Received: by 10.223.185.116 with SMTP id b49csp2939597wrg; Mon, 5 Mar 2018 11:06:46 -0800 (PST) X-Google-Smtp-Source: AG47ELs1uF4RiAEfLTtoxk3/mVSZUfGKq11dsnDuUVsGg+6ly0/P2DPQ91QUoWPpXlUIhg+l3x8v X-Received: by 2002:a17:902:8b88:: with SMTP id ay8-v6mr14171738plb.197.1520276806220; Mon, 05 Mar 2018 11:06:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520276806; cv=none; d=google.com; s=arc-20160816; b=q7cjulhtR4wMcQV3aG374l0mmtCN5zCeyrRd8YriQdstbcZr1kcuTdqqMlFpT5cvfJ fUx8jSy9ySq4kFb6Nqo9FGwUKGX+HyQbSu/IEK5acFNAzQsaWcsskBkzWR93SgOObXnp 6ilzTqVaBPKsGgk8Xxv2P5IprV9lIGgcFC0Y/z3X9Uf7Zr1xNFXrpBE7+7PQl6PbnOTL j+bbrjquf/VIG8u5FYEDL7Cf9H0KOJdUHcNdfojREKzOFgQeQ2uNMTrJPhMZPCBu6+rq 3Hvi9EyUemFc/e/cWF90B/JTWk5wvjClHgEu/qUOs+SSM+qE+uACbNiijhMUWO/4a9hQ sxEw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:cc:references:to :subject:dkim-signature:arc-authentication-results; bh=pniLxOrhwMAG0kPJ33kQigGEpdRMZYJwM4BwBXo+TeQ=; b=HpYa3A6BmZ49Q37rgT4fCjZ/eaFfkswLhS/h0ZLH/fIW6Vj3hZsipgIMzaoE+A0/bR 1Fkih2kiT5ufRl1kmczitlh60dDytBHI2Mp1RF1WtPdnQucFKGFliFB0zIaD9tSW9lkQ U5eJbz1ocQghlDyGulUCjHH9bluOmzc4zcc5x9gl7U32zmHSI70Z+YI2Ae2MUkrWcuyD VXcA32vpJhZfi6cZNqrVIplBkKx9yTvYNNxLdVpZZX+kHLq/O7SFo+WczB0zUAg52sIE L5TRm7j0P6ZWl+hoTLaxwDeCVYMgLV0gLOI6R/yCB6QpXMsRhJ+OuK/QreV/GmD7SbvN twIw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=KAsQp5Zh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i9si10653770pfi.150.2018.03.05.11.06.31; Mon, 05 Mar 2018 11:06:46 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=KAsQp5Zh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752719AbeCETF1 (ORCPT + 99 others); Mon, 5 Mar 2018 14:05:27 -0500 Received: from mail-ot0-f174.google.com ([74.125.82.174]:39411 "EHLO mail-ot0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751462AbeCETF0 (ORCPT ); Mon, 5 Mar 2018 14:05:26 -0500 Received: by mail-ot0-f174.google.com with SMTP id h8so15956889oti.6 for ; Mon, 05 Mar 2018 11:05:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=pniLxOrhwMAG0kPJ33kQigGEpdRMZYJwM4BwBXo+TeQ=; b=KAsQp5Zhp7/DHqSHTNbAInGXPBoTEIFxyAbr4qihPIhU8UipMMzvAZE+LP0TslLbFu QAH61p0iKGEJ9Yl0JNwgWugHIdafCxv20VFjjpQn9qHY/ZeoQvjG9MekaE6ASH/LmlDL GRJfEO8NOvf2Ck6Yu2jDtlkBNV9eci/5a+vCcNfrhCSeCa9CRbglI1DPQ08Zh9SzlqO2 SmlNdxpf0k7us1PRFKTCM0idnGRhUm8Fg0wVYusHR1MdB7DckYHHiKvI1v180H1UTKbO hGkQpcJdy6Udr2SbZ76fdsOY3UHClzjw3pJtJtXK4ubcrXHcXVjMkkqF6iYlsrLiHqoD dc9Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=pniLxOrhwMAG0kPJ33kQigGEpdRMZYJwM4BwBXo+TeQ=; b=klCOz4cIvYyoFjrkt0BM5sOy5O6TH4D5+3dbvngxtA1TbSdQ8p5NFkWdKMhIV47NWf