From patchwork Mon Sep 20 18:08:52 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12537765 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-20.2 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 41548C433F5 for ; Tue, 21 Sep 2021 01:33:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 211E661175 for ; Tue, 21 Sep 2021 01:33:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230086AbhIUBea (ORCPT ); Mon, 20 Sep 2021 21:34:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57948 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229735AbhIUBeU (ORCPT ); Mon, 20 Sep 2021 21:34:20 -0400 Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D3C60C124A53 for ; Mon, 20 Sep 2021 11:08:57 -0700 (PDT) Received: by mail-pl1-x629.google.com with SMTP id t4so11662834plo.0 for ; Mon, 20 Sep 2021 11:08:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=hidIkJOKxCMVjbSvcxBw4U/mexFomA4sB5K9H+f3WZo=; b=YW3OQ3doANQVp1KjDrjbbQtADmm1NDefevCVHKSXV34nKQJGQAZ9M4ueYT8C1vliki ENy7So7EsVBBjS37/XBuJinomCdYV1rAxvWqc+WgBbiOmshS2xMYgICQOYn2dJ7Ilgx0 9YyQIHcTNeDh+hTu2oK81q33SDgK7xCE0e/EQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=hidIkJOKxCMVjbSvcxBw4U/mexFomA4sB5K9H+f3WZo=; b=37qtc6Rs5JzDjPXsxBNoGQy3VewTvzJxDySKdSPFMwwcnePXST9mkZr3vVWzSsevhn +ej8x06L1llN6JI8wXBd3pLzHyBoRv963S9P5zWoQakWHDdUrNvXwXUQMbalt7AKhxbc 37+oVT0ziJo1Mfbjaa4vHfKNcLaYtBpiCm/awIFhqdQxc31EF4RQJfm5ozV0GTEgOlw5 cY/1s9oYEp8rB5nHCrCumY3BLaBCwiDvmVTLoRkWxPa0edcdtC3w429cRawKCuyI1zdl UqAtVj+BPexGVyXVIcqvqsBer/xYeURqXTLartltJhRU3TomJ2mhXbAzfuwW4t2Exqhq F1WA== X-Gm-Message-State: AOAM533MYpKEAvXK4L18jyZGckPqewKvqA97qnIoiG1cLR5D7j7YFP3m nDNkUdTYUNjprUtlR0ijDCrUSNAmNjL++A== X-Google-Smtp-Source: ABdhPJyTejndKcYPkqiARVizqhdRS/CsuWoMu0OGDr/hDpO999aoEAPPh/CMIwMPA3BVgYw8G0hldw== X-Received: by 2002:a17:90a:86:: with SMTP id a6mr347372pja.190.1632161337429; Mon, 20 Sep 2021 11:08:57 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id 126sm17743348pgi.86.2021.09.20.11.08.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Sep 2021 11:08:56 -0700 (PDT) From: Kees Cook To: Rasmus Villemoes Cc: Kees Cook , "Gustavo A . R . Silva" , Nathan Chancellor , Jason Gunthorpe , Nick Desaulniers , Leon Romanovsky , Keith Busch , Len Baker , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH 1/2] overflow: Implement size_t saturating arithmetic helpers Date: Mon, 20 Sep 2021 11:08:52 -0700 Message-Id: <20210920180853.1825195-2-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210920180853.1825195-1-keescook@chromium.org> References: <20210920180853.1825195-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=10506; h=from:subject; bh=aYbE79r+2GzCEDXJOePs8DpTGJtx17vsz1taPQytKw4=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBhSM40XMzPcxqU+i87Qyjr/YrDY3MzjZfDUSZglvKq R2vvk2GJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYUjONAAKCRCJcvTf3G3AJoNaD/ 9wzLJ/LA3yNwGiPPhyoEIXSh1K0Rf/I36tZrncmN75R61nEQiYBnSu2FKF3W8XjD75O1hSzIVAx/Kq qyJJkUu605H9OfKnkz7n3a1o/g1wQaNbBq2raVXcRiB2kHiFMt+jYjIsZJlGPmnSfjHOq73McArMR7 pvEy1Yf9CwFgIeT3CSONCDoj7fEtXgwUUoFcQBFcZfgWIas97wDlYZ/8ku+/YiPbv6OGCcVWvhC3xZ DjsocvAkjbY0pEzsZ41xoadoSr+3vprdTz4YUFAJxJKTS1Qu47qdOIHqF0/KSgz14sYZR13HoSemmP ukglbTAIHWuUI1h9Ku5gi5DqQqRINyJ+wq4x3bJg6aKSSOOiwjop4HjpP2qEsBHQeZURGQgBOp4hqu 0b9N7nwDNxvokaNW1GP9s1t+0r8u3Eggyowe4J1LbW+PUg4dvfpZ3tCVGY7a/D6xvVmaVPhSx97Tf5 wc+g8r/XbEy7HGauYJC9fHeiiQVy4Ij/SvXjuc2Qs8lGePBslFp1fcw9qBhynkKh7p1p9OjMlaWu/s oCNu/MhPjRL/r4s98GTmoNnFGbwAIyXzP0GAE5gGAW6T9aHfxY/nlH/2bZfUTwHFzbrzzU2ioI+joU N4fI9jmwd4MyZ1LN4ItVowhoenl91k9s8r61KFXekm10pKLJts6qdSri5uog== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: X-Mailing-List: linux-hardening@vger.kernel.org In order to perform more open-coded replacements of common allocation size arithmetic, the kernel needs a saturating (SIZE_MAX) helper for addition and multiplication. It is common in allocators, especially on realloc, to add to an existing size. For example: p = krealloc(map->patch, sizeof(struct reg_sequence) * (map->patch_regs + num_regs), GFP_KERNEL); There is no existing saturating replacement for this calculation, and just leaving the addition open coded inside array_size() could potentially overflow as well. For example, an overflow in an expression for a size_t argument might wrap to zero: array_size(anything, something_at_size_max + 1) == 0 Introduce size_mul() and size_add() helpers to perform size_t promotion and saturated calculations for use in such allocations. With these helpers it is also possible to redefine array_size(), array3_size(), flex_array_size(), and struct_size() in terms of the new helpers. As with the check_*_overflow() helpers, the helpers are wrapped in a __must_check function that passes through the size_t result. In order for the helpers to be composed with themselves, they must have unique variable names to avoid shadowing, so this uses a similar method to what is already done in minmax.h for constructing unique names to be passed in as arguments to the statement expression that does the actual work. Cc: Rasmus Villemoes Cc: Gustavo A. R. Silva Cc: Nathan Chancellor Cc: Jason Gunthorpe Cc: Nick Desaulniers Cc: Leon Romanovsky Cc: Keith Busch Cc: Len Baker Signed-off-by: Kees Cook --- include/linux/overflow.h | 140 ++++++++++++++++++++++++--------------- lib/test_overflow.c | 61 +++++++++++++++++ 2 files changed, 149 insertions(+), 52 deletions(-) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 4669632bd72b..cd154d47807c 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -117,6 +117,77 @@ static inline bool __must_check __must_check_overflow(bool overflow) (*_d >> _to_shift) != _a); \ })) +/* + * As with __must_check_overflow() above, this is used to wrap the + * size_t output from a statement expression macro. + */ +static inline size_t __must_check __must_check_size(size_t size) +{ + return size; +} + +/* + * Internal logic for size_mul(). Takes variable names from UNIQUE_ID + * so that the local variables here will never collide with other local + * variables (for example, with itself). + */ +#define __size_mul(factor1, factor2, __factor1, __factor2, __product) \ +({ \ + size_t __product; \ + size_t __factor1 = (factor1); \ + size_t __factor2 = (factor2); \ + if (check_mul_overflow(__factor1, __factor2, &__product)) \ + __product = SIZE_MAX; \ + __product; \ +}) + +/** + * size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX + * + * @factor1: first factor + * @factor2: second factor + * + * Returns: calculate @factor1 * @factor2, where both values are + * evaluated as size_t, with any overflow causing the return value to + * be SIZE_MAX. + */ +#define size_mul(factor1, factor2) \ + __must_check_size(__size_mul(factor1, factor2, \ + __UNIQUE_ID(__factor1_), \ + __UNIQUE_ID(__factor2_), \ + __UNIQUE_ID(__product_))) + +/* + * Internal logic for size_add(). Takes variable names from UNIQUE_ID + * so that the local variables here will never collide with other local + * variables (for example, with itself). + */ +#define __size_add(addend1, addend2, __addend1, __addend2, __sum) \ +({ \ + size_t __sum; \ + size_t __addend1 = (addend1); \ + size_t __addend2 = (addend2); \ + if (check_add_overflow(__addend1, __addend2, &__sum)) \ + __sum = SIZE_MAX; \ + __sum; \ +}) + +/** + * size_add() - Calculate size_t addition with saturation at SIZE_MAX + * + * @addend1: first addend + * @addend2: second addend + * + * Returns: calculate @addend1 + @addend2, where both values are + * evaluated as size_t, with any overflow causing the return value to + * be SIZE_MAX. + */ +#define size_add(addend1, addend2) \ + __must_check_size(__size_add(addend1, addend2, \ + __UNIQUE_ID(__addend1_), \ + __UNIQUE_ID(__addend2_), \ + __UNIQUE_ID(__sum_))) + /** * array_size() - Calculate size of 2-dimensional array. * @@ -128,15 +199,7 @@ static inline bool __must_check __must_check_overflow(bool overflow) * Returns: number of bytes needed to represent the array or SIZE_MAX on * overflow. */ -static inline __must_check size_t array_size(size_t a, size_t b) -{ - size_t bytes; - - if (check_mul_overflow(a, b, &bytes)) - return SIZE_MAX; - - return bytes; -} +#define array_size(a, b) size_mul(a, b) /** * array3_size() - Calculate size of 3-dimensional array. @@ -150,65 +213,38 @@ static inline __must_check size_t array_size(size_t a, size_t b) * Returns: number of bytes needed to represent the array or SIZE_MAX on * overflow. */ -static inline __must_check size_t array3_size(size_t a, size_t b, size_t c) -{ - size_t bytes; - - if (check_mul_overflow(a, b, &bytes)) - return SIZE_MAX; - if (check_mul_overflow(bytes, c, &bytes)) - return SIZE_MAX; - - return bytes; -} - -/* - * Compute a*b+c, returning SIZE_MAX on overflow. Internal helper for - * struct_size() below. - */ -static inline __must_check size_t __ab_c_size(size_t a, size_t b, size_t c) -{ - size_t bytes; - - if (check_mul_overflow(a, b, &bytes)) - return SIZE_MAX; - if (check_add_overflow(bytes, c, &bytes)) - return SIZE_MAX; - - return bytes; -} +#define array3_size(a, b, c) size_mul(size_mul(a, b), c) /** - * struct_size() - Calculate size of structure with trailing array. + * flex_array_size() - Calculate size of a flexible array member + * within an enclosing structure. + * * @p: Pointer to the structure. - * @member: Name of