diff options
| author | Rasmus Villemoes <linux@rasmusvillemoes.dk> | 2018-05-07 18:36:27 -0400 |
|---|---|---|
| committer | Kees Cook <keescook@chromium.org> | 2018-05-31 19:41:41 -0400 |
| commit | f0907827a8a9152aedac2833ed1b674a7b2a44f2 (patch) | |
| tree | 20e45292a1202e5a33711a750b73f8b0a872ee6a | |
| parent | 75bc37fefc4471e718ba8e651aa74673d4e0a9eb (diff) | |
compiler.h: enable builtin overflow checkers and add fallback code
This adds wrappers for the __builtin overflow checkers present in gcc
5.1+ as well as fallback implementations for earlier compilers. It's not
that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
the same. We obviously don't want the wrappers to have different
semantics depending on $GCC_VERSION, so we also insist on that even when
using the builtins.
There are a few problems with the 'a+b < a' idiom for checking for
overflow: For signed types, it relies on undefined behaviour and is
not actually complete (it doesn't check underflow;
e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
is wrong for all types (signed and unsigned) narrower than
int. Similarly, when a and b does not have the same type, there are
subtle cases like
u32 a;
if (a + sizeof(foo) < a)
return -EOVERFLOW;
a += sizeof(foo);
where the test is always false on 64 bit platforms. Add to that that it
is not always possible to determine the types involved at a glance.
The new overflow.h is somewhat bulky, but that's mostly a result of
trying to be type-generic, complete (e.g. catching not only overflow
but also signed underflow) and not relying on undefined behaviour.
Linus is of course right [1] that for unsigned subtraction a-b, the
right way to check for overflow (underflow) is "b > a" and not
"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
covered here, and included mostly for completeness.
So is it worth it? I think it is, if nothing else for the documentation
value of seeing
if (check_add_overflow(a, b, &d))
return -EGOAWAY;
do_stuff_with(d);
instead of the open-coded (and possibly wrong and/or incomplete and/or
UBsan-tickling)
if (a+b < a)
return -EGOAWAY;
do_stuff_with(a+b);
While gcc does recognize the 'a+b < a' idiom for testing unsigned add
overflow, it doesn't do nearly as good for unsigned multiplication
(there's also no single well-established idiom). So using
check_mul_overflow in kcalloc and friends may also make gcc generate
slightly better code.
[1] https://lkml.org/lkml/2015/11/2/658
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kees Cook <keescook@chromium.org>
| -rw-r--r-- | include/linux/compiler-clang.h | 14 | ||||
| -rw-r--r-- | include/linux/compiler-gcc.h | 4 | ||||
| -rw-r--r-- | include/linux/compiler-intel.h | 4 | ||||
| -rw-r--r-- | include/linux/overflow.h | 205 |
4 files changed, 227 insertions, 0 deletions
diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h index 7d98e263e048..7087446c24c8 100644 --- a/include/linux/compiler-clang.h +++ b/include/linux/compiler-clang.h | |||
| @@ -32,3 +32,17 @@ | |||
| 32 | #ifdef __noretpoline | 32 | #ifdef __noretpoline |
| 33 | #undef __noretpoline | 33 | #undef __noretpoline |
| 34 | #endif | 34 | #endif |
| 35 | |||
| 36 | /* | ||
| 37 | * Not all versions of clang implement the the type-generic versions | ||
| 38 | * of the builtin overflow checkers. Fortunately, clang implements | ||
| 39 | * __has_builtin allowing us to avoid awkward version | ||
| 40 | * checks. Unfortunately, we don't know which version of gcc clang | ||
