From: Kees Cook <keescook@chromium.org> To: Andrew Morton <akpm@linux-foundation.org> Cc: linux-kernel@vger.kernel.org, Josh Poimboeuf <jpoimboe@redhat.com>, Rasmus Villemoes <linux@rasmusvillemoes.dk>, "Gustavo A. R. Silva" <gustavo@embeddedor.com>, "Tobin C. Harding" <me@tobin.cc>, Steven Rostedt <rostedt@goodmis.org>, Jonathan Corbet <corbet@lwn.net>, Chris Mason <clm@fb.com>, Josef Bacik <jbacik@fb.com>, David Sterba <dsterba@suse.com>, "David S. Miller" <davem@davemloft.net>, Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>, Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>, Ingo Molnar <mingo@kernel.org>, Peter Zijlstra <peterz@infradead.org>, Thomas Gleixner <tglx@linutronix.de>, Masahiro Yamada <yamada.masahiro@socionext.com>, Borislav Petkov <bp@suse.de>, Randy Dunlap <rdunlap@infradead.org>, Ian Abbott <abbotti@mev.co.uk>, Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>, Petr Mladek <pmladek@suse.com>, Andy Shevchenko <andriy.shevchenko@linux.intel.com>, Pantelis Antoniou <pantelis.antoniou@konsulko.com>, Linux Btrfs <linux-btrfs@vger.kernel.org>, Network Development <netdev@vger.kernel.org>, Kernel Hardening <kernel-hardening@lists.openwall.com> Subject: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max() Date: Fri, 9 Mar 2018 12:05:36 -0800 [thread overview] Message-ID: <20180309200536.GA5670@beast> (raw) When max() is used in stack array size calculations from literal values (e.g. "char foo[max(sizeof(struct1), sizeof(struct2))]", the compiler thinks this is a dynamic calculation due to the single-eval logic, which is not needed in the literal case. This change removes several accidental stack VLAs from an x86 allmodconfig build: $ diff -u before.txt after.txt | grep ^- -drivers/input/touchscreen/cyttsp4_core.c:871:2: warning: ISO C90 forbids variable length array ‘ids’ [-Wvla] -fs/btrfs/tree-checker.c:344:4: warning: ISO C90 forbids variable length array ‘namebuf’ [-Wvla] -lib/vsprintf.c:747:2: warning: ISO C90 forbids variable length array ‘sym’ [-Wvla] -net/ipv4/proc.c:403:2: warning: ISO C90 forbids variable length array ‘buff’ [-Wvla] -net/ipv6/proc.c:198:2: warning: ISO C90 forbids variable length array ‘buff’ [-Wvla] -net/ipv6/proc.c:218:2: warning: ISO C90 forbids variable length array ‘buff64’ [-Wvla] Based on an earlier patch from Josh Poimboeuf. Signed-off-by: Kees Cook <keescook@chromium.org> --- v3: - drop __builtin_types_compatible_p() (Rasmus, Linus) v2: - fix copy/paste-o max1_/max2_ (ijc) - clarify "compile-time" constant in comment (Rasmus) - clean up formatting on min_t()/max_t() --- include/linux/kernel.h | 48 ++++++++++++++++++++++++++++++------------------ 1 file changed, 30 insertions(+), 18 deletions(-) diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 3fd291503576..a0fca4deb3ab 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -787,37 +787,55 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { } * strict type-checking.. See the * "unnecessary" pointer comparison. */ -#define __min(t1, t2, min1, min2, x, y) ({ \ +#define __single_eval_min(t1, t2, min1, min2, x, y) ({ \ t1 min1 = (x); \ t2 min2 = (y); \ (void) (&min1 == &min2); \ min1 < min2 ? min1 : min2; }) +/* + * In the case of compile-time constant values, there is no need to do + * the double-evaluation protection, so the raw comparison can be made. + * This allows min()/max() to be used in stack array allocations and + * avoid the compiler thinking it is a dynamic value leading to an + * accidental VLA. + */ +#define __min(t1, t2, x, y) \ + __builtin_choose_expr(__builtin_constant_p(x) && \ + __builtin_constant_p(y), \ + (t1)(x) < (t2)(y) ? (t1)(x) : (t2)(y), \ + __single_eval_min(t1, t2, \ + __UNIQUE_ID(min1_), \ + __UNIQUE_ID(min2_), \ + x, y)) + /** * min - return minimum of two values of the same or compatible types * @x: first value * @y: second value */ -#define min(x, y) \ - __min(typeof(x), typeof(y), \ - __UNIQUE_ID(min1_), __UNIQUE_ID(min2_), \ - x, y) +#define min(x, y) __min(typeof(x), typeof(y), x, y) -#define __max(t1, t2, max1, max2, x, y) ({ \ +#define __single_eval_max(t1, t2, max1, max2, x, y) ({ \ t1 max1 = (x); \ t2 max2 = (y); \ (void) (&max1 == &max2); \ max1 > max2 ? max1 : max2; }) +#define __max(t1, t2, x, y) \ + __builtin_choose_expr(__builtin_constant_p(x) && \ + __builtin_constant_p(y), \ + (t1)(x) > (t2)(y) ? (t1)(x) : (t2)(y), \ + __single_eval_max(t1, t2, \ + __UNIQUE_ID(max1_), \ + __UNIQUE_ID(max2_), \ + x, y)) /** * max - return maximum of two values of the same or compatible types * @x: first value * @y: second value */ -#define max(x, y) \ - __max(typeof(x), typeof(y), \ - __UNIQUE_ID(max1_), __UNIQUE_ID(max2_), \ - x, y) +#define max(x, y) __max(typeof(x), typeof(y), x, y) /** * min3 - return minimum of three values @@ -869,10 +887,7 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { } * @x: first value * @y: second value */ -#define min_t(type, x, y) \ - __min(type, type, \ - __UNIQUE_ID(min1_), __UNIQUE_ID(min2_), \ - x, y) +#define min_t(type, x, y) __min(type, type, x, y) /** * max_t - return maximum of two values, using the specified type @@ -880,10 +895,7 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { } * @x: first value * @y: second value */ -#define max_t(type, x, y) \ - __max(type, type, \ - __UNIQUE_ID(min1_), __UNIQUE_ID(min2_), \ - x, y) +#define max_t(type, x, y) __max(type, type, x, y) /** * clamp_t - return a value clamped to a given range using a given type -- 2.7.4 -- Kees Cook Pixel Security
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org> To: Andrew Morton <akpm@linux-foundation.org> Cc: linux-kernel@vger.kernel.org, Josh Poimboeuf <jpoimboe@redhat.com>, Rasmus Villemoes <linux@rasmusvillemoes.dk>, "Gustavo A. R. Silva" <gustavo@embeddedor.com>, "Tobin C. Harding" <me@tobin.cc>, Steven Rostedt <rostedt@goodmis.org>, Jonathan Corbet <corbet@lwn.net>, Chris Mason <clm@fb.com>, Josef Bacik <jbacik@fb.com>, David Sterba <dsterba@suse.com>, "David S. Miller" <davem@davemloft.net>, Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>, Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>, Ingo Molnar <mingo@kernel.org>, Peter Zijlstra <peterz@infradead.org>, Thomas Gleixner <tglx@linutronix.de>, Masahiro Yamada <yamada.masahiro@socionext.com>, Borislav Petkov <bp@suse.de>, Randy Dunlap <rdunlap@infradead.org>, Ian Abbott <abbotti@mev.co.uk>, Sergey Senozhatsky < Subject: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max() Date: Fri, 9 Mar 2018 12:05:36 -0800 [thread overview] Message-ID: <20180309200536.GA5670@beast> (raw) When max() is used in stack array size calculations from literal values (e.g. "char foo[max(sizeof(struct1), sizeof(struct2))]", the compiler thinks this is a dynamic calculation due to the single-eval logic, which is not needed in the literal case. This change removes several accidental stack VLAs from an x86 allmodconfig build: $ diff -u before.txt after.txt | grep ^- -drivers/input/touchscreen/cyttsp4_core.c:871:2: warning: ISO C90 forbids variable length array ‘ids’ [-Wvla] -fs/btrfs/tree-checker.c:344:4: warning: ISO C90 forbids variable length array ‘namebuf’ [-Wvla] -lib/vsprintf.c:747:2: warning: ISO C90 forbids variable length array ‘sym’ [-Wvla] -net/ipv4/proc.c:403:2: warning: ISO C90 forbids variable length array ‘buff’ [-Wvla] -net/ipv6/proc.c:198:2: warning: ISO C90 forbids variable length array ‘buff’ [-Wvla] -net/ipv6/proc.c:218:2: warning: ISO C90 forbids