the array member. + * @member: Name of the flexible array member. * @count: Number of elements in the array. * - * Calculates size of memory needed for structure @p followed by an - * array of @count number of @member elements. + * Calculates size of a flexible array of @count number of @member + * elements, at the end of structure @p. * * Return: number of bytes needed or SIZE_MAX on overflow. */ -#define struct_size(p, member, count) \ - __ab_c_size(count, \ - sizeof(*(p)->member) + __must_be_array((p)->member),\ - sizeof(*(p))) +#define flex_array_size(p, member, count) \ + size_mul(count, \ + sizeof(*(p)->member) + __must_be_array((p)->member)) /** - * flex_array_size() - Calculate size of a flexible array member - * within an enclosing structure. + * struct_size() - Calculate size of structure with trailing flexible array. * * @p: Pointer to the structure. - * @member: Name of the flexible array member. + * @member: Name of the array member. * @count: Number of elements in the array. * - * Calculates size of a flexible array of @count number of @member - * elements, at the end of structure @p. + * Calculates size of memory needed for structure @p followed by an + * array of @count number of @member elements. * * Return: number of bytes needed or SIZE_MAX on overflow. */ -#define flex_array_size(p, member, count) \ - array_size(count, \ - sizeof(*(p)->member) + __must_be_array((p)->member)) +#define struct_size(p, member, count) \ + size_add(sizeof(*(p)), flex_array_size(p, member, count)) #endif /* __LINUX_OVERFLOW_H */ diff --git a/lib/test_overflow.c b/lib/test_overflow.c index 7a4b6f6c5473..01a469ff7ff6 100644 --- a/lib/test_overflow.c +++ b/lib/test_overflow.c @@ -588,12 +588,73 @@ static int __init test_overflow_allocation(void) return err; } +struct __test_flex_array { + unsigned long flags; + size_t count; + unsigned long data[]; +}; + +static int __init test_overflow_size_helpers(void) +{ + struct __test_flex_array *obj; + int count = 0; + int err = 0; + +#define check_one_size_helper(expected, func, args...) ({ \ + bool __failure = false; \ + size_t _r; \ + \ + _r = func(args); \ + if (_r != (expected)) { \ + pr_warn("expected " #func "(" #args ") " \ + "to return %zu but got %zu instead\n", \ + (size_t)(expected), _r); \ + __failure = true; \ + } \ + count++; \ + __failure; \ +}) + + err |= check_one_size_helper(5, size_add, 2, 3); + err |= check_one_size_helper(SIZE_MAX, size_add, SIZE_MAX, 1); + err |= check_one_size_helper(SIZE_MAX, size_add, SIZE_MAX, 3); + err |= check_one_size_helper(SIZE_MAX, size_add, SIZE_MAX, -3); + + err |= check_one_size_helper(6, size_mul, 2, 3); + err |= check_one_size_helper(SIZE_MAX, size_mul, SIZE_MAX, 1); + err |= check_one_size_helper(SIZE_MAX, size_mul, SIZE_MAX, 3); + err |= check_one_size_helper(SIZE_MAX, size_mul, SIZE_MAX, -3); + + err |= check_one_size_helper(0, flex_array_size, obj, data, 0); + err |= check_one_size_helper(sizeof(*obj->data), + flex_array_size, obj, data, 1); + err |= check_one_size_helper(7 * sizeof(*obj->data), + flex_array_size, obj, data, 7); + err |= check_one_size_helper(SIZE_MAX, + flex_array_size, obj, data, -1); + err |= check_one_size_helper(SIZE_MAX, + flex_array_size, obj, data, SIZE_MAX - 4); + + err |= check_one_size_helper(sizeof(*obj), struct_size, obj, data, 0); + err |= check_one_size_helper(sizeof(*obj) + sizeof(*obj->data), + struct_size, obj, data, 1); + err |= check_one_size_helper(SIZE_MAX, + struct_size, obj, data, -3); + err |= check_one_size_helper(SIZE_MAX, + struct_size, obj, data, SIZE_MAX - 3); + + pr_info("%d overflow size helper tests finished\n", count); + + return err; +} + static int __init test_module_init(void) { int err = 0; err |= test_overflow_calculation(); err |= test_overflow_shift(); + err |= test_overflow_size_helpers(); err |= test_overflow_allocation(); if (err) { From patchwork Mon Sep 20 18:08:53 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12537767 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-20.2 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A7069C433F5 for ; Tue, 21 Sep 2021 01:35:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 86B9461168 for ; Tue, 21 Sep 2021 01:35:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231172AbhIUBhP (ORCPT ); Mon, 20 Sep 2021 21:37:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57502 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229961AbhIUBfA (ORCPT ); Mon, 20 Sep 2021 21:35:00 -0400 Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 87035C03402F for ; Mon, 20 Sep 2021 11:08:57 -0700 (PDT) Received: by mail-pj1-x1036.google.com with SMTP id me1so3936542pjb.4 for ; Mon, 20 Sep 2021 11:08:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=ghoO8vylrdI8hi6Tt30rRCJNGnXjoCjzQ+6Kg2uuqtk=; b=Mb/S0HS3nmZk/74q7Z77YZ+J8jlDOkyRESjhg0+WBGWdwYK47aKB7HsFRpZSB+aDnn YoKnxbcb2UdFBwEkYE+iUyi99i+5SqrOay4/tEzkCeP19IZj2YcTSUst0GPRvad/+Nui hUciPCLK78KvOR/dLI7Py4VuKg3s3XCwcs960= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=ghoO8vylrdI8hi6Tt30rRCJNGnXjoCjzQ+6Kg2uuqtk=; b=GvcnGzaG26sYL/FDU5YUg02d6stNNQuzNIZ2gYMOdc1E2ERnmQFZrWJ8YeTIjGJMjW DyO5CFKi3ccfddujKvYjbatHuq9xA1EqkE2e8BSlxRjn8n3k4x5WHsgigcA7+tXFY3aE Jcm/jgwc9ptN818kpVAyr4wcV/ucJ0YUM7OoZtdsqxb2Sy4R3vV+xZnxs2kxfhsdn8Zx a88L6l984hwNurfYf5Ss98QFAQXKXJdkCIkYb5cLi69B/sWIE3zcLByCVqGkivK5Ci/7 808BuqSFxsimehAkJ7BZ+chywO9q/1WE7YffybZv1G1XthwQggAP9AA7v+cRYInSnNsp aSXA== X-Gm-Message-State: AOAM531j70jTKq8SKTRV+RZ5U3ZzVfHAOTT1g/eQIJbSbmYeBQFff5+G BfyLiGeDarOsYrNkSFZfxdsF/Q== X-Google-Smtp-Source: ABdhPJxxNE9E0ONnMG7IKmLV3vOgEPcmq68f2gc8ALCv0/GbLpIdnN9VP01X374pPq3Fyw90oaGLEw== X-Received: by 2002:a17:902:7144:b0:13c:9821:75cb with SMTP id u4-20020a170902714400b0013c982175cbmr23915047plm.33.1632161337116; Mon, 20 Sep 2021 11:08:57 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id 141sm16720868pgf.46.2021.09.20.11.08.