Received: by 10.223.185.116 with SMTP id b49csp9049804wrg; Fri, 2 Mar 2018 12:23:09 -0800 (PST) X-Google-Smtp-Source: AG47ELtk6IEg2gVJLRlm5maoz4N4QU4oQhblk3YKc7l51BfS2Nm98IwPtp5gO19WytRms4NryS15 X-Received: by 10.101.65.5 with SMTP id w5mr5484319pgp.214.1520022189641; Fri, 02 Mar 2018 12:23:09 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520022189; cv=none; d=google.com; s=arc-20160816; b=cLjNlfaJgjQKrwS3dHZxF7qJZpt5oGPcsapSwHgFTch8E7QTARfk5qodMTIh69TFWS X+3NOrh+jU6p9xYNrl3XrmOL25iwa+VXVHnbIqwH0NEK9DZmEy0wzqXsBjOOLoATvA4b vV7l4IFoR2BoCe1w9mXYLhIHI0lfs1mytSGmCDHpsz28w4NgCaKgjOO026VDXjQgEUsS 5SGOeXeqXmRg28T0W8+QJJTAsp5XojqPn6j3PxxRZ9FoYeOPBFtFN8JUARk1orZn6aMs nlCZh8LkGw8PBpep0vPSCgaecY9HUKDAqHxp1Z63GFlh1KMr83DgZcfSB0BTu0mjPKNV vllQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=a/d5ZSwSas72Lj5n7kKBo2D7kvDqC4f/9CxmbUyUndA=; b=csXF6ZFKhixY14QOgEsNtkh+/YNZ0Rso3TDQfIvkc7d0dhhwVm/Ct0eUDFCTj71+uT N8DATqEIuDIt+gWzPfKc+NUXER8JF4xF45W9yN7GG4yu+/YuPOAgNmkoR3T7xph5GmaA XpZoVOev0z9H/2+tqapGHl2PnGNaVvqFgDrN6cSMZU/zAJLfkhnIl9m60b7/juB77q8Q 7HY5TGfrnWVGxI2wR/s/nk1PGDBIg79R5sFsZl2rf6EVE9DNbN+JFWa0r4C3D0fwGczQ vazuzoq35LM0K5MOF2wuFptRemJEXwzR2t9Kx80tl1TEBnB6K5qZ/z9dnJybmdEf8olL +ttA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=VAlw3IP0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w27si5434803pfl.142.2018.03.02.12.22.55; Fri, 02 Mar 2018 12:23:09 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=VAlw3IP0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1946699AbeCBRhA (ORCPT + 99 others); Fri, 2 Mar 2018 12:37:00 -0500 Received: from mail-qk0-f180.google.com ([209.85.220.180]:39111 "EHLO mail-qk0-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1946676AbeCBRg5 (ORCPT ); Fri, 2 Mar 2018 12:36:57 -0500 Received: by mail-qk0-f180.google.com with SMTP id z197so12891886qkb.6 for ; Fri, 02 Mar 2018 09:36:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=a/d5ZSwSas72Lj5n7kKBo2D7kvDqC4f/9CxmbUyUndA=; b=VAlw3IP0Q183xaFPD963gszn0v5QpvH7V2w7HVg15tOspzHCFOwz8wVMSUTagHgEd+ K55HNkJGiLgtyuW0gFbetAQxt+qrA496SWprAr0CyEHfQF81vHBiqgIDOIsChL4N64cL 1CqEuijle0QD+znHnH6gf6LLWi72ZwHFrPROj5Rd1xX0EzEDjayW3KKwQ3GS1J8fZV5X i8RMYle1mR+U1xTXjK5o/3iCYVM4UG7r9bw75MJ/AInB0N++dQclDrnQoMXHYdVo/JCF kikRO/lMfUFnp+NM8Xa4KfUM8JalQAh1ahTwwLfFpjkLG7TuzQ+auex3q4WHsYb61ckx JsCw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=a/d5ZSwSas72Lj5n7kKBo2D7kvDqC4f/9CxmbUyUndA=; b=PIpG40glAQLyWsvbuhRp+KtjPPU/M0DbQdcL2Kmj9PQAItWivFGY76yANx5rqaLvJq B8sUVN0VWaYJHF0yRneCOpqu/lkzPQtWdPO427d8cKUiozEVFU5goSlJtmqmonQ5dP9U Y/ya7vQGtOC32ywj02hrEnge6zgjbd4twtHeUtD9/BNfoJPrtDYmoNGOLdzmZUbpWOPR xsJPGuyc6ekBwJgAIpQs12JQuJEjoQtYVDtqnE7k4BkM+TAzFKkahr2Kbh9LbqaNs2SB Vs88ylUQw9EUmYLA7aPx6FszU/PFNyNOB6kDIOV/ZwKNB3+RrEUulwzRVMSiSGPc5920 N05w== X-Gm-Message-State: AElRT7GGMB0tg3qeVBAx1/iKp1ksR3ARfnVid9CH9AMjSTm9jVEYxjeP pMurXIVmemzp6/k4DWod+O8CSdljDBhpxCGQtZE= X-Received: by 10.55.105.6 with SMTP id e6mr9641648qkc.192.1520012216307; Fri, 02 Mar 2018 09:36:56 -0800 (PST) MIME-Version: 1.0 Received: by 10.200.52.247 with HTTP; Fri, 2 Mar 2018 09:36:35 -0800 (PST) In-Reply-To: References: <20180217191035.gol4woxsgzpo4bfq@gmail.com> From: Miguel Ojeda Date: Fri, 2 Mar 2018 18:36:35 +0100 Message-ID: Subject: Re: [PATCH] Support the nonstring variable attribute (gcc >= 8) To: Arnd Bergmann Cc: David Rientjes , Ingo Molnar , Josh Poimboeuf , Kees Cook , Andrew Morton , Thomas Gleixner , Geert Uytterhoeven , Greg KH , "Lendacky, Thomas" , Will Deacon , linux-kernel , Willy Tarreau , Xiongfeng Wang , Martin Sebor Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 1, 2018 at 10:57 AM, Arnd Bergmann wrote: > On Mon, Feb 19, 2018 at 1:01 AM, Miguel Ojeda > wrote: >> On Mon, Feb 19, 2018 at 12:20 AM, David Rientjes wrote: >>> On Sat, 17 Feb 2018, Miguel Ojeda wrote: >>> >>>> From the GCC manual: >>>> >>>> The nonstring variable attribute specifies that an object or member >>>> declaration with type array of char or pointer to char is intended to >>>> store character arrays that do not necessarily contain a terminating NUL >>>> character. This is useful in detecting uses of such arrays or pointers >>>> with functions that expect NUL-terminated strings, and to avoid warnings >>>> when such an array or pointer is used as an argument to a bounded string >>>> manipulation function such as strncpy. >>>> >>>> https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html >>>> >>>> Some reports are already coming to the LKML regarding these >>>> warnings. When they are false positives, we can use __nonstring to let >>>> gcc know a NUL character is not required; like in this case: >>>> >>>> https://lkml.org/lkml/2018/1/16/135 >>>> >>>> Signed-off-by: Miguel Ojeda >>>> Cc: Ingo Molnar >>>> Cc: Josh Poimboeuf >>>> Cc: Kees Cook >>>> Cc: Andrew Morton >>>> Cc: Geert Uytterhoeven >>>> Cc: Will Deacon >>>> Cc: Greg Kroah-Hartman >>>> Cc: David Rientjes >>> >>> I would have expected to have seen __nonstring used somewhere as part of >>> this patch. >> >> Do you mean to expand the commit message with an actual code example >> instead of the links to the docs and the discussion about the report? >> Otherwise, if you mean in the actual commit, I think in that case it >> should be a patch series, not a single commit. >> >> In any case, the key point here is to agree on the short-term policy: >> i.e. whether we want to disable the upcoming warning or try to take >> advantage of it (which not *necessarily* implies using __nonstring, >> there are other workarounds; though where applicable, __nonstring is >> probably the right thing to use). > > What David was asking for is to have a couple of users of the > __nonstring attribute in places for which it is the right solution. > I understood :-) My question was regarding where he was asking to see it. > I would suggest making it a patch series, with patch 1/x introducing > the attribute (i.e. your patch), and followed by additional patches > that add the attribute to individual header files or drivers for which > it is the right solution. Yep, that is what I suggested too. > > When I looked at the warning, I found that we have around 120 file > for which we warn. The majority of them are actually questionable > uses of strncpy() that probably should have been strscpy(), but > most of those do not actually cause undefined behavior. Then it looks like enabling the warning by default is useful and not too noisy (at least for just char). > > A smaller number like the example from ext4 are nonstrings > (i.e. character arrays without nul-termination) that would benefit > from the nonstring attribute. About half of those are actually > arrays of u8/__u8/uint8_t/__uint8_t for which the currently > implemented nonstring attribute is invalid, and it seems odd > to convert those to 'char', e.g. > > struct ext4_super_block { > __le32 s_first_error_time; /* first time an error happened */ > __le32 s_first_error_ino; /* inode involved in first error */ > __le64 s_first_error_block; /* block involved of first error */ > - __u8 s_first_error_func[32]; /* function where the error happened */ > + char s_first_error_func[32] __nonstring; /* function > where the error happened */ > __le32 s_first_error_line; /* line number where error happened */ > __le32 s_last_error_time; /* most recent time of an error */ > __le32 s_last_error_ino; /* inode involved in last error */ > __le32 s_last_error_line; /* line number where error happened */ > __le64 s_last_error_block; /* block involved of last error */ > - __u8 s_last_error_func[32]; /* function where the error happened */ > + char s_last_error_func[32] __nonstring; /* function > where the error happened */ > > doesn't feel right. Maybe we can extend gcc to also accept > the attribute on arrays of other 8-bit types. Hum... On one hand, the warning is meant to protect against misuses of the typical string handling functions, and those take pointers to char. Therefore, one could argue that using signed or unsigned char already marks an array/pointer as "not a string" (for the purposes of the attribute). On the other hand, people *will* call string handling functions with signed and unsigned char, and for those cases, it is useful to have the warning nevertheless and being able to annotate those arrays with nonstring, which is also good documentation-wise. On top of that, C specifies char as equivalent to either signed or unsigned char (even if it is a distinct type), so one could argue it should work for the three types anyway. Given that 1) this is a warning that can disabled just fine and that 2) we already have real life cases using nonstring, non-char arrays calling typical string handling functions, I would favor supporting the warning and the attribute for all the three types. > >> [By the way, CC'ing Xiongfeng, Willy and Arnd, since they were >> involved in the example report; sorry guys!]. > > Martin Sebor also asked me about this, he's the one that worked on > the gcc code that introduced the warning. Sorry for not replying earlier. > Maybe you can pass this to him? (maybe open a bug in gcc's bugzilla?) > For a complete list of affected files, see https://pastebin.com/eWFQf58i > this is what I come up with by doing randconfig builds, but I have not > tried to submit additional patches here, since I'm sure that a lot of > those are wrong -- they need a much closer inspection to decide which > ones are actual bugs vs harmless warnings, and which ones should > use strscpy()/strlcpy() vs a nonstring annotation or a rewrite of that > function. Indeed -- nice work anyway finding those. If we agree on getting the nonstring attribute, maybe you can send that patch as an RFC to ping the respective maintainers? Thanks, Miguel