Line data Source code
1 : /* SPDX-License-Identifier: GPL-2.0 OR MIT */
2 : #ifndef __LINUX_OVERFLOW_H
3 : #define __LINUX_OVERFLOW_H
4 :
5 : #include <linux/compiler.h>
6 : #include <linux/limits.h>
7 :
8 : /*
9 : * In the fallback code below, we need to compute the minimum and
10 : * maximum values representable in a given type. These macros may also
11 : * be useful elsewhere, so we provide them outside the
12 : * COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block.
13 : *
14 : * It would seem more obvious to do something like
15 : *
16 : * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
17 : * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
18 : *
19 : * Unfortunately, the middle expressions, strictly speaking, have
20 : * undefined behaviour, and at least some versions of gcc warn about
21 : * the type_max expression (but not if -fsanitize=undefined is in
22 : * effect; in that case, the warning is deferred to runtime...).
23 : *
24 : * The slightly excessive casting in type_min is to make sure the
25 : * macros also produce sensible values for the exotic type _Bool. [The
26 : * overflow checkers only almost work for _Bool, but that's
27 : * a-feature-not-a-bug, since people shouldn't be doing arithmetic on
28 : * _Bools. Besides, the gcc builtins don't allow _Bool* as third
29 : * argument.]
30 : *
31 : * Idea stolen from
32 : * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
33 : * credit to Christian Biere.
34 : */
35 : #define is_signed_type(type) (((type)(-1)) < (type)1)
36 : #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
37 : #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
38 : #define type_min(T) ((T)((T)-type_max(T)-(T)1))
39 :
40 : /*
41 : * Avoids triggering -Wtype-limits compilation warning,
42 : * while using unsigned data types to check a < 0.
43 : */
44 : #define is_non_negative(a) ((a) > 0 || (a) == 0)
45 : #define is_negative(a) (!(is_non_negative(a)))
46 :
47 : /*
48 : * Allows for effectively applying __must_check to a macro so we can have
49 : * both the type-agnostic benefits of the macros while also being able to
50 : * enforce that the return value is, in fact, checked.
51 : */
52 5380166 : static inline bool __must_check __must_check_overflow(bool overflow)
53 : {
54 5380159 : return unlikely(overflow);
55 : }
56 :
57 : #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
58 : /*
59 : * For simplicity and code hygiene, the fallback code below insists on
60 : * a, b and *d having the same type (similar to the min() and max()
61 : * macros), whereas gcc's type-generic overflow checkers accept
62 : * different types. Hence we don't just make check_add_overflow an
63 : * alias for __builtin_add_overflow, but add type checks similar to
64 : * below.
65 : */
66 : #define check_add_overflow(a, b, d) __must_check_overflow(({ \
67 : typeof(a) __a = (a); \
68 : typeof(b) __b = (b); \
69 : typeof(d) __d = (d); \
70 : (void) (&__a == &__b); \
71 : (void) (&__a == __d); \
72 : __builtin_add_overflow(__a, __b, __d); \
73 : }))
74 :
75 : #define check_sub_overflow(a, b, d) __must_check_overflow(({ \
76 : typeof(a) __a = (a); \
77 : typeof(b) __b = (b); \
78 : typeof(d) __d = (d); \
79 : (void) (&__a == &__b); \
80 : (void) (&__a == __d); \
81 : __builtin_sub_overflow(__a, __b, __d); \
82 : }))
83 :
84 : #define check_mul_overflow(a, b, d) __must_check_overflow(({ \
85 : typeof(a) __a = (a); \
86 : typeof(b) __b = (b); \
87 : typeof(d) __d = (d); \
88 : (void) (&__a == &__b); \
89 : (void) (&__a == __d); \
90 : __builtin_mul_overflow(__a, __b, __d); \
91 : }))
92 :
93 : #else
94 :
95 :
96 : /* Checking for unsigned overflow is relatively easy without causing UB. */
97 : #define __unsigned_add_overflow(a, b, d) ({ \
98 : typeof(a) __a = (a); \
99 : typeof(b) __b = (b); \
100 : typeof(d) __d = (d); \
101 : (void) (&__a == &__b); \
102 : (void) (&__a == __d); \
103 : *__d = __a + __b; \
104 : *__d < __a; \
105 : })
106 : #define __unsigned_sub_overflow(a, b, d) ({ \
107 : typeof(a) __a = (a); \
108 : typeof(b) __b = (b); \
109 : typeof(d) __d = (d); \
110 : (void) (&__a == &__b); \
111 : (void) (&__a == __d); \
112 : *__d = __a - __b; \
113 : __a < __b; \
114 : })
115 : /*
116 : * If one of a or b is a compile-time constant, this avoids a division.
