Message-ID: <CAKwvOd=PB9Kpbnf3y0e5u6LrZ=Lv2Ex8O7y=VY63D67Jf2eyHQ@mail.gmail.com>
Date: Thu, 14 Jul 2022 14:38:28 -0700
From: Nick Desaulniers <ndesaulniers@...gle.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Kees Cook <keescook@...omium.org>,
Sudip Mukherjee <sudipm.mukherjee@...il.com>,
Nathan Chancellor <nathan@...nel.org>,
Tom Rix <trix@...hat.com>, Marco Elver <elver@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Josh Poimboeuf <jpoimboe@...nel.org>,
"Peter Zijlstra (Intel)" <peterz@...radead.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
clang-built-linux <llvm@...ts.linux.dev>,
Alexander Potapenko <glider@...gle.com>
Subject: Re: [PATCH] ubsan: disable UBSAN_DIV_ZERO for clang
On Thu, Jul 14, 2022 at 2:25 PM Linus Torvalds
<torvalds@...ux-foundation.org> wrote:
>
> The way you do that is by warning, and giving it defined behavior. It
> really is that simple.
int do_div (int dividend, int divisor) {
    return dividend / divisor;
}
has UB should divisor ever be zero, not much different from:
int deref (int *foo) {
    return *foo;
}
when foo is NULL. Should the two of those be:
int do_div (int dividend, int divisor) {
    if (!divisor)
        return -EOOPS;
    return dividend / divisor;
}
int deref (int *foo) {
    if (!foo)
        return -EOOPS;
    return *foo;
}
or keep the unchecked versions and wait for a report from a user or
bot with a sanitizer splat?
I get the sanitizer doesn't work as advertised. I _agree_ with you.
Hence this patch (which I _think_ works towards your point, shouldn't
you Ack it?). I feel like you're talking past me without addressing
my point, let me try rephrasing it:
I _additionally_ think we should be adding more checks to guard
against division by zero to the kernel sources. Or are we happy to
wait and find out if divisors are ever zero and fix them as they pop
up/become problematic?
--
Thanks,
~Nick Desaulniers
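The checked-division shape Nick sketches above, carried through as an added example; this is not code from the thread or from the kernel tree. It assumes plain userspace C: the struct return, the helper names `safe_div` and `div_or`, and the choice of `-EINVAL` / `-ERANGE` as the "defined behaviour" on bad input are all this example's own. It goes one step beyond the message by also rejecting `INT_MIN / -1`, the other signed-division input that is undefined in C, since a check that only guards zero still leaves one UB path for the sanitizer to find.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/*
 * Added example (not from the thread or the kernel tree): a division
 * helper that gives every input defined behaviour instead of waiting
 * for a sanitizer splat. Two signed-int inputs are UB for "a / b" in C:
 *   - divisor == 0
 *   - dividend == INT_MIN && divisor == -1 (quotient overflows int)
 * Both are rejected up front. The errno values and the struct return
 * are this example's choices, not kernel API.
 */
struct div_result {
    int err;    /* 0 on success, negative errno otherwise */
    int value;  /* quotient, meaningful only when err == 0 */
};

static struct div_result safe_div(int dividend, int divisor)
{
    struct div_result r = { 0, 0 };

    if (divisor == 0) {
        r.err = -EINVAL;    /* division by zero: refuse rather than trap */
        return r;
    }
    if (dividend == INT_MIN && divisor == -1) {
        r.err = -ERANGE;    /* -INT_MIN is not representable in int */
        return r;
    }
    r.value = dividend / divisor;   /* fully defined now; truncates toward zero */
    return r;
}

/*
 * Caller-side pattern: treat the error as an error instead of consuming
 * a garbage quotient. Returns the quotient, or 'fallback' on any error,
 * for code paths that only need "some sane value".
 */
static int div_or(int dividend, int divisor, int fallback)
{
    struct div_result r = safe_div(dividend, divisor);
    return r.err ? fallback : r.value;
}

int main(void)
{
    /* Constructed inputs: two normal cases and both UB cases. */
    const int cases[][2] = { {10, 2}, {-7, 2}, {7, 0}, {INT_MIN, -1} };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct div_result r = safe_div(cases[i][0], cases[i][1]);
        if (r.err)
            printf("%d / %d -> error %d\n", cases[i][0], cases[i][1], r.err);
        else
            printf("%d / %d = %d\n", cases[i][0], cases[i][1], r.value);
    }
    return 0;
}
```

Whether a kernel caller should return the error, pick a fallback, or `WARN_ON` and continue is exactly the policy question the thread is about; the helper only makes sure the answer is a decision rather than a trap.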