (pos_in + len > src->i_size || pos_in + len < pos_in) + if (pos_in + len > src->i_size || add_would_overflow(pos_in, len)) goto out_unlock; if (len =3D=3D 0) olen =3D len =3D src->i_size - pos_in; diff --git a/fs/f2fs/verity.c b/fs/f2fs/verity.c index 4fc95f353a7a..b641cb8d75e8 100644 --- a/fs/f2fs/verity.c +++ b/fs/f2fs/verity.c
@@ -237,7 +237,7 @@ static int f2fs_get_verity_descriptor(struct inode *ino= de, void *buf, pos =3D le64_to_cpu(dloc.pos); =20 /* Get the descriptor */ - if (pos + size < pos || pos + size > inode->i_sb->s_maxbytes || + if (add_would_overflow(pos, size) || pos + size > inode->i_sb->s_maxbytes= || pos < f2fs_verity_metadata_pos(inode) || size > INT_MAX) { f2fs_warn(F2FS_I_SB(inode), "invalid verity xattr"); f2fs_handle_error(F2FS_I_SB(inode), --=20 2.34.1
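Review bot: In the fs/f2fs/file.c hunk the overflow test is the second operand of the `||`, so `pos_in + len > src->i_size` is still evaluated first and the open-coded sum can wrap before add_would_overflow(pos_in, len) is consulted. `pos_in` is an loff_t per the function signature in the hunk header; whatever type the sum ends up in, the addition in the first operand runs unguarded, so a wrap-around sanitizer would still flag it there. Put the overflow test first, as the fs/f2fs/verity.c hunk already does: `add_would_overflow(pos_in, len) || pos_in + len > src->i_size`.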
spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="fwYvh+of" Received: by mail-oi1-f170.google.com with SMTP id 5614622812f47-3bd884146e9so3101834b6e.0 for ; Mon, 22 Jan 2024 16:29:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1705969747; x=1706574547; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=bqOzYThsddRc/TP1ywPfEse4mdjcUMW6abmNPQSgVtA=; b=fwYvh+ofGDhJHVAXDPoztSdcYdb/g5pTbPhWug/P5ohZEGmUPv6kMUjzqQUbm3e5GC 6e+yxFc2cXyo/JVStGJUQ5UjOJZfMjc7kFV/1aW/WPSSAvbgu5iOoSw1llPsvHe9AaGf s/3rl6A6JqT13f1NSBu4SQ3qt21dGP/xinBtE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705969747; x=1706574547; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bqOzYThsddRc/TP1ywPfEse4mdjcUMW6abmNPQSgVtA=; b=w+9nn3t3RRhcXAdf40DhKB65XT+5Hzv2diAjfJR3sPF+0cnF9bzy6CE5AHgPoHYoER VSfOXZp6L0gNd5RMYk0fB7f9YJhpJDlr7vwkgoHgbMocX/uBFAWaMfq1NFVT2iNogv7Y 2Gyaent9+y2nNdhwbWt03hzYKoMY6BMACeoJt3jiuOv5iJJsKK5Ib2afEtu5QoFlv2CL xuNCfrjs6Wyb0hXr6wjhr1TyplcwLsd7qR5ZR3fRTby0HNyJRqzp+m2Uz91BSNTl6+/x wJNjP45jNh4Hl9hy0dYfXKTEiR4NMYFV0cojjyYtqhmBxFUs6PMPknpthZNi0bnHCIAX 3LBQ== X-Gm-Message-State: AOJu0YxsFHftCd+TK6HIpjUX+ZURfwD4qeEQqJ4V008LlG3MT/8Ylrr7 zQqjFMvuvRMNTDFwbt6BOB7nc27oxcvvhiTj6PyQOWHm2cwqzfIAaUoJ+KaloA== X-Google-Smtp-Source: AGHT+IGWOLXCTwPI6j3GBh9rWczj1tm/GwWsrgoWZKK4I8jNyHd+KA4KE2ZFP1l8jjKQE1E/jOjvfA== X-Received: by 2002:a05:6808:1916:b0:3bd:8201:f5de with SMTP id bf22-20020a056808191600b003bd8201f5demr5861585oib.33.1705969746846; Mon, 22 Jan 2024 16:29:06 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id 
y18-20020aa79e12000000b006d9ac45206bsm10198867pfq.206.2024.01.22.16.28.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jan 2024 16:29:00 -0800 (PST) 
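Review bot: the second operand of the condition in f2fs_get_verity_descriptor() still computes `pos + size` open-coded right after `add_would_overflow(pos, size)`, and it is safe only because `||` short-circuits. Producing the sum once with check_add_overflow() and comparing that value against `inode->i_sb->s_maxbytes` would keep the wrap test and the bound test on the same result and leave no bare addition in the expression for the later sanitizer work to reason about.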
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Alexander Viro, Christian Brauner, Jan Kara, linux-fsdevel@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 53/82] fs: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:28 -0800
Message-Id: <20240123002814.1396804-53-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Alexander Viro
Cc: Christian Brauner
Cc: Jan Kara
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Kees Cook
Reviewed-by: Jan Kara
--- fs/remap_range.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/remap_range.c b/fs/remap_range.c index f8c1120b8311..15e91bf2c5e3 100644 --- a/fs/remap_range.c +++ b/fs/remap_range.c
@@ -45,7 +45,7 @@ static int generic_remap_checks(struct file *file_in, lof= f_t pos_in, return -EINVAL; =20 /* Ensure offsets don't wrap. */ - if (pos_in + count < pos_in || pos_out + count < pos_out) + if (add_would_overflow(pos_in, count) || add_would_overflow(pos_out, coun= t)) return -EINVAL; =20 size_in =3D i_size_read(inode_in); --=20 2.34.1
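The `VAR + value < VAR` idiom the commit message describes, set beside a test built on the compiler's overflow builtin, as an added user-space example (not code from this series; every function name is made up here, and the builtin-based helpers are stand-ins, not the kernel's add_would_overflow()). It assumes GCC or Clang, a 32-bit int, and an unsigned 32-bit sector number for the mixed-signedness case.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Open-coded idiom, unsigned 64-bit: defined behaviour, arithmetic is modulo 2^64. */
static bool wraps_open_coded_u64(uint64_t pos, uint64_t size)
{
	return pos + size < pos;
}

/* Same question through the builtin: no wrapping addition appears in the source. */
static bool wraps_builtin_u64(uint64_t pos, uint64_t size)
{
	uint64_t sum;

	return __builtin_add_overflow(pos, size, &sum);
}

/*
 * Signed 64-bit offset. The open-coded form would be undefined behaviour
 * here unless the build uses -fwrapv or -fno-strict-overflow, so only the
 * builtin form is shown.
 */
static bool wraps_builtin_s64(int64_t pos, int64_t count)
{
	int64_t sum;

	return __builtin_add_overflow(pos, count, &sum);
}

/*
 * Mixed signedness (assumed: unsigned 32-bit start, signed int len).
 * Open-coded: len is converted to unsigned before the addition.
 */
static bool wraps_open_coded_mixed(uint32_t start, int len)
{
	return start + len < start;
}

/* Builtin: the mathematical sum is checked against the unsigned result type. */
static bool wraps_builtin_mixed(uint32_t start, int len)
{
	uint32_t sum;

	return __builtin_add_overflow(start, len, &sum);
}

/* Range check that computes the end once and reuses it for the bound test. */
static bool range_ok(uint64_t pos, uint64_t size, uint64_t max, uint64_t *end)
{
	if (__builtin_add_overflow(pos, size, end))
		return false;
	return *end <= max;
}

int main(void)
{
	uint64_t end = 0;

	/* Constructed sample values. */
	printf("u64   open=%d builtin=%d\n",
	       wraps_open_coded_u64(UINT64_MAX - 3, 4),
	       wraps_builtin_u64(UINT64_MAX - 3, 4));
	printf("s64   builtin=%d\n", wraps_builtin_s64(INT64_MAX, 1));
	/* The two forms disagree once len is negative. */
	printf("mixed start=0x20 len=-1: open=%d builtin=%d\n",
	       wraps_open_coded_mixed(0x20, -1), wraps_builtin_mixed(0x20, -1));
	printf("mixed start=0    len=-1: open=%d builtin=%d\n",
	       wraps_open_coded_mixed(0, -1), wraps_builtin_mixed(0, -1));
	printf("range ok=%d end=%llu\n", range_ok(10, 20, 100, &end),
	       (unsigned long long)end);
	return 0;
}
```

For same-type operands the two forms agree; with an unsigned base and a negative signed length they answer different questions, which is what to check when converting a mixed-type site.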
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Mikulas Patocka, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 54/82] hpfs: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:29 -0800
Message-Id: <20240123002814.1396804-54-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Mikulas Patocka
Signed-off-by: Kees Cook
--- fs/hpfs/alloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/hpfs/alloc.c b/fs/hpfs/alloc.c index 66617b1557c6..e9c7cc6033b5 100644 --- a/fs/hpfs/alloc.c +++ b/fs/hpfs/alloc.c
@@ -99,7 +99,7 @@ static int chk_if_allocated(struct super_block *s, secno = sec, char *msg) =09 int hpfs_chk_sectors(struct super_block *s, secno start, int len, char *ms= g) { - if (start + len < start || start < 0x12 || + if (add_would_overflow(start, len) || start < 0x12 || start + len > hpfs_sb(s)->sb_fs_size) { hpfs_error(s, "sector(s) '%s' badly placed at %08x", msg, start); return 1; --=20 2.34.1
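Review bot: `add_would_overflow(start, len)` in hpfs_chk_sectors() mixes a `secno` with a signed `int len`, while the open-coded `start + len < start` it replaces was evaluated after the usual arithmetic conversions. If the helper checks the mathematical sum against the result type instead, a negative `len` gets a different answer than before. Either reject `len < 0` explicitly ahead of this test or state in the commit message that the two forms agree for mixed signedness. The `start + len > hpfs_sb(s)->sb_fs_size` comparison that follows keeps the same mixed-type addition open-coded.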
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, Vincenzo Frascino, Andrew Morton, kasan-dev@googlegroups.com, linux-mm@kvack.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 55/82] kasan: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:30 -0800
Message-Id: <20240123002814.1396804-55-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Andrey Ryabinin
Cc: Alexander Potapenko
Cc: Andrey Konovalov
Cc: Dmitry Vyukov
Cc: Vincenzo Frascino
Cc: Andrew Morton
Cc: kasan-dev@googlegroups.com
Cc: linux-mm@kvack.org
Signed-off-by: Kees Cook
Acked-by: Andrey Konovalov
--- mm/kasan/generic.c | 2 +- mm/kasan/sw_tags.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c index df6627f62402..f9bc29ae09bd 100644 --- a/mm/kasan/generic.c +++ b/mm/kasan/generic.c @@ -171,7 +171,7 @@ static __always_inline bool check_region_inline(const v= oid *addr, if (unlikely(size =3D=3D 0)) return true; =20 - if (unlikely(addr + size < addr)) + if (unlikely(add_would_overflow(addr, size))) return !kasan_report(addr, size, write, ret_ip); =20 if (unlikely(!addr_has_metadata(addr))) diff --git a/mm/kasan/sw_tags.c b/mm/kasan/sw_tags.c index 220b5d4c6876..79a3bbd66c32 100644 --- a/mm/kasan/sw_tags.c +++ b/mm/kasan/sw_tags.c
@@ -80,7 +80,7 @@ bool kasan_check_range(const void *addr, size_t size, boo= l write, if (unlikely(size =3D=3D 0)) return true; =20 - if (unlikely(addr + size < addr)) + if (unlikely(add_would_overflow(addr, size))) return !kasan_report(addr, size, write, ret_ip); =20 tag =3D get_tag((const void *)addr); --=20 2.34.1
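Review bot: `add_would_overflow(addr, size)` in kasan_check_range() passes a `const void *` as the first operand (the generic.c call in check_region_inline() does the same), and nothing in this patch shows how the helper treats a pointer argument. The compiler's overflow builtins accept integer operands only, so the commit message should say how the pointer case is handled, or the call sites should cast explicitly, for example `add_would_overflow((unsigned long)addr, size)`, so the check is clearly an unsigned address comparison like the `addr + size < addr` it replaces.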
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Gustavo A. R. Silva", Andrew Morton, linux-mm@kvack.org, Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 56/82] usercopy: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:31 -0800
Message-Id: <20240123002814.1396804-56-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Kees Cook
Cc: "Gustavo A. R. Silva"
Cc: Andrew Morton
Cc: linux-hardening@vger.kernel.org
Cc: linux-mm@kvack.org
Cc: Gustavo A. R. Silva
Signed-off-by: Kees Cook
--- mm/usercopy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/usercopy.c b/mm/usercopy.c index 83c164aba6e0..5141c4402903 100644 --- a/mm/usercopy.c +++ b/mm/usercopy.c
@@ -151,7 +151,7 @@ static inline void check_bogus_address(const unsigned l= ong ptr, unsigned long n, bool to_user) { /* Reject if object wraps past end of memory. */ - if (ptr + (n - 1) < ptr) + if (add_would_overflow(ptr, (n - 1))) usercopy_abort("wrapped address", NULL, to_user, 0, ptr + n); =20 /* Reject if NULL or ZERO-allocation. */ --=20 2.34.1
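Review bot: on the branch taken when `add_would_overflow(ptr, (n - 1))` is true, the `usercopy_abort(...)` call in check_bogus_address() still evaluates `ptr + n` open-coded, and that sum wraps whenever `n` is nonzero, so an unsigned wrap-around sanitizer would fire on the reporting path itself. Pass a value that does not need the wrapping add, or mark that addition as intentional. The argument `n - 1` is also an unsigned subtraction that wraps if `n` is 0, and nothing in the visible lines rules that out, so a comment naming the caller guarantee would help. The inner parentheses in `(n - 1)` are no longer needed now that it is a macro argument.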
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Marc Zyngier, Oliver Upton, James Morse, Suzuki K Poulose, Zenghui Yu, Catalin Marinas, Will Deacon, Eric Auger, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 57/82] KVM: arm64: vgic-v3: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:32 -0800
Message-Id: <20240123002814.1396804-57-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

    VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Marc Zyngier
Cc: Oliver Upton
Cc: James Morse
Cc: Suzuki K Poulose
Cc: Zenghui Yu
Cc: Catalin Marinas
Cc: Will Deacon
Cc: Eric Auger
Cc: linux-arm-kernel@lists.infradead.org
Cc: kvmarm@lists.linux.dev
Signed-off-by: Kees Cook
Acked-by: Marc Zyngier
Reviewed-by: Eric Auger
--- arch/arm64/kvm/vgic/vgic-mmio-v3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/kvm/vgic/vgic-mmio-v3.c b/arch/arm64/kvm/vgic/vgic-= mmio-v3.c index c15ee1df036a..860b774c0c13 100644 --- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c +++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c
@@ -863,7 +863,7 @@ static int vgic_v3_alloc_redist_region(struct kvm *kvm,= uint32_t index, int ret; =20 /* cross the end of memory ? */ - if (base + size < base) + if (add_would_overflow(base, size)) return -EINVAL; =20 if (list_empty(rd_regions)) { --=20 2.34.1
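Review bot: the operand types of base and size are not stated anywhere in this patch; the hunk context for vgic_v3_alloc_redist_region() shows only the kvm and index parameters, and the commit message is the series-wide text. The result of the replaced test, base + size < base, depends on the promoted type of the sum, so naming the two types in the commit message would let a reader confirm from the patch alone that add_would_overflow(base, size) rejects exactly the same inputs.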
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Christian Borntraeger, Janosch Frank, Claudio Imbrenda, David Hildenbrand, Alexander Gordeev, Gerald Schaefer, Heiko Carstens, Vasily Gorbik, Sven Schnelle, kvm@vger.kernel.org, linux-s390@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 58/82] s390/mm: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:33 -0800
Message-Id: <20240123002814.1396804-58-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Christian Borntraeger
Cc: Janosch Frank
Cc: Claudio Imbrenda
Cc: David Hildenbrand
Cc: Alexander Gordeev
Cc: Gerald Schaefer
Cc: Heiko Carstens
Cc: Vasily Gorbik
Cc: Sven Schnelle
Cc: kvm@vger.kernel.org
Cc: linux-s390@vger.kernel.org
Signed-off-by: Kees Cook
---
 arch/s390/mm/gmap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c index 6f96b5a71c63..977b61ab59f2 100644 --- a/arch/s390/mm/gmap.c +++ b/arch/s390/mm/gmap.c @@ -411,7 +411,7 @@ int gmap_unmap_segment(struct gmap *gmap, unsigned long= to, unsigned long len) BUG_ON(gmap_is_shadow(gmap)); if ((to | len) & (PMD_SIZE - 1)) return -EINVAL; - if (len =3D=3D 0 || to + len < to) + if (len =3D=3D 0 || add_would_overflow(to, len)) return -EINVAL; =20 flush =3D 0;
@@ -443,7 +443,7 @@ int gmap_map_segment(struct gmap *gmap, unsigned long f= rom, BUG_ON(gmap_is_shadow(gmap)); if ((from | to | len) & (PMD_SIZE - 1)) return -EINVAL; - if (len =3D=3D 0 || from + len < from || to + len < to || + if (len =3D=3D 0 || add_would_overflow(from, len) || add_would_overflow(t= o, len) || from + len - 1 > TASK_SIZE_MAX || to + len - 1 > gmap->asce_end) return -EINVAL; =20 --=20 2.34.1
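Review bot: in the gmap_map_segment() hunk the rewritten first line of the condition, from "if (len == 0" through the second add_would_overflow() call, is 79 characters before indentation and so runs past 80 columns in the file; break it after add_would_overflow(from, len). The two sums on the following line, from + len - 1 and to + len - 1, are still open-coded and are safe only because the overflow tests short-circuit ahead of them, so a one-line comment saying that would keep a later reordering of the condition from silently dropping the guarantee.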
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrew Morton, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 59/82] lib/scatterlist: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:34 -0800
Message-Id: <20240123002814.1396804-59-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Andrew Morton
Signed-off-by: Kees Cook
---
 lib/scatterlist.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/scatterlist.c b/lib/scatterlist.c index 68b45c82c37a..121905119bbc 100644 --- a/lib/scatterlist.c +++ b/lib/scatterlist.c
@@ -624,7 +624,7 @@ struct scatterlist *sgl_alloc_order(unsigned long long = length, nalloc =3D nent; if (chainable) { /* Check for integer overflow */ - if (nalloc + 1 < nalloc) + if (add_would_overflow(nalloc, 1)) return NULL; nalloc++; } --=20 2.34.1
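Review bot: in sgl_alloc_order() the new add_would_overflow(nalloc, 1) test is followed two lines later by nalloc++, so the same addition is written twice, once to test it and once to apply it. check_add_overflow(nalloc, 1, &nalloc) would test and increment in a single step and removes the chance of the two statements drifting apart; if the two-step form is kept on purpose, the existing "Check for integer overflow" comment is the place to say so.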
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Michael Ellerman, Nicholas Piggin, Christophe Leroy, "Aneesh Kumar K.V", "Naveen N. Rao", Mahesh Salgaonkar, Vasant Hegde, dingsenjie, linuxppc-dev@lists.ozlabs.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 60/82] powerpc: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:35 -0800
Message-Id: <20240123002814.1396804-60-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Michael Ellerman
Cc: Nicholas Piggin
Cc: Christophe Leroy
Cc: "Aneesh Kumar K.V"
Cc: "Naveen N. Rao"
Cc: Mahesh Salgaonkar
Cc: Vasant Hegde
Cc: dingsenjie
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Aneesh Kumar K.V
Cc: Naveen N. Rao
Signed-off-by: Kees Cook
Acked-by: Michael Ellerman (powerpc)
---
 arch/powerpc/platforms/powernv/opal-prd.c | 2 +-
 arch/powerpc/xmon/xmon.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/platforms/powernv/opal-prd.c b/arch/powerpc/platf= orms/powernv/opal-prd.c index b66b06efcef1..eaf95dc82925 100644 --- a/arch/powerpc/platforms/powernv/opal-prd.c +++ b/arch/powerpc/platforms/powernv/opal-prd.c @@ -51,7 +51,7 @@ static bool opal_prd_range_is_valid(uint64_t addr, uint64= _t size) struct device_node *parent, *node; bool found; =20 - if (addr + size < addr) + if (add_would_overflow(addr, size)) return false; =20 parent =3D of_find_node_by_path("/reserved-memory");
diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c index b3b94cd37713..b91fdda49434 100644 --- a/arch/powerpc/xmon/xmon.c +++ b/arch/powerpc/xmon/xmon.c 
@@ -3252,7 +3252,7 @@ memzcan(void) } else if (!ok && ook) printf("%.8lx\n", a - mskip); ook =3D ok; - if (a + mskip < a) + if (add_would_overflow(a, mskip)) break; } if (ook) --=20 2.34.1
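The commit message above describes the VAR + value < VAR idiom and its replacement by a helper. As an added example (userspace C, not code from this patch series or from the kernel), the block below compares the open-coded unsigned test with a stand-in built on the GCC/Clang __builtin_add_overflow() builtin and applies it to a range check; the u64_/int_ helper names, range_is_valid(), its inclusive limit and the sample values are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical userspace stand-ins for add_would_overflow(); the kernel
 * helper's definition is not shown on this page. __builtin_add_overflow()
 * is a GCC/Clang builtin that computes the sum as if in infinite precision
 * and returns true when it does not fit the result type.
 */
static bool u64_add_would_overflow(uint64_t a, uint64_t b)
{
	uint64_t unused;

	return __builtin_add_overflow(a, b, &unused);
}

/*
 * Signed case: an overflowing "a + b" written in the source is undefined
 * behavior unless the build uses -fno-strict-overflow or -fwrapv, so only
 * the builtin form is given here.
 */
static bool int_add_would_overflow(int a, int b)
{
	int unused;

	return __builtin_add_overflow(a, b, &unused);
}

/* The open-coded idiom: well defined for unsigned types (modulo 2^64). */
static bool u64_open_coded_wraps(uint64_t var, uint64_t value)
{
	return var + value < var;
}

/*
 * Range check in the shape of the refactored tests: reject an empty range,
 * a range whose end wraps, and a range whose last byte is above `limit`
 * (an inclusive bound assumed for this example).
 */
static bool range_is_valid(uint64_t base, uint64_t len, uint64_t limit)
{
	if (len == 0 || u64_add_would_overflow(base, len))
		return false;
	/* base + len did not wrap, so base + len - 1 is the last byte. */
	return base + len - 1 <= limit;
}

/* Count disagreements between the idiom and the builtin on edge values. */
static int count_mismatches(void)
{
	static const uint64_t edge[] = {
		0, 1, 4096, UINT64_MAX / 2, UINT64_MAX / 2 + 1,
		UINT64_MAX - 4095, UINT64_MAX - 1, UINT64_MAX,
	};
	const size_t n = sizeof(edge) / sizeof(edge[0]);
	int mismatches = 0;

	for (size_t i = 0; i < n; i++)
		for (size_t j = 0; j < n; j++)
			if (u64_open_coded_wraps(edge[i], edge[j]) !=
			    u64_add_would_overflow(edge[i], edge[j]))
				mismatches++;
	return mismatches;
}

int main(void)
{
	/* Constructed sample values, not taken from the patches. */
	printf("mismatches: %d\n", count_mismatches());
	printf("INT_MAX + 1 overflows: %d\n",
	       int_add_would_overflow(INT_MAX, 1));
	printf("[0x1000, +0x1000) under 0xffff: %d\n",
	       range_is_valid(0x1000, 0x1000, 0xffff));
	/* base + len is exactly 2^64: rejected although the last byte fits. */
	printf("top 4 KiB of the address space: %d\n",
	       range_is_valid(UINT64_MAX - 4095, 4096, UINT64_MAX));
	return 0;
}
```

Both forms of the unsigned test reject a range that ends exactly at the top of the address space, because base + len itself wraps to zero; replacing the open-coded comparison with the helper does not change that.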
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Sathya Prakash, Sreekanth Reddy, Suganath Prabu Subramani, "James E.J. Bottomley", "Martin K. Petersen", MPT-FusionLinux.pdl@broadcom.com, linux-scsi@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 61/82] scsi: mpt3sas: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:36 -0800
Message-Id: <20240123002814.1396804-61-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Sathya Prakash
Cc: Sreekanth Reddy
Cc: Suganath Prabu Subramani
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: MPT-FusionLinux.pdl@broadcom.com
Cc: linux-scsi@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/scsi/mpt3sas/mpt3sas_ctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3= sas_ctl.c index 147cb7088d55..b36a9188720f 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c +++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
@@ -2382,7 +2382,7 @@ _ctl_diag_read_buffer(struct MPT3SAS_ADAPTER *ioc, vo= id __user *arg) karg.bytes_to_read)); =20 /* Truncate data on requests that are too large */ - if ((diag_data + karg.bytes_to_read < diag_data) || + if ((add_would_overflow(diag_data, karg.bytes_to_read)) || (diag_data + karg.bytes_to_read > request_data + request_size)) copy_size =3D request_size - karg.starting_offset; else --=20 2.34.1 From nobody Fri Dec 19 17:14:29 2025 Received: from mail-ot1-f54.google.com (mail-ot1-f54.google.com [209.85.210.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D17DC15B0EE for ; Tue, 23 Jan 2024 00:29:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.54 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705969754; cv=none; b=UAd2jwAIuXx4QGIwQ1s94JTlQ+A3d5Da6evVhwGJKiETNIiNLrLMYbTnIh1N4dBSaL0Zscfoae/VRn3VUKCqEhA3SuZl9t9B6sD45ZMTB1qX172xNYg1Slt9YYC6VHtu90uGe1eEg993TP4vu+4b7fCA4ipLuKGNWDezvktoZfk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705969754; c=relaxed/simple; bh=7JUW6Se3ttck3u03IUn6h22SlYY5f4wzvv59fMMlk7U=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version:Content-Type; b=T3PCjvZAZdupwN9dIAefAQkYNqd6nZKpkLQP4qLnPss09vr3NCWOYQUSqT29y1fGhJPYFy8lsMnfeavw9UVjOFBKnd9OfSesphD5/9B6Al9KnZLqR4L+9vrAYlugcQ+fZrk4NRqgZ4GmmIFagntnRUQIguPzsSAm/pOS5XPU1/A= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=Z7EUVBVk; arc=none smtp.client-ip=209.85.210.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org 
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Brian Norris, Kalle Valo, Jonas Dreßler, Dmitry Antipov, Tsuchiya Yuto, linux-wireless@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 62/82] mwifiex: pcie: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:37 -0800
Message-Id: <20240123002814.1396804-62-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need
to refactor places that depend on this kind of math. One of the most common
code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Brian Norris
Cc: Kalle Valo
Cc: "Jonas Dreßler"
Cc: Dmitry Antipov
Cc: Tsuchiya Yuto
Cc: linux-wireless@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: Kalle Valo
---
 drivers/net/wireless/marvell/mwifiex/pcie.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wire= less/marvell/mwifiex/pcie.c index 5f997becdbaa..e69347e65f0e 100644 --- a/drivers/net/wireless/marvell/mwifiex/pcie.c +++ b/drivers/net/wireless/marvell/mwifiex/pcie.c @@ -2086,7 +2086,7 @@ static int mwifiex_extract_wifi_fw(struct mwifiex_ada= pter *adapter, =20 switch (dnld_cmd) { case MWIFIEX_FW_DNLD_CMD_1: - if (offset + data_len < data_len) { + if (add_would_overflow(data_len, offset)) { mwifiex_dbg(adapter, ERROR, "bad FW parse\n"); ret =3D -1; goto done; 
@@ -2110,7 +2110,7 @@ static int mwifiex_extract_wifi_fw(struct mwifiex_ada= pter *adapter, case MWIFIEX_FW_DNLD_CMD_5: first_cmd =3D true; /* Check for integer overflow */ - if (offset + data_len < data_len) { + if (add_would_overflow(data_len, offset)) { mwifiex_dbg(adapter, ERROR, "bad FW parse\n"); ret =3D -1; goto done; 
@@ -2120,7 +2120,7 @@ static int mwifiex_extract_wifi_fw(struct mwifiex_ada= pter *adapter, case MWIFIEX_FW_DNLD_CMD_6: first_cmd =3D true; /* Check for integer overflow */ - if (offset + data_len < data_len) { + if (add_would_overflow(data_len, offset)) { mwifiex_dbg(adapter, ERROR, "bad FW parse\n"); ret =3D -1; goto done; --=20 2.34.1
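
Review bot: in all three mwifiex_extract_wifi_fw() hunks the operands are swapped relative to the expression being replaced: the old test was offset + data_len < data_len and the new call is add_would_overflow(data_len, offset). The swap mirrors the right-hand side of the old comparison, but neither the commit message nor the context shown says whether the helper's result depends on argument order, and the declarations of offset and data_len are outside the hunks. Please state the two types in the commit message, and keep the source order if they are the same type so the conversion can be checked by eye. Minor: the MWIFIEX_FW_DNLD_CMD_1 case has no "Check for integer overflow" comment while the CMD_5 and CMD_6 cases do.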
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrew Morton, Shuah Khan, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 63/82] mm: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:38 -0800
Message-Id: <20240123002814.1396804-63-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In an effort to separate intentional arithmetic wrap-around from unexpected
wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Andrew Morton
Cc: Shuah Khan
Cc: linux-mm@kvack.org
Cc: linux-kselftest@vger.kernel.org
Signed-off-by: Kees Cook
---
 mm/memory.c | 4 ++--
 mm/mmap.c | 2 +-
 mm/mremap.c | 2 +-
 mm/nommu.c | 4 ++--
 mm/util.c | 2 +-
 5 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/mm/memory.c b/mm/memory.c index 7e1f4849463a..d47acdff7af3 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -2559,7 +2559,7 @@ int vm_iomap_memory(struct vm_area_struct *vma, phys_= addr_t start, unsigned long unsigned long vm_len, pfn, pages; =20 /* Check that the physical memory area passed in looks valid */ - if (start + len < start) + if (add_would_overflow(start, len)) return -EINVAL; /* * You *really* shouldn't map things that aren't page-aligned, @@ -2569,7 +2569,7 @@ int vm_iomap_memory(struct vm_area_struct *vma, phys_= addr_t start, unsigned long len +=3D start & ~PAGE_MASK; pfn =3D start >> PAGE_SHIFT; pages =3D (len + ~PAGE_MASK) >> PAGE_SHIFT; - if (pfn + pages < pfn) + if (add_would_overflow(pfn, pages)) return -EINVAL; =20 /* We start the mapping 'vm_pgoff' pages into the area */ 
diff --git a/mm/mmap.c b/mm/mmap.c index b78e83d351d2..16501fcaf511 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -3023,7 +3023,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, star= t, unsigned long, size, return ret; =20 /* Does pgoff wrap? */ - if (pgoff + (size >> PAGE_SHIFT) < pgoff) + if (add_would_overflow(pgoff, (size >> PAGE_SHIFT))) return ret; =20 if (mmap_write_lock_killable(mm)) diff --git a/mm/mremap.c b/mm/mremap.c index 38d98465f3d8..efa27019a05d 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -848,7 +848,7 @@ static struct vm_area_struct *vma_to_resize(unsigned lo= ng addr, /* Need to be careful about a growing mapping */ pgoff =3D (addr - vma->vm_start) >> PAGE_SHIFT; pgoff +=3D vma->vm_pgoff; - if (pgoff + (new_len >> PAGE_SHIFT) < pgoff) + if (add_would_overflow(pgoff, (new_len >> PAGE_SHIFT))) return ERR_PTR(-EINVAL); =20 if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP)) diff --git a/mm/nommu.c b/mm/nommu.c index b6dc558d3144..299bcfe19eed 100644 --- a/mm/nommu.c +++ b/mm/nommu.c @@ -202,7 +202,7 @@ EXPORT_SYMBOL(vmalloc_to_pfn); long vread_iter(struct iov_iter *iter, const char *addr, size_t count) { /* Don't allow overflow */ - if ((unsigned long) addr + count < count) + if (add_would_overflow(count, (unsigned long)addr)) count =3D -(unsigned long) addr; =20 return copy_to_iter(addr, count, iter); @@ -1705,7 +1705,7 @@ int access_process_vm(struct task_struct *tsk, unsign= ed long addr, void *buf, in { struct mm_struct *mm; =20 - if (addr + len < addr) + if (add_would_overflow(addr, len)) return 0; =20 mm =3D get_task_mm(tsk); diff --git a/mm/util.c b/mm/util.c index 5a6a9802583b..e6beeb23b48b 100644 --- a/mm/util.c +++ b/mm/util.c 
@@ -567,7 +567,7 @@ unsigned long vm_mmap(struct file *file, unsigned long = addr, unsigned long len, unsigned long prot, unsigned long flag, unsigned long offset) { - if (unlikely(offset + PAGE_ALIGN(len) < offset)) + if (unlikely(add_would_overflow(offset, PAGE_ALIGN(len)))) return -EINVAL; if (unlikely(offset_in_page(offset))) return -EINVAL; --=20 2.34.1
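
Review bot: the first vm_iomap_memory() hunk in mm/memory.c converts a mixed-type test without saying so. The hunk header shows start as phys_addr_t and the length parameter as unsigned long, and the old start + len < start was evaluated in the wider of the two. The commit message should state in which type add_would_overflow(start, len) performs the check, because on a configuration where phys_addr_t is wider than unsigned long a check done in the narrower type would not be equivalent to the line it replaces.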
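
Review bot: the context of the second vm_iomap_memory() hunk in mm/memory.c still carries two open-coded additions on len, len += start & ~PAGE_MASK and (len + ~PAGE_MASK) >> PAGE_SHIFT, and neither is tested before the converted pfn + pages check. For a len near the top of its range the second one can wrap and produce a small pages value that passes add_would_overflow(pfn, pages). If these are meant to be left for the sanitizer to report, the commit message should say so; otherwise they need the same treatment in this patch.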
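
Review bot: in the vread_iter() hunk of mm/nommu.c the operands are reordered, from (unsigned long) addr + count < count to add_would_overflow(count, (unsigned long)addr), while access_process_vm() in the next hunk keeps the source order (addr, len). If argument order matters to the helper, document it; if it does not, keeping the original order makes the change easier to verify. The statement the test guards, count = -(unsigned long) addr, is itself intentional unsigned wrap-around and stays open-coded, so this function may still be flagged once the wrap-around sanitizers are enabled.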
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 64/82] netfilter: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:39 -0800
Message-Id: <20240123002814.1396804-64-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In an effort to separate
intentional arithmetic wrap-around from unexpected wrap-around, we need
to refactor places that depend on this kind of math. One of the most
common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Pablo Neira Ayuso
Cc: Jozsef Kadlecsik
Cc: Florian Westphal
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: netfilter-devel@vger.kernel.org
Cc: coreteam@netfilter.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
Acked-by: Florian Westphal
---
 net/netfilter/xt_u32.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c index 117d4615d668..8623fe2d97e9 100644 --- a/net/netfilter/xt_u32.c +++ b/net/netfilter/xt_u32.c
@@ -58,11 +58,11 @@ static bool u32_match_it(const struct xt_u32 *data, val >>=3D number; break; case XT_U32_AT: - if (at + val < at) + if (add_would_overflow(at, val)) return false; at +=3D val; pos =3D number; - if (at + 4 < at || skb->len < at + 4 || + if (add_would_overflow(at, 4) || skb->len < at + 4 || pos > skb->len - at - 4) return false; =20 --=20 2.34.1
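
Review bot: both converted tests in u32_match_it() compute the same sum twice. add_would_overflow(at, val) is followed directly by at += val, and add_would_overflow(at, 4) is followed by skb->len < at + 4 in the same condition. check_add_overflow() stores the sum while testing it, so each pair could be a single call with the result reused, which would also remove the remaining open-coded at + 4. The subtraction chain pos > skb->len - at - 4 depends on the preceding skb->len < at + 4 test to stay in range and deserves a comment saying so.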
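
An added example, not code from this series: a user-space sketch of the refactor the commit messages above describe, from the open-coded VAR + value < VAR test to a checked addition, using the GCC/Clang __builtin_add_overflow builtin. The would_wrap() macro is a hypothetical stand-in for add_would_overflow(), whose definition is not shown in these messages; it assumes the check is done in the type of the first argument, and all values are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Open-coded idiom from the commit message: VAR + value < VAR.
 * Defined behaviour here only because both operands are unsigned.
 */
static bool wraps_open_coded(uint32_t var, uint32_t value)
{
	return var + value < var;
}

/*
 * Hypothetical stand-in for the helper the patches call.
 * Assumption: the addition is checked in the type of the first argument.
 * __builtin_add_overflow() adds with infinite precision and reports
 * whether the result fits in the destination, so no wrapped value is
 * produced by ordinary arithmetic, even for signed operands.
 */
#define would_wrap(var, value) __extension__ ({			\
	__typeof__(var) sum_;					\
	__builtin_add_overflow((var), (value), &sum_);		\
})

/* Same answer as the open-coded test when both operands share a type. */
static bool wraps_helper(uint32_t var, uint32_t value)
{
	return would_wrap(var, value);
}

/* Signed operands: INT_MAX + 1 is detected without executing the UB. */
static bool wraps_signed(int var, int value)
{
	return would_wrap(var, value);
}

/*
 * Mixed widths, e.g. a 64-bit physical address and a 32-bit length.
 * With the wide operand first the check happens in 64 bits...
 */
static bool wraps_wide_first(uint64_t start, uint32_t len)
{
	return would_wrap(start, len);
}

/* ...with the narrow operand first it happens in 32 bits. */
static bool wraps_narrow_first(uint64_t start, uint32_t len)
{
	return would_wrap(len, start);
}

/*
 * Bounds test in the style of "at + 4" against a packet length:
 * compute the end once, reject on wrap, then compare.
 */
static bool range_in_buf(uint32_t at, uint32_t n, uint32_t buf_len)
{
	uint32_t end;

	if (__builtin_add_overflow(at, n, &end))
		return false;
	return end <= buf_len;
}

int main(void)
{
	/* Constructed sample values. */
	uint64_t start = 0x100000000ULL;	/* just above 4 GiB */
	uint32_t len = 0x1000;

	printf("open-coded 0xffffffff+1 wraps: %d\n",
	       wraps_open_coded(0xffffffffu, 1));
	printf("helper     0xffffffff+1 wraps: %d\n",
	       wraps_helper(0xffffffffu, 1));
	printf("signed INT_MAX+1 wraps:        %d\n", wraps_signed(INT_MAX, 1));
	printf("wide operand first:            %d\n",
	       wraps_wide_first(start, len));
	printf("narrow operand first:          %d\n",
	       wraps_narrow_first(start, len));
	printf("range at=0xfffffffe n=4:       %d\n",
	       range_in_buf(0xfffffffeu, 4, 100));
	return 0;
}
```

The two mixed-width functions give different answers for the same operands, which is why the argument order and operand types of each converted call site are worth checking during review.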
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Dinh Nguyen, Jann Horn, Ley Foon Tan, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 65/82] nios2: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:40 -0800
Message-Id: <20240123002814.1396804-65-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In an effort to separate intentional arithmetic wrap-around from unexpected
wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Dinh Nguyen
Cc: Jann Horn
Cc: Ley Foon Tan
Signed-off-by: Kees Cook
Acked-by: Dinh Nguyen
---
 arch/nios2/kernel/sys_nios2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/nios2/kernel/sys_nios2.c b/arch/nios2/kernel/sys_nios2.c index b1ca85699952..df53efdc96e3 100644 --- a/arch/nios2/kernel/sys_nios2.c +++ b/arch/nios2/kernel/sys_nios2.c
@@ -32,7 +32,7 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigne= d long len, return -EINVAL; =20 /* Check for overflow */ - if (addr + len < addr) + if (add_would_overflow(addr, len)) return -EFAULT; =20 if (mmap_read_lock_killable(mm)) --=20 2.34.1
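
Review bot: the commit message is the series-wide template and says nothing specific to sys_cacheflush(). The hunk header shows addr and len both as unsigned long, so the old addr + len < addr was already well defined and the conversion changes no behaviour; one sentence to that effect would let the change be acked without reading the rest of the series. The /* Check for overflow */ comment above the test now only repeats the helper's name and could be dropped.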
mail-pf1-f171.google.com with SMTP id d2e1a72fcca58-6dd6c3c8a0eso25751b3a.3 for ; Mon, 22 Jan 2024 16:29:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1705969760; x=1706574560; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=jj6O26KYu1fAV2IWaDbvOkUC3P2XNQ8BTcng3nNITcI=; b=lsGrQNAQmADn5qRVD1lLMgRKwIgeB61jxoLB6TiTzQtwHE25WItR6I6facgZOKK30G /NYBIPmCVRn1sIANNImk8Fwrr4LYMCPttFukLDEzYS8XbwIvLPhLc5QDMTQzvO6wBJRc Cry0adtAJTSI1Li4ECWo3sE++EfAKZrTaOiHQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705969760; x=1706574560; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=jj6O26KYu1fAV2IWaDbvOkUC3P2XNQ8BTcng3nNITcI=; b=MHkV111Wr4Sqyr0Nh75dFWVmlOr5IBLPMmF09g26WJiTajtTeDxDH34AzQeJNALDdy inPI1TMFnkBS9l+c+Aqd+TlMfRzUiA63WPjpBUChub7dv5A2w8SOcvyskq935bbTs3Ls zF2KB7eYQ/HTjBnmdI8MiWP8kg39mrX0DwsO/YAUtdLVD84BXQJihHtSuZNuZ7jrwFs2 kHEqly+Gamct9pMIH3hQjW/WdK06fmcISmc0Z27Y8Fd+hwQ/qEp02Ft2HWGrTLANxHPo mrh55w5ZGcAmwR55IjBN8olmSYZAKhtjmqIkkxRIdrjTQWOq/hULJUNioVYoBtCO5dsT d6Iw== X-Gm-Message-State: AOJu0YzIaVfAMqb8qwcsj65VeNsPKmHjBG6F15Yx0XdYSyld4Q++tR5/ BurXsK6+jxmJ9+u2oz6W5AAkVtN+32nZU26xNPt/9Yt4ph1h2PvE6Sa4PMyWrWD5XxdBMuOpAZM = X-Google-Smtp-Source: AGHT+IHAQChb7g8SI6STief9SKN0djwi9CiRmcDxVV80wtZwD8CFDo3iPR3Q1VR95dnOuAqo1f2PZg== X-Received: by 2002:a05:6a00:85:b0:6db:cfd7:956d with SMTP id c5-20020a056a00008500b006dbcfd7956dmr1855388pfj.31.1705969760561; Mon, 22 Jan 2024 16:29:20 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id fa20-20020a056a002d1400b006dbdfb7624bsm2598975pfb.170.2024.01.22.16.29.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jan 2024 16:29:15 -0800 (PST) 
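Review bot: in sys_cacheflush() the new call add_would_overflow(addr, len) relies on a helper that this patch does not define, and the diffstat (1 insertion, 1 deletion) shows no #include being added to arch/nios2/kernel/sys_nios2.c. Please confirm the header that declares the helper is already reachable from this file's existing includes, and name in the log the patch of the series this one depends on. Since addr and len are both unsigned long, the old test "addr + len < addr" was well-defined, so the log should also say that no behaviour change is intended here.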
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Konstantin Komarov, ntfs3@lists.linux.dev, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 66/82] fs/ntfs3: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:41 -0800
Message-Id: <20240123002814.1396804-66-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Konstantin Komarov
Cc: ntfs3@lists.linux.dev
Signed-off-by: Kees Cook
--- fs/ntfs3/record.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c index 53629b1f65e9..8cd738c1dbe6 100644 --- a/fs/ntfs3/record.c +++ b/fs/ntfs3/record.c @@ -235,7 +235,7 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struc= t ATTRIB *attr) } =20 /* Overflow check. */ - if (off + asize < off) + if (add_would_overflow(off, asize)) return NULL; =20 prev_type =3D le32_to_cpu(attr->type);
@@ -266,7 +266,7 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struc= t ATTRIB *attr) return NULL; =20 /* Check overflow and boundary. */ - if (off + asize < off || off + asize > used) + if (add_would_overflow(off, asize) || off + asize > used) return NULL; =20 /* Check size of attribute. */ --=20 2.34.1
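Review bot: in the second mi_enum_attr() hunk, "add_would_overflow(off, asize) || off + asize > used" still open-codes the sum on the right-hand side, so the addition is evaluated twice and the boundary test stays wrap-free only because of the short-circuit ordering. Consider check_add_overflow() with a local variable for the sum and compare that local against used, so the overflow test and the boundary test share one computed value and a later reordering of the condition cannot reintroduce an unchecked addition.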
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Mark Fasheh, Joel Becker, Joseph Qi, ocfs2-devel@lists.linux.dev, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 67/82] ocfs2: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:42 -0800
Message-Id: <20240123002814.1396804-67-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Mark Fasheh
Cc: Joel Becker
Cc: Joseph Qi
Cc: ocfs2-devel@lists.linux.dev
Signed-off-by: Kees Cook
--- fs/ocfs2/resize.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ocfs2/resize.c b/fs/ocfs2/resize.c index d65d43c61857..5cc83e1d54a7 100644 --- a/fs/ocfs2/resize.c +++ b/fs/ocfs2/resize.c
@@ -423,7 +423,7 @@ static int ocfs2_verify_group_and_input(struct inode *i= node, else if (next_free !=3D cl_count && next_free !=3D input->chain) mlog(ML_ERROR, "the add group should be in chain %u\n", next_free); - else if (total_clusters + input->clusters < total_clusters) + else if (add_would_overflow(total_clusters, input->clusters)) mlog(ML_ERROR, "add group's clusters overflow.\n"); else if (input->clusters > cl_cpg) mlog(ML_ERROR, "the cluster exceeds the maximum of a group\n"); --=20 2.34.1
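Review bot: the log is the series template and does not state the types of total_clusters and input->clusters in ocfs2_verify_group_and_input(), which matters for the replaced branch. The old test "total_clusters + input->clusters < total_clusters" detects wrap-around only at the width the sum is evaluated in after the usual arithmetic conversions, so please give the operand types in the log and confirm that add_would_overflow() checks at that same width. Otherwise the "add group's clusters overflow" error path could fire for a different set of inputs than before.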
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Bjorn Helgaas, linux-pci@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 68/82] PCI: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:43 -0800
Message-Id: <20240123002814.1396804-68-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Bjorn Helgaas
Cc: linux-pci@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/pci/pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c index d8f11a078924..ebf6d9064a59 100644 --- a/drivers/pci/pci.c +++ b/drivers/pci/pci.c
@@ -4251,7 +4251,7 @@ int pci_register_io_range(struct fwnode_handle *fwnod= e, phys_addr_t addr, #ifdef PCI_IOBASE struct logic_pio_hwaddr *range; =20 - if (!size || addr + size < addr) + if (!size || add_would_overflow(addr, size)) return -EINVAL; =20 range =3D kzalloc(sizeof(*range), GFP_ATOMIC); --=20 2.34.1
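Review bot: the changed condition in pci_register_io_range() sits inside "#ifdef PCI_IOBASE", so it is compiled only on architectures that define PCI_IOBASE, and a missing declaration of add_would_overflow() would go unnoticed in builds that do not. Please say in the log which PCI_IOBASE configuration this was build-tested on. Also, addr is phys_addr_t while the type of size is not visible in the hunk; if the two can differ in width, confirm the helper tests at the same width as the old "addr + size < addr".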
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Mark Rutland, Alexander Shishkin, Jiri Olsa, Namhyung Kim, Ian Rogers, Adrian Hunter, John Garry, Fangrui Song, linux-perf-users@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 69/82] perf tools: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:44 -0800
Message-Id: <20240123002814.1396804-69-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>

In an effort to
separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Peter Zijlstra
Cc: Ingo Molnar
Cc: Arnaldo Carvalho de Melo
Cc: Mark Rutland
Cc: Alexander Shishkin
Cc: Jiri Olsa
Cc: Namhyung Kim
Cc: Ian Rogers
Cc: Adrian Hunter
Cc: John Garry
Cc: Fangrui Song
Cc: linux-perf-users@vger.kernel.org
Signed-off-by: Kees Cook
--- tools/perf/util/dso.c | 2 +- tools/perf/util/unwind-libdw.c | 2 +- tools/perf/util/unwind-libunwind-local.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c index 22fd5fa806ed..470a86f1cdfd 100644 --- a/tools/perf/util/dso.c +++ b/tools/perf/util/dso.c @@ -1122,7 +1122,7 @@ static ssize_t data_read_write_offset(struct dso *dso= , struct machine *machine, if (offset > dso->data.file_size) return -1; =20 - if (offset + size < offset) + if (add_would_overflow(offset, size)) return -1; =20 return cached_io(dso, machine, offset, data, size, out);
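Review bot: data_read_write_offset() is perf userspace code, and the diffstat touches only three files under tools/perf/util, so nothing in this patch makes add_would_overflow() available to the tools build. Please confirm another patch in the series adds the helper to the headers under tools/include, otherwise perf stops building at this call. The log's reasoning about -fno-strict-overflow describes the kernel build and should say whether it applies to how perf is compiled.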
diff --git a/tools/perf/util/unwind-libdw.c b/tools/perf/util/unwind-libdw.c index 6013335a8dae..45a89cbb2c8d 100644 --- a/tools/perf/util/unwind-libdw.c +++ b/tools/perf/util/unwind-libdw.c @@ -198,7 +198,7 @@ static bool memory_read(Dwfl *dwfl __maybe_unused, Dwar= f_Addr addr, Dwarf_Word * end =3D start + stack->size; =20 /* Check overflow. */ - if (addr + sizeof(Dwarf_Word) < addr) + if (add_would_overflow(addr, sizeof(Dwarf_Word))) return false; =20 if (addr < start || addr + sizeof(Dwarf_Word) > end) { diff --git a/tools/perf/util/unwind-libunwind-local.c b/tools/perf/util/unw= ind-libunwind-local.c index dac536e28360..ac71cc7f53b9 100644 --- a/tools/perf/util/unwind-libunwind-local.c +++ b/tools/perf/util/unwind-libunwind-local.c 
@@ -587,7 +587,7 @@ static int access_mem(unw_addr_space_t __maybe_unused a= s, end =3D start + stack->size; =20 /* Check overflow. */ - if (addr + sizeof(unw_word_t) < addr) + if (add_would_overflow(addr, sizeof(unw_word_t))) return -EINVAL; =20 if (addr < start || addr + sizeof(unw_word_t) >=3D end) { --=20 2.34.1
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Bjorn Andersson, Mathieu Poirier, linux-remoteproc@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 70/82] remoteproc: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:45 -0800
Message-Id: <20240123002814.1396804-70-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594= [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Bjorn Andersson Cc: Mathieu Poirier Cc: linux-remoteproc@vger.kernel.org Signed-off-by: Kees Cook Acked-by: Bjorn Andersson --- drivers/remoteproc/pru_rproc.c | 2 +- drivers/remoteproc/remoteproc_elf_loader.c | 2 +- drivers/remoteproc/remoteproc_virtio.c | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/remoteproc/pru_rproc.c b/drivers/remoteproc/pru_rproc.c index 327f0c7ee3d6..834249ee3dd3 100644 --- a/drivers/remoteproc/pru_rproc.c +++ b/drivers/remoteproc/pru_rproc.c @@ -893,7 +893,7 @@ pru_rproc_find_interrupt_map(struct device *dev, const = struct firmware *fw) continue; =20 /* make sure we have the entire irq map */ - if (offset + size > fw->size || offset + size < size) { + if (offset + size > fw->size || add_would_overflow(size, offset)) { dev_err(dev, ".pru_irq_map section truncated\n"); return ERR_PTR(-EINVAL); } diff --git a/drivers/remoteproc/remoteproc_elf_loader.c b/drivers/remotepro= c/remoteproc_elf_loader.c index 94177e416047..b9231cf46d68 100644 --- a/drivers/remoteproc/remoteproc_elf_loader.c 
+++ b/drivers/remoteproc/remoteproc_elf_loader.c @@ -278,7 +278,7 @@ find_table(struct device *dev, const struct firmware *f= w) table =3D (struct resource_table *)(elf_data + offset); =20 /* make sure we have the entire table */ - if (offset + size > fw_size || offset + size < size) { + if (offset + size > fw_size || add_would_overflow(size, offset)) { dev_err(dev, "resource table truncated\n"); return NULL; } diff --git a/drivers/remoteproc/remoteproc_virtio.c b/drivers/remoteproc/re= moteproc_virtio.c index 83d76915a6ad..58742c666e35 100644 --- a/drivers/remoteproc/remoteproc_virtio.c +++ b/drivers/remoteproc/remoteproc_virtio.c @@ -298,7 +298,7 @@ static void rproc_virtio_get(struct virtio_device *vdev= , unsigned int offset, rsc =3D (void *)rvdev->rproc->table_ptr + rvdev->rsc_offset; cfg =3D &rsc->vring[rsc->num_of_vrings]; =20 - if (offset + len > rsc->config_len || offset + len < len) { + if (offset + len > rsc->config_len || add_would_overflow(len, offset)) { dev_err(&vdev->dev, "rproc_virtio_get: access out of bounds\n"); return; } 
@@ -316,7 +316,7 @@ static void rproc_virtio_set(struct virtio_device *vdev= , unsigned int offset, rsc =3D (void *)rvdev->rproc->table_ptr + rvdev->rsc_offset; cfg =3D &rsc->vring[rsc->num_of_vrings]; =20 - if (offset + len > rsc->config_len || offset + len < len) { + if (offset + len > rsc->config_len || add_would_overflow(len, offset)) { dev_err(&vdev->dev, "rproc_virtio_set: access out of bounds\n"); return; } --=20 2.34.1
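Review bot: In the pru_rproc.c and remoteproc_elf_loader.c hunks the new add_would_overflow(size, offset) call sits to the right of offset + size > fw->size (and offset + size > fw_size), so the open-coded sum is still evaluated first and can wrap before the helper is consulted. The commit message says the aim is to let a sanitizer catch unexpected wrap-around, and with this operand order the first comparison is the expression that would wrap on a malformed firmware image. Consider testing add_would_overflow() first so that || short-circuits before any addition, or computing the end once with check_add_overflow() and comparing that value against the firmware size.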
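Review bot: The rproc_virtio_get() and rproc_virtio_set() hunks in remoteproc_virtio.c end up with the same two-part bounds test, offset + len > rsc->config_len || add_would_overflow(len, offset), differing only in the dev_err() string. Since both lines are being touched anyway, a small shared helper taking rsc, offset and len would keep the two copies from drifting, and it would be the natural place to put the overflow test ahead of the offset + len comparison. The argument order (len, offset) mirrors the old offset + len < len form but reads backwards next to the other conversions in this series, which pass the base first; a sentence in the commit message on whether the order matters would help.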
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Alexander Gordeev, Gerald Schaefer, Heiko Carstens, Vasily Gorbik, Christian Borntraeger, Sven Schnelle, linux-s390@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 71/82] s390/mm: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:46 -0800
Message-Id: <20240123002814.1396804-71-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we
need to refactor places that depend on this kind of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594= [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Alexander Gordeev Cc: Gerald Schaefer Cc: Heiko Carstens Cc: Vasily Gorbik Cc: Christian Borntraeger Cc: Sven Schnelle Cc: linux-s390@vger.kernel.org Signed-off-by: Kees Cook --- arch/s390/mm/vmem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/s390/mm/vmem.c b/arch/s390/mm/vmem.c index 186a020857cf..98a7f08141f0 100644 --- a/arch/s390/mm/vmem.c +++ b/arch/s390/mm/vmem.c 
@@ -538,7 +538,7 @@ int vmem_add_mapping(unsigned long start, unsigned long= size) =20 if (start < range.start || start + size > range.end + 1 || - start + size < start) + add_would_overflow(start, size)) return -ERANGE; =20 mutex_lock(&vmem_mutex); --=20 2.34.1
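Review bot: In vmem_add_mapping() the condition still evaluates start + size > range.end + 1 before it reaches add_would_overflow(start, size), so the wrapping addition the helper is meant to replace happens one operand earlier. Moving the add_would_overflow() test ahead of that comparison lets || short-circuit before any sum is formed. The range.end + 1 on the same line is a second open-coded addition with no guard; if range.end can ever hold the maximum value it wraps to 0, so it deserves either a comment saying why that cannot happen or its own check.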
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 72/82] scsi: sd_zbc: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:47 -0800
Message-Id: <20240123002814.1396804-72-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594= [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-scsi@vger.kernel.org Signed-off-by: Kees Cook --- drivers/scsi/sd_zbc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/sd_zbc.c b/drivers/scsi/sd_zbc.c index 26af5ab7d7c1..2c377e4cdb2b 100644 --- a/drivers/scsi/sd_zbc.c +++ b/drivers/scsi/sd_zbc.c 
@@ -295,7 +295,7 @@ int sd_zbc_report_zones(struct gendisk *disk, sector_t = sector, (lba < start_lba || lba >=3D start_lba + zone_length)) || (zone_idx > 0 && start_lba !=3D lba) || - start_lba + zone_length < start_lba) { + add_would_overflow(start_lba, zone_length)) { sd_printk(KERN_ERR, sdkp, "Zone %d at LBA %llu is invalid: %llu + %llu\n", zone_idx, lba, start_lba, zone_length); --=20 2.34.1
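Review bot: The context line above the change, lba >= start_lba + zone_length, forms the same sum earlier in the condition than the new add_would_overflow(start_lba, zone_length) test, so as far as the visible context shows a wrapped zone end can already have been compared against lba by the time the helper runs. Putting the overflow test at the front of the condition would make every later use of start_lba + zone_length safe by short-circuit. If the ordering is deliberate, a short comment saying so would save the next reader from asking.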
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Yoshinori Sato, Rich Felker, John Paul Adrian Glaubitz, linux-sh@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 73/82] sh: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:48 -0800
Message-Id: <20240123002814.1396804-73-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594= [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Yoshinori Sato Cc: Rich Felker Cc: John Paul Adrian Glaubitz Cc: linux-sh@vger.kernel.org Signed-off-by: Kees Cook Acked-by: John Paul Adrian Glaubitz --- arch/sh/kernel/sys_sh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/sh/kernel/sys_sh.c b/arch/sh/kernel/sys_sh.c index a5a7b33ed81a..e390caeb8c00 100644 --- a/arch/sh/kernel/sys_sh.c +++ b/arch/sh/kernel/sys_sh.c 
@@ -66,7 +66,7 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigne= d long len, int op) * Verify that the specified address region actually belongs * to this process. */ - if (addr + len < addr) + if (add_would_overflow(addr, len)) return -EFAULT; =20 mmap_read_lock(current->mm); --=20 2.34.1
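Review bot: The sys_cacheflush() hunk calls add_would_overflow() but the patch adds no #include to arch/sh/kernel/sys_sh.c (the diffstat is one insertion and one deletion), so the build depends on the defining header arriving through an existing include. Please confirm that with an sh build or add the include explicitly. The conversion itself reads cleanly: addr and len are both unsigned long in the signature, and no open-coded addr + len remains in the visible context before mmap_read_lock().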
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Vineet Gupta, Luis Chamberlain, "dean.yang_cp", Song Liu, Yihao Han, linux-snps-arc@lists.infradead.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 74/82] ARC: dw2 unwind: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:49 -0800
Message-Id: <20240123002814.1396804-74-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor
places that depend on this kind of math. One of the most common code
patterns of this is:

        VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Vineet Gupta
Cc: Luis Chamberlain
Cc: "dean.yang_cp"
Cc: Song Liu
Cc: Yihao Han
Cc: linux-snps-arc@lists.infradead.org
Signed-off-by: Kees Cook
--- arch/arc/kernel/unwind.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arc/kernel/unwind.c b/arch/arc/kernel/unwind.c index 8924fa2a8f29..649b56204580 100644 --- a/arch/arc/kernel/unwind.c +++ b/arch/arc/kernel/unwind.c 
@@ -1278,7 +1278,7 @@ int arc_unwind(struct unwind_frame_info *frame) if ((state.regs[i].value * state.dataAlign) % sizeof(unsigned long) || addr < startLoc - || addr + sizeof(unsigned long) < addr + || add_would_overflow(addr, sizeof(unsigned long)) || addr + sizeof(unsigned long) > endLoc) return -EIO; =20 --=20 2.34.1
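Review bot: the bounds test still computes addr + sizeof(unsigned long) a second time, open-coded, in the "> endLoc" comparison on the line after the new add_would_overflow() call. Short-circuit evaluation keeps that second addition from running once the first check reports overflow, so behaviour is unchanged, but the safety now rests on the order of the || operands. Consider computing the sum once with check_add_overflow() into a local and comparing that local against endLoc, so the wrap check and the range check cannot be separated by a later edit.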
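The commit message above contrasts the open-coded test VAR + value < VAR with a helper-based check. As an added example (not code from this series or from the kernel), the user-space C below compares that idiom with the compiler builtin __builtin_add_overflow(); every function name is hypothetical, and nothing here reproduces the kernel's add_would_overflow(), whose definition is not shown on this page.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The open-coded idiom from the commit message: VAR + value < VAR. */
static bool wraps_open_coded_u32(uint32_t var, uint32_t value)
{
	return var + value < var;	/* relies on unsigned wrap-around */
}

/* Same question put to the compiler; no wrapped sum is ever compared. */
static bool wraps_builtin_u32(uint32_t var, uint32_t value)
{
	uint32_t sum;

	return __builtin_add_overflow(var, value, &sum);
}

/*
 * Pitfall 1: operands narrower than int are promoted before the addition,
 * so the idiom silently stops detecting anything (assumes 32-bit int).
 */
static bool wraps_open_coded_u16(uint16_t var, uint16_t value)
{
	return var + value < var;	/* int arithmetic: 65535 + 1 == 65536 */
}

static bool wraps_builtin_u16(uint16_t var, uint16_t value)
{
	uint16_t sum;

	return __builtin_add_overflow(var, value, &sum);
}

/*
 * Pitfall 2: with one signed and one unsigned operand, the type the result
 * is judged against decides the answer. These two differ only in that type.
 */
static bool overflows_as_u32(int32_t adj, uint32_t mult)
{
	uint32_t sum;

	return __builtin_add_overflow(adj, mult, &sum);
}

static bool overflows_as_s32(int32_t adj, uint32_t mult)
{
	int32_t sum;

	return __builtin_add_overflow(adj, mult, &sum);
}

/*
 * Range check in the shape used by the hunks: reject if the start is below
 * the region, if addr + len wraps, or if the end passes the limit. The sum
 * is computed once and reused for the limit comparison.
 */
static bool range_ok(unsigned long addr, unsigned long len,
		     unsigned long start, unsigned long end)
{
	unsigned long last;

	if (addr < start)
		return false;
	if (__builtin_add_overflow(addr, len, &last))
		return false;
	return last <= end;
}

int main(void)
{
	/* Constructed sample values, not taken from any kernel trace. */
	printf("u32 max+1: open-coded=%d builtin=%d\n",
	       wraps_open_coded_u32(UINT32_MAX, 1),
	       wraps_builtin_u32(UINT32_MAX, 1));
	printf("u16 max+1: open-coded=%d builtin=%d\n",
	       wraps_open_coded_u16(UINT16_MAX, 1),
	       wraps_builtin_u16(UINT16_MAX, 1));
	printf("1 + 0x90000000: as u32=%d as s32=%d\n",
	       overflows_as_u32(1, 0x90000000u),
	       overflows_as_s32(1, 0x90000000u));
	printf("range near top of address space ok=%d\n",
	       range_ok(ULONG_MAX - 3, sizeof(unsigned long), 0, ULONG_MAX));
	return 0;
}
```
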
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, John Stultz, Thomas Gleixner, Stephen Boyd, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 75/82] timekeeping: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:50 -0800
Message-Id: <20240123002814.1396804-75-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math.
One of the most common code patterns of this is:

        VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: John Stultz
Cc: Thomas Gleixner
Cc: Stephen Boyd
Signed-off-by: Kees Cook
Acked-by: John Stultz
Reviewed-by: Thomas Gleixner
--- kernel/time/timekeeping.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c index 266d02809dbb..2fc7cf16584c 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c 
@@ -1984,7 +1984,7 @@ static __always_inline void timekeeping_apply_adjustm= ent(struct timekeeper *tk, * Which simplifies to: * xtime_nsec -=3D offset */ - if ((mult_adj > 0) && (tk->tkr_mono.mult + mult_adj < mult_adj)) { + if ((mult_adj > 0) && (add_would_overflow(mult_adj, tk->tkr_mono.mult))) { /* NTP adjustment caused clocksource mult overflow */ WARN_ON_ONCE(1); return; --=20 2.34.1
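Review bot: the operands in the replaced condition are swapped relative to the original, from tk->tkr_mono.mult + mult_adj to add_would_overflow(mult_adj, tk->tkr_mono.mult), and the "mult_adj > 0" guard suggests mult_adj is a signed type. The original sum was compared after the usual arithmetic conversions; whether the helper judges overflow in the type of its first argument, its second, or a fixed type is not visible in this patch. If it follows the first argument, this call would test for signed overflow of mult_adj's type rather than wrap of the clocksource mult, so please confirm the semantics or pass tk->tkr_mono.mult first. The extra parentheses around the add_would_overflow() call can also be dropped.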
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Jan Kara, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 76/82] udf: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:51 -0800
Message-Id: <20240123002814.1396804-76-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math.
One of the most common code patterns of this is:

        VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Jan Kara
Signed-off-by: Kees Cook
Reviewed-by: Jan Kara
--- fs/udf/balloc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c index ab3ffc355949..5c88300c3de7 100644 --- a/fs/udf/balloc.c +++ b/fs/udf/balloc.c @@ -139,7 +139,7 @@ static void udf_bitmap_free_blocks(struct super_block *= sb, =20 mutex_lock(&sbi->s_alloc_mutex); partmap =3D &sbi->s_partmaps[bloc->partitionReferenceNum]; - if (bloc->logicalBlockNum + count < count || + if (add_would_overflow(count, bloc->logicalBlockNum) || (bloc->logicalBlockNum + count) > partmap->s_partition_len) { udf_debug("%u < %d || %u + %u > %u\n", bloc->logicalBlockNum, 0, 
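Review bot: the udf_debug() format in the context lines, "%u < %d || %u + %u > %u", is fed bloc->logicalBlockNum and a literal 0 for its first clause, which does not describe the test that now reads add_would_overflow(count, bloc->logicalBlockNum). When the wrap check is the one that fires, the log line prints a comparison that was never made. Since the condition is being touched anyway, consider rewording the message so it says the addition wrapped.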
@@ -390,7 +390,7 @@ static void udf_table_free_blocks(struct super_block *s= b, =20 mutex_lock(&sbi->s_alloc_mutex); partmap =3D &sbi->s_partmaps[bloc->partitionReferenceNum]; - if (bloc->logicalBlockNum + count < count || + if (add_would_overflow(count, bloc->logicalBlockNum) || (bloc->logicalBlockNum + count) > partmap->s_partition_len) { udf_debug("%u < %d || %u + %u > %u\n", bloc->logicalBlockNum, 0, --=20 2.34.1
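Review bot: the range check in udf_table_free_blocks() duplicates the one in udf_bitmap_free_blocks() line for line, including the converted add_would_overflow(count, bloc->logicalBlockNum) call and the udf_debug() that follows. A small shared helper taking bloc, count and partmap would keep the two copies from drifting apart. Note also that the second operand still computes bloc->logicalBlockNum + count open-coded, which is safe only because || short-circuits after the overflow test.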
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Michael S. Tsirkin", Jason Wang, Xuan Zhuo, virtualization@lists.linux.dev, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 77/82] virtio: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:52 -0800
Message-Id: <20240123002814.1396804-77-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math.
One of the most common code patterns of this is:

        VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: "Michael S. Tsirkin"
Cc: Jason Wang
Cc: Xuan Zhuo
Cc: virtualization@lists.linux.dev
Signed-off-by: Kees Cook
Reviewed-by: Eugenio Pérez
--- drivers/virtio/virtio_pci_modern_dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/virtio/virtio_pci_modern_dev.c b/drivers/virtio/virtio= _pci_modern_dev.c index 0d3dbfaf4b23..710d3bd45b4f 100644 --- a/drivers/virtio/virtio_pci_modern_dev.c +++ b/drivers/virtio/virtio_pci_modern_dev.c @@ -59,7 +59,7 @@ vp_modern_map_capability(struct virtio_pci_modern_device = *mdev, int off, =20 length -=3D start; =20 - if (start + offset < offset) { + if (add_would_overflow(offset, start)) { dev_err(&dev->dev, "virtio_pci: map wrap-around %u+%u\n", start, offset); 
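Review bot: the argument order in add_would_overflow(offset, start) is the reverse of the dev_err() just below it, which prints start then offset as "%u+%u", and of the second hunk in this patch, where offset is passed as the second argument. Both values are printed with %u, so for same-width operands the result does not change, but passing (start, offset) would let a reader match the check directly against the message it guards and keep the two call sites in this function consistent.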
@@ -81,7 +81,7 @@ vp_modern_map_capability(struct virtio_pci_modern_device = *mdev, int off, if (len) *len =3D length; =20 - if (minlen + offset < minlen || + if (add_would_overflow(minlen, offset) || minlen + offset > pci_resource_len(dev, bar)) { dev_err(&dev->dev, "virtio_pci: map virtio %zu@%u " --=20 2.34.1
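Review bot: the dev_err() format below the new check starts "%zu@%u", which suggests minlen is a size_t and offset a narrower type, so add_would_overflow(minlen, offset) mixes operand widths. The original minlen + offset < minlen was evaluated at the wider width after conversion; the commit message should say (or the helper should guarantee) that overflow is still judged at that width. As elsewhere in the series, minlen + offset is then recomputed open-coded for the pci_resource_len() comparison and could instead reuse a single check_add_overflow() result.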
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrew Morton, Uladzislau Rezki, Christoph Hellwig, Lorenzo Stoakes, linux-mm@kvack.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 78/82] mm/vmalloc: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:53 -0800
Message-Id: <20240123002814.1396804-78-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

        VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Andrew Morton
Cc: Uladzislau Rezki
Cc: Christoph Hellwig
Cc: Lorenzo Stoakes
Cc: linux-mm@kvack.org
Signed-off-by: Kees Cook
Reviewed-by: Lorenzo Stoakes
--- mm/vmalloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 7932ac99e9d3..3d73f2ac6957 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c 
@@ -3750,7 +3750,7 @@ long vread_iter(struct iov_iter *iter, const char *ad= dr, size_t count) addr =3D kasan_reset_tag(addr); =20 /* Don't allow overflow */ - if ((unsigned long) addr + count < count) + if (add_would_overflow(count, (unsigned long)addr)) count =3D -(unsigned long) addr; =20 remains =3D count; --=20 2.34.1
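Review bot: the clamp on the line after the new check, count = -(unsigned long) addr, still depends on unsigned wrap-around (negating an unsigned value), so this hunk leaves one intentional wrap open-coded directly beside the one it converts. If the aim stated in the commit message is to instrument unsigned wrap-around later, that negation will likely need the same treatment or an explicit annotation, and it is worth saying so here. Minor: the new line writes (unsigned long)addr without the space used in the cast on the following line.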
header.i=@chromium.org header.b="U5w+TCj3" Received: by mail-ot1-f42.google.com with SMTP id 46e09a7af769-6e0e08c70f7so1619636a34.2 for ; Mon, 22 Jan 2024 16:36:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1705970182; x=1706574982; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=nfUPSLWLFR2aaFBB7T6PJOGyzs3EsvCpQit0VhIc77o=; b=U5w+TCj3OYdJ3nUk8pG+3r3BOkuYEfZpnYKA1Uejeu/YHAIFIcQ8bYLtI08jD8If63 Vb70yGwIs8rkcQGNU6lMVrr4DGaPiRVtqcd5ZNExuaKhqOGX5eI/mJSseo+3fSQp4L4W 4bO8IH9mJJUWix5a+5biqdITiQcQcgDGyN8ak= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705970182; x=1706574982; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=nfUPSLWLFR2aaFBB7T6PJOGyzs3EsvCpQit0VhIc77o=; b=bPGSKva1mZfsTZJdMKeueLmvEs69JKcne2Rn23axMNfcpe3SEVk1vVfBwDHgyObyXR M6b2UrTM1oieHVc0njVe0OwsVojC8Zlf07mslzkXdwqCnRraeKECPP4H20Rw98aQtUhM gGxxIEXA8wevkbAeEvsklKaWzmovMX9MsMlBpMRpZJbrRuZ9jOnwMmsBl+5VfvaDWAhu gx1JilubBax6EetJGxOK2YQkrle9orCgNOqogJ9zp+aP6FzdSy+9IkaG/7dJEGcFKfiX wEQGZfwMYGVsKObVnc4oJnYVw5DjHM6Offksh2KkVT0r592UkbRUAVAFkuLnHbD6+wFv Kprg== X-Gm-Message-State: AOJu0YxzARXCgU0dtCJ7NtWbf+52FiH9nJDXW7/jIuAdlXo4ZCh10u2w zhFQruCuAEvjUlBG0RacsBLiT9V6kby0f7Ntl9MHJoavUybas01EvFqT/dkW3Q== X-Google-Smtp-Source: AGHT+IFWer+CHPYFKz4aogRg2rh9FM/Qdoj3c5YAE1QWiQ2/ARGjmNAbYrJIVCmUtb1J4VGTkYl8bA== X-Received: by 2002:a05:6358:4b4c:b0:176:5381:7508 with SMTP id ks12-20020a0563584b4c00b0017653817508mr1802125rwc.29.1705970182669; Mon, 22 Jan 2024 16:36:22 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id c2-20020a62e802000000b006da24e7c16dsm10181497pfi.186.2024.01.22.16.36.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 
Jan 2024 16:36:18 -0800 (PST) 
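Review bot: In the vread_iter() hunk, the line directly after the converted test, `count = -(unsigned long) addr;`, is itself an unsigned negation that depends on wrap-around, so it may be flagged once wrap-around is instrumented; consider annotating or rewriting it in the same patch. The operand order also changes from `addr + count` to `add_would_overflow(count, (unsigned long)addr)`, where `count` is a size_t and the other operand is cast to unsigned long; a sentence in the commit message on which argument decides the type the check is evaluated in would make that swap easier to review.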
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Martyn Welch, Manohar Vanga, Greg Kroah-Hartman, Soumya Negi, Alexon Oliveira, linux-staging@lists.linux.dev, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 79/82] staging: vme_user: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:54 -0800
Message-Id: <20240123002814.1396804-79-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to
refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Martyn Welch
Cc: Manohar Vanga
Cc: Greg Kroah-Hartman
Cc: Soumya Negi
Cc: Alexon Oliveira
Cc: linux-staging@lists.linux.dev
Signed-off-by: Kees Cook
---
 drivers/staging/vme_user/vme.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/vme_user/vme.c b/drivers/staging/vme_user/vme.c index e9461a7a7ab8..a0acf2a295cd 100644 --- a/drivers/staging/vme_user/vme.c +++ b/drivers/staging/vme_user/vme.c 
@@ -165,7 +165,7 @@ int vme_check_window(struct vme_bridge *bridge, u32 asp= ace, { int retval =3D 0; =20 - if (vme_base + size < size) + if (add_would_overflow(size, vme_base)) return -EINVAL; =20 switch (aspace) { --=20 2.34.1
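Review bot: The converted test in vme_check_window() passes its operands as `add_would_overflow(size, vme_base)`, but the declarations of `vme_base` and `size` are outside the visible context (the signature is cut after `u32 aspace,`), so the hunk alone does not show that both are the same unsigned type. Name the types in the commit message, which is otherwise the series boilerplate, so a reviewer can confirm the helper evaluates the sum at the width the old `vme_base + size < size` test used.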
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Wei Liu, Paul Durrant, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, xen-devel@lists.xenproject.org, netdev@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 80/82] xen-netback: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:55 -0800
Message-Id: <20240123002814.1396804-80-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to
refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Wei Liu
Cc: Paul Durrant
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: xen-devel@lists.xenproject.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/net/xen-netback/hash.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c index ff96f22648ef..69b03b4feba9 100644 --- a/drivers/net/xen-netback/hash.c +++ b/drivers/net/xen-netback/hash.c 
@@ -345,7 +345,7 @@ u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gre= f, u32 len, .flags =3D GNTCOPY_source_gref }}; =20 - if ((off + len < off) || (off + len > vif->hash.size) || + if ((add_would_overflow(off, len)) || (off + len > vif->hash.size) || len > XEN_PAGE_SIZE / sizeof(*mapping)) return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; =20 --=20 2.34.1
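Review bot: The converted condition in xenvif_set_hash_mapping() keeps a redundant pair of parentheses around the helper call, `(add_would_overflow(off, len))`, left over from the old `(off + len < off)` clause; drop them. The next clause still open-codes `off + len > vif->hash.size` and is only safe because the overflow test short-circuits first, so computing the sum once into a local (for example with check_add_overflow()) and comparing that local would make the dependency explicit.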
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Nick Terrell, Paul Jones, Sedat Dilek, Oleksandr Natalenko, Xin Gao, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 81/82] lib: zstd: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:56 -0800
Message-Id: <20240123002814.1396804-81-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math.
One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Switch to a more regular type for a 64-bit value and refactor the open-coded wrap-around addition test to use subtraction from the type max (since add_would_overflow() may not be defined in early boot code). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Nick Terrell
Cc: Paul Jones
Cc: Sedat Dilek
Cc: Oleksandr Natalenko
Cc: Xin Gao
Signed-off-by: Kees Cook
---
 lib/zstd/decompress/zstd_decompress.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/zstd/decompress/zstd_decompress.c b/lib/zstd/decompress/zs= td_decompress.c index 6b3177c94711..2c87cf702ad6 100644 --- a/lib/zstd/decompress/zstd_decompress.c +++ b/lib/zstd/decompress/zstd_decompress.c @@ -585,7 +585,7 @@ ZSTDLIB_API size_t ZSTD_readSkippableFrame(void* dst, s= ize_t dstCapacity, unsign * @return : decompressed size of the frames contained */ unsigned long long ZSTD_findDecompressedSize(const void* src, size_t srcSi= ze) { - unsigned long long totalDstSize =3D 0; + U64 totalDstSize =3D 0; =20 while (srcSize >=3D ZSTD_startingInputLength(ZSTD_f_zstd1)) { U32 const magicNumber =3D MEM_readLE32(src); 
@@ -606,7 +606,7 @@ unsigned long long ZSTD_findDecompressedSize(const void= * src, size_t srcSize) if (ret >=3D ZSTD_CONTENTSIZE_ERROR) return ret; =20 /* check for overflow */ - if (totalDstSize + ret < totalDstSize) return ZSTD_CONTENTSIZE= _ERROR; + if (U64_MAX - totalDstSize < ret) return ZSTD_CONTENTSIZE_ERRO= R; totalDstSize +=3D ret; } { size_t const frameSrcSize =3D ZSTD_findFrameCompressedSize(src= , srcSize); --=20 2.34.1
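Review bot: In the first zstd_decompress.c hunk (@@ -585), `totalDstSize` becomes `U64` while the unchanged context still declares ZSTD_findDecompressedSize() as returning `unsigned long long`, so the accumulator and the return type no longer match by name. Either keep the original declaration and compare against the maximum of that type in the second hunk, or say in the commit message why the type switch is required for the new test.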
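Review bot: In the second zstd_decompress.c hunk (@@ -606), `U64_MAX - totalDstSize < ret` needs `U64_MAX` to be visible in every build of this file, and the commit message avoids add_would_overflow() precisely because it may not be defined in early boot code. Confirm `U64_MAX` is available there as well, and since the declaration of `ret` is outside the hunk, state its type so the comparison can be checked at the intended width.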
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Christian Brauner, Andrew Morton, "Eric W. Biederman", Dave Chinner, Alexey Gladkov, Jeff Layton, Waiman Long, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 82/82] mqueue: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:57 -0800
Message-Id: <20240123002814.1396804-82-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor
places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Christian Brauner
Cc: Andrew Morton
Cc: "Eric W. Biederman"
Cc: Dave Chinner
Cc: Alexey Gladkov
Cc: Jeff Layton
Cc: Waiman Long
Signed-off-by: Kees Cook
---
 ipc/mqueue.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipc/mqueue.c b/ipc/mqueue.c index 5eea4dc0509e..7ef9d325183a 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c @@ -366,7 +366,7 @@ static struct inode *mqueue_get_inode(struct super_bloc= k *sb, min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) * sizeof(struct posix_msg_tree_node); mq_bytes =3D info->attr.mq_maxmsg * info->attr.mq_msgsize; - if (mq_bytes + mq_treesize < mq_bytes) + if (add_would_overflow(mq_bytes, mq_treesize)) goto out_inode; mq_bytes +=3D mq_treesize; info->ucounts =3D get_ucounts(current_ucounts()); --=20 2.34.1
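Review bot: In mqueue_get_inode(), the converted test is immediately followed by `mq_bytes += mq_treesize;`, so the same sum is expressed twice; check_add_overflow(mq_bytes, mq_treesize, &mq_bytes) would test and store in one step. The context line above it, `mq_bytes = info->attr.mq_maxmsg * info->attr.mq_msgsize;`, is an unchecked multiplication feeding this test, so either cover it in this patch or note in the commit message where those two values are bounded.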
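The three addition wrap-around tests that appear in these patches, side by side, as an added example that is not code from the series: the open-coded idiom, subtraction from the type maximum, and a compiler builtin standing in for add_would_overflow(), whose definition is not shown here. It goes one step beyond the messages by also covering narrow and signed operands; all function names and sample values are constructed, and GCC or Clang is assumed for __builtin_add_overflow().

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Form 1: the open-coded idiom from the commit messages (VAR + value < VAR).
 * Well defined for unsigned types at least as wide as int, but the addition
 * itself wraps, which is what a wrap-around sanitizer would report. */
static bool u64_wraps_open_coded(uint64_t a, uint64_t b)
{
	return a + b < a;
}

/* Form 2: subtraction from the type maximum, the shape used in the zstd
 * patch. No operation here can wrap. */
static bool u64_wraps_sub_max(uint64_t a, uint64_t b)
{
	return UINT64_MAX - a < b;
}

/* Form 3: compiler builtin. Assumption: this only stands in for the series'
 * add_would_overflow(); it is not that helper's definition. */
static bool u64_wraps_builtin(uint64_t a, uint64_t b)
{
	uint64_t sum;

	return __builtin_add_overflow(a, b, &sum);
}

/* Narrow operands are promoted to int before the addition (int is assumed
 * wider than 16 bits), so the open-coded test can never fire. */
static bool u16_wraps_open_coded(uint16_t a, uint16_t b)
{
	return a + b < a;
}

/* The builtin checks against the type of the result object instead. */
static bool u16_wraps_builtin(uint16_t a, uint16_t b)
{
	uint16_t sum;

	return __builtin_add_overflow(a, b, &sum);
}

/* Signed operands: "a + b < a" is undefined behaviour unless the build uses
 * -fwrapv or -fno-strict-overflow; the builtin is defined everywhere. */
static bool int_add_overflows(int a, int b)
{
	int sum;

	return __builtin_add_overflow(a, b, &sum);
}

/* Accumulator shaped like the loop in the zstd hunk: refuse the addition
 * before performing it. *total is written only on success. */
static bool sum_sizes(const uint64_t *sizes, size_t n, uint64_t *total)
{
	uint64_t acc = 0;

	for (size_t i = 0; i < n; i++) {
		if (UINT64_MAX - acc < sizes[i])
			return false;
		acc += sizes[i];
	}
	*total = acc;
	return true;
}

/* Offset/length bounds check shaped like the xen-netback condition: the sum
 * is computed once and the limit is compared against that checked value. */
static bool range_ok(uint32_t off, uint32_t len, uint32_t limit)
{
	uint32_t end;

	if (__builtin_add_overflow(off, len, &end))
		return false;
	return end <= limit;
}

int main(void)
{
	/* Constructed sample values. */
	const uint64_t frames[] = { UINT64_MAX - 1, 1, 1 };
	uint64_t total = 0;

	printf("u64 open-coded/sub-max/builtin: %d %d %d\n",
	       u64_wraps_open_coded(UINT64_MAX, 1),
	       u64_wraps_sub_max(UINT64_MAX, 1),
	       u64_wraps_builtin(UINT64_MAX, 1));
	printf("u16 open-coded vs builtin:      %d %d\n",
	       u16_wraps_open_coded(0xFFFF, 1), u16_wraps_builtin(0xFFFF, 1));
	printf("INT_MAX + 1 overflows:          %d\n", int_add_overflows(INT_MAX, 1));
	printf("frame total accepted:           %d\n", sum_sizes(frames, 3, &total));
	printf("range 0xfffffff0+0x20 in 4096:  %d\n", range_ok(0xFFFFFFF0u, 0x20u, 4096));
	return 0;
}
```
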