On Mon, Jan 22, 2024 at 04:26:38PM -0800, Kees Cook wrote:
> Provide a helper that will perform wrapping addition without tripping
> the arithmetic wrap-around sanitizers.
>
> Cc: "Gustavo A. R. Silva" <gustavo...@kernel.org>
> Cc: linux-hardening@vger.kernel.org
> Signed-off-by: Kees Cook <keesc...@chromium.org>
> ---
> include/linux/overflow.h | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/include/linux/overflow.h b/include/linux/overflow.h
> index ac088f73e0fd..30779905a77a 100644
> --- a/include/linux/overflow.h
> +++ b/include/linux/overflow.h
> @@ -124,6 +124,22 @@ static inline bool __must_check
> __must_check_overflow(bool overflow)
> check_add_overflow(a, b, &__result);\
> }))
>
> +/**
> + * add_wrap() - Intentionally perform a wrapping addition
> + * @a: first addend
> + * @b: second addend
> + *
> + * Return the potentially wrapped-around addition without
> + * tripping any overflow sanitizers that may be enabled.
> + */
> +#define add_wrap(a, b) \
> + ({ \
> + typeof(a) __sum; \
> + if (check_add_overflow(a, b, &__sum)) \
> + /* do nothing */; \
> + __sum; \
> + })
It's really difficult to see the semicolon for the empty statement here; could
we make that part:
if ((check_add_overflow(a, b, &__sum)) { \
/* do nothing */ \
} \
... to be a little clearer (and less at risk of breakage in a refactoring)?
I realise coding style says not to use braces for a single statement, but IMO
it's far clearer in this instance with the braces.
Mark.
> +
> /**
> * check_sub_overflow() - Calculate subtraction with overflow checking
> * @a: minuend; value to subtract from
> --
> 2.34.1
>
>
