lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 24 Sep 2022 21:46:38 -0700
From:   Nathan Chancellor <nathan@...nel.org>
To:     Kees Cook <keescook@...omium.org>
Cc:     Miguel Ojeda <ojeda@...nel.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Tom Rix <trix@...hat.com>, llvm@...ts.linux.dev,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH v2] Compiler Attributes: Introduce __access_*() function
 attribute

On Sat, Sep 24, 2022 at 08:07:15AM -0700, Kees Cook wrote:
> Added in GCC 10.1, the "access" function attribute is used to mark pointer
> arguments for how they are expected to be accessed in a given function.
> Both their access type (read/write, read-only, or write-only) and bounds
> are specified.
> 
> These can improve GCC's compile-time diagnostics including -Warray-bounds,
> -Wstringop-overflow, etc, and can affect __builtin_dynamic_object_size()
> results.
> 
> Cc: Miguel Ojeda <ojeda@...nel.org>
> Cc: Nick Desaulniers <ndesaulniers@...gle.com>
> Cc: Nathan Chancellor <nathan@...nel.org>
> Cc: Tom Rix <trix@...hat.com>
> Cc: llvm@...ts.linux.dev
> Signed-off-by: Kees Cook <keescook@...omium.org>

The GCC docs say it is 'access', instead of '__access__'. I assume it is
probably okay so:

Reviewed-by: Nathan Chancellor <nathan@...nel.org>

> ---
>  include/linux/compiler_attributes.h | 30 +++++++++++++++++++++++++++++
>  1 file changed, 30 insertions(+)
> 
> diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h
> index 9a9907fad6fd..465be5f072ff 100644
> --- a/include/linux/compiler_attributes.h
> +++ b/include/linux/compiler_attributes.h
> @@ -20,6 +20,36 @@
>   * Provide links to the documentation of each supported compiler, if it exists.
>   */
>  
> +/*
> + * Optional: only supported since gcc >= 10
> + * Optional: not supported by Clang
> + *
> + *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-access-function-attribute
> + *
> + * While it is legal to provide only the pointer argument position and
> + * access type, the kernel macros are designed to require also the bounds
> + * (element count) argument position; if a function has no bounds argument,
> + * refactor the code to include one.
> + *
> + * These can be used multiple times. For example:
> + *
> + * __access_wo(2, 3) __access_ro(4, 5)
> + * int copy_something(struct context *ctx, u32 *dst, size_t dst_count,
> + *		      const u8 *src, int src_len);
> + *
> + * If "dst" will also be read from, it could use __access_rw(2, 3) instead.
> + *
> + */
> +#if __has_attribute(__access__)
> +# define __access_rw(ptr, count)	__attribute__((__access__(read_write, ptr, count)))
> +# define __access_ro(ptr, count)	__attribute__((__access__(read_only,  ptr, count)))
> +# define __access_wo(ptr, count)	__attribute__((__access__(write_only, ptr, count)))
> +#else
> +# define __access_rw(ptr, count)
> +# define __access_ro(ptr, count)
> +# define __access_wo(ptr, count)
> +#endif
> +
>  /*
>   *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-alias-function-attribute
>   */
> -- 
> 2.34.1
> 

Powered by blists - more mailing lists