| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 2 Feb 2024 01:04:49 -0800 From: Kees Cook <keescook@...omium.org> To: Przemek Kitszel <przemyslaw.kitszel@...el.com> Cc: Rasmus Villemoes <rasmus.villemoes@...vas.dk>, "Gustavo A. R. Silva" <gustavoars@...nel.org>, Andrew Morton <akpm@...ux-foundation.org>, Nathan Chancellor <nathan@...nel.org>, Nick Desaulniers <ndesaulniers@...gle.com>, Bill Wendling <morbo@...gle.com>, Justin Stitt <justinstitt@...gle.com>, llvm@...ts.linux.dev, linux-hardening@...r.kernel.org, Mark Rutland <mark.rutland@....com>, Miguel Ojeda <ojeda@...nel.org>, Marco Elver <elver@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Masahiro Yamada <masahiroy@...nel.org>, linux-kernel@...r.kernel.org Subject: Re: [PATCH v2 2/5] overflow: Expand check_add_overflow() for pointer addition On Thu, Feb 01, 2024 at 10:19:15AM +0100, Przemek Kitszel wrote: > On 1/30/24 23:06, Kees Cook wrote: > > The check_add_overflow() helper is mostly a wrapper around > > __builtin_add_overflow(), but GCC and Clang refuse to operate on pointer > > arguments that would normally be allowed if the addition were open-coded. > > > > For example, we have many places where pointer overflow is tested: > > > > struct foo *ptr; > > ... > > /* Check for overflow */ > > if (ptr + count < ptr) ... > > > > And in order to avoid running into the overflow sanitizers in the > > future, we need to rewrite these "intended" overflow checks: > > > > if (check_add_overflow(ptr, count, &result)) ... > > > > Frustratingly the argument type validation for __builtin_add_overflow() > > is done before evaluating __builtin_choose_expr(), so for arguments to > > be valid simultaneously for sizeof(*p) (when p may not be a pointer), > > and __builtin_add_overflow(a, ...) (when a may be a pointer), we must > > introduce wrappers that always produce a specific type (but they are > > only used in the places where the bogus arguments will be ignored). > > > > To test whether a variable is a pointer or not, introduce the __is_ptr() > > helper, which uses __builtin_classify_type() to find arrays and pointers > > (via the new __is_ptr_or_array() helper), and then decays arrays into > > pointers (via the new __decay() helper), to distinguish pointers from > > arrays. > > This is (not just commit msg but together with impl), at first glance, too > complicated for regular developers to grasp (that is perhaps fine), > but could we make it simpler by, say _Generic() or other trick? I haven't been able to find a way to do this, unfortunately. :( I would *love* to find something simpler, but it eludes me. -- Kees Cook
Powered by blists - more mailing lists