variable length array ‘buff64’ [-Wvla] Based on an earlier patch from Josh Poimboeuf. Signed-off-by: Kees Cook <keescook@chromium.org> --- v3: - drop __builtin_types_compatible_p() (Rasmus, Linus) v2: - fix copy/paste-o max1_/max2_ (ijc) - clarify "compile-time" constant in comment (Rasmus) - clean up formatting on min_t()/max_t() --- include/linux/kernel.h | 48 ++++++++++++++++++++++++++++++------------------ 1 file changed, 30 insertions(+), 18 deletions(-) diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 3fd291503576..a0fca4deb3ab 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -787,37 +787,55 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { } * strict type-checking.. See the * "unnecessary" pointer comparison. */ -#define __min(t1, t2, min1, min2, x, y) ({ \ +#define __single_eval_min(t1, t2, min1, min2, x, y) ({ \ t1 min1 = (x); \ t2 min2 = (y); \ (void) (&min1 == &min2); \ min1 < min2 ? min1 : min2; }) +/* + * In the case of compile-time constant values, there is no need to do + * the double-evaluation protection, so the raw comparison can be made. + * This allows min()/max() to be used in stack array allocations and + * avoid the compiler thinking it is a dynamic value leading to an + * accidental VLA. + */ +#define __min(t1, t2, x, y) \ + __builtin_choose_expr(__builtin_constant_p(x) && \ + __builtin_constant_p(y), \ + (t1)(x) < (t2)(y) ? (t1)(x) : (t2)(y), \ + __single_eval_min(t1, t2, \ + __UNIQUE_ID(min1_), \ + __UNIQUE_ID(min2_), \ + x, y)) + /** * min - return minimum of two values of the same or compatible types * @x: first value * @y: second value */ -#define min(x, y) \ - __min(typeof(x), typeof(y), \ - __UNIQUE_ID(min1_), __UNIQUE_ID(min2_), \ - x, y) +#define min(x, y) __min(typeof(x), typeof(y), x, y) -#define __max(t1, t2, max1, max2, x, y) ({ \ +#define __single_eval_max(t1, t2, max1, max2, x, y) ({ \ t1 max1 = (x); \ t2 max2 = (y); \ (void) (&max1 == &max2); \ max1 > max2 ? max1 : max2; }) +#define __max(t1, t2, x, y) \ + __builtin_choose_expr(__builtin_constant_p(x) && \ + __builtin_constant_p(y), \ + (t1)(x) > (t2)(y) ? (t1)(x) : (t2)(y), \ + __single_eval_max(t1, t2, \ + __UNIQUE_ID(max1_), \ + __UNIQUE_ID(max2_), \ + x, y)) /** * max - return maximum of two values of the same or compatible types * @x: first value * @y: second value */ -#define max(x, y) \ - __max(typeof(x), typeof(y), \ - __UNIQUE_ID(max1_), __UNIQUE_ID(max2_), \ - x, y) +#define max(x, y) __max(typeof(x), typeof(y), x, y) /** * min3 - return minimum of three values @@ -869,10 +887,7 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { } * @x: first value * @y: second value */ -#define min_t(type, x, y) \ - __min(type, type, \ - __UNIQUE_ID(min1_), __UNIQUE_ID(min2_), \ - x, y) +#define min_t(type, x, y) __min(type, type, x, y) /** * max_t - return maximum of two values, using the specified type @@ -880,10 +895,7 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { } * @x: first value * @y: second value */ -#define max_t(type, x, y) \ - __max(type, type, \ - __UNIQUE_ID(min1_), __UNIQUE_ID(min2_), \ - x, y) +#define max_t(type, x, y) __max(type, type, x, y) /** * clamp_t - return a value clamped to a given range using a given type -- 2.7.4 -- Kees Cook Pixel Security
