Message-ID: <202509292318.D9BC37B@keescook>
Date: Mon, 29 Sep 2025 23:21:10 -0700
From: Kees Cook <kees@...nel.org>
To: Martin Uecker <uecker@...raz.at>
Cc: Qing Zhao <qing.zhao@...cle.com>, Andrew Pinski <pinskia@...il.com>,
	Jakub Jelinek <jakub@...hat.com>,
	Richard Biener <rguenther@...e.de>,
	Joseph Myers <josmyers@...hat.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Ard Biesheuvel <ardb@...nel.org>, Jeff Law <jeffreyalaw@...il.com>,
	Jan Hubicka <hubicka@....cz>,
	Richard Earnshaw <richard.earnshaw@....com>,
	Richard Sandiford <richard.sandiford@....com>,
	Marcus Shawcroft <marcus.shawcroft@....com>,
	Kyrylo Tkachov <kyrylo.tkachov@....com>,
	Kito Cheng <kito.cheng@...il.com>,
	Palmer Dabbelt <palmer@...belt.com>,
	Andrew Waterman <andrew@...ive.com>,
	Jim Wilson <jim.wilson.gcc@...il.com>,
	Dan Li <ashimida.1990@...il.com>,
	Sami Tolvanen <samitolvanen@...gle.com>,
	Ramon de C Valle <rcvalle@...gle.com>,
	Joao Moreira <joao@...rdrivepizza.com>,
	Nathan Chancellor <nathan@...nel.org>,
	Bill Wendling <morbo@...gle.com>, gcc-patches@....gnu.org,
	linux-hardening@...r.kernel.org
Subject: Re: [PATCH v4 1/7] typeinfo: Introduce KCFI typeinfo mangling API

On Mon, Sep 29, 2025 at 12:34:02PM +0200, Martin Uecker wrote:
> On Thursday, 25.09.2025 at 20:02 -0700, Kees Cook wrote:
> 
> > 
> > An important aspect of the C++ typeinfo behavior that is retained here
> > is that typedefs are treated as pass-through except when the underlying
> > type lacks a tag (i.e. anonymous struct, union, or enum). This provides a
> > distinction between those typedefs and typedefs used to provide _aliases_
> > (u8, uint16_t).
> > 
> > In the future, an additional "strict mode" builtin helper pair could
> > also be added to follow strict ISO C type equivalency instead of the
> > existing typeinfo used here, but that is out of scope for this patch.
> 
> The ISO C mode would be *less* strict.  Or in other words,
> the current version would reject valid C programs at run-time.

Ah, gotcha.

> I try to point out the differences below.
> 
> 
> 
> > +
> > +    /* Test pointer types */
> > +    TEST_STRING(char*, "Pc");
> > +    TEST_STRING(int*, "Pi");
> > +    TEST_STRING(void*, "Pv");
> > +    TEST_STRING(const char*, "PKc");
> 
> > +
> > +    /* Test array types */
> > +    TEST_STRING(int[10],  "A10_i");
> > +    TEST_STRING(char[20], "A20_c");
> > +    TEST_STRING(short[],  "A_s");
> > +
> > +    /* Test basic function types */
> > +    extern void func_void(void);
> > +    extern void func_char(char x);
> > +    extern void func_short(short x);
> > +    extern void func_int(int x);
> > +    extern void func_long(long x);
> > +    TEST_STRING(func_void,  "FvvE");
> > +    TEST_STRING(func_char,  "FvcE");
> > +    TEST_STRING(func_short, "FvsE");
> > +    TEST_STRING(func_int,   "FviE");
> > +    TEST_STRING(func_long,  "FvlE");
> > +
> > +    /* Test functions with unsigned types */
> > +    extern void func_unsigned_char(unsigned char x);
> > +    extern void func_unsigned_short(unsigned short x);
> > +    extern void func_unsigned_int(unsigned int x);
> > +    TEST_STRING(func_unsigned_char,  "FvhE");
> > +    TEST_STRING(func_unsigned_short, "FvtE");
> > +    TEST_STRING(func_unsigned_int,   "FvjE");
> > +
> > +    /* Test functions with signed types */
> > +    extern void func_signed_char(signed char x);
> > +    extern void func_signed_short(signed short x);
> > +    extern void func_signed_int(signed int x);
> > +    TEST_STRING(func_signed_char,  "FvaE");
> > +    TEST_STRING(func_signed_short, "FvsE");
> > +    TEST_STRING(func_signed_int,   "FviE");
> > +
> > +    /* Test functions with pointer types */
> > +    extern void func_void_ptr(void *x);
> > +    extern void func_char_ptr(char *x);
> > +    extern void func_short_ptr(short *x);
> > +    extern void func_int_ptr(int *x);
> > +    extern void func_int_array(int arr[]); /* Decays to "int *".  */
> > +    extern void func_long_ptr(long *x);
> > +    TEST_STRING(func_void_ptr,  "FvPvE");
> > +    TEST_STRING(func_char_ptr,  "FvPcE");
> > +    TEST_STRING(func_short_ptr, "FvPsE");
> > +    TEST_STRING(func_int_ptr,   "FvPiE");
> > +    TEST_STRING(func_int_array, "FvPiE");
> > +    TEST_STRING(func_long_ptr,  "FvPlE");
> > +
> > +    /* Test functions with const qualifiers */
> > +    extern void func_const_void_ptr(const void *x);
> > +    extern void func_const_char_ptr(const char *x);
> > +    extern void func_const_short_ptr(const short *x);
> > +    extern void func_const_int_ptr(const int *x);
> > +    extern void func_const_long_ptr(const long *x);
> > +    TEST_STRING(func_const_void_ptr,  "FvPKvE");
> > +    TEST_STRING(func_const_char_ptr,  "FvPKcE");
> > +    TEST_STRING(func_const_short_ptr, "FvPKsE");
> > +    TEST_STRING(func_const_int_ptr,   "FvPKiE");
> > +    TEST_STRING(func_const_long_ptr,  "FvPKlE");
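
Review bot: the const-qualifier group only covers `const` on the pointee (`const char *x` giving "FvPKcE"); nothing quoted here pins down a top-level qualified parameter such as `void f(const int x)`, which ISO C treats as compatible with `void f(int x)`. Add a case for it with the intended string, since a `K` emitted there would make an indirect call through the unqualified prototype mismatch. Separately, a one-line comment in the signed group stating that `signed short` and `signed int` intentionally repeat "FvsE" and "FviE" while `signed char` ("FvaE") stays distinct from `char` ("FvcE") would show the duplicates are deliberate.
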
> 
> 
> This is ok, but there is a proposal to relax the rules for
> qualifiers, so in the future preserving all qualifiers
> might be too strict for C.
> 
> 
> 
> > +    /* Test 2D VLA with fixed dimension: should be all the same.  */
> > +    extern void func_vla_2d_first(int n, int arr[n][10]);
> > +    extern void func_vla_2d_empty(int n, int arr[][10]);
> > +    extern void func_vla_2d_ptr(int n, int (*arr)[10]);
> > +    TEST_STRING(func_vla_2d_first, "FviPA10_iE");
> > +    TEST_STRING(func_vla_2d_empty, "FviPA10_iE");
> > +    TEST_STRING(func_vla_2d_ptr,   "FviPA10_iE");
> > +
> > +    /* Test 2D VLA with both dimensions variable: should be all the same.  */
> > +    extern void func_vla_2d_both(int rows, int cols, int arr[rows][cols]);
> > +    extern void func_vla_2d_second(int rows, int cols, int arr[][cols]);
> > +    extern void func_vla_2d_star(int rows, int cols, int arr[*][cols]);
> > +    TEST_STRING(func_vla_2d_both,   "FviiPA_iE");
> > +    TEST_STRING(func_vla_2d_second, "FviiPA_iE");
> > +    TEST_STRING(func_vla_2d_star,   "FviiPA_iE");
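
Review bot: the fixed-bound group and the variable-bound group differ in parameter count ("Fvi..." against "Fvii..."), so no pair here isolates `A10_i` against `A_i` under otherwise identical prototypes. Add a single-`int` case with a variable inner bound, e.g. `int arr[][n]`, next to `func_vla_2d_empty`, with a comment saying whether a string different from "FviPA10_iE" is intended, so the behaviour for a fixed inner bound versus a variable one is recorded in the test rather than implied.
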
> 
> While the top-most decays to a pointer, the deeper arrays stay but
> are compatible between the fixed and variable case.  So according to
> C rules, they would all need to be canonicalized to the same.

Okay, thanks for the notes! How do you want me to phrase the commit log
for this patch as far as the potential future mode/builtins?

And do you think the existing builtin names are okay? I think "typeinfo"
has a very specific current meaning, so I think the names I have here
are good for this mode.

-- 
Kees Cook
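
The strings expected by the quoted tests follow the Itanium C++ ABI type encoding. As an added example (not code from the patch or from GCC), this toy encoder over a constructed type model shows why the three spellings of a 2D array parameter collapse to one string while a constant inner bound (`A10_i`) and a non-constant one (`A_i`) do not; `struct type`, `mangle` and `typeinfo` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

struct type {                     /* toy model constructed for this example, not GCC's */
    enum { BASE, PTR, ARRAY, FUNC } kind;
    const char *spec;             /* BASE: builtin code ("i"); ARRAY: bound, "" if not constant */
    const struct type *inner;     /* PTR target, ARRAY element, FUNC return type */
    const struct type *params[4]; /* FUNC: NULL-terminated parameter list */
};

static void add(char *out, size_t cap, const char *s) { strncat(out, s, cap - strlen(out) - 1); }

static void mangle(const struct type *t, int is_param, char *out, size_t cap) {
    char tmp[32] = "P";  /* PTR, and the outermost array of a parameter (decay) */
    if (t->kind == BASE) { add(out, cap, t->spec); return; }
    if (t->kind == FUNC) strcpy(tmp, "F");
    if (t->kind == ARRAY && !is_param)               /* nested arrays keep their bound */
        snprintf(tmp, sizeof tmp, "A%s_", t->spec);
    add(out, cap, tmp);
    mangle(t->inner, 0, out, cap);                   /* pointee, element or return type */
    if (t->kind != FUNC) return;
    for (int i = 0; t->params[i]; i++)
        mangle(t->params[i], 1, out, cap);
    add(out, cap, t->params[0] ? "E" : "vE");        /* "(void)" is spelled v */
}

static const char *typeinfo(const struct type *t) {
    static char buf[128];                            /* reused on every call */
    buf[0] = '\0';
    mangle(t, 0, buf, sizeof buf);
    return buf;
}

static const struct type      /* constructed samples mirroring the quoted prototypes */
    T_VOID = { BASE, "v" }, T_INT = { BASE, "i" },
    A10 = { ARRAY, "10", &T_INT }, AV = { ARRAY, "", &T_INT },   /* int[10], int[cols] */
    A_N_10 = { ARRAY, "", &A10 },                 /* int arr[n][10] */
    P_A10  = { PTR, NULL, &A10 },                 /* int (*arr)[10] */
    A_R_C  = { ARRAY, "", &AV },                  /* int arr[rows][cols] */
    F_FIRST = { FUNC, NULL, &T_VOID, { &T_INT, &A_N_10 } },
    F_PTR   = { FUNC, NULL, &T_VOID, { &T_INT, &P_A10 } },
    F_BOTH  = { FUNC, NULL, &T_VOID, { &T_INT, &T_INT, &A_R_C } };

int main(void) {
    const struct type *all[] = { &F_FIRST, &F_PTR, &F_BOTH };
    for (int i = 0; i < 3; i++)
        puts(typeinfo(all[i]));
    return 0;
}
```

The model does not cover qualifiers, typedefs or tagged types.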
