From: Kees Cook
To: linux-hardening@vger.kernel.org
Subject: [PATCH 15/82] dma-buf: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:50 -0800
Message-Id: <20240123002814.1396804-15-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
X-Patchwork-Id: 13526680
Cc: Kees Cook, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva", dri-devel@lists.freedesktop.org, Sumit Semwal, linaro-mm-sig@lists.linaro.org, Bill Wendling, Justin Stitt, Christian König, linux-media@vger.kernel.org

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Sumit Semwal
Cc: Christian König
Cc: "Christian König"
Cc: linux-media@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: linaro-mm-sig@lists.linaro.org
Signed-off-by: Kees Cook
---
 drivers/dma-buf/dma-buf.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index 8fe5aa67b167..3743c63a9b59 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c
@@ -1458,6 +1458,8 @@ EXPORT_SYMBOL_NS_GPL(dma_buf_end_cpu_access, DMA_BUF); int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma, unsigned long pgoff) { + unsigned long sum; + if (WARN_ON(!dmabuf || !vma)) return -EINVAL; 
@@ -1466,12 +1468,11 @@ int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma, return -EINVAL; /* check for offset overflow */ - if (pgoff + vma_pages(vma) < pgoff) + if (check_add_overflow(pgoff, vma_pages(vma), &sum)) return -EOVERFLOW; /* check for overflowing the buffer's size */ - if (pgoff + vma_pages(vma) > - dmabuf->size >> PAGE_SHIFT) + if (sum > dmabuf->size >> PAGE_SHIFT) return -EINVAL; /* readjust the vma */
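
The refactoring described in the commit message above, as an added userspace example (not part of the patch or the kernel tree): it puts the open-coded `VAR + value < VAR` test beside a checked addition on a dma_buf_mmap()-style range check, and goes one step further to show that the destination type decides what counts as overflow and that arithmetic on the checked sum can still wrap. check_add_overflow() is redefined here on top of the compiler builtin; DEMO_PAGE_SHIFT and all function names are assumptions made for the demo.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Userspace stand-in (assumption) for the kernel helper: true when a + b
 * does not fit the type of *d; the wrapped result is stored either way.
 * Needs the GCC/Clang overflow builtins.
 */
#define check_add_overflow(a, b, d) __builtin_add_overflow((a), (b), (d))

#define DEMO_PAGE_SHIFT 12	/* assumed 4 KiB pages */

/* "Before" shape: wrap test and bounds test each repeat the addition. */
static int range_check_open_coded(unsigned long pgoff, unsigned long npages,
				  size_t buf_size)
{
	if (pgoff + npages < pgoff)
		return -EOVERFLOW;
	if (pgoff + npages > buf_size >> DEMO_PAGE_SHIFT)
		return -EINVAL;
	return 0;
}

/* "After" shape: one checked addition, its result reused for the bound. */
static int range_check_checked(unsigned long pgoff, unsigned long npages,
			       size_t buf_size)
{
	unsigned long sum;

	if (check_add_overflow(pgoff, npages, &sum))
		return -EOVERFLOW;
	if (sum > buf_size >> DEMO_PAGE_SHIFT)
		return -EINVAL;
	return 0;
}

/* Same operands, different destination types: only the u32 one overflows. */
static bool add_u32_into_u32(uint32_t a, uint32_t b, uint32_t *out)
{
	return check_add_overflow(a, b, out);
}

static bool add_u32_into_u64(uint32_t a, uint32_t b, uint64_t *out)
{
	return check_add_overflow(a, b, out);
}

/*
 * A checked addition says nothing about later arithmetic on the sum:
 * "sum - 1" wraps when both inputs are 0. Returns false, leaving
 * *max_index untouched, if either step would wrap.
 */
static bool last_index(uint32_t length, uint32_t base, uint32_t *max_index)
{
	uint32_t sum, idx;

	if (check_add_overflow(length, base, &sum) ||
	    __builtin_sub_overflow(sum, 1u, &idx))
		return false;
	*max_index = idx;
	return true;
}

int main(void)
{
	size_t four_pages = (size_t)4 << DEMO_PAGE_SHIFT;	/* constructed input */
	uint32_t r32 = 0, idx = 0;
	uint64_t r64 = 0;

	printf("in range:   open=%d checked=%d\n",
	       range_check_open_coded(1, 3, four_pages),
	       range_check_checked(1, 3, four_pages));
	printf("too large:  open=%d checked=%d\n",
	       range_check_open_coded(2, 3, four_pages),
	       range_check_checked(2, 3, four_pages));
	printf("wraps:      open=%d checked=%d\n",
	       range_check_open_coded(ULONG_MAX, 2, four_pages),
	       range_check_checked(ULONG_MAX, 2, four_pages));
	printf("u32 dest overflow=%d, u64 dest overflow=%d\n",
	       add_u32_into_u32(UINT32_MAX, 1, &r32),
	       add_u32_into_u64(UINT32_MAX, 1, &r64));
	printf("last_index(0, 0) ok=%d\n", last_index(0, 0, &idx));
	return 0;
}
```
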
From: Kees Cook
To: linux-hardening@vger.kernel.org
Subject: [PATCH 16/82] drm/nouveau/mmu: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:51 -0800
Message-Id: <20240123002814.1396804-16-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
X-Patchwork-Id: 13526679
Cc: Kees Cook, Karol Herbst, nouveau@lists.freedesktop.org, "Gustavo A. R. Silva", dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Julia Lawall, Jiang Jian, Danilo Krummrich, Ben Skeggs, Daniel Vetter, Justin Stitt, Dave Airlie, David Airlie, Bill Wendling

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Karol Herbst
Cc: Lyude Paul
Cc: Danilo Krummrich
Cc: David Airlie
Cc: Daniel Vetter
Cc: Ben Skeggs
Cc: Dave Airlie
Cc: Julia Lawall
Cc: Jiang Jian
Cc: dri-devel@lists.freedesktop.org
Cc: nouveau@lists.freedesktop.org
Signed-off-by: Kees Cook
---
 drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c index 9c97800fe037..6ca1a82ccbc1 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c @@ -1149,13 +1149,15 @@ nvkm_vmm_ctor(const struct nvkm_vmm_func *func, struct nvkm_mmu *mmu, vmm->root = RB_ROOT; if (managed) { + u64 sum; + /* Address-space will be managed by the client for the most * part, except for a specified area where NVKM allocations * are allowed to be placed. */ vmm->start = 0; vmm->limit = 1ULL << bits; - if (addr + size < addr || addr + size > vmm->limit) + if (check_add_overflow(addr, size, &sum) || sum > vmm->limit) return -EINVAL; /* Client-managed area before the NVKM-managed area. */ 
@@ -1174,7 +1176,7 @@ nvkm_vmm_ctor(const struct nvkm_vmm_func *func, struct nvkm_mmu *mmu, } /* Client-managed area after the NVKM-managed area. */ - addr = addr + size; + addr = sum; size = vmm->limit - addr; if (size && (ret = nvkm_vmm_ctor_managed(vmm, addr, size))) return ret;
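
Review bot: In the second hunk, `addr = sum;` only matches the removed `addr = addr + size;` if neither `addr` nor `size` is reassigned between the check at the top of the `if (managed)` block and this line, and the lines between the two hunks are not part of the patch. Please say so in the commit message, or give `sum` a name or comment that makes clear it is the end of the NVKM-managed area computed at the check. Also worth confirming that `addr` and `size` are both u64 in nvkm_vmm_ctor() (the hunk header truncates the parameter list), since check_add_overflow() reports overflow relative to the type `sum` is declared with.
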
From: Kees Cook
To: linux-hardening@vger.kernel.org
Subject: [PATCH 17/82] drm/vc4: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:26:52 -0800
Message-Id: <20240123002814.1396804-17-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
X-Patchwork-Id: 13526634
Cc: Bill Wendling, Thomas Zimmermann, "Gustavo A. R. Silva", Maxime Ripard, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, Daniel Vetter, Justin Stitt, David Airlie, Kees Cook

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use
check_add_overflow(), retaining the result for later usage (which removes
the redundant open-coded addition). This paves the way to enabling the
wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Maxime Ripard
Cc: Maarten Lankhorst
Cc: Thomas Zimmermann
Cc: David Airlie
Cc: Daniel Vetter
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
 drivers/gpu/drm/vc4/vc4_validate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/vc4/vc4_validate.c b/drivers/gpu/drm/vc4/vc4_validate.c index 7dff3ca5af6b..9affba9c58b3 100644 --- a/drivers/gpu/drm/vc4/vc4_validate.c +++ b/drivers/gpu/drm/vc4/vc4_validate.c
@@ -305,6 +305,7 @@ validate_gl_array_primitive(VALIDATE_ARGS) uint32_t length = *(uint32_t *)(untrusted + 1); uint32_t base_index = *(uint32_t *)(untrusted + 5); uint32_t max_index; + uint32_t sum; struct vc4_shader_state *shader_state; /* Check overflow condition */ 
@@ -314,11 +315,11 @@ validate_gl_array_primitive(VALIDATE_ARGS) } shader_state = &exec->shader_state[exec->shader_state_count - 1]; - if (length + base_index < length) { + if (check_add_overflow(length, base_index, &sum)) { DRM_DEBUG("primitive vertex count overflow\n"); return -EINVAL; } - max_index = length + base_index - 1; + max_index = sum - 1; if (max_index > shader_state->max_index) shader_state->max_index = max_index;
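
Review bot: In the second hunk, `max_index = sum - 1;` still wraps to UINT32_MAX when `length` and `base_index` are both 0, and both are read directly from `untrusted` in the first hunk's context. check_add_overflow() returns false for 0 + 0, so nothing in the visible lines rejects that case, and an unsigned wrap-around sanitizer would report this subtraction. Please either handle `sum == 0` explicitly or mark the subtraction as an intentional wrap, so the refactor does not leave one wrapping operation behind on the same value.
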
From: Kees Cook
To: linux-hardening@vger.kernel.org
Subject: [PATCH 36/82] agp: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:11 -0800
Message-Id: <20240123002814.1396804-36-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
X-Patchwork-Id: 13526682
Cc: Kees Cook, Greg Kroah-Hartman, "Gustavo A. R. Silva", dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Bill Wendling, Justin Stitt, David Airlie

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Greg Kroah-Hartman
Cc: David Airlie
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
 drivers/char/agp/generic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c index 3ffbb1c80c5c..fc2d07654154 100644 --- a/drivers/char/agp/generic.c +++ b/drivers/char/agp/generic.c
@@ -228,7 +228,7 @@ struct agp_memory *agp_allocate_memory(struct agp_bridge_data *bridge, cur_memory = atomic_read(&bridge->current_memory_agp); if ((cur_memory + page_count > bridge->max_memory_agp) || - (cur_memory + page_count < page_count)) + (add_would_overflow(page_count, cur_memory))) return NULL; if (type >= AGP_USER_TYPES) {
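
Review bot: The first operand of the `||`, `cur_memory + page_count > bridge->max_memory_agp`, is still an open-coded addition and is evaluated before the new add_would_overflow() test, so the wrapping addition still happens whenever the sum overflows and a sanitizer would still report it. Suggest testing for overflow first, or using check_add_overflow() with a result variable and comparing that against `bridge->max_memory_agp`, as the dma-buf and vc4 patches in this series do. The extra parentheses around the add_would_overflow() call can go as well.
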
From: Kees Cook
To: linux-hardening@vger.kernel.org
Subject: [PATCH 48/82] drm/nouveau/mmu: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:23 -0800
Message-Id: <20240123002814.1396804-48-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
X-Patchwork-Id: 13526635
Cc: Kees Cook, Karol Herbst, nouveau@lists.freedesktop.org, "Gustavo A. R. Silva", dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Danilo Krummrich, Ben Skeggs, Daniel Vetter, Justin Stitt, Dave Airlie, David Airlie, Bill Wendling

In an effort to separate intentional arithmetic wrap-around from
unexpected wrap-around, we need to refactor places that depend on this
kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer
types, which the kernel works around by using the -fno-strict-overflow
option in the build[1] (which used to just be -fwrapv). Regardless, we
want to get the kernel source to the position where we can meaningfully
instrument arithmetic wrap-around conditions and catch them when they
are unexpected, regardless of whether they are signed[2], unsigned[3],
or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Karol Herbst
Cc: Lyude Paul
Cc: Danilo Krummrich
Cc: David Airlie
Cc: Daniel Vetter
Cc: Dave Airlie
Cc: Ben Skeggs
Cc: dri-devel@lists.freedesktop.org
Cc: nouveau@lists.freedesktop.org
Signed-off-by: Kees Cook
---
 drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c index 6ca1a82ccbc1..87c0903be9a7 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
@@ -1291,7 +1291,7 @@ nvkm_vmm_pfn_map(struct nvkm_vmm *vmm, u8 shift, u64 addr, u64 size, u64 *pfn) if (!page->shift || !IS_ALIGNED(addr, 1ULL << shift) || !IS_ALIGNED(size, 1ULL << shift) || - addr + size < addr || addr + size > vmm->limit) { + add_would_overflow(addr, size) || addr + size > vmm->limit) { VMM_DEBUG(vmm, "paged map %d %d %016llx %016llx\n", shift, page->shift, addr, size); return -EINVAL; From patchwork Tue Jan 23 00:27:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13526678 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 8C9DEC46CD2 for ; Tue, 23 Jan 2024 00:37:18 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 6BEA210F186; Tue, 23 Jan 2024 00:37:13 +0000 (UTC) Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) by gabe.freedesktop.org (Postfix) with ESMTPS id 323E710E717 for ; Tue, 23 Jan 2024 00:37:12 +0000 (UTC) Received: by mail-pj1-f50.google.com with SMTP id 98e67ed59e1d1-29065efa06fso1930040a91.1 for ; Mon, 22 Jan 2024 16:37:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1705970172; x=1706574972; darn=lists.freedesktop.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ci14tXfoLWF8H9KP6TbhVJPvd4jolXPuWJ+qfgosDMI=; b=a/5e/l9BsAGxzmAjvgSC6N2bFCkGFfHJOrT8+ibsKzslv1iCO2YwljyvrO4a8L65Jk Vyw9xsZSN2ccrFoNfORY9rN69rQS6uMjXdyxCxYRPSEEnfLY0CmeaDc64hdJvNN9iYcr 6LiSa4lRWR6LasZRtdqbQFl2jWPjKWkli9e2Q= 
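
Review bot: In the nvkm_vmm_pfn_map() condition, the second operand still open-codes the addition (`addr + size > vmm->limit`) right after add_would_overflow(addr, size), so the sum is expressed twice and the bound check is only safe because of short-circuit ordering. Since addr and size are both u64 in the signature, consider check_add_overflow(addr, size, &end) into a local u64 and then comparing end against vmm->limit. That keeps a single addition and leaves no bare add for the wrap-around sanitizers this series prepares for to flag if the operands are ever reordered.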
From: Kees Cook
To: linux-hardening@vger.kernel.org
Subject: [PATCH 49/82] drm/i915: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:24 -0800
Message-Id: <20240123002814.1396804-49-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Cc: dri-devel@lists.freedesktop.org, Tvrtko Ursulin, Justin Stitt, Kees Cook, intel-gfx@lists.freedesktop.org, "Gustavo A. R. Silva", linux-kernel@vger.kernel.org, Maxime Ripard, Thomas Zimmermann, Rodrigo Vivi, Daniel Vetter, David Airlie, Bill Wendling

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Maarten Lankhorst
Cc: Maxime Ripard
Cc: Thomas Zimmermann
Cc: Jani Nikula
Cc: Joonas Lahtinen
Cc: Rodrigo Vivi
Cc: Tvrtko Ursulin
Cc: David Airlie
Cc: Daniel Vetter
Cc: intel-gfx@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
--- drivers/gpu/drm/i915/i915_vma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/i915_vma.c b/drivers/gpu/drm/i915/i915_vma.c index d09aad34ba37..1a4f048a5df9 100644 --- a/drivers/gpu/drm/i915/i915_vma.c +++ b/drivers/gpu/drm/i915/i915_vma.c
@@ -1535,7 +1535,7 @@ int i915_vma_pin_ww(struct i915_vma *vma, struct i915_gem_ww_ctx *ww, goto err_remove; /* There should only be at most 2 active bindings (user, global) */ - GEM_BUG_ON(bound + I915_VMA_PAGES_ACTIVE < bound); + GEM_BUG_ON(add_would_overflow(bound, I915_VMA_PAGES_ACTIVE)); atomic_add(I915_VMA_PAGES_ACTIVE, &vma->pages_count); list_move_tail(&vma->vm_link, &vma->vm->bound_list); From patchwork Tue Jan 23 00:27:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13526681 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 68C60C47DDB for ; Tue, 23 Jan 2024 00:37:27 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 65ADC10F1C1; Tue, 23 Jan 2024 00:37:17 +0000 (UTC) Received: from mail-oi1-f177.google.com (mail-oi1-f177.google.com [209.85.167.177]) by gabe.freedesktop.org (Postfix) with ESMTPS id 267B710F19E for ; Tue, 23 Jan 2024 00:37:14 +0000 (UTC) Received: by mail-oi1-f177.google.com with SMTP id 5614622812f47-3bd7c15a745so2700082b6e.2 for ; Mon, 22 Jan 2024 16:37:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1705970173; x=1706574973; darn=lists.freedesktop.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=j2GMW5d6UiU7LajKCHttmnW2RyiQyBOWeh+blbgnn98=; b=JoTxnm/B4YV4fthnYQOXazFdExc0FHI76uJ2HCG9YjG3rUn+i+qcfrytj64ACajyDu m7ysWEZqWUSkikk+CkanKQyb1tcUG18Gt+x2HjKebEnaMbGvlB9PmWVMOZPP4r9b2nP5 0hvHbgHBT3g0gTV4JmZ3jVe6IsSqOHx3VqHL8= 
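
Review bot: In i915_vma_pin_ww(), the changelog is the series boilerplate and does not say why `bound + I915_VMA_PAGES_ACTIVE` wrapping is an expected condition at this site, while the comment above the assertion ("at most 2 active bindings") suggests the wrap is being used as a counter-limit check. Neither the declaration of bound nor the definition of I915_VMA_PAGES_ACTIVE is visible in the hunk, so please state their types in the commit message and confirm that add_would_overflow() evaluates the sum at the same width the open-coded test did; otherwise the GEM_BUG_ON() can stop firing at the value it used to.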
From: Kees Cook
To: linux-hardening@vger.kernel.org
Subject: [PATCH 50/82] drm/vc4: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:25 -0800
Message-Id: <20240123002814.1396804-50-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Cc: Bill Wendling, Thomas Zimmermann, "Gustavo A. R. Silva", Maxime Ripard, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, Daniel Vetter, Justin Stitt, David Airlie, Kees Cook

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Maxime Ripard
Cc: Maarten Lankhorst
Cc: Thomas Zimmermann
Cc: David Airlie
Cc: Daniel Vetter
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
--- drivers/gpu/drm/vc4/vc4_validate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vc4/vc4_validate.c b/drivers/gpu/drm/vc4/vc4_validate.c index 9affba9c58b3..677d9975f888 100644 --- a/drivers/gpu/drm/vc4/vc4_validate.c +++ b/drivers/gpu/drm/vc4/vc4_validate.c
@@ -206,7 +206,7 @@ vc4_check_tex_size(struct vc4_exec_info *exec, struct drm_gem_dma_object *fbo, stride = aligned_width * cpp; size = stride * aligned_height; - if (size + offset < size || + if (add_would_overflow(size, offset) || size + offset > fbo->base.size) { DRM_DEBUG("Overflow in %dx%d (%dx%d) fbo size (%d + %d > %zd)\n", width, height,