| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAMj1kXEYhP+5dM-Vx29aUPoxNeH4dsH_sYB8bzQ6h6iaB2ZO5Q@mail.gmail.com>
Date: Fri, 21 Nov 2025 12:03:56 +0100
From: Ard Biesheuvel <ardb@...nel.org>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Eric Biggers <ebiggers@...nel.org>,
Kees Cook <kees@...nel.org>, linux-crypto@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH libcrypto v2 2/3] compiler: introduce at_least parameter
decoration pseudo keyword
On Thu, 20 Nov 2025 at 02:11, Jason A. Donenfeld <Jason@...c4.com> wrote:
>
> Clang and recent gcc support warning if they are able to prove that the
> user is passing to a function an array that is too short in size. For
> example:
>
> void blah(unsigned char herp[at_least 7]);
> static void schma(void)
> {
> unsigned char good[] = { 1, 2, 3, 4, 5, 6, 7 };
> unsigned char bad[] = { 1, 2, 3, 4, 5, 6 };
> blah(good);
> blah(bad);
> }
>
> The notation here, `static 7`, which this commit makes explicit by
> allowing us to write it as `at_least 7`, means that it's incorrect to
> pass anything less than 7 elements. This is section 6.7.5.3 of C99:
>
> If the keyword static also appears within the [ and ] of the array
> type derivation, then for each call to the function, the value of
> the corresponding actual argument shall provide access to the first
> element of an array with at least as many elements as specified by
> the size expression.
>
> Here is the output from gcc 15:
>
> zx2c4@...nkpad /tmp $ gcc -c a.c
> a.c: In function ‘schma’:
> a.c:9:9: warning: ‘blah’ accessing 7 bytes in a region of size 6 [-Wstringop-overflow=]
> 9 | blah(bad);
> | ^~~~~~~~~
> a.c:9:9: note: referencing argument 1 of type ‘unsigned char[7]’
> a.c:2:6: note: in a call to function ‘blah’
> 2 | void blah(unsigned char herp[at_least 7]);
> | ^~~~
>
> And from clang 21:
>
> zx2c4@...nkpad /tmp $ clang -c a.c
> a.c:9:2: warning: array argument is too small; contains 6 elements, callee requires at least 7
> [-Warray-bounds]
> 9 | blah(bad);
> | ^ ~~~
> a.c:2:25: note: callee declares array parameter as static here
> 2 | void blah(unsigned char herp[at_least 7]);
> | ^ ~~~~~~~~~~
> 1 warning generated.
>
> So these are covered by, variously, -Wstringop-overflow and
> -Warray-bounds.
>
> Signed-off-by: Jason A. Donenfeld <Jason@...c4.com>
> ---
> include/linux/compiler.h | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
Acked-by: Ard Biesheuvel <ardb@...nel.org>
> diff --git a/include/linux/compiler.h b/include/linux/compiler.h
> index 5b45ea7dff3e..cbd3b466fdb9 100644
> --- a/include/linux/compiler.h
> +++ b/include/linux/compiler.h
> @@ -379,6 +379,17 @@ static inline void *offset_to_ptr(const int *off)
> */
> #define prevent_tail_call_optimization() mb()
>
> +/*
> + * This designates the minimum number of elements a passed array parameter must
> + * have. For example:
> + *
> + * void some_function(u8 param[at_least 7]);
> + *
> + * If a caller passes an array with fewer than 7 elements, the compiler will
> + * emit a warning.
> + */
> +#define at_least static
> +
> #include <asm/rwonce.h>
>
> #endif /* __LINUX_COMPILER_H */
> --
> 2.52.0
>
Powered by blists - more mailing lists