From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-185.mta1.migadu.com (out-185.mta1.migadu.com [95.215.58.185]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C17A55220 for ; Tue, 23 Jan 2024 05:13:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.185 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705986796; cv=none; b=JVCocwQfeHwb0qJkeSiMJMJp2xo3BjqGYizblObzAAkT/IW/mv4revToZkIrh3KR1JWCqIJ35BmHS4xpkg6LXpe4NNLrvBn6LYrrtZaOE1+W7lje+KYBb8blSQJHDb5d5tFtUN0KyJsZwWa4gRbUArHRMSNNwUrr5myiVj6nEg4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705986796; c=relaxed/simple; bh=t/KCU56R+dFtiwauwVUeRePUW1od4vVajaPW4USQIi8=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=TnM/X20zu2kQaTJ6gTw/MiJ5JTsxc6UyGegM4SDTE+1oZptiNrlmaZOENGLpcFHKFakB5nfhn/01h0/2NoSJAAIKNOh1gioUUKqzr6EqVfJ2jFcC3K+QYVL0UKPchPD+XyQQI8k+G9dYwcR5QoAyNJBOc/O4N9+alfCtiOXOoGU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=oWXuMBV4; arc=none smtp.client-ip=95.215.58.185 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="oWXuMBV4" Message-ID: <58625a60-af4e-4a90-bd65-5fb6c0822d33@linux.dev> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1705986791; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=T4kzbtw5h/pedHWa9T6Y5qZbauanbD5GJ6RoxeeZneA=; b=oWXuMBV4FcP3nvy9Nz9ix5sFWm1QrSwt/+YGRq++nDb+lsSTSNxjyxF0fViB6xAzxCO/jK Ebn0cpQcYtl4ztX1PJAM4NsHj0t64bxJUmvA8QCbeTEFHK2ZqoAHihZEdTNtNRYEDVe7Fa BHyhEo3ktoe1nAXPA+0hOr9rPfjBnGY= Date: Mon, 22 Jan 2024 21:13:05 -0800 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Subject: Re: [PATCH 43/82] bpf: Refactor intentional wrap-around test Content-Language: en-GB To: Kees Cook , Kees Cook , linux-hardening@vger.kernel.org Cc: Alexei Starovoitov , Daniel Borkmann , John Fastabend , Andrii Nakryiko , Martin KaFai Lau , Song Liu , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , bpf@vger.kernel.org, "Gustavo A. R. Silva" , Bill Wendling , Justin Stitt , linux-kernel@vger.kernel.org References: <20240122235208.work.748-kees@kernel.org> <20240123002814.1396804-43-keescook@chromium.org> <15d65e11-d957-4b03-bec3-0dcd58b50f97@linux.dev> <6CE08B7D-7E0C-45E2-8A6B-32691BE40D08@kernel.org> X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Yonghong Song In-Reply-To: <6CE08B7D-7E0C-45E2-8A6B-32691BE40D08@kernel.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Migadu-Flow: FLOW_OUT On 1/22/24 8:07 PM, Kees Cook wrote: > > On January 22, 2024 8:00:26 PM PST, Yonghong Song wrote: >> On 1/22/24 4:27 PM, Kees Cook wrote: >>> In an effort to separate intentional arithmetic wrap-around from >>> unexpected wrap-around, we need to refactor places that depend on this >>> kind of math. One of the most common code patterns of this is: >>> >>> VAR + value < VAR >>> >>> Notably, this is considered "undefined behavior" for signed and pointer >>> types, which the kernel works around by using the -fno-strict-overflow >>> option in the build[1] (which used to just be -fwrapv). Regardless, we >>> want to get the kernel source to the position where we can meaningfully >>> instrument arithmetic wrap-around conditions and catch them when they >>> are unexpected, regardless of whether they are signed[2], unsigned[3], >>> or pointer[4] types. >>> >>> Refactor open-coded wrap-around addition test to use add_would_overflow(). >>> This paves the way to enabling the wrap-around sanitizers in the future. >>> >>> Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] >>> Link: https://github.com/KSPP/linux/issues/26 [2] >>> Link: https://github.com/KSPP/linux/issues/27 [3] >>> Link: https://github.com/KSPP/linux/issues/344 [4] >>> Cc: Alexei Starovoitov >>> Cc: Daniel Borkmann >>> Cc: John Fastabend >>> Cc: Andrii Nakryiko >>> Cc: Martin KaFai Lau >>> Cc: Song Liu >>> Cc: Yonghong Song >>> Cc: KP Singh >>> Cc: Stanislav Fomichev >>> Cc: Hao Luo >>> Cc: Jiri Olsa >>> Cc: bpf@vger.kernel.org >>> Signed-off-by: Kees Cook >>> --- >>> kernel/bpf/verifier.c | 12 ++++++------ >>> 1 file changed, 6 insertions(+), 6 deletions(-) >>> >>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c >>> index 65f598694d55..21e3f30c8757 100644 >>> --- a/kernel/bpf/verifier.c >>> +++ b/kernel/bpf/verifier.c >>> @@ -12901,8 +12901,8 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, >>> dst_reg->smin_value = smin_ptr + smin_val; >>> dst_reg->smax_value = smax_ptr + smax_val; >>> } >>> - if (umin_ptr + umin_val < umin_ptr || >>> - umax_ptr + umax_val < umax_ptr) { >>> + if (add_would_overflow(umin_ptr, umin_val) || >>> + add_would_overflow(umax_ptr, umax_val)) { >> Maybe you could give a reference to the definition of add_would_overflow()? >> A link or a patch with add_would_overflow() defined cc'ed to bpf program. > Sure! It was earlier in the series: > https://lore.kernel.org/linux-hardening/20240123002814.1396804-2-keescook@chromium.org/ > > The cover letter also has more details: > https://lore.kernel.org/linux-hardening/20240122235208.work.748-kees@kernel.org/ Thanks for the pointer. Acked-by: Yonghong Song > >> The patch itselfs looks good to me. > Thanks! > > -Kees >