From a15f2a35ea71487b10aefbac07f5a501cfd45bba Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 11 Mar 2025 15:29:45 +0100 Subject: [PATCH] 5.4-stable patches added patches: overflow-add-__must_check-attribute-to-check_-helpers.patch overflow-allow-mixed-type-arguments.patch overflow-correct-check_shl_overflow-comment.patch --- ...st_check-attribute-to-check_-helpers.patch | 129 ++++++++++++++++++ .../overflow-allow-mixed-type-arguments.patch | 123 +++++++++++++++++ ...w-correct-check_shl_overflow-comment.patch | 34 +++++ queue-5.4/series | 3 + 4 files changed, 289 insertions(+) create mode 100644 queue-5.4/overflow-add-__must_check-attribute-to-check_-helpers.patch create mode 100644 queue-5.4/overflow-allow-mixed-type-arguments.patch create mode 100644 queue-5.4/overflow-correct-check_shl_overflow-comment.patch diff --git a/queue-5.4/overflow-add-__must_check-attribute-to-check_-helpers.patch b/queue-5.4/overflow-add-__must_check-attribute-to-check_-helpers.patch new file mode 100644 index 0000000000..6d6cc549e2 --- /dev/null +++ b/queue-5.4/overflow-add-__must_check-attribute-to-check_-helpers.patch @@ -0,0 +1,129 @@ +From 9b80e4c4ddaca3501177ed41e49d0928ba2122a8 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 12 Aug 2020 14:47:03 -0700 +Subject: overflow: Add __must_check attribute to check_*() helpers + +From: Kees Cook + +commit 9b80e4c4ddaca3501177ed41e49d0928ba2122a8 upstream. + +Since the destination variable of the check_*_overflow() helpers will +contain a wrapped value on failure, it would be best to make sure callers +really did check the return result of the helper. Adjust the macros to use +a bool-wrapping static inline that is marked with __must_check. This means +the macros can continue to have their type-agnostic behavior while gaining +the function attribute (that cannot be applied directly to macros). + +Suggested-by: Rasmus Villemoes +Link: https://lore.kernel.org/lkml/202008151007.EF679DF@keescook/ +Signed-off-by: Kees Cook +Signed-off-by: Florian Fainelli +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/overflow.h | 39 ++++++++++++++++++++++++--------------- + 1 file changed, 24 insertions(+), 15 deletions(-) + +--- a/include/linux/overflow.h ++++ b/include/linux/overflow.h +@@ -44,6 +44,16 @@ + #define is_non_negative(a) ((a) > 0 || (a) == 0) + #define is_negative(a) (!(is_non_negative(a))) + ++/* ++ * Allows for effectively applying __must_check to a macro so we can have ++ * both the type-agnostic benefits of the macros while also being able to ++ * enforce that the return value is, in fact, checked. ++ */ ++static inline bool __must_check __must_check_overflow(bool overflow) ++{ ++ return unlikely(overflow); ++} ++ + #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW + /* + * For simplicity and code hygiene, the fallback code below insists on +@@ -53,32 +63,32 @@ + * alias for __builtin_add_overflow, but add type checks similar to + * below. + */ +-#define check_add_overflow(a, b, d) ({ \ ++#define check_add_overflow(a, b, d) __must_check_overflow(({ \ + typeof(a) __a = (a); \ + typeof(b) __b = (b); \ + typeof(d) __d = (d); \ + (void) (&__a == &__b); \ + (void) (&__a == __d); \ + __builtin_add_overflow(__a, __b, __d); \ +-}) ++})) + +-#define check_sub_overflow(a, b, d) ({ \ ++#define check_sub_overflow(a, b, d) __must_check_overflow(({ \ + typeof(a) __a = (a); \ + typeof(b) __b = (b); \ + typeof(d) __d = (d); \ + (void) (&__a == &__b); \ + (void) (&__a == __d); \ + __builtin_sub_overflow(__a, __b, __d); \ +-}) ++})) + +-#define check_mul_overflow(a, b, d) ({ \ ++#define check_mul_overflow(a, b, d) __must_check_overflow(({ \ + typeof(a) __a = (a); \ + typeof(b) __b = (b); \ + typeof(d) __d = (d); \ + (void) (&__a == &__b); \ + (void) (&__a == __d); \ + __builtin_mul_overflow(__a, __b, __d); \ +-}) ++})) + + #else + +@@ -191,21 +201,20 @@ + }) + + +-#define check_add_overflow(a, b, d) \ ++#define check_add_overflow(a, b, d) __must_check_overflow( \ + __builtin_choose_expr(is_signed_type(typeof(a)), \ + __signed_add_overflow(a, b, d), \ +- __unsigned_add_overflow(a, b, d)) ++ __unsigned_add_overflow(a, b, d))) + +-#define check_sub_overflow(a, b, d) \ ++#define check_sub_overflow(a, b, d) __must_check_overflow( \ + __builtin_choose_expr(is_signed_type(typeof(a)), \ + __signed_sub_overflow(a, b, d), \ +- __unsigned_sub_overflow(a, b, d)) ++ __unsigned_sub_overflow(a, b, d))) + +-#define check_mul_overflow(a, b, d) \ ++#define check_mul_overflow(a, b, d) __must_check_overflow( \ + __builtin_choose_expr(is_signed_type(typeof(a)), \ + __signed_mul_overflow(a, b, d), \ +- __unsigned_mul_overflow(a, b, d)) +- ++ __unsigned_mul_overflow(a, b, d))) + + #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ + +@@ -228,7 +237,7 @@ + * '*d' will hold the results of the attempted shift, but is not + * considered "safe for use" if false is returned. + */ +-#define check_shl_overflow(a, s, d) ({ \ ++#define check_shl_overflow(a, s, d) __must_check_overflow(({ \ + typeof(a) _a = a; \ + typeof(s) _s = s; \ + typeof(d) _d = d; \ +@@ -238,7 +247,7 @@ + *_d = (_a_full << _to_shift); \ + (_to_shift != _s || is_negative(*_d) || is_negative(_a) || \ + (*_d >> _to_shift) != _a); \ +-}) ++})) + + /** + * size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX diff --git a/queue-5.4/overflow-allow-mixed-type-arguments.patch b/queue-5.4/overflow-allow-mixed-type-arguments.patch new file mode 100644 index 0000000000..80eb9429aa --- /dev/null +++ b/queue-5.4/overflow-allow-mixed-type-arguments.patch @@ -0,0 +1,123 @@ +From d219d2a9a92e39aa92799efe8f2aa21259b6dd82 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 29 Aug 2022 13:37:17 -0700 +Subject: overflow: Allow mixed type arguments + +From: Kees Cook + +commit d219d2a9a92e39aa92799efe8f2aa21259b6dd82 upstream. + +When the check_[op]_overflow() helpers were introduced, all arguments +were required to be the same type to make the fallback macros simpler. +However, now that the fallback macros have been removed[1], it is fine +to allow mixed types, which makes using the helpers much more useful, +as they can be used to test for type-based overflows (e.g. adding two +large ints but storing into a u8), as would be handy in the drm core[2]. + +Remove the restriction, and add additional self-tests that exercise +some of the mixed-type overflow cases, and double-check for accidental +macro side-effects. + +[1] https://git.kernel.org/linus/4eb6bd55cfb22ffc20652732340c4962f3ac9a91 +[2] https://lore.kernel.org/lkml/20220824084514.2261614-2-gwan-gyeong.mun@intel.com + +Cc: Rasmus Villemoes +Cc: Gwan-gyeong Mun +Cc: "Gustavo A. R. Silva" +Cc: Nick Desaulniers +Cc: linux-hardening@vger.kernel.org +Reviewed-by: Andrzej Hajda +Reviewed-by: Gwan-gyeong Mun +Tested-by: Gwan-gyeong Mun +Signed-off-by: Kees Cook +[florian: Drop changes to lib/test_overflow.c] +Signed-off-by: Florian Fainelli +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/overflow.h | 72 ++++++++++++++++++++++++++--------------------- + 1 file changed, 41 insertions(+), 31 deletions(-) + +--- a/include/linux/overflow.h ++++ b/include/linux/overflow.h +@@ -55,40 +55,50 @@ static inline bool __must_check __must_c + } + + #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW +-/* +- * For simplicity and code hygiene, the fallback code below insists on +- * a, b and *d having the same type (similar to the min() and max() +- * macros), whereas gcc's type-generic overflow checkers accept +- * different types. Hence we don't just make check_add_overflow an +- * alias for __builtin_add_overflow, but add type checks similar to +- * below. ++/** check_add_overflow() - Calculate addition with overflow checking ++ * ++ * @a: first addend ++ * @b: second addend ++ * @d: pointer to store sum ++ * ++ * Returns 0 on success. ++ * ++ * *@d holds the results of the attempted addition, but is not considered ++ * "safe for use" on a non-zero return value, which indicates that the ++ * sum has overflowed or been