[46/82] crypto: Refactor intentional wrap-around test

Message ID	20240123002814.1396804-46-keescook@chromium.org (mailing list archive)
State	Changes Requested
Headers	show Received: from mail-oi1-f169.google.com (mail-oi1-f169.google.com [209.85.167.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B99BA13BE8D for <linux-hardening@vger.kernel.org>; Tue, 23 Jan 2024 00:46:04 +0000 (UTC) From: Kees Cook <keescook@chromium.org> To: linux-hardening@vger.kernel.org Cc: Kees Cook <keescook@chromium.org>, Herbert Xu <herbert@gondor.apana.org.au>, "David S. Miller" <davem@davemloft.net>, Aditya Srivastava <yashsri421@gmail.com>, Randy Dunlap <rdunlap@infradead.org>, linux-crypto@vger.kernel.org, "Gustavo A. R. Silva" <gustavoars@kernel.org>, Bill Wendling <morbo@google.com>, Justin Stitt <justinstitt@google.com>, linux-kernel@vger.kernel.org Subject: [PATCH 46/82] crypto: Refactor intentional wrap-around test Date: Mon, 22 Jan 2024 16:27:21 -0800 Message-Id: <20240123002814.1396804-46-keescook@chromium.org> In-Reply-To: <20240122235208.work.748-kees@kernel.org> References: <20240122235208.work.748-kees@kernel.org> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	overflow: Refactor open-coded arithmetic wrap-around \| expand [00/82] overflow: Refactor open-coded arithmetic wrap-around [01/82] overflow: Expand check_add_overflow() for pointer addition [02/82] overflow: Introduce add_would_overflow() [03/82] overflow: Introduce add_wrap() [04/82] docs: deprecated.rst: deprecate open-coded arithmetic wrap-around [05/82] cocci: Refactor open-coded arithmetic wrap-around [06/82] overflow: Reintroduce signed and unsigned overflow sanitizers [07/82] overflow: Introduce CONFIG_UBSAN_POINTER_WRAP [08/82] iov_iter: Avoid wrap-around instrumentation in copy_compat_iovec_from_user [09/82] select: Avoid wrap-around instrumentation in do_sys_poll() [10/82] locking/atomic/x86: Silence intentional wrapping addition [11/82] arm64: atomics: lse: Silence intentional wrapping addition [12/82] ipv4: Silence intentional wrapping addition [13/82] btrfs: Refactor intentional wrap-around calculation [14/82] smb: client: Refactor intentional wrap-around calculation [15/82] dma-buf: Refactor intentional wrap-around calculation [16/82] drm/nouveau/mmu: Refactor intentional wrap-around calculation [17/82] drm/vc4: Refactor intentional wrap-around calculation [18/82] ext4: Refactor intentional wrap-around calculation [19/82] fs: Refactor intentional wrap-around calculation [20/82] fpga: dfl: Refactor intentional wrap-around calculation [21/82] drivers/fsi: Refactor intentional wrap-around calculation [22/82] x86/sgx: Refactor intentional wrap-around calculation [23/82] KVM: Refactor intentional wrap-around calculation [24/82] KVM: arm64: vgic: Refactor intentional wrap-around calculation [25/82] KVM: SVM: Refactor intentional wrap-around calculation [26/82] buildid: Refactor intentional wrap-around calculation [27/82] m68k: Refactor intentional wrap-around calculation [28/82] niu: Refactor intentional wrap-around calculation [29/82] rds: Refactor intentional wrap-around calculation [30/82] s390/kexec_file: Refactor intentional wrap-around calculation [31/82] ARC: dw2 unwind: Refactor intentional wrap-around calculation [32/82] vringh: Refactor intentional wrap-around calculation [33/82] mm/vmalloc: Refactor intentional wrap-around calculation [34/82] ipc: Refactor intentional wrap-around calculation [35/82] ACPI: custom_method: Refactor intentional wrap-around test [36/82] agp: Refactor intentional wrap-around test [37/82] aio: Refactor intentional wrap-around test [38/82] arm: 3117/1: Refactor intentional wrap-around test [39/82] crypto: Refactor intentional wrap-around test [40/82] arm64: stacktrace: Refactor intentional wrap-around test [41/82] wil6210: Refactor intentional wrap-around test [42/82] bcachefs: Refactor intentional wrap-around test [43/82] bpf: Refactor intentional wrap-around test [44/82] btrfs: Refactor intentional wrap-around test [45/82] cifs: Refactor intentional wrap-around test [46/82] crypto: Refactor intentional wrap-around test [47/82] dm verity: Refactor intentional wrap-around test [48/82] drm/nouveau/mmu: Refactor intentional wrap-around test [49/82] drm/i915: Refactor intentional wrap-around test [50/82] drm/vc4: Refactor intentional wrap-around test [51/82] ext4: Refactor intentional wrap-around test [52/82] f2fs: Refactor intentional wrap-around test [53/82] fs: Refactor intentional wrap-around test [54/82] hpfs: Refactor intentional wrap-around test [55/82] kasan: Refactor intentional wrap-around test [56/82] usercopy: Refactor intentional wrap-around test [57/82] KVM: arm64: vgic-v3: Refactor intentional wrap-around test [58/82] s390/mm: Refactor intentional wrap-around test [59/82] lib/scatterlist: Refactor intentional wrap-around test [60/82] powerpc: Refactor intentional wrap-around test [61/82] scsi: mpt3sas: Refactor intentional wrap-around test [62/82] mwifiex: pcie: Refactor intentional wrap-around test [63/82] mm: Refactor intentional wrap-around test [64/82] netfilter: Refactor intentional wrap-around test [65/82] nios2: Refactor intentional wrap-around test [66/82] fs/ntfs3: Refactor intentional wrap-around test [67/82] ocfs2: Refactor intentional wrap-around test [68/82] PCI: Refactor intentional wrap-around test [69/82] perf tools: Refactor intentional wrap-around test [70/82] remoteproc: Refactor intentional wrap-around test [71/82] s390/mm: Refactor intentional wrap-around test [72/82] scsi: sd_zbc: Refactor intentional wrap-around test [73/82] sh: Refactor intentional wrap-around test [74/82] ARC: dw2 unwind: Refactor intentional wrap-around test [75/82] timekeeping: Refactor intentional wrap-around test [76/82] udf: Refactor intentional wrap-around test [77/82] virtio: Refactor intentional wrap-around test [78/82] mm/vmalloc: Refactor intentional wrap-around test [79/82] staging: vme_user: Refactor intentional wrap-around test [80/82] xen-netback: Refactor intentional wrap-around test [81/82] lib: zstd: Refactor intentional wrap-around test [82/82] mqueue: Refactor intentional wrap-around test

