76d4b81251
This is an experiment with a handful of macros for writing the checks, most of which are compile-time: MUL_OK(t, a, b) Does a*b avoid overflow in type t? ADD_OK(t, a, b) Does a + b avoid overflow in type t? TOOMANY(t, x, b, m) Are there more than m b-element blocks in x in type t? (I.e., does ceiling(x/b) > m?) Addenda that might make sense but are not needed here: MUL(t, a, b, &p) Set p = a*b and return 0, or return ERANGE if overflow. ADD(t, a, b, &s) Set s = a+b and return 0, or return ERANGE if overflow. Example: uint32_t a = ..., b = ..., y = ..., z = ..., x, w; /* input validation */ error = MUL(size_t, a, b, &x); if (error) fail; if (TOOMANY(uint32_t, x, BLKSIZ, MAX_NBLK)) fail; y = HOWMANY(x, BLKSIZ); if (z > Z_MAX) fail; ... /* internal computation */ __CTASSERT(MUL_OK(uint32_t, Z_MAX, MAX_NBLK)); w = z*y; Obvious shortcomings: 1. Nothing checks your ctassert matches your subsequent arithmetic. (Maybe we could have BOUNDED_MUL(t, x, xmax, y, ymax) with a ctassert inside.) 2. Nothing flows the bounds needed by the arithmetic you use back into candidate definitions of X_MAX/Y_MAX. But at least the reviewer's job is only to make sure that (a) the MUL_OK matches the *, and (b) the bounds in the assertion match the bounds on the inputs -- in particular, the reviewer need not derive the bounds from the context, only confirm they are supported by the paths to it. This is not meant to be a general-purpose proof assistant, or even a special-purpose one like gfverif <http://gfverif.cryptojedi.org/>. Rather, it is an experiment in adding a modicum of compile-time verification with a simple C API change. This also is not intended to serve as trapping arithmetic on overflow. The goal here is to enable writing the program with explicit checks on input and compile-time annotations on computation to gain confident that overflow won't happen in the computation.
171 lines
5.5 KiB
C
171 lines
5.5 KiB
C
/* $NetBSD: common.h,v 1.8 2017/07/29 21:04:07 riastradh Exp $ */
|
|
|
|
/*-
|
|
* Copyright (c) 2013 The NetBSD Foundation, Inc.
|
|
* All rights reserved.
|
|
*
|
|
* This code is derived from software contributed to The NetBSD Foundation
|
|
* by Taylor R. Campbell.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#ifndef VNDCOMPRESS_COMMON_H
|
|
#define VNDCOMPRESS_COMMON_H
|
|
|
|
#include <sys/cdefs.h>
|
|
#include <sys/param.h>
|
|
|
|
#include <limits.h>
|
|
#include <stdint.h>
|
|
|
|
#ifndef __type_fit
|
|
|
|
/* XXX Cruft from HEAD. */
|
|
|
|
#define __type_mask(t) (/*LINTED*/sizeof(t) < sizeof(intmax_t) ? \
|
|
(~((1ULL << (sizeof(t) * NBBY)) - 1)) : 0ULL)
|
|
|
|
#define __zeroll() (0LL)
|
|
#define __negative_p(x) ((x) < 0)
|
|
|
|
#define __type_min_s(t) ((t)((1ULL << (sizeof(t) * NBBY - 1))))
|
|
#define __type_max_s(t) ((t)~((1ULL << (sizeof(t) * NBBY - 1))))
|
|
#define __type_min_u(t) ((t)0ULL)
|
|
#define __type_max_u(t) ((t)~0ULL)
|
|
#define __type_is_signed(t) (/*LINTED*/__type_min_s(t) + (t)1 < (t)1)
|
|
#define __type_min(t) (__type_is_signed(t) ? __type_min_s(t) : __type_min_u(t))
|
|
#define __type_max(t) (__type_is_signed(t) ? __type_max_s(t) : __type_max_u(t))
|
|
|
|
|
|
#define __type_fit_u(t, a) (/*LINTED*/sizeof(t) < sizeof(intmax_t) ? \
|
|
(((a) & __type_mask(t)) == 0) : !__negative_p(a))
|
|
|
|
#define __type_fit_s(t, a) (/*LINTED*/__negative_p(a) ? \
|
|
((intmax_t)((a) + __zeroll()) >= (intmax_t)__type_min_s(t)) : \
|
|
((intmax_t)((a) + __zeroll()) <= (intmax_t)__type_max_s(t)))
|
|
|
|
/*
|
|
* return true if value 'a' fits in type 't'
|
|
*/
|
|
#define __type_fit(t, a) (__type_is_signed(t) ? \
|
|
__type_fit_s(t, a) : __type_fit_u(t, a))
|
|
|
|
#endif
|
|
|
|
/* XXX urk */
|
|
#ifndef OFF_MAX
|
|
#define OFF_MAX __type_max(off_t)
|
|
#endif
|
|
|
|
/* XXX Why is this kernel-only? */
|
|
#define SET(t, f) ((t) |= (f))
|
|
#define CLR(t, f) ((t) &= ~(f))
|
|
#define ISSET(t, f) ((t) & (f))
|
|
|
|
/*
|
|
* Bounds checks for arithmetic.