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Sep 2021 11:08:56 -0700 (PDT) From: Kees Cook To: Rasmus Villemoes Cc: Kees Cook , "Gustavo A. R. Silva" , Nathan Chancellor , Jason Gunthorpe , Nick Desaulniers , Leon Romanovsky , Keith Busch , Len Baker , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH 2/2] test_overflow: Regularize test reporting output Date: Mon, 20 Sep 2021 11:08:53 -0700 Message-Id: <20210920180853.1825195-3-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210920180853.1825195-1-keescook@chromium.org> References: <20210920180853.1825195-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=5283; h=from:subject; bh=ngvKd0VV85H03jehfbaSVhjFlezpvhhQZYYqP8+XnJI=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBhSM40EEDAZt7CSShMBrgESBuI4VDuu8KznCLXKNBF goT3bNuJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYUjONAAKCRCJcvTf3G3AJvLSEA CFFg0tEU3pFeHEdgWciKQj6HTHc7OvzAda2N6R9ilIOY9UeRdMsrPgiggtN80z4Thgs6DZF8p4OES8 lW7G8Dah0PTRgp/9zpuT39cbqdOJmWsydNMuEIWNcBS8SZdLc62mDWco1e+gG6a8/uua6lyeuJOBiI sX4/9kAqgoT69k3NgjmqX7rS/9/ERWoimcggooy5Y5emcKKAZipjoyHzCsFngP3rgX5DfuI/Dw72U0 T6W0+sPU2eDwvtE52V6OM2NtexEp99HPPU5WlTAuIsTe5xPPxDhRF1qmraXA5MfWpVzqLk9WdeZ4eg /mRoryGB0ZxQOF3fmBsB46O2Atdm2iBqpxyiYla+jK6p4pXM3tAsDmpaNYcNKrseqbUM7pVHp6gyMX FGuWDaomvu/ac3QiEXi/FdnGj6bsdm5AzjmRZU+dC1TAxWkbWTMh4mDEwHhQEUXINbIHTlIj29+9Vd CErLkZgOMK9DaoxUVMI8vIQmBqeROZKll62SAUlXMQbJwqNY7CNBOUZoeClCJ7NuLRkwBX5Yaph7rk N6tScoWL58ZO+hl6IsEnG8/a6vyYi/agmtJXYhm1Gl7JHhQ1WEqYHh2h3vWD4PvoSDrF+Q3qniNiOm OeAZ84fVoGQmvfawT3VfG+BtOSHjZyxkVmSQ6HXl5SDCPm2W2yRdTE1ZkKIQ== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: X-Mailing-List: linux-hardening@vger.kernel.org Report test run summaries more regularly, so it's easier to understand the output: - Remove noisy "ok" reports for shift and allocator tests. - Reorganize per-type output to the end of each type's tests. - Replace redundant vmalloc tests with __vmalloc so that __GFP_NO_WARN can be used to keep the expected failure warnings out of dmesg, similar to commit 8e060c21ae2c ("lib/test_overflow.c: avoid tainting the kernel and fix wrap size") Resulting output: test_overflow: 18 u8 arithmetic tests finished test_overflow: 19 s8 arithmetic tests finished test_overflow: 17 u16 arithmetic tests finished test_overflow: 17 s16 arithmetic tests finished test_overflow: 17 u32 arithmetic tests finished test_overflow: 17 s32 arithmetic tests finished test_overflow: 17 u64 arithmetic tests finished test_overflow: 21 s64 arithmetic tests finished test_overflow: 113 shift tests finished test_overflow: 17 overflow size helper tests finished test_overflow: 11 allocation overflow tests finished test_overflow: all tests passed Cc: Rasmus Villemoes Signed-off-by: Kees Cook Reviewed-by: Nick Desaulniers Acked-by: Rasmus Villemoes --- lib/test_overflow.c | 50 +++++++++++++++++++++++---------------------- 1 file changed, 26 insertions(+), 24 deletions(-) diff --git a/lib/test_overflow.c b/lib/test_overflow.c index 01a469ff7ff6..e1fd2d72dc61 100644 --- a/lib/test_overflow.c +++ b/lib/test_overflow.c @@ -252,10 +252,10 @@ static int __init test_ ## t ## _overflow(void) { \ int err = 0; \ unsigned i; \ \ - pr_info("%-3s: %zu arithmetic tests\n", #t, \ - ARRAY_SIZE(t ## _tests)); \ for (i = 0; i < ARRAY_SIZE(t ## _tests); ++i) \ err |= do_test_ ## t(&t ## _tests[i]); \ + pr_info("%zu %s arithmetic tests finished\n", \ + ARRAY_SIZE(t ## _tests), #t); \ return err; \ } @@ -291,6 +291,7 @@ static int __init test_overflow_calculation(void) static int __init test_overflow_shift(void) { int err = 0; + int count = 0; /* Args are: value, shift, type, expected result, overflow expected */ #define TEST_ONE_SHIFT(a, s, t, expect, of) ({ \ @@ -313,9 +314,7 @@ static int __init test_overflow_shift(void) pr_warn("got %llu\n", (u64)__d); \ __failed = 1; \ } \ - if (!