| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Sep 2018 06:27:54 +0000
From: "Uecker, Martin" <Martin.Uecker@....uni-goettingen.de>
To: "torvalds@...ux-foundation.org" <torvalds@...ux-foundation.org>
CC: "keescook@...omium.org" <keescook@...omium.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: VLAs and security
Am Montag, den 03.09.2018, 14:28 -0700 schrieb Linus Torvalds:
> On Mon, Sep 3, 2018 at 12:40 AM Uecker, Martin
> <Martin.Uecker@....uni-goettingen.de> wrote:
> >
> > But if the true bound is smaller, then IMHO it is really bad advise
> > to tell programmers to use
> >
> > char buf[MAX_SIZE]
> >
> > instead of something like
> >
> > assert(N <= MAX_SIZE);
> > char buf[N]
>
> No.
>
> First off, we don't use asserts in the kernel. Not acceptable. You
> handle errors, you don't crash.
Ofcourse. But this is unrelated to my point.
> Secondly, the compiler is usually very stupid, and will generate
> horrible code for VLA's.
>
> Third, there's no guarantee that the compiler will actually even
> realize that the size is limited, and guarantee that it won't screw up
> the stack.
If this is about the quality of the generated code, ok.
I just don't buy the idea that removing precise type-based
information about the size of objects from the source code
is good long-term strategy for improving security.
> So no. VLA's are not acceptable in the kernel. Don't do them. We're
> getting rid of them.
All right then.
Martin
Powered by blists - more mailing lists