Message ID

20240123002814.1396804-46-keescook@chromium.org (mailing list archive)

State

Changes Requested

Headers

From: Kees Cook <keescook@chromium.org>
To: linux-hardening@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	Aditya Srivastava <yashsri421@gmail.com>,
	Randy Dunlap <rdunlap@infradead.org>,
	linux-crypto@vger.kernel.org,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>,
	Bill Wendling <morbo@google.com>,
	Justin Stitt <justinstitt@google.com>,
	linux-kernel@vger.kernel.org
Subject: [PATCH 46/82] crypto: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:21 -0800
Message-Id: <20240123002814.1396804-46-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

overflow: Refactor open-coded arithmetic wrap-around | expand

Commit Message

Kees Cook Jan. 23, 2024, 12:27 a.m. UTC

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Aditya Srivastava <yashsri421@gmail.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: linux-crypto@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 crypto/adiantum.c                   | 2 +-
 drivers/crypto/amcc/crypto4xx_alg.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Eric Biggers Jan. 23, 2024, 3:07 a.m. UTC | #1

On Mon, Jan 22, 2024 at 04:27:21PM -0800, Kees Cook wrote:
> In an effort to separate intentional arithmetic wrap-around from
> unexpected wrap-around, we need to refactor places that depend on this
> kind of math. One of the most common code patterns of this is:
> 
> 	VAR + value < VAR
> 
> Notably, this is considered "undefined behavior" for signed and pointer
> types, which the kernel works around by using the -fno-strict-overflow
> option in the build[1] (which used to just be -fwrapv). Regardless, we
> want to get the kernel source to the position where we can meaningfully
> instrument arithmetic wrap-around conditions and catch them when they
> are unexpected, regardless of whether they are signed[2], unsigned[3],
> or pointer[4] types.
> 
> Refactor open-coded wrap-around addition test to use add_would_overflow().
> This paves the way to enabling the wrap-around sanitizers in the future.
> 
> Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
> Link: https://github.com/KSPP/linux/issues/26 [2]
> Link: https://github.com/KSPP/linux/issues/27 [3]
> Link: https://github.com/KSPP/linux/issues/344 [4]
> Cc: Herbert Xu <herbert@gondor.apana.org.au>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Aditya Srivastava <yashsri421@gmail.com>
> Cc: Randy Dunlap <rdunlap@infradead.org>
> Cc: linux-crypto@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  crypto/adiantum.c                   | 2 +-
>  drivers/crypto/amcc/crypto4xx_alg.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/crypto/adiantum.c b/crypto/adiantum.c
> index 60f3883b736a..c2f62ca455af 100644
> --- a/crypto/adiantum.c
> +++ b/crypto/adiantum.c
> @@ -190,7 +190,7 @@ static inline void le128_add(le128 *r, const le128 *v1, const le128 *v2)
>  
>  	r->b = cpu_to_le64(x + y);
>  	r->a = cpu_to_le64(le64_to_cpu(v1->a) + le64_to_cpu(v2->a) +
> -			   (x + y < x));
> +			   (add_would_overflow(x, y)));
>  }
>  
>  /* Subtraction in Z/(2^{128}Z) */
> diff --git a/drivers/crypto/amcc/crypto4xx_alg.c b/drivers/crypto/amcc/crypto4xx_alg.c
> index e0af611a95d8..33f73234ddd9 100644
> --- a/drivers/crypto/amcc/crypto4xx_alg.c
> +++ b/drivers/crypto/amcc/crypto4xx_alg.c
> @@ -251,7 +251,7 @@ crypto4xx_ctr_crypt(struct skcipher_request *req, bool encrypt)
>  	 * the whole IV is a counter.  So fallback if the counter is going to
>  	 * overlow.
>  	 */
> -	if (counter + nblks < counter) {
> +	if (add_would_overflow(counter, nblks)) {
>  		SYNC_SKCIPHER_REQUEST_ON_STACK(subreq, ctx->sw_cipher.cipher);
>  		int ret;

Just to double check, you really intend to forbid *unsigned* integer wraparound?
This patch's commit message focuses on signed, and barely mentions unsigned.
The actual code changes in this patch only deals with unsigned.