next reply other threads:[~2018-03-09 20:05 UTC|newest] Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-03-09 20:05 Kees Cook [this message] 2018-03-09 20:05 ` [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max() Kees Cook 2018-03-09 21:10 ` Linus Torvalds 2018-03-09 21:10 ` Linus Torvalds 2018-03-09 21:47 ` Kees Cook 2018-03-09 21:47 ` Kees Cook 2018-03-11 22:46 ` Tobin C. Harding 2018-03-11 22:46 ` Tobin C. Harding 2018-03-11 22:46 ` Tobin C. Harding 2018-03-13 13:31 ` David Laight 2018-03-13 13:31 ` David Laight 2018-03-10 0:07 ` Andrew Morton 2018-03-10 0:07 ` Andrew Morton 2018-03-10 0:28 ` Linus Torvalds 2018-03-10 0:28 ` Linus Torvalds 2018-03-10 0:32 ` Andrew Morton 2018-03-10 0:32 ` Andrew Morton 2018-03-10 0:38 ` Linus Torvalds 2018-03-10 0:38 ` Linus Torvalds 2018-03-10 1:30 ` Kees Cook 2018-03-10 1:30 ` Kees Cook 2018-03-10 1:31 ` Kees Cook 2018-03-10 1:31 ` Kees Cook 2018-03-10 2:37 ` Linus Torvalds 2018-03-10 2:37 ` Linus Torvalds 2018-03-12 22:55 ` Andrew Morton 2018-03-12 22:55 ` Andrew Morton 2018-03-12 23:57 ` Linus Torvalds 2018-03-12 23:57 ` Linus Torvalds 2018-03-13 4:28 ` Kees Cook 2018-03-13 4:28 ` Kees Cook 2018-03-13 21:02 ` Andrew Morton 2018-03-13 21:02 ` Andrew Morton 2018-03-13 22:14 ` Kees Cook 2018-03-13 22:14 ` Kees Cook 2018-03-14 11:35 ` David Laight 2018-03-14 11:35 ` David Laight 2018-03-10 3:11 ` Randy Dunlap 2018-03-10 3:11 ` Randy Dunlap 2018-03-10 6:10 ` Miguel Ojeda 2018-03-10 6:10 ` Miguel Ojeda 2018-03-10 7:03 ` Miguel Ojeda 2018-03-10 7:03 ` Miguel Ojeda 2018-03-10 16:04 ` Linus Torvalds 2018-03-10 16:04 ` Linus Torvalds 2018-03-10 15:33 ` Kees Cook 2018-03-10 15:33 ` Kees Cook 2018-03-10 16:11 ` Linus Torvalds 2018-03-10 16:11 ` Linus Torvalds 2018-03-10 16:30 ` Linus Torvalds 2018-03-10 16:30 ` Linus Torvalds 2018-03-10 17:34 ` Miguel Ojeda 2018-03-10 17:34 ` Miguel Ojeda 2018-03-10 17:51 ` Linus Torvalds 2018-03-10 17:51 ` Linus Torvalds 2018-03-10 19:08 ` Miguel Ojeda 2018-03-10 19:08 ` Miguel Ojeda 2018-03-11 11:05 ` Ingo Molnar 2018-03-11 11:05 ` Ingo Molnar 2018-03-11 18:23 ` Linus Torvalds 2018-03-11 18:23 ` Linus Torvalds 2018-03-10 2:34 [PATCH 0/3] tracing: Rewrite the function filter code Steven Rostedt 2018-03-10 2:34 ` [PATCH 1/3] tracing: Combine enum and arrays into single macro in " Steven Rostedt 2018-03-12 10:31 ` Masami Hiramatsu 2018-03-10 2:34 ` [PATCH 2/3] tracing: Clean up and document pred_funcs_##type creation and use Steven Rostedt 2018-03-12 13:42 ` Masami Hiramatsu 2018-03-10 2:34 ` [PATCH 3/3] tracing: Rewrite filter logic to be simpler and faster Steven Rostedt 2018-03-10 3:10 ` Steven Rostedt 2018-03-10 3:10 ` Steven Rostedt 2018-03-10 3:15 ` Steven Rostedt 2018-03-10 3:15 ` Steven Rostedt 2018-03-10 3:22 ` Steven Rostedt 2018-03-10 3:22 ` Steven Rostedt 2018-03-10 3:18 ` Steven Rostedt 2018-03-12 12:42 ` Jiri Olsa 2018-03-12 18:38 ` Steven Rostedt 2018-03-12 15:10 ` Jiri Olsa 2018-03-12 18:40 ` Steven Rostedt 2018-03-12 18:54 ` Jiri Olsa 2018-03-12 19:10 ` Steven Rostedt 2018-03-12 23:52 ` Steven Rostedt 2018-03-13 10:14 ` Jiri Olsa 2018-03-13 14:12 ` Steven Rostedt 2018-03-13 14:27 ` Jiri Olsa 2018-03-11 19:54 ` [PATCH 0/3] tracing: Rewrite the function filter code Jiri Olsa
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20180309200536.GA5670@beast \ --to=keescook@chromium.org \ --cc=abbotti@mev.co.uk \ --cc=akpm@linux-foundation.org \ --cc=andriy.shevchenko@linux.intel.com \ --cc=bp@suse.de \ --cc=clm@fb.com \ --cc=corbet@lwn.net \ --cc=davem@davemloft.net \ --cc=dsterba@suse.com \ --cc=gustavo@embeddedor.com \ --cc=jbacik@fb.com \ --cc=jpoimboe@redhat.com \ --cc=kernel-hardening@lists.openwall.com \ --cc=kuznet@ms2.inr.ac.ru \ --cc=linux-btrfs@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux@rasmusvillemoes.dk \ --cc=me@tobin.cc \ --cc=mingo@kernel.org \ --cc=netdev@vger.kernel.org \ --cc=pantelis.antoniou@konsulko.com \ --cc=peterz@infradead.org \ --cc=pmladek@suse.com \ --cc=rdunlap@infradead.org \ --cc=rostedt@goodmis.org \ --cc=sergey.senozhatsky.work@gmail.com \ --cc=tglx@linutronix.de \ --cc=yamada.masahiro@socionext.com \ --cc=yoshfuji@linux-ipv6.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.