117 : */
118 : #define __unsigned_mul_overflow(a, b, d) ({ \
119 : typeof(a) __a = (a); \
120 : typeof(b) __b = (b); \
121 : typeof(d) __d = (d); \
122 : (void) (&__a == &__b); \
123 : (void) (&__a == __d); \
124 : *__d = __a * __b; \
125 : __builtin_constant_p(__b) ? \
126 : __b > 0 && __a > type_max(typeof(__a)) / __b : \
127 : __a > 0 && __b > type_max(typeof(__b)) / __a; \
128 : })
129 :
130 : /*
131 : * For signed types, detecting overflow is much harder, especially if
132 : * we want to avoid UB. But the interface of these macros is such that
133 : * we must provide a result in *d, and in fact we must produce the
134 : * result promised by gcc's builtins, which is simply the possibly
135 : * wrapped-around value. Fortunately, we can just formally do the
136 : * operations in the widest relevant unsigned type (u64) and then
137 : * truncate the result - gcc is smart enough to generate the same code
138 : * with and without the (u64) casts.
139 : */
140 :
141 : /*
142 : * Adding two signed integers can overflow only if they have the same
143 : * sign, and overflow has happened iff the result has the opposite
144 : * sign.
145 : */
146 : #define __signed_add_overflow(a, b, d) ({ \
147 : typeof(a) __a = (a); \
148 : typeof(b) __b = (b); \
149 : typeof(d) __d = (d); \
150 : (void) (&__a == &__b); \
151 : (void) (&__a == __d); \
152 : *__d = (u64)__a + (u64)__b; \
153 : (((~(__a ^ __b)) & (*__d ^ __a)) \
154 : & type_min(typeof(__a))) != 0; \
155 : })
156 :
157 : /*
158 : * Subtraction is similar, except that overflow can now happen only
159 : * when the signs are opposite. In this case, overflow has happened if
160 : * the result has the opposite sign of a.
161 : */
162 : #define __signed_sub_overflow(a, b, d) ({ \
163 : typeof(a) __a = (a); \
164 : typeof(b) __b = (b); \
165 : typeof(d) __d = (d); \
166 : (void) (&__a == &__b); \
167 : (void) (&__a == __d); \
168 : *__d = (u64)__a - (u64)__b; \
169 : ((((__a ^ __b)) & (*__d ^ __a)) \
170 : & type_min(typeof(__a))) != 0; \
171 : })
172 :
173 : /*
174 : * Signed multiplication is rather hard. gcc always follows C99, so
175 : * division is truncated towards 0. This means that we can write the
176 : * overflow check like this:
177 : *
178 : * (a > 0 && (b > MAX/a || b < MIN/a)) ||
179 : * (a < -1 && (b > MIN/a || b < MAX/a) ||
180 : * (a == -1 && b == MIN)
181 : *
182 : * The redundant casts of -1 are to silence an annoying -Wtype-limits
183 : * (included in -Wextra) warning: When the type is u8 or u16, the
184 : * __b_c_e in check_mul_overflow obviously selects
185 : * __unsigned_mul_overflow, but unfortunately gcc still parses this
186 : * code and warns about the limited range of __b.
187 : */
188 :
189 : #define __signed_mul_overflow(a, b, d) ({ \
190 : typeof(a) __a = (a); \
191 : typeof(b) __b = (b); \
192 : typeof(d) __d = (d); \
193 : typeof(a) __tmax = type_max(typeof(a)); \
194 : typeof(a) __tmin = type_min(typeof(a)); \
195 : (void) (&__a == &__b); \
196 : (void) (&__a == __d); \
197 : *__d = (u64)__a * (u64)__b; \
198 : (__b > 0 && (__a > __tmax/__b || __a < __tmin/__b)) || \
199 : (__b < (typeof(__b))-1 && (__a > __tmin/__b || __a < __tmax/__b)) || \
200 : (__b == (typeof(__b))-1 && __a == __tmin); \
201 : })
202 :
203 :
204 : #define check_add_overflow(a, b, d) __must_check_overflow( \
205 : __builtin_choose_expr(is_signed_type(typeof(a)), \
206 : __signed_add_overflow(a, b, d), \
207 : __unsigned_add_overflow(a, b, d)))
208 :
209 : #define check_sub_overflow(a, b, d) __must_check_overflow( \
210 : __builtin_choose_expr(is_signed_type(typeof(a)), \
211 : __signed_sub_overflow(a, b, d), \
212 : __unsigned_sub_overflow(a, b, d)))
213 :
214 : #define check_mul_overflow(a, b, d) __must_check_overflow( \
215 : __builtin_choose_expr(is_signed_type(typeof(a)), \
216 : __signed_mul_overflow(a, b, d), \
217 : __unsigned_mul_overflow(a, b, d)))
218 :
219 : #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
220 :
221 : /** check_shl_overflow() - Calculate a left-shifted value and check overflow
222 : *
223 : * @a: Value to be shifted
224 : * @s: How many bits left to shift
225 : * @d: Pointer to where to store the result
226 : *
227 : * Computes *@d = (@a << @s)
228 : *
229 : * Returns true if '*d' cannot hold the result or when 'a << s' doesn't
230 : * make sense. Example conditions:
231 : * - 'a << s' causes bits to be lost when stored in *d.
