    overflow: Implement size_t saturating arithmetic helpers · e1be43d9
    Kees Cook authored
    In order to perform more open-coded replacements of common allocation
    size arithmetic, the kernel needs saturating (SIZE_MAX) helpers for
    multiplication, addition, and subtraction. For example, it is common in
    allocators, especially on realloc, to add to an existing size:
    
        p = krealloc(map->patch,
                     sizeof(struct reg_sequence) * (map->patch_regs + num_regs),
                     GFP_KERNEL);
    
    There is no existing saturating replacement for this calculation, and
    just leaving the addition open coded inside array_size() could
    potentially overflow as well. For example, an overflow in an expression
    for a size_t argument might wrap to zero:
    
        array_size(anything, something_at_size_max + 1) == 0
    
    Introduce size_mul(), size_add(), and size_sub() helpers that
    implicitly promote arguments to size_t and perform saturating calculations for
    use in allocations. With these helpers it is also possible to redefine
    array_size(), array3_size(), flex_array_size(), and struct_size() in
    terms of the new helpers.
    
    As with the check_*_overflow() helpers, the new helpers use __must_check,
    though what is really desired is a way to make sure that assignment is
    only to a size_t lvalue. Without this, it's still possible to introduce
    overflow/underflow via type conversion (i.e. from size_t to int).
    Enforcing this will currently need to be left to static analysis or
    future use of -Wconversion.
    
    Additionally update the overflow unit tests to force runtime evaluation
    for the pathological cases.
    
    Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
    Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
    Cc: Nathan Chancellor <nathan@kernel.org>
    Cc: Jason Gunthorpe <jgg@ziepe.ca>
    Cc: Nick Desaulniers <ndesaulniers@google.com>
    Cc: Leon Romanovsky <leon@kernel.org>
    Cc: Keith Busch <kbusch@kernel.org>
    Cc: Len Baker <len.baker@gmx.com>
    Signed-off-by: Kees Cook <keescook@chromium.org>
overflow.h 7.52 KB
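The following is a userspace re-creation of the helpers the commit message describes, added here as an illustration; it is not the kernel's overflow.h. It shows the three saturating primitives, array_size()/array3_size()/flex_array_size()/struct_size() expressed on top of them, and the regmap-style krealloc() size calculation written both open-coded (where SIZE_MAX + 1 wraps to zero before the multiplication sees it) and saturating. The struct reg_sequence and struct patch_buf layouts, grow_patch() and the selftest are constructed for this example and do not come from the commit.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Example re-creation of the saturating helpers, not the kernel's code.
 * Each takes size_t, so narrower arguments are promoted before any
 * arithmetic happens, and each clamps to SIZE_MAX on overflow/underflow,
 * a size no allocator will ever satisfy.
 */
#define __must_check __attribute__((warn_unused_result))

static inline size_t __must_check size_mul(size_t a, size_t b)
{
    size_t r;
    return __builtin_mul_overflow(a, b, &r) ? SIZE_MAX : r;
}

static inline size_t __must_check size_add(size_t a, size_t b)
{
    size_t r;
    return __builtin_add_overflow(a, b, &r) ? SIZE_MAX : r;
}

/* An already-saturated input stays saturated; a < b also saturates. */
static inline size_t __must_check size_sub(size_t a, size_t b)
{
    size_t r;
    if (a == SIZE_MAX || b == SIZE_MAX || __builtin_sub_overflow(a, b, &r))
        return SIZE_MAX;
    return r;
}

/* The array/struct helpers built from the saturating primitives. */
#define array_size(a, b)          size_mul((a), (b))
#define array3_size(a, b, c)      size_mul(size_mul((a), (b)), (c))
#define flex_array_size(p, m, n)  size_mul(sizeof(*(p)->m), (n))
#define struct_size(p, m, n)      size_add(sizeof(*(p)), flex_array_size(p, m, n))

/* Constructed stand-ins for the regmap types in the commit's example. */
struct reg_sequence { unsigned int reg; unsigned int def; unsigned int delay_us; };
struct patch_buf    { size_t nregs; struct reg_sequence seq[]; };

/* Open-coded form from the commit message: the addition wraps first, so the
 * multiplication can receive a count that has already become zero. */
static size_t open_coded_patch_bytes(size_t patch_regs, size_t num_regs)
{
    return sizeof(struct reg_sequence) * (patch_regs + num_regs);
}

/* Saturating rewrite: a wrap in either step yields SIZE_MAX. */
static size_t saturating_patch_bytes(size_t patch_regs, size_t num_regs)
{
    return size_mul(sizeof(struct reg_sequence), size_add(patch_regs, num_regs));
}

/*
 * The realloc pattern from the commit. Returns 0 on success, -1 on overflow
 * or allocation failure, and leaves *patch untouched on failure. The explicit
 * SIZE_MAX guard is belt-and-braces: realloc(SIZE_MAX) fails anyway, but the
 * guard makes the failure path visible to a reader.
 */
static int grow_patch(struct reg_sequence **patch, size_t patch_regs, size_t num_regs)
{
    size_t bytes = saturating_patch_bytes(patch_regs, num_regs);
    struct reg_sequence *p;

    if (bytes == SIZE_MAX)
        return -1;
    p = realloc(*patch, bytes);
    if (!p)
        return -1;
    memset(p + patch_regs, 0, num_regs * sizeof(*p));
    *patch = p;
    return 0;
}

/* Returns 1 if a sane grow succeeds and overflowing grows are refused
 * without disturbing the existing buffer, 0 otherwise. */
static int grow_patch_selftest(void)
{
    struct reg_sequence *patch = NULL, *before;

    if (grow_patch(&patch, 0, 4) != 0 || patch == NULL)
        return 0;
    patch[3].reg = 0x42;
    before = patch;
    if (grow_patch(&patch, SIZE_MAX, 1) != -1 || patch != before)
        return 0;
    if (grow_patch(&patch, SIZE_MAX / sizeof(*patch) + 1, 0) != -1 || patch != before)
        return 0;
    if (patch[3].reg != 0x42)
        return 0;
    free(patch);
    return 1;
}

int main(void)
{
    printf("open-coded  (SIZE_MAX + 1) regs -> %zu bytes\n", open_coded_patch_bytes(SIZE_MAX, 1));
    printf("saturating  (SIZE_MAX + 1) regs -> %zu bytes\n", saturating_patch_bytes(SIZE_MAX, 1));
    printf("4U + UINT_MAX open-coded -> %u, via size_add -> %zu\n",
           4U + UINT_MAX, size_add(4U, UINT_MAX));
    printf("grow_patch selftest: %s\n", grow_patch_selftest() ? "ok" : "FAILED");
    return 0;
}
```

Two things worth noticing when running this: the open-coded calculation returns 0 bytes for SIZE_MAX + 1 elements, which an allocator will happily grant, whereas the saturating form returns SIZE_MAX, which it will refuse; and size_add(4U, UINT_MAX) does not wrap to 3 the way the bare unsigned int addition does, because the arguments are promoted to size_t first. The caveat from the commit message applies unchanged here: warn_unused_result only catches a discarded result. Assigning size_add()'s SIZE_MAX to an int narrows it silently, so the saturation is only preserved while the value stays in a size_t lvalue; building with -Wconversion is the practical way to flag that.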