[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <99da3934-2c44-4a1f-832f-3f182ddadefa@huaweicloud.com>
Date: Fri, 17 May 2024 09:45:20 +0200
From: Jonas Oberhauser <jonas.oberhauser@...weicloud.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>,
Kees Cook <keescook@...omium.org>
Cc: Justin Stitt <justinstitt@...gle.com>,
Peter Zijlstra <peterz@...radead.org>, Mark Rutland <mark.rutland@....com>,
linux-hardening@...r.kernel.org, linux-kernel@...r.kernel.org,
llvm@...ts.linux.dev
Subject: Re: [RFC] Mitigating unexpected arithmetic overflow
Am 5/8/2024 um 10:07 PM schrieb Linus Torvalds:
> And no, the answer is ABSOLUTELY NOT to add cognitive load on kernel
> developers by adding yet more random helper types and/or functions.
Just to show an option without "more types and helper functions", one
could also instead add a coverage requirement:
Every arithmetic operation should either:
- have a test case where the wrap around happens, or
- have a static analyser say that overflow can not happen, or
- have a static analyser say that overflow is fine (e.g., your a+b < a case)
Then the answer to safe wrap situations isn't to make the kernel code
less readable, but to have a component-level test that shows that the
behavior on overflow (in at least one case :)) ) is what the developer
expected.
For static analysis to prove that overflow can not happen, one sometimes
would need to add BUG_ON() assertions to let the analyser know the
assumptions on surrounding code, which has its own benefits.
static inline u32 __item_offset(u32 val)
{
BUG_ON(val > INT_MAX / ITEM_SIZE_PER_UNIT);
return val * ITEM_SIZE_PER_UNIT;
}
Obviously, the effort involved is still high. Maybe if someone as a pet
project proves first that something in this direction is actually worth
the effort (by uncovering a heap of bugs), one could offer this kind of
check as an opt-in.
Best wishes,
jonas
Powered by blists - more mailing lists