|
|
*/
|
|
#define ADD_OK(T, A, B) ((A) <= __type_max(T) - (B))
|
|
|
|
#define MUL_OK(T, A, B) ((A) <= __type_max(T)/(B))
|
|
|
|
#define HOWMANY(X, N) (((X) + ((N) - 1))/(N))
|
|
#define TOOMANY(T, X, N, M) (!ADD_OK(T, X, (N) - 1) || HOWMANY(X, N) > (M))
|
|
|
|
/*
|
|
* We require:
|
|
*
|
|
* 0 < blocksize (duh)
|
|
* blocksize % DEV_BSIZE == 0 (for kernel use)
|
|
*
|
|
* blocksize <= UINT32_MAX (per the format)
|
|
* blocksize*2 <= SIZE_MAX (for a compression buffer)
|
|
* blocksize*2 <= ULONG_MAX (for zlib API)
|
|
*/
|
|
#define MIN_BLOCKSIZE DEV_BSIZE
|
|
#define DEF_BLOCKSIZE 0x10000
|
|
#define MAX_BLOCKSIZE \
|
|
rounddown(MIN(UINT32_MAX, (MIN(SIZE_MAX, ULONG_MAX) / 2)), \
|
|
MIN_BLOCKSIZE)
|
|
|
|
/*
|
|
* We require:
|
|
*
|
|
* n_offsets * sizeof(uint64_t) <= SIZE_MAX (array of 64-bit offsets)
|
|
* n_blocks = (n_offsets + 1) (extra offset to set last block end)
|
|
* n_blocks <= UINT32_MAX (per the format)
|
|
* n_offsets <= UINT32_MAX (for the sake of simplicity)
|
|
*/
|
|
#define MAX_N_BLOCKS \
|
|
(MIN(UINT32_MAX, (SIZE_MAX / sizeof(uint64_t))) - 1)
|
|
#define MAX_N_OFFSETS (MAX_N_BLOCKS + 1)
|
|
|
|
/*
|
|
* The window size is at most the number of offsets, or the largest
|
|
* uint32_t value. The default window size is chosen so that windows
|
|
* fit in one 4096-byte page of memory. We could use 64k bytes, or
|
|
* st_blksize, to maximize I/O transfer size, but the transfers won't
|
|
* be aligned without a lot of extra work.
|
|
*/
|
|
#define MAX_WINDOW_SIZE MIN(UINT32_MAX, MAX_N_OFFSETS)
|
|
#define DEF_WINDOW_SIZE 512
|
|
|
|
struct cloop2_header {
|
|
char cl2h_magic[128];
|
|
uint32_t cl2h_blocksize;
|
|
uint32_t cl2h_n_blocks;
|
|
} __packed;
|
|
|
|
#define CLOOP2_OFFSET_TABLE_OFFSET 136
|
|
|
|
struct options {
|
|
int flags;
|
|
#define FLAG_c 0x0001 /* Compress */
|
|
#define FLAG_d 0x0002 /* Decompress */
|
|
#define FLAG_p 0x0004 /* Partial */
|
|
#define FLAG_r 0x0008 /* Restart */
|
|
#define FLAG_b 0x0010 /* Block size */
|
|
#define FLAG_R 0x0020 /* abort on Restart failure */
|
|
#define FLAG_k 0x0040 /* checKpoint blocks */
|
|
#define FLAG_l 0x0080 /* Length of input */
|
|
#define FLAG_w 0x0100 /* Window size */
|
|
uint32_t blocksize;
|
|
uint32_t end_block; /* end for partial transfer */
|
|
uint32_t checkpoint_blocks; /* blocks before checkpoint */
|
|
uint64_t length; /* length of image in bytes */
|
|
uint32_t window_size; /* size of window into offset table */
|
|
};
|
|
|
|
int vndcompress(int, char **, const struct options *);
|
|
int vnduncompress(int, char **, const struct options *);
|
|
void usage(void) __dead;
|
|
|
|
static const char cloop2_magic[] = "\
|
|
#!/bin/sh\n\
|
|
#V2.0 Format\n\
|
|
insmod cloop.o file=$0 && mount -r -t iso9660 /dev/cloop $1\n\
|
|
exit $?\n\
|
|
";
|
|
|
|
#endif /* VNDCOMPRESS_COMMON_H */
|