Also, what's the motivation for addressing the 'x + y < x' case but not other
cases in the same file?  For example, the le128_add() function which this patch
modifies has two other intentional wraparounds, which this patch doesn't touch.
Also, the le128_sub() function just below le128_add() is very similar but does
wraparound in the other direction.  That's 6 cases in 20 lines of code, but this
patch only addresses 1.  And of course, lots of other crypto code relies on
unsigned wraparounds too, which this patch overlooks.  So I'm a bit confused
about the point of this patch.  If we really wanted to explicitly annotate all
the intentional wraparounds in a particular piece of code, so that the code can
be run with the corresponding sanitizer enabled, wouldn't it be necessary to
actually test the code with that sanitizer enabled to find all the cases?

- Eric

Kees Cook Jan. 23, 2024, 3:29 a.m. UTC | #2

On January 22, 2024 7:07:45 PM PST, Eric Biggers <ebiggers@kernel.org> wrote:
>Just to double check, you really intend to forbid *unsigned* integer wraparound?
>This patch's commit message focuses on signed, and barely mentions unsigned.
>The actual code changes in this patch only deals with unsigned.

I don't mean to forbid wrap-around; we just need to annotate it. I can see how this commit log didn't do a great job explaining this. I hope the cover letter is more sensible:
https://lore.kernel.org/linux-hardening/20240122235208.work.748-kees@kernel.org/

>Also, what's the motivation for addressing the 'x + y < x' case but not other
>cases in the same file?

It's a code pattern we could find easily. It's working from the instances found via Coccinelle earlier in the series:
https://lore.kernel.org/linux-hardening/20240123002814.1396804-5-keescook@chromium.org/

> For example, the le128_add() function which this patch
>modifies has two other intentional wraparounds, which this patch doesn't touch.

For dedicated wrapping functions we can mark them with __unsigned_wrap:
https://lore.kernel.org/linux-hardening/20240123002814.1396804-6-keescook@chromium.org/

>Also, the le128_sub() function just below le128_add() is very similar but does
>wraparound in the other direction.  That's 6 cases in 20 lines of code, but this
>patch only addresses 1.  And of course, lots of other crypto code relies on
>unsigned wraparounds too, which this patch overlooks.  

Right -- finding these kinds of things is where a lot of time will be spent in the future, I suspect. :)

> So I'm a bit confused
>about the point of this patch.  If we really wanted to explicitly annotate all
>the intentional wraparounds in a particular piece of code, so that the code can
>be run with the corresponding sanitizer enabled, wouldn't it be necessary to
>actually test the code with that sanitizer enabled to find all the cases?

Yes, but there's a lot of code to test -- I'm trying to get the first steps done. And then once the sanitizers are in good shape, the fuzzers can grind. (I'm trying to add some parallelism to this project; this code pattern was known so I figured we could address it now.)

-Kees

diff --git a/crypto/adiantum.c b/crypto/adiantum.c
index 60f3883b736a..c2f62ca455af 100644
--- a/crypto/adiantum.c
+++ b/crypto/adiantum.c
@@ -190,7 +190,7 @@  static inline void le128_add(le128 *r, const le128 *v1, const le128 *v2)
 
 	r->b = cpu_to_le64(x + y);
 	r->a = cpu_to_le64(le64_to_cpu(v1->a) + le64_to_cpu(v2->a) +
-			   (x + y < x));
+			   (add_would_overflow(x, y)));
 }
 
 /* Subtraction in Z/(2^{128}Z) */
diff --git a/drivers/crypto/amcc/crypto4xx_alg.c b/drivers/crypto/amcc/crypto4xx_alg.c
index e0af611a95d8..33f73234ddd9 100644
--- a/drivers/crypto/amcc/crypto4xx_alg.c
+++ b/drivers/crypto/amcc/crypto4xx_alg.c
@@ -251,7 +251,7 @@  crypto4xx_ctr_crypt(struct skcipher_request *req, bool encrypt)
 	 * the whole IV is a counter.  So fallback if the counter is going to
 	 * overlow.
 	 */
-	if (counter + nblks < counter) {
+	if (add_would_overflow(counter, nblks)) {
 		SYNC_SKCIPHER_REQUEST_ON_STACK(subreq, ctx->sw_cipher.cipher);
 		int ret;

[46/82] crypto: Refactor intentional wrap-around test

Commit Message

Comments

Patch