| 41 | * pretends to be, so the macro may or may not be defined. | ||
| 42 | */ | ||
| 43 | #undef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW | ||
| 44 | #if __has_builtin(__builtin_mul_overflow) && \ | ||
| 45 | __has_builtin(__builtin_add_overflow) && \ | ||
| 46 | __has_builtin(__builtin_sub_overflow) | ||
| 47 | #define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1 | ||
| 48 | #endif | ||
diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h index b4bf73f5e38f..f1a7492a5cc8 100644 --- a/include/linux/compiler-gcc.h +++ b/include/linux/compiler-gcc.h | |||
| @@ -343,3 +343,7 @@ | |||
| 343 | * code | 343 | * code |
| 344 | */ | 344 | */ |
| 345 | #define uninitialized_var(x) x = x | 345 | #define uninitialized_var(x) x = x |
| 346 | |||
| 347 | #if GCC_VERSION >= 50100 | ||
| 348 | #define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1 | ||
| 349 | #endif | ||
diff --git a/include/linux/compiler-intel.h b/include/linux/compiler-intel.h index bfa08160db3a..547cdc920a3c 100644 --- a/include/linux/compiler-intel.h +++ b/include/linux/compiler-intel.h | |||
| @@ -44,3 +44,7 @@ | |||
| 44 | #define __builtin_bswap16 _bswap16 | 44 | #define __builtin_bswap16 _bswap16 |
| 45 | #endif | 45 | #endif |
| 46 | 46 | ||
| 47 | /* | ||
| 48 | * icc defines __GNUC__, but does not implement the builtin overflow checkers. | ||
| 49 | */ | ||
| 50 | #undef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW | ||
diff --git a/include/linux/overflow.h b/include/linux/overflow.h new file mode 100644 index 000000000000..c8890ec358a7 --- /dev/null +++ b/include/linux/overflow.h | |||
| @@ -0,0 +1,205 @@ | |||
| 1 | /* SPDX-License-Identifier: GPL-2.0 OR MIT */ | ||
| 2 | #ifndef __LINUX_OVERFLOW_H | ||
| 3 | #define __LINUX_OVERFLOW_H | ||
| 4 | |||
| 5 | #include <linux/compiler.h> | ||
| 6 | |||
| 7 | /* | ||
| 8 | * In the fallback code below, we need to compute the minimum and | ||
| 9 | * maximum values representable in a given type. These macros may also | ||
| 10 | * be useful elsewhere, so we provide them outside the | ||
| 11 | * COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block. | ||
| 12 | * | ||
| 13 | * It would seem more obvious to do something like | ||
| 14 | * | ||
| 15 | * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0) | ||
| 16 | * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0) | ||
| 17 | * | ||
| 18 | * Unfortunately, the middle expressions, strictly speaking, have | ||
| 19 | * undefined behaviour, and at least some versions of gcc warn about | ||
| 20 | * the type_max expression (but not if -fsanitize=undefined is in | ||
| 21 | * effect; in that case, the warning is deferred to runtime...). | ||
| 22 | * | ||
| 23 | * The slightly excessive casting in type_min is to make sure the | ||
| 24 | * macros also produce sensible values for the exotic type _Bool. [The | ||
| 25 | * overflow checkers only almost work for _Bool, but that's | ||
| 26 | * a-feature-not-a-bug, since people shouldn't be doing arithmetic on | ||
| 27 | * _Bools. Besides, the gcc builtins don't allow _Bool* as third | ||
| 28 | * argument.] | ||
| 29 | * | ||
| 30 | * Idea stolen from | ||
| 31 | * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html - | ||
| 32 | * credit to Christian Biere. | ||
| 33 | */ | ||
| 34 | #define is_signed_type(type) (((type)(-1)) < (type)1) | ||
| 35 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type))) | ||
| 36 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T))) | ||
