| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 09 Mar 2017 14:38:07 +0000
From: Måns Rullgård <mans@...sr.com>
To: Tomas Winkler <tomasw@...il.com>
Cc: Henrique de Moraes Holschuh <hmh@....eng.br>,
"linux-kernel\@vger.kernel.org" <linux-kernel@...r.kernel.org>,
linux-sparse@...r.kernel.org,
Herbert Xu <herbert@...dor.apana.org.au>,
Al Viro <viro@...iv.linux.org.uk>
Subject: Re: Arrays of variable length
Tomas Winkler <tomasw@...il.com> writes:
> On Thu, Mar 9, 2017 at 4:26 PM, Måns Rullgård <mans@...sr.com> wrote:
>> Tomas Winkler <tomasw@...il.com> writes:
>>
>>> On Thu, Mar 9, 2017 at 4:16 PM, Måns Rullgård <mans@...sr.com> wrote:
>>>> Tomas Winkler <tomasw@...il.com> writes:
>>>>
>>>>> On Thu, Mar 9, 2017 at 3:02 PM, Måns Rullgård <mans@...sr.com> wrote:
>>>>>> Tomas Winkler <tomasw@...il.com> writes:
>>>>>>
>>>>>>> On Mon, Mar 6, 2017 at 2:31 AM, Måns Rullgård <mans@...sr.com> wrote:
>>>>>>>> Henrique de Moraes Holschuh <hmh@....eng.br> writes:
>>>>>>>>
>>>>>>>>> On Sun, 05 Mar 2017, Måns Rullgård wrote:
>>>>>>>>>> Tomas Winkler <tomasw@...il.com> writes:
>>>>>>>>>> > Sparse complains for arrays declared with variable length
>>>>>>>>>> >
>>>>>>>>>> > 'warning: Variable length array is used'
>>>>>>>>>> >
>>>>>>>>>> > Prior to c99 this was not allowed but lgcc (c99) doesn't have problem
>>>>>>>>>> > with that https://gcc.gnu.org/onlinedocs/gcc/Variable-Length.html.
>>>>>>>>>> > And also Linux kernel compilation with W=1 doesn't complain.
>>>>>>>>>> >
>>>>>>>>>> > Since sparse is used extensively would like to ask what is the correct
>>>>>>>>>> > usage of arrays of variable length
>>>>>>>>>> > within Linux Kernel.
>>>>>>>>>>
>>>>>>>>>> Variable-length arrays are a very bad idea. Don't use them, ever.
>>>>>>>>>> If the size has a sane upper bound, just use that value statically.
>>>>>>>>>> Otherwise, you have a stack overflow waiting to happen and should be
>>>>>>>>>> using some kind of dynamic allocation instead.
>>>>>>>>>>
>>>>>>>>>> Furthermore, use of VLAs generally results in less efficient code. For
>>>>>>>>>> instance, it forces gcc to waste a register for the frame pointer, and
>>>>>>>>>> it often prevents inlining.
>>>>>>>>>
>>>>>>>>> Well, if we're going to forbid VLAs in the kernel, IMHO the kernel build
>>>>>>>>> system should call gcc with -Werror=vla to get that point across early,
>>>>>>>>> and flush out any offenders.
>>>>>>>>
>>>>>>>> If it were up to me, that's exactly what I'd do.
>>>>>>>
>>>>>>>>
>>>>>>> Some parts of the kernel depends on VLA such as ___ON_STACK macros in
>>>>>>> include/crypto/hash.h
>>>>>>> It's actually pretty neat implementation, maybe it's too harsh to
>>>>>>> disable VLA completely.
>>>>>>
>>>>>> And what happens if the requested size is insane?
>>>>>
>>>>> One option is to add '-Wvla-larger-than=n'
>>>>
>>>> If you know the upper bound, why use VLAs in the first place?
>>>
>>> This is a water mark and not actual usage, but maybe I didn't
>>> understand your comment.
>>
>> If there is an upper bound known at compile time, why not simply use
>> that size statically? If there is no upper bound, well, then you have a
>> problem.
>
> If the compiler can do the job, why not to use this flexibility ?
Because, as I already said, there are security implications if the size
is unbounded, and even with safely bounded size, using VLAs interferes
with compiler optimisations. Ensuring VLAs are used safely is usually
more work than simply avoiding them in the first place.
--
Måns Rullgård
Powered by blists - more mailing lists