232 : * - 's' is garbage (e.g. negative) or so large that the result of
233 : * 'a << s' is guaranteed to be 0.
234 : * - 'a' is negative.
235 : * - 'a << s' sets the sign bit, if any, in '*d'.
236 : *
237 : * '*d' will hold the results of the attempted shift, but is not
238 : * considered "safe for use" if false is returned.
239 : */
240 : #define check_shl_overflow(a, s, d) __must_check_overflow(({ \
241 : typeof(a) _a = a; \
242 : typeof(s) _s = s; \
243 : typeof(d) _d = d; \
244 : u64 _a_full = _a; \
245 : unsigned int _to_shift = \
246 : is_non_negative(_s) && _s < 8 * sizeof(*d) ? _s : 0; \
247 : *_d = (_a_full << _to_shift); \
248 : (_to_shift != _s || is_negative(*_d) || is_negative(_a) || \
249 : (*_d >> _to_shift) != _a); \
250 : }))
251 :
252 : /**
253 : * array_size() - Calculate size of 2-dimensional array.
254 : *
255 : * @a: dimension one
256 : * @b: dimension two
257 : *
258 : * Calculates size of 2-dimensional array: @a * @b.
259 : *
260 : * Returns: number of bytes needed to represent the array or SIZE_MAX on
261 : * overflow.
262 : */
263 5345233 : static inline __must_check size_t array_size(size_t a, size_t b)
264 : {
265 5345233 : size_t bytes;
266 :
267 5345233 : if (check_mul_overflow(a, b, &bytes))
268 0 : return SIZE_MAX;
269 :
270 : return bytes;
271 : }
272 :
273 : /**
274 : * array3_size() - Calculate size of 3-dimensional array.
275 : *
276 : * @a: dimension one
277 : * @b: dimension two
278 : * @c: dimension three
279 : *
280 : * Calculates size of 3-dimensional array: @a * @b * @c.
281 : *
282 : * Returns: number of bytes needed to represent the array or SIZE_MAX on
283 : * overflow.
284 : */
285 : static inline __must_check size_t array3_size(size_t a, size_t b, size_t c)
286 : {
287 : size_t bytes;
288 :
289 : if (check_mul_overflow(a, b, &bytes))
290 : return SIZE_MAX;
291 : if (check_mul_overflow(bytes, c, &bytes))
292 : return SIZE_MAX;
293 :
294 : return bytes;
295 : }
296 :
297 : /*
298 : * Compute a*b+c, returning SIZE_MAX on overflow. Internal helper for
299 : * struct_size() below.
300 : */
301 13459 : static inline __must_check size_t __ab_c_size(size_t a, size_t b, size_t c)
302 : {
303 13459 : size_t bytes;
304 :
305 13457 : if (check_mul_overflow(a, b, &bytes))
306 : return SIZE_MAX;
307 13459 : if (check_add_overflow(bytes, c, &bytes))
308 0 : return SIZE_MAX;
309 :
310 : return bytes;
311 : }
312 :
313 : /**
314 : * struct_size() - Calculate size of structure with trailing array.
315 : * @p: Pointer to the structure.
316 : * @member: Name of the array member.
317 : * @count: Number of elements in the array.
318 : *
319 : * Calculates size of memory needed for structure @p followed by an
320 : * array of @count number of @member elements.
321 : *
322 : * Return: number of bytes needed or SIZE_MAX on overflow.
323 : */
324 : #define struct_size(p, member, count) \
325 : __ab_c_size(count, \
326 : sizeof(*(p)->member) + __must_be_array((p)->member),\
327 : sizeof(*(p)))
328 :
329 : /**
330 : * flex_array_size() - Calculate size of a flexible array member
331 : * within an enclosing structure.
332 : *
333 : * @p: Pointer to the structure.
334 : * @member: Name of the flexible array member.
335 : * @count: Number of elements in the array.
336 : *
337 : * Calculates size of a flexible array of @count number of @member
338 : * elements, at the end of structure @p.
339 : *
340 : * Return: number of bytes needed or SIZE_MAX on overflow.
341 : */
342 : #define flex_array_size(p, member, count) \
343 : array_size(count, \
344 : sizeof(*(p)->member) + __must_be_array((p)->member))
345 :
346 : #endif /* __LINUX_OVERFLOW_H */
|