| 37 | #define type_min(T) ((T)((T)-type_max(T)-(T)1)) | ||
| 38 | |||
| 39 | |||
| 40 | #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW | ||
| 41 | /* | ||
| 42 | * For simplicity and code hygiene, the fallback code below insists on | ||
| 43 | * a, b and *d having the same type (similar to the min() and max() | ||
| 44 | * macros), whereas gcc's type-generic overflow checkers accept | ||
| 45 | * different types. Hence we don't just make check_add_overflow an | ||
| 46 | * alias for __builtin_add_overflow, but add type checks similar to | ||
| 47 | * below. | ||
| 48 | */ | ||
| 49 | #define check_add_overflow(a, b, d) ({ \ | ||
| 50 | typeof(a) __a = (a); \ | ||
| 51 | typeof(b) __b = (b); \ | ||
| 52 | typeof(d) __d = (d); \ | ||
| 53 | (void) (&__a == &__b); \ | ||
| 54 | (void) (&__a == __d); \ | ||
| 55 | __builtin_add_overflow(__a, __b, __d); \ | ||
| 56 | }) | ||
| 57 | |||
| 58 | #define check_sub_overflow(a, b, d) ({ \ | ||
| 59 | typeof(a) __a = (a); \ | ||
| 60 | typeof(b) __b = (b); \ | ||
| 61 | typeof(d) __d = (d); \ | ||
| 62 | (void) (&__a == &__b); \ | ||
| 63 | (void) (&__a == __d); \ | ||
| 64 | __builtin_sub_overflow(__a, __b, __d); \ | ||
| 65 | }) | ||
| 66 | |||
| 67 | #define check_mul_overflow(a, b, d) ({ \ | ||
| 68 | typeof(a) __a = (a); \ | ||
| 69 | typeof(b) __b = (b); \ | ||
| 70 | typeof(d) __d = (d); \ | ||
| 71 | (void) (&__a == &__b); \ | ||
| 72 | (void) (&__a == __d); \ | ||
| 73 | __builtin_mul_overflow(__a, __b, __d); \ | ||
| 74 | }) | ||
| 75 | |||
| 76 | #else | ||
| 77 | |||
| 78 | |||
| 79 | /* Checking for unsigned overflow is relatively easy without causing UB. */ | ||
| 80 | #define __unsigned_add_overflow(a, b, d) ({ \ | ||
| 81 | typeof(a) __a = (a); \ | ||
| 82 | typeof(b) __b = (b); \ | ||
| 83 | typeof(d) __d = (d); \ | ||
| 84 | (void) (&__a == &__b); \ | ||
| 85 | (void) (&__a == __d); \ | ||
| 86 | *__d = __a + __b; \ | ||
| 87 | *__d < __a; \ | ||
| 88 | }) | ||
| 89 | #define __unsigned_sub_overflow(a, b, d) ({ \ | ||
| 90 | typeof(a) __a = (a); \ | ||
| 91 | typeof(b) __b = (b); \ | ||
| 92 | typeof(d) __d = (d); \ | ||
| 93 | (void) (&__a == &__b); \ | ||
| 94 | (void) (&__a == __d); \ | ||
| 95 | *__d = __a - __b; \ | ||
| 96 | __a < __b; \ | ||
| 97 | }) | ||
| 98 | /* | ||
| 99 | * If one of a or b is a compile-time constant, this avoids a division. | ||
| 100 | */ | ||
| 101 | #define __unsigned_mul_overflow(a, b, d) ({ \ | ||
| 102 | typeof(a) __a = (a); \ | ||
| 103 | typeof(b) __b = (b); \ | ||
| 104 | typeof(d) __d = (d); \ | ||
| 105 | (void) (&__a == &__b); \ | ||
| 106 | (void) (&__a == __d); \ | ||
| 107 | *__d = __a * __b; \ | ||
| 108 | __builtin_constant_p(__b) ? \ | ||
| 109 | __b > 0 && __a > type_max(typeof(__a)) / __b : \ | ||
| 110 | __a > 0 && __b > type_max(typeof(__b)) / __a; \ | ||
| 111 | }) | ||
| 112 | |||
| 113 | /* | ||
| 114 | * For signed types, detecting overflow is much harder, especially if | ||
| 115 | * we want to avoid UB. But the interface of these macros is such that | ||
| 116 | * we must provide a result in *d, and in fact we must produce the | ||
| 117 | * result promised by gcc's builtins, which is simply the possibly | ||
| 118 | * wrapped-around value. Fortunately, we can just formally do the | ||
| 119 | * operations in the widest relevant unsigned type (u64) and then | ||
| 120 | * truncate the result - gcc is smart enough to generate the same code | ||
| 121 | * with and without the (u64) casts. | ||
| 122 | */ | ||
| 123 | |||
