[PATCH v7 1/8] overflow: Move and add few utility macros into overflow

Gwan-gyeong Mun gwan-gyeong.mun at intel.com
Tue Aug 23 02:30:54 UTC 2022



On 8/23/22 5:12 AM, Kees Cook wrote:
> On Tue, Aug 23, 2022 at 04:32:10AM +0900, Gwan-gyeong Mun wrote:
>> On 8/22/22 11:05 PM, Andrzej Hajda wrote:
>>> On 18.08.2022 02:12, Kees Cook wrote:
>>>> On Thu, Aug 18, 2022 at 01:07:29AM +0200, Andi Shyti wrote:
>>>>> [...]
>>>>>> +#define safe_conversion(ptr, value) ({ \
>>>>>> +    typeof(value) __v = (value); \
>>>>>> +    typeof(ptr) __ptr = (ptr); \
>>>>>> +    overflows_type(__v, *__ptr) ? 0 : ((*__ptr =
>>>>>> (typeof(*__ptr))__v), 1); \
>>>>>> +})
>>>>
>>>> I try to avoid "safe" as an adjective for interface names, since it
>>>> doesn't really answer "safe from what?" This looks more like "assign, but
>>>> zero when out of bounds". And it can be built from existing macros here:
>>>>
>>>>      if (check_add_overflow(0, value, ptr))
>>>>          *ptr = 0;
>>>>
>>>> I actually want to push back on this a bit, because there can still be
>>>> logic bugs built around this kind of primitive. Shouldn't out-of-bounds
>>>> assignments be seen as a direct failure? I would think this would be
>>>> sufficient:
>>>>
>>>> #define check_assign(value, ptr)    check_add_overflow(0, value, ptr)
>>>>
>>>> And callers would do:
>>>>
>>>>      if (check_assign(value, &var))
>>>>          return -EINVAL;
>>>>
>> Yes, I also like check_assign() you suggested more than safe_conversion.
>> As shown below, it would be more readable to return true when assign
>> succeeds and false when it fails. What do you think?
> 
> No, this inverts the style of all the other check_*() functions, so it
> should remain "non-zero is failure".
> 
Hi Kees,
Yes, I will not invert this part as you commented.
>> /**
>>   * check_assign - perform a type conversion (cast) of an source value into
>>   * a new variable, checking that the destination is large enough to hold the
>>   * source value.
>>   *
>>   * @value: Source value
>>   * @ptr: Destination pointer address, If the pointer type is not used, a
>> warning message is output during build.
>>   *
>>   * Returns:
>>   * If the value would overflow the destination, it returns false. If not
>> return true.
>>   */
>> #define check_assign(value, ptr) __must_check_overflow(({	\
>> 	typecheck_pointer(ptr); 		\
>> 	!__builtin_add_overflow(0, value, ptr);	\
>> }))
> 
> Please don't use the __builtin*s, instead stick to the check_* family,
> as they correctly wrap the builtins and perform type checking, etc. As
> mentioned, check_assign() should just be:
> 
> #define check_assign(value, ptr)    check_add_overflow(0, value, ptr)
> 
> I don't think any of the other code is needed? What's the use-case for
> the other stuff? i.e. Why does anything need overflows_type()?
> 
And, the reason for using the __builtin_add_overflow() built-in function 
directly instead of using the check_add_overflow() function is ,

#define check_add_overflow(a, b, d) __must_check_overflow(({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	__builtin_add_overflow(__a, __b, __d);	\
}))

In this part of the implementation of check_add_overflow()
	(void) (&__a == &__b);
	(void) (&__a == __d);


When comparing the pointer types of a, b, and d, if the pointer types of 
source and ptr in check_assign() are different, a warning may occur when 
building, I used the __builtin_add_overflow() built-in function directly.

Br,

G.G.
> -Kees
> 


More information about the dri-devel mailing list