Received: by 10.223.176.5 with SMTP id f5csp1074828wra;
        Wed, 31 Jan 2018 00:39:25 -0800 (PST)
X-Google-Smtp-Source: AH8x227rkBwUc9F7Hhy7o9ghQ/bcqICESPk21t2mFuI/jwQZQdWRTr7/YFeuKtY5KoPdBjtA0Dbq
X-Received: by 2002:a17:902:8349:: with SMTP id z9-v6mr7780814pln.164.1517387965881;
        Wed, 31 Jan 2018 00:39:25 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517387965; cv=none;
        d=google.com; s=arc-20160816;
        b=Lh1FQk2xOCBMdvLBRvDCq4cgkOvx2q2OcJq3qEMeh3yDP7XhOp6KXUS8lPZk0U9iuq
         7oIHvE8ZlJzDMD0n4+Vmq8W0httYuKiCa5BC30Q2bXVLEIAKks1LyeD+aIByd62qhXcI
         MYHclWXgXRSuA1cXZyGYDvvC2SNMaLuVEOmXiAVW0Vxd7+zwkNat6KCkQiM4yk2mmYft
         oVhLsNb9JZxO4dT1xPrH+MmifwlbFggNulgqOC5CgvOZ5fIIf20FRUX2wSi5EzhV0aS0
         L0++9e1GJMVrqEkyf1WjU+Qn9oFYV7X13x35i8Jk5WMKMZX0NB7sbf/ml4fe1Foa5OME
         Lm1A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=FxG3ZOJqDeUjxQF08/Ie8mLTal2buNxAa6y3IajvuFQ=;
        b=g/+Aoc4xPFgUorwoQqbCV4ktwTVQJY3c8/q7qD52r5KaC0akEGFwP6TeOr603yaGyE
         eUZjESG+3pwNVxzf5Bs7ri29hA+2a7p2M7rKhb5rC5Jm1xHd8yxmN+NQ2NixZ/viYS8n
         U8ZXQ87J6GrFSbwCHizcAuF8Rrxj4n4vwKxKD27xKvwMo9SKD7IXOFGrL6Eil7rzSAHk
         /C58I9JhRlYQy/E/9z1yQxWAhdqDwYsYTfXVCBCDdY4IKGa38cHgSV2+rcf0C/AePNmu
         sKxHt7SDXBFvNFddZjKbBIJm8zf+JUp9qA7rgbBXkTrBtyDRd1AYOTWNZQtmRFc7YQYf
         qtBw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=aovO4b5R;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w13si10665095pgp.606.2018.01.31.00.39.11;
        Wed, 31 Jan 2018 00:39:25 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=aovO4b5R;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752448AbeAaIDR (ORCPT <rfc822;sujaykul91@gmail.com>
        + 99 others); Wed, 31 Jan 2018 03:03:17 -0500
Received: from mail-wm0-f50.google.com ([74.125.82.50]:40614 "EHLO
        mail-wm0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751662AbeAaIDP (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 31 Jan 2018 03:03:15 -0500
Received: by mail-wm0-f50.google.com with SMTP id v123so6006401wmd.5;
        Wed, 31 Jan 2018 00:03:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=sender:date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=FxG3ZOJqDeUjxQF08/Ie8mLTal2buNxAa6y3IajvuFQ=;
        b=aovO4b5RUZiAehg/MxCTdbW6Gm1QGj7AJp3jgVTHDVrMVdL0s98/ut0LoNY9XeXbVQ
         zWYMfblkmRTDPVaRAFBz6xgl+vdhVmZArYWwxBZ9VkcbbcZbFzQD1JPVdddUc+wvaoRV
         qC81EE81YUlGft33dyfyYmfYHcpkqTh1KGYf6dC8lKw/VYwYh55jKnoSaFJjuIAfjU2G
         qRK26RTOKJmnSjo14F3oSBJaweWY6qItZF8uHHvFcjB3ZcBgEWYpbp8QAyvQN+ZLsQ0S
         rdpQOUv59q3srdWz8+uc/x6yU8sh2Sti4P10MnUPlm8gOmPzUgIM4IvH16LRjQqS4OJB
         QQfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:sender:date:from:to:cc:subject:message-id
         :references:mime-version:content-disposition:in-reply-to:user-agent;
        bh=FxG3ZOJqDeUjxQF08/Ie8mLTal2buNxAa6y3IajvuFQ=;
        b=jCEO8TfNy5Lgl8mm5rUtRGcGeYJxBal4a8N1VB8VKhUR+tHnIZ4TT+Px7dzUJvbOvj
         hAib2ZJQ2ClgPpwmSjAlvY+/Xl7vUixxgQYXN/omFa8UnBYqC4Jlovx/aLLaWpa/NLQq
         OBozKOuUxgv2ujy9xEgh3DT8y7EAB2BTH3W2wSQFvOSzq0+qbDeeasWXr9rN+ZgpQACH
         +cVIdbySCxW7qv+1TL2ETJFi5mwfz1pv3Xvqx75kW1Xdraycu98TcCDQmgXvZO75vLyH
         XEwKzZYaokb1e4iFbAswxk/KhR/B5msmkElMSDkCQAdCEuT0jeeCAKu+ElQvNLhR0dln
         fKdw==
X-Gm-Message-State: AKwxytf5uv+VE0lUJw/mtx2q6avN1G5XF5Tczr/Ivj/dxiwgx2hXfpb1
        nSG7h6Gm1GcQCbFH9LqFFyM=
X-Received: by 10.28.71.198 with SMTP id m67mr25190965wmi.40.1517385793653;
        Wed, 31 Jan 2018 00:03:13 -0800 (PST)
Received: from gmail.com (2E8B0CD5.catv.pool.telekom.hu. [46.139.12.213])
        by smtp.gmail.com with ESMTPSA id y19sm4197706wrd.93.2018.01.31.00.03.12
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Wed, 31 Jan 2018 00:03:13 -0800 (PST)
Date:   Wed, 31 Jan 2018 09:03:10 +0100
From:   Ingo Molnar <mingo@kernel.org>
To:     "Van De Ven, Arjan" <arjan.van.de.ven@intel.com>
Cc:     "Williams, Dan J" <dan.j.williams@intel.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        linux-arch <linux-arch@vger.kernel.org>,
        Cyril Novikov <cnovikov@lynx.com>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Catalin Marinas <catalin.marinas@arm.com>,
        X86 ML <x86@kernel.org>, Will Deacon <will.deacon@arm.com>,
        Russell King <linux@armlinux.org.uk>,
        Ingo Molnar <mingo@redhat.com>,
        Greg KH <gregkh@linuxfoundation.org>,
        "H. Peter Anvin" <hpa@zytor.com>, Alan Cox <alan@linux.intel.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Peter Zijlstra <a.p.zijlstra@chello.nl>
Subject: Re: [PATCH v5 02/12] array_idx: sanitize speculative array
 de-references
Message-ID: <20180131080310.ebqtxe5p7j54wglj@gmail.com>
References: <151703971300.26578.1185595719337719486.stgit@dwillia2-desk3.amr.corp.intel.com>
 <151703972396.26578.7326612698912543866.stgit@dwillia2-desk3.amr.corp.intel.com>
 <20180128085500.djlm5rlbhjlpfj4i@gmail.com>
 <CAPcyv4jTaskPT1qXhdCO2mWVkcaMDMBq12vUJ_hSfjOU49qvgQ@mail.gmail.com>
 <alpine.DEB.2.20.1801281931180.2126@nanos>
 <CAPcyv4hSZ7=+076s+fmJ0HQ293H4X8829-LTrbvd8ZqJygGV6A@mail.gmail.com>
 <CA+55aFxLEL+8YA4MYkeyeUH7K8rZwBmGe6Z9V8QS=TYCREWDTQ@mail.gmail.com>
 <CAPcyv4jTbH6As_SC2Po8j5mB6jKLcwMr3Yn=19aTN2yMgBR=iw@mail.gmail.com>
 <0575AF4FD06DD142AD198903C74E1CC87A6048F5@ORSMSX103.amr.corp.intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <0575AF4FD06DD142AD198903C74E1CC87A6048F5@ORSMSX103.amr.corp.intel.com>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