| 124 | /* | ||
| 125 | * Adding two signed integers can overflow only if they have the same | ||
| 126 | * sign, and overflow has happened iff the result has the opposite | ||
| 127 | * sign. | ||
| 128 | */ | ||
| 129 | #define __signed_add_overflow(a, b, d) ({ \ | ||
| 130 | typeof(a) __a = (a); \ | ||
| 131 | typeof(b) __b = (b); \ | ||
| 132 | typeof(d) __d = (d); \ | ||
| 133 | (void) (&__a == &__b); \ | ||
| 134 | (void) (&__a == __d); \ | ||
| 135 | *__d = (u64)__a + (u64)__b; \ | ||
| 136 | (((~(__a ^ __b)) & (*__d ^ __a)) \ | ||
| 137 | & type_min(typeof(__a))) != 0; \ | ||
| 138 | }) | ||
| 139 | |||
| 140 | /* | ||
| 141 | * Subtraction is similar, except that overflow can now happen only | ||
| 142 | * when the signs are opposite. In this case, overflow has happened if | ||
| 143 | * the result has the opposite sign of a. | ||
| 144 | */ | ||
| 145 | #define __signed_sub_overflow(a, b, d) ({ \ | ||
| 146 | typeof(a) __a = (a); \ | ||
| 147 | typeof(b) __b = (b); \ | ||
| 148 | typeof(d) __d = (d); \ | ||
| 149 | (void) (&__a == &__b); \ | ||
| 150 | (void) (&__a == __d); \ | ||
| 151 | *__d = (u64)__a - (u64)__b; \ | ||
| 152 | ((((__a ^ __b)) & (*__d ^ __a)) \ | ||
| 153 | & type_min(typeof(__a))) != 0; \ | ||
| 154 | }) | ||
| 155 | |||
| 156 | /* | ||
| 157 | * Signed multiplication is rather hard. gcc always follows C99, so | ||
| 158 | * division is truncated towards 0. This means that we can write the | ||
| 159 | * overflow check like this: | ||
| 160 | * | ||
| 161 | * (a > 0 && (b > MAX/a || b < MIN/a)) || | ||
| 162 | * (a < -1 && (b > MIN/a || b < MAX/a) || | ||
| 163 | * (a == -1 && b == MIN) | ||
| 164 | * | ||
| 165 | * The redundant casts of -1 are to silence an annoying -Wtype-limits | ||
| 166 | * (included in -Wextra) warning: When the type is u8 or u16, the | ||
| 167 | * __b_c_e in check_mul_overflow obviously selects | ||
| 168 | * __unsigned_mul_overflow, but unfortunately gcc still parses this | ||
| 169 | * code and warns about the limited range of __b. | ||
| 170 | */ | ||
| 171 | |||
| 172 | #define __signed_mul_overflow(a, b, d) ({ \ | ||
| 173 | typeof(a) __a = (a); \ | ||
| 174 | typeof(b) __b = (b); \ | ||
| 175 | typeof(d) __d = (d); \ | ||
| 176 | typeof(a) __tmax = type_max(typeof(a)); \ | ||
| 177 | typeof(a) __tmin = type_min(typeof(a)); \ | ||
| 178 | (void) (&__a == &__b); \ | ||
| 179 | (void) (&__a == __d); \ | ||
| 180 | *__d = (u64)__a * (u64)__b; \ | ||
| 181 | (__b > 0 && (__a > __tmax/__b || __a < __tmin/__b)) || \ | ||
| 182 | (__b < (typeof(__b))-1 && (__a > __tmin/__b || __a < __tmax/__b)) || \ | ||
| 183 | (__b == (typeof(__b))-1 && __a == __tmin); \ | ||
| 184 | }) | ||
| 185 | |||
| 186 | |||
| 187 | #define check_add_overflow(a, b, d) \ | ||
| 188 | __builtin_choose_expr(is_signed_type(typeof(a)), \ | ||
| 189 | __signed_add_overflow(a, b, d), \ | ||
| 190 | __unsigned_add_overflow(a, b, d)) | ||
| 191 | |||
| 192 | #define check_sub_overflow(a, b, d) \ | ||
| 193 | __builtin_choose_expr(is_signed_type(typeof(a)), \ | ||
| 194 | __signed_sub_overflow(a, b, d), \ | ||
| 195 | __unsigned_sub_overflow(a, b, d)) | ||
| 196 | |||
| 197 | #define check_mul_overflow(a, b, d) \ | ||
| 198 | __builtin_choose_expr(is_signed_type(typeof(a)), \ | ||
| 199 | __signed_mul_overflow(a, b, d), \ | ||
| 200 | __unsigned_mul_overflow(a, b, d)) | ||
| 201 | |||
| 202 | |||
| 203 | #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ | ||
| 204 | |||
| 205 | #endif /* __LINUX_OVERFLOW_H */ | ||