| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9d9567dbdaf39688bbd0d240e29dec826a5931ee.camel@gwdg.de>
Date: Sun, 8 Dec 2024 00:52:07 +0100
From: Martin Uecker <muecker@...g.de>
To: Linus Torvalds <torvalds@...ux-foundation.org>
CC: David Laight <David.Laight@...lab.com>, Vincent Mailhol
<mailhol.vincent@...adoo.fr>, Luc Van Oostenryck
<luc.vanoostenryck@...il.com>, Nathan Chancellor <nathan@...nel.org>, "Nick
Desaulniers" <ndesaulniers@...gle.com>, Bill Wendling <morbo@...gle.com>,
Justin Stitt <justinstitt@...gle.com>, Yury Norov <yury.norov@...il.com>,
Rasmus Villemoes <linux@...musvillemoes.dk>, Kees Cook <kees@...nel.org>,
"Gustavo A. R. Silva" <gustavoars@...nel.org>, Jani Nikula
<jani.nikula@...ux.intel.com>, Joonas Lahtinen
<joonas.lahtinen@...ux.intel.com>, Rodrigo Vivi <rodrigo.vivi@...el.com>,
Tvrtko Ursulin <tursulin@...ulin.net>, David Airlie <airlied@...il.com>,
Simona Vetter <simona@...ll.ch>, Suzuki K Poulose <suzuki.poulose@....com>,
Mike Leach <mike.leach@...aro.org>, James Clark <james.clark@...aro.org>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>, Rikard Falkeborn
<rikard.falkeborn@...il.com>, "linux-sparse@...r.kernel.org"
<linux-sparse@...r.kernel.org>, "linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>, "llvm@...ts.linux.dev"
<llvm@...ts.linux.dev>, "linux-hardening@...r.kernel.org"
<linux-hardening@...r.kernel.org>, "intel-gfx@...ts.freedesktop.org"
<intel-gfx@...ts.freedesktop.org>, "dri-devel@...ts.freedesktop.org"
<dri-devel@...ts.freedesktop.org>, "coresight@...ts.linaro.org"
<coresight@...ts.linaro.org>, "linux-arm-kernel@...ts.infradead.org"
<linux-arm-kernel@...ts.infradead.org>
Subject: Re: [PATCH 02/10] compiler.h: add is_const() as a replacement of
__is_constexpr()
Am Samstag, dem 07.12.2024 um 12:28 -0800 schrieb Linus Torvalds:
> On Sat, 7 Dec 2024 at 11:19, Martin Uecker <muecker@...g.de> wrote:
> >
> > But that all seem solvable issues on the compiler side.
>
[... Itanium, value range analysis, no assertions in kernel...]
> Now, would we want to have proper value *static* range analysis in the
> kernel for other reasons? Oh yes. It would often be very nice to have
> the ability to state "this value is trusted and is in this range", and
> have it percolate all the way down, both for optimization purposes but
> also for various sanity check purposes.
__bos should give you some access to it, but it seems not as
good as it could be (relative to what the optimizer knows)
and then the information is also not available in the front-end.
>
> But it's simply not sanely available in the generic case.
I was not talking about future still-to-be-invented compiler
technology, but about things that work today.
While the compiler can not automatically prove every use
of VLA bounded, it can reliably diagnose the cases where it
can *not* see that it is bounded. Consider this example:
void oob(int n, char p[n]);
void f(unsigned int n)
{
char buf[MIN(n, 100)]; // bounded
oob(n + 10, buf); // warning
}
void h(unsigned int n)
{
char buf[100]; // static with worst case size
oob(n + 10, buf); // no warning
}
void i(unsigned int n)
{
char buf[n]; // warning!
oob(n + 10, buf);
}
void test_f() { f(50); }
void test_h() { h(50); }
void test_i() { i(50); }
https://godbolt.org/z/b15ajTPda
For both 'f' and 'h' stack is bounded and generally smaller in 'f'.
Also any worst-case stack size analysis that applies to 'h' also
applies to 'f' (and could potentially be improved).
In 'f' one gets a warning because 'oob' will try to do an OOB
access. This is only possibly because the compiler sees the true
size of the array. (One can also get precise information
about the size with __bdos.)
In 'h' the error can not be detected. The information is lost.
One can get a warning only when the static worst-case size is
exceeded, but otherwise the error remains hidden.
In 'i' one gets the warning about the OOB access and with
-Wvla-larget-than=100 one gets a warning that the VLA size may
be unbounded. These case should then not be allowed of course.
Note that this works today in GCC and seems to have better
information than __bos available (not sure why though).
>
> > a) this is not guaranteed in a specific situation (-Wvla-larher-than)
>
> We'd either get horrendous numbers of false positives that we then
> have to manually add special code for, or
>
> > b) transform the array automatically to fixed size array
> > of size X *or* something smaller when it can show this.
>
> we'd just do this by hand *once* and for all, and say "VLA's didn't work out".
>
> So yeah. We did (b) by hand.
>
> We used to have VLA's in the kernel. It was a disaster. We got rid of
> them, because the (big) pain wasn't worth the (few) places it was
> actually useful.
Can you point me to some horror stories?
> So we have been VLA-free for the last five years, and it's been good.
> Simplify.
These macro discussions I get CC-ed on sometimes leave a different
impression ;-)
Martin
Powered by blists - more mailing lists