* Van De Ven, Arjan <arjan.van.de.ven@intel.com> wrote:

> > > IOW, is there some work on tooling/analysis/similar? Not asking for
> > > near-term, but more of a "big picture" question..
> 
> short term there was some extremely rudimentary static analysis done. clearly 
> that has extreme limitations both in insane rate of false positives, and missing 
> cases.

What was the output roughly, how many suspect places that need array_idx_nospec() 
handling: a few, a few dozen, a few hundred or a few thousand?

I'm guessing 'static tool emitted hundreds of sites with many false positives 
included, but the real sites are probably a few dozen' - but that's really just a 
very, very wild guess.

Our whole mindset and approach with these generic APIs obviously very much depends 
on the order of magnitude:

- For array users up to a few dozen per 20 MLOC code base accumulated over 20
  years, and with no more than ~1 new site per kernel release we can probably
  do what we do for buffer overflows: static analyze and fix via 
  array_idx_nospec().

- If it's more than a few dozen then intuitively I'd also be very much in favor of
  compiler help: for example trickle down __user annotations that Sparse uses some
  more and let the compiler sanitize indices or warn about them - without hurting 
  performance of in-kernel array handling.

- If it's "hundreds" then probably both the correctness and the maintenance
  aspects won't scale well to a 20+ MLOC kernel code base - in that case we _have_
  to catch the out of range values at a much earlier stage, at the system call and
  other system ABI level, and probably need to do it via a self-maintaining 
  approach such as annotations/types that also warns about 'unsanitized' uses. But 
  filtering earlier has its own problems as well: mostly the layering violations 
  (high level interfaces often don't know the safe array index range) can create 
  worse bugs and more fragility than what is being fixed ...

- If it's "thousands" then it _clearly_ won't scale and we probably need compiler 
  help: i.e. a compiler that tracks ranges and automatically sanitizes indices. 
  This will have some performance effect, but should result in almost immediate 
  correctness.

Also, IMHO any tooling should very much be open source: this isn't the kind of bug 
that can be identified via code review, so there's no fall-back detection method 
like we have for buffer overflows.

Anyway, the approach taken very much depends on the order of magnitude of such 
affected array users we are targeting ...

Thanks,

	Ingo