truncated. + */ +-#define check_add_overflow(a, b, d) __must_check_overflow(({ \ +- typeof(a) __a = (a); \ +- typeof(b) __b = (b); \ +- typeof(d) __d = (d); \ +- (void) (&__a == &__b); \ +- (void) (&__a == __d); \ +- __builtin_add_overflow(__a, __b, __d); \ +-})) ++#define check_add_overflow(a, b, d) \ ++ __must_check_overflow(__builtin_add_overflow(a, b, d)) + +-#define check_sub_overflow(a, b, d) __must_check_overflow(({ \ +- typeof(a) __a = (a); \ +- typeof(b) __b = (b); \ +- typeof(d) __d = (d); \ +- (void) (&__a == &__b); \ +- (void) (&__a == __d); \ +- __builtin_sub_overflow(__a, __b, __d); \ +-})) ++/** check_sub_overflow() - Calculate subtraction with overflow checking ++ * ++ * @a: minuend; value to subtract from ++ * @b: subtrahend; value to subtract from @a ++ * @d: pointer to store difference ++ * ++ * Returns 0 on success. ++ * ++ * *@d holds the results of the attempted subtraction, but is not considered ++ * "safe for use" on a non-zero return value, which indicates that the ++ * difference has underflowed or been truncated. ++ */ ++#define check_sub_overflow(a, b, d) \ ++ __must_check_overflow(__builtin_sub_overflow(a, b, d)) + +-#define check_mul_overflow(a, b, d) __must_check_overflow(({ \ +- typeof(a) __a = (a); \ +- typeof(b) __b = (b); \ +- typeof(d) __d = (d); \ +- (void) (&__a == &__b); \ +- (void) (&__a == __d); \ +- __builtin_mul_overflow(__a, __b, __d); \ +-})) ++/** check_mul_overflow() - Calculate multiplication with overflow checking ++ * ++ * @a: first factor ++ * @b: second factor ++ * @d: pointer to store product ++ * ++ * Returns 0 on success. ++ * ++ * *@d holds the results of the attempted multiplication, but is not ++ * considered "safe for use" on a non-zero return value, which indicates ++ * that the product has overflowed or been truncated. ++ */ ++#define check_mul_overflow(a, b, d) \ ++ __must_check_overflow(__builtin_mul_overflow(a, b, d)) + + #else + diff --git a/queue-5.4/overflow-correct-check_shl_overflow-comment.patch b/queue-5.4/overflow-correct-check_shl_overflow-comment.patch new file mode 100644 index 0000000000..445a3c7c43 --- /dev/null +++ b/queue-5.4/overflow-correct-check_shl_overflow-comment.patch @@ -0,0 +1,34 @@ +From 4578be130a6470d85ff05b13b75a00e6224eeeeb Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Thu, 1 Apr 2021 09:06:29 -0700 +Subject: overflow: Correct check_shl_overflow() comment + +From: Keith Busch + +commit 4578be130a6470d85ff05b13b75a00e6224eeeeb upstream. + +A 'false' return means the value was safely set, so the comment should +say 'true' for when it is not considered safe. + +Cc: Jason Gunthorpe +Signed-off-by: Keith Busch +Signed-off-by: Kees Cook +Fixes: 0c66847793d1 ("overflow.h: Add arithmetic shift helper") +Link: https://lore.kernel.org/r/20210401160629.1941787-1-kbusch@kernel.org +Signed-off-by: Florian Fainelli +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/overflow.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/overflow.h ++++ b/include/linux/overflow.h +@@ -235,7 +235,7 @@ static inline bool __must_check __must_c + * - 'a << s' sets the sign bit, if any, in '*d'. + * + * '*d' will hold the results of the attempted shift, but is not +- * considered "safe for use" if false is returned. ++ * considered "safe for use" if true is returned. + */ + #define check_shl_overflow(a, s, d) __must_check_overflow(({ \ + typeof(a) _a = a; \ diff --git a/queue-5.4/series b/queue-5.4/series index 8336f11447..d77ad0cf16 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -1,5 +1,8 @@ perf-cs-etm-add-missing-variable-in-cs_etm__process_queues.patch udf-fix-use-of-check_add_overflow-with-mixed-type-arguments.patch +overflow-add-__must_check-attribute-to-check_-helpers.patch +overflow-correct-check_shl_overflow-comment.patch +overflow-allow-mixed-type-arguments.patch afs-fix-directory-format-encoding-struct.patch nbd-don-t-allow-reconnect-after-disconnect.patch partitions-ldm-remove-the-initial-kernel-doc-notatio.patch -- 2.47.2