Re: [PATCH v7 1/8] overflow: Move and add few utility macros into overflow

From: Jani Nikula
Date: Mon Aug 22 2022 - 07:02:13 EST


On Wed, 17 Aug 2022, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> On Thu, Aug 18, 2022 at 01:07:29AM +0200, Andi Shyti wrote:
>> Hi Kees,
>>
>> would you mind taking a look at this patch?
>
> Hi! Thanks for the heads-up!

Thanks for your review. This actually reaffirms my belief that we need
to get these macros out of i915_utils.h and into the common headers,
where we can get more eyes on them.

BR,
Jani.


>
>>
>> Thanks,
>> Andi
>>
>> On Tue, Aug 16, 2022 at 06:35:18PM +0900, Gwan-gyeong Mun wrote:
>> > It moves overflows_type utility macro into overflow header from i915_utils
>> > header. The overflows_type can be used to catch the truncation between data
>> > types. And it adds safe_conversion() macro which performs a type conversion
>> > (cast) of an source value into a new variable, checking that the
>> > destination is large enough to hold the source value. And the functionality
>> > of overflows_type has been improved to handle the signbit.
>> > The is_unsigned_type macro has been added to check the sign bit of the
>> > built-in type.
>> >
>> > v3: Add is_type_unsigned() macro (Mauro)
>> > Modify overflows_type() macro to consider signed data types (Mauro)
>> > Fix the problem that safe_conversion() macro always returns true
>> > v4: Fix kernel-doc markups
>> > v6: Move macro addition location so that it can be used by other than drm
>> > subsystem (Jani, Mauro, Andi)
>> > Change is_type_unsigned to is_unsigned_type to have the same name form
>> > as is_signed_type macro
>> >
>> > Signed-off-by: Gwan-gyeong Mun <gwan-gyeong.mun@xxxxxxxxx>
>> > Cc: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx>
>> > Cc: Matthew Auld <matthew.auld@xxxxxxxxx>
>> > Cc: Nirmoy Das <nirmoy.das@xxxxxxxxx>
>> > Cc: Jani Nikula <jani.nikula@xxxxxxxxx>
>> > Cc: Andi Shyti <andi.shyti@xxxxxxxxxxxxxxx>
>> > Reviewed-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx> (v5)
>> > ---
>> > drivers/gpu/drm/i915/i915_utils.h | 5 +--
>> > include/linux/overflow.h | 54 +++++++++++++++++++++++++++++++
>> > 2 files changed, 55 insertions(+), 4 deletions(-)
>> >
>> > diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h
>> > index c10d68cdc3ca..eb0ded23fa9c 100644
>> > --- a/drivers/gpu/drm/i915/i915_utils.h
>> > +++ b/drivers/gpu/drm/i915/i915_utils.h
>> > @@ -32,6 +32,7 @@
>> > #include <linux/types.h>
>> > #include <linux/workqueue.h>
>> > #include <linux/sched/clock.h>
>> > +#include <linux/overflow.h>
>> >
>> > #ifdef CONFIG_X86
>> > #include <asm/hypervisor.h>
>> > @@ -111,10 +112,6 @@ bool i915_error_injected(void);
>> > #define range_overflows_end_t(type, start, size, max) \
>> > range_overflows_end((type)(start), (type)(size), (type)(max))
>> >
>> > -/* Note we don't consider signbits :| */
>> > -#define overflows_type(x, T) \
>> > - (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
>> > -
>> > #define ptr_mask_bits(ptr, n) ({ \
>> > unsigned long __v = (unsigned long)(ptr); \
>> > (typeof(ptr))(__v & -BIT(n)); \
>> > diff --git a/include/linux/overflow.h b/include/linux/overflow.h
>> > index f1221d11f8e5..462a03454377 100644
>> > --- a/include/linux/overflow.h
>> > +++ b/include/linux/overflow.h
>> > @@ -35,6 +35,60 @@
>> > #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
>> > #define type_min(T) ((T)((T)-type_max(T)-(T)1))
>> >
>> > +/**
>> > + * is_unsigned_type - helper for checking data type which is an unsigned data
>> > + * type or not
>> > + * @x: The data type to check
>> > + *
>> > + * Returns:
>> > + * True if the data type is an unsigned data type, false otherwise.
>> > + */
>> > +#define is_unsigned_type(x) ((typeof(x))-1 >= (typeof(x))0)
>
> I'd rather not have separate logic for this. Instead, I'd like it to be:
>
> #define is_unsigned_type(x) (!is_signed_type(x))
>
>> > +
>> > +/**
>> > + * overflows_type - helper for checking the truncation between data types
>> > + * @x: Source for overflow type comparison
>> > + * @T: Destination for overflow type comparison
>> > + *
>> > + * It compares the values and size of each data type between the first and
>> > + * second argument to check whether truncation can occur when assigning the
>> > + * first argument to the variable of the second argument.
>> > + * Source and Destination can be used with or without sign bit.
>> > + * Composite data structures such as union and structure are not considered.
>> > + * Enum data types are not considered.
>> > + * Floating point data types are not considered.
>> > + *
>> > + * Returns:
>> > + * True if truncation can occur, false otherwise.
>> > + */
>> > +#define overflows_type(x, T) \
>> > + (is_unsigned_type(x) ? \
>> > + is_unsigned_type(T) ? \
>> > + (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T)) ? 1 : 0 \
>> > + : (sizeof(x) >= sizeof(T) && (x) >> (BITS_PER_TYPE(T) - 1)) ? 1 : 0 \
>> > + : is_unsigned_type(T) ? \
>> > + ((x) < 0) ? 1 : (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T)) ? 1 : 0 \
>> > + : (sizeof(x) > sizeof(T)) ? \
>> > + ((x) < 0) ? (((x) * -1) >> BITS_PER_TYPE(T)) ? 1 : 0 \
>> > + : ((x) >> BITS_PER_TYPE(T)) ? 1 : 0 \
>> > + : 0)
>
> Like the other, I'd much rather this was rephrased in terms of the
> existing macros (e.g. type_min()/type_max().)
>
>> > +
>> > +/**
>> > + * safe_conversion - perform a type conversion (cast) of an source value into
>> > + * a new variable, checking that the destination is large enough to hold the
>> > + * source value.
>> > + * @ptr: Destination pointer address
>> > + * @value: Source value
>> > + *
>> > + * Returns:
>> > + * If the value would overflow the destination, it returns false.
>> > + */
>> > +#define safe_conversion(ptr, value) ({ \
>> > + typeof(value) __v = (value); \
>> > + typeof(ptr) __ptr = (ptr); \
>> > + overflows_type(__v, *__ptr) ? 0 : ((*__ptr = (typeof(*__ptr))__v), 1); \
>> > +})
>
> I try to avoid "safe" as an adjective for interface names, since it
> doesn't really answer "safe from what?" This looks more like "assign, but
> zero when out of bounds". And it can be built from existing macros here:
>
> if (check_add_overflow(0, value, ptr))
> *ptr = 0;
>
> I actually want to push back on this a bit, because there can still be
> logic bugs built around this kind of primitive. Shouldn't out-of-bounds
> assignments be seen as a direct failure? I would think this would be
> sufficient:
>
> #define check_assign(value, ptr) check_add_overflow(0, value, ptr)
>
> And callers would do:
>
> if (check_assign(value, &var))
> return -EINVAL;
>
> etc.

--
Jani Nikula, Intel Open Source Graphics Center