lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Feb 2022 10:34:09 +0000 From: Robin Murphy <robin.murphy@....com> To: Kees Cook <keescook@...omium.org>, Ard Biesheuvel <ardb@...nel.org> Cc: Victor Erminpour <victor.erminpour@...cle.com>, Lorenzo Pieralisi <lorenzo.pieralisi@....com>, Hanjun Guo <guohanjun@...wei.com>, Sudeep Holla <sudeep.holla@....com>, "Rafael J. Wysocki" <rafael@...nel.org>, Len Brown <lenb@...nel.org>, ACPI Devel Maling List <linux-acpi@...r.kernel.org>, Linux ARM <linux-arm-kernel@...ts.infradead.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, trivial@...nel.org Subject: Re: [PATCH v2] ACPI/IORT: Fix GCC 12 warning Hi Kees, On 2022-02-10 23:47, Kees Cook wrote: > On Thu, Feb 10, 2022 at 08:41:51PM +0100, Ard Biesheuvel wrote: >> On Thu, 10 Feb 2022 at 19:48, Victor Erminpour >> <victor.erminpour@...cle.com> wrote: >>> >>> When building with automatic stack variable initialization, GCC 12 >>> complains about variables defined outside of switch case statements. >>> Move the variable into the case that uses it, which silences the warning: >>> >>> ./drivers/acpi/arm64/iort.c:1670:59: error: statement will never be executed [-Werror=switch-unreachable] >>> 1670 | struct acpi_iort_named_component *ncomp; >>> | ^~~~~ >>> >>> Signed-off-by: Victor Erminpour <victor.erminpour@...cle.com> >> >> Please cc people that commented on your v1 when you send a v2. >> >> Still NAK, for the same reasons. > > Let me see if I can talk you out of this. ;) > > So, on the face of it, I agree with you: this is a compiler bug. However, > it's still worth fixing. Just because it's valid C isn't a good enough > reason to leave it as-is: we continue to minimize the subset of the > C language the kernel uses if it helps us get the most out of existing > compiler features. We've eliminated all kinds of other "valid C" from the > kernel because it improves robustness, security, etc. This is certainly > nothing like removing VLAs or implicit fallthrough, but given that this > is, I think, the only remaining case of it (I removed all the others a > while ago when I had the same issues with the GCC plugins), I'd like to > get it fixed. It concerns me if minimising the subset of the C language that the kernel uses is achieved by converting more of the kernel to a not-quite-C language that is not formally specified anywhere, by prematurely adopting newly-invented compiler options that clearly don't work properly (the GCC warning message quoted above may as well be "error: giraffes are not purple" for all the sense it makes.) > And I should point out that Clang suffers[1] from the same problem (the > variables will be missed for auto-initialization), but actually has a > worse behavior: it does not even warn about it. > > And note that the problem isn't limited to -ftrivial-auto-var-init. This > code pattern seems to also hide the variables from similar instrumentation > like KASan, etc. (Which is similarly silent like above.) From your security standpoint (and believe me, I really do have faith in your expertise here), which of these sounds better: 1: Being able to audit code based on well-defined language semantics 2: Playing whack-a-mole as issues are discovered empirically. 3: Neither of the above, but a warm fuzzy feeling because hey someone said "security" in a commit message. AFAICS you're effectively voting against #1, and the examples you've given demonstrate that #2 is nowhere near reliable enough either, so where does that leave us WRT actual secure and robust code in Linux? > In both compilers, it seems fixing this is not "easy", and given its > corner-case nature and ease of being worked around in the kernel source, > it isn't being highly prioritized. But since I both don't want these > blinds spots with Clang (and GCC) var-init, and I don't want these > warnings to suddenly appear once GCC 12 _does_ get released, so I'd like > to get this case fixed as well. > > All that said, I think this patch could be improved. > > I'd recommend, instead, just simply: > > diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c > index f2f8f05662de..9e765d30da82 100644 > --- a/drivers/acpi/arm64/iort.c > +++ b/drivers/acpi/arm64/iort.c > @@ -1671,13 +1671,14 @@ phys_addr_t __init acpi_iort_dma_get_max_cpu_address(void) > end = ACPI_ADD_PTR(struct acpi_iort_node, iort, iort->header.length); > > for (i = 0; i < iort->node_count; i++) { > + struct acpi_iort_named_component *ncomp; > + struct acpi_iort_root_complex *rc; > + phys_addr_t local_limit; > + > if (node >= end) > break; > > switch (node->type) { > - struct acpi_iort_named_component *ncomp; > - struct acpi_iort_root_complex *rc; > - phys_addr_t local_limit; > > case ACPI_IORT_NODE_NAMED_COMPONENT: > ncomp = (struct acpi_iort_named_component *)node->node_data; > > This results in no change in binary instruction output (when there is no > auto-init). In fairness I'd have no objection to that patch if it came with a convincing justification, but that is so far very much lacking. My aim here is not to be a change-averse Luddite, but to try to find a compromise where I can actually have some confidence in such changes being made. Let's not start pretending that 3 100ml bottles of shampoo are somehow "safer" than a 300ml bottle of shampoo... Thanks, Robin. > > -Kees > > [1] https://github.com/llvm/llvm-project/issues/44261 > >> >> >>> --- >>> drivers/acpi/arm64/iort.c | 12 ++++++------ >>> 1 file changed, 6 insertions(+), 6 deletions(-) >>> >>> diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c >>> index 3b23fb775ac4..65395f0decf9 100644 >>> --- a/drivers/acpi/arm64/iort.c >>> +++ b/drivers/acpi/arm64/iort.c >>> @@ -1645,7 +1645,7 @@ void __init acpi_iort_init(void) >>> */ >>> phys_addr_t __init acpi_iort_dma_get_max_cpu_address(void) >>> { >>> - phys_addr_t limit = PHYS_ADDR_MAX; >>> + phys_addr_t local_limit, limit = PHYS_ADDR_MAX; >>> struct acpi_iort_node *node, *end; >>> struct acpi_table_iort *iort; >>> acpi_status status; >>> @@ -1667,17 +1667,16 @@ phys_addr_t __init acpi_iort_dma_get_max_cpu_address(void) >>> break; >>> >>> switch (node->type) { >>> + case ACPI_IORT_NODE_NAMED_COMPONENT: { >>> struct acpi_iort_named_component *ncomp; >>> - struct acpi_iort_root_complex *rc; >>> - phys_addr_t local_limit; >>> - >>> - case ACPI_IORT_NODE_NAMED_COMPONENT: >>> ncomp = (struct acpi_iort_named_component *)node->node_data; >>> local_limit = DMA_BIT_MASK(ncomp->memory_address_limit); >>> limit = min_not_zero(limit, local_limit); >>> break; >>> >>> - case ACPI_IORT_NODE_PCI_ROOT_COMPLEX: >>> + } >>> + case ACPI_IORT_NODE_PCI_ROOT_COMPLEX: { >>> + struct acpi_iort_root_complex *rc; >>> if (node->revision < 1) >>> break; >>> >>> @@ -1686,6 +1685,7 @@ phys_addr_t __init acpi_iort_dma_get_max_cpu_address(void) >>> limit = min_not_zero(limit, local_limit); >>> break; >>> } >>> + } >>> node = ACPI_ADD_PTR(struct acpi_iort_node, node, node->length); >>> } >>> acpi_put_table(&iort->header); >>> >>> _______________________________________________ >>> linux-arm-kernel mailing list >>> linux-arm-kernel@...ts.infradead.org >>> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel >
Powered by blists - more mailing lists