__failed) \ - pr_info("ok: (%s)(%s << %s) == %s\n", #t, #a, #s, \ - of ? "overflow" : #expect); \ + count++; \ __failed; \ }) @@ -479,6 +478,8 @@ static int __init test_overflow_shift(void) err |= TEST_ONE_SHIFT(0, 31, s32, 0, false); err |= TEST_ONE_SHIFT(0, 63, s64, 0, false); + pr_info("%d shift tests finished\n", count); + return err; } @@ -530,7 +531,6 @@ static int __init test_ ## func (void *arg) \ free ## want_arg (free_func, arg, ptr); \ return 1; \ } \ - pr_info(#func " detected saturation\n"); \ return 0; \ } @@ -544,10 +544,7 @@ DEFINE_TEST_ALLOC(kmalloc, kfree, 0, 1, 0); DEFINE_TEST_ALLOC(kmalloc_node, kfree, 0, 1, 1); DEFINE_TEST_ALLOC(kzalloc, kfree, 0, 1, 0); DEFINE_TEST_ALLOC(kzalloc_node, kfree, 0, 1, 1); -DEFINE_TEST_ALLOC(vmalloc, vfree, 0, 0, 0); -DEFINE_TEST_ALLOC(vmalloc_node, vfree, 0, 0, 1); -DEFINE_TEST_ALLOC(vzalloc, vfree, 0, 0, 0); -DEFINE_TEST_ALLOC(vzalloc_node, vfree, 0, 0, 1); +DEFINE_TEST_ALLOC(__vmalloc, vfree, 0, 1, 0); DEFINE_TEST_ALLOC(kvmalloc, kvfree, 0, 1, 0); DEFINE_TEST_ALLOC(kvmalloc_node, kvfree, 0, 1, 1); DEFINE_TEST_ALLOC(kvzalloc, kvfree, 0, 1, 0); @@ -559,8 +556,14 @@ static int __init test_overflow_allocation(void) { const char device_name[] = "overflow-test"; struct device *dev; + int count = 0; int err = 0; +#define check_allocation_overflow(alloc) ({ \ + count++; \ + test_ ## alloc(dev); \ +}) + /* Create dummy device for devm_kmalloc()-family tests. */ dev = root_device_register(device_name); if (IS_ERR(dev)) { @@ -568,23 +571,22 @@ static int __init test_overflow_allocation(void) return 1; } - err |= test_kmalloc(NULL); - err |= test_kmalloc_node(NULL); - err |= test_kzalloc(NULL); - err |= test_kzalloc_node(NULL); - err |= test_kvmalloc(NULL); - err |= test_kvmalloc_node(NULL); - err |= test_kvzalloc(NULL); - err |= test_kvzalloc_node(NULL); - err |= test_vmalloc(NULL); - err |= test_vmalloc_node(NULL); - err |= test_vzalloc(NULL); - err |= test_vzalloc_node(NULL); - err |= test_devm_kmalloc(dev); - err |= test_devm_kzalloc(dev); + err |= check_allocation_overflow(kmalloc); + err |= check_allocation_overflow(kmalloc_node); + err |= check_allocation_overflow(kzalloc); + err |= check_allocation_overflow(kzalloc_node); + err |= check_allocation_overflow(__vmalloc); + err |= check_allocation_overflow(kvmalloc); + err |= check_allocation_overflow(kvmalloc_node); + err |= check_allocation_overflow(kvzalloc); + err |= check_allocation_overflow(kvzalloc_node); + err |= check_allocation_overflow(devm_kmalloc); + err |= check_allocation_overflow(devm_kzalloc); device_unregister(dev); + pr_info("%d allocation overflow tests finished\n", count); + return err; }