On 2/6/24 04:31, Kees Cook wrote:
Provide helpers that will perform wrapping addition, subtraction, or multiplication without tripping the arithmetic wrap-around sanitizers. The first argument is the type under which the wrap-around should happen with. In other words, these two calls will get very different results: wrapping_mul(int, 50, 50) == 2500 wrapping_mul(u8, 50, 50) == 196 Add to the selftests to validate behavior and lack of side-effects. Cc: Rasmus Villemoes <[email protected]> Cc: Marco Elver <[email protected]> Cc: Eric Biggers <[email protected]> Cc: Mark Rutland <[email protected]> Cc: [email protected] Reviewed-by: Gustavo A. R. Silva <[email protected]> Signed-off-by: Kees Cook <[email protected]> --- include/linux/overflow.h | 54 ++++++++++++++++++++++++++++++++++++++++ lib/overflow_kunit.c | 24 +++++++++++++++--- 2 files changed, 74 insertions(+), 4 deletions(-) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 4e741ebb8005..429c4d61a940 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -64,6 +64,24 @@ static inline bool __must_check __must_check_overflow(bool overflow) #define check_add_overflow(a, b, d) \ __must_check_overflow(__builtin_add_overflow(a, b, d))+/**+ * wrapping_add() - Intentionally perform a wrapping addition + * @type: type for result of calculation + * @a: first addend + * @b: second addend + * + * Return the potentially wrapped-around addition without + * tripping any wrap-around sanitizers that may be enabled. + */ +#define wrapping_add(type, a, b) \ + ({ \ + type __val; \ + if (__builtin_add_overflow(a, b, &__val)) { \ + /* do nothing */ \ + } \ + __val; \
mmh... now that __builtin_*_overflow() is directly used, I guess we don't need to _check_ for overflow anymore. Thanks -- Gustavo