PItcdP5S/Kl/F/ctXQkviTxy9W2VazpGB/DjDuzuXDFIpnU3hvYrR8uXZzIhNjV5uNJ3 9gl9KBRXNZ65kC+KqkGQJy7KQsANhN+bnkhNJlZMY0ZqcTCsAnOqqm2P1RRLZMtx0q4t JkCohOoEUw5/pna4qdOW7kmi/SRvSug6F9QwBqeTw5D70VMimmjXQvAqSK3ymH1qRCeC cCyma7bsA4h1Ps2iSSlbaABYOkk+nOEkJ5WGozM0+tCWMzRg1Z8pfzvVaXAD0S7KdGGm /fuw== X-Gm-Message-State: APf1xPDIW7uWKReYZ0mqNy+qXr1IlqR7NujfSgrAoA+thCg591iV4YU8 vM/KMh50nbEqWfx/2qPFzB8= X-Received: by 10.157.29.185 with SMTP id y54mr10463153otd.367.1520276725408; Mon, 05 Mar 2018 11:05:25 -0800 (PST) Received: from localhost.localdomain (71-218-18-146.hlrn.qwest.net. [71.218.18.146]) by smtp.gmail.com with ESMTPSA id j5sm4823860otc.45.2018.03.05.11.05.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 05 Mar 2018 11:05:24 -0800 (PST) Subject: Re: [PATCH] Support the nonstring variable attribute (gcc >= 8) To: Miguel Ojeda , Arnd Bergmann References: <20180217191035.gol4woxsgzpo4bfq@gmail.com> Cc: David Rientjes , Ingo Molnar , Josh Poimboeuf , Kees Cook , Andrew Morton , Thomas Gleixner , Geert Uytterhoeven , Greg KH , "Lendacky, Thomas" , Will Deacon , linux-kernel , Willy Tarreau , Xiongfeng Wang From: Martin Sebor Message-ID: Date: Mon, 5 Mar 2018 12:05:22 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 03/02/2018 10:36 AM, Miguel Ojeda wrote: > On Thu, Mar 1, 2018 at 10:57 AM, Arnd Bergmann wrote: >> On Mon, Feb 19, 2018 at 1:01 AM, Miguel Ojeda >> wrote: >>> On Mon, Feb 19, 2018 at 12:20 AM, David Rientjes wrote: >>>> On Sat, 17 Feb 2018, Miguel Ojeda wrote: >>>> >>>>> From the GCC manual: >>>>> >>>>> The nonstring variable attribute specifies that an object or member >>>>> declaration with type array of char or pointer to char is intended to >>>>> store character arrays that do not necessarily contain a terminating NUL >>>>> character. This is useful in detecting uses of such arrays or pointers >>>>> with functions that expect NUL-terminated strings, and to avoid warnings >>>>> when such an array or pointer is used as an argument to a bounded string >>>>> manipulation function such as strncpy. >>>>> >>>>> https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html >>>>> >>>>> Some reports are already coming to the LKML regarding these >>>>> warnings. When they are false positives, we can use __nonstring to let >>>>> gcc know a NUL character is not required; like in this case: >>>>> >>>>> https://lkml.org/lkml/2018/1/16/135 >>>>> >>>>> Signed-off-by: Miguel Ojeda >>>>> Cc: Ingo Molnar >>>>> Cc: Josh Poimboeuf >>>>> Cc: Kees Cook >>>>> Cc: Andrew Morton >>>>> Cc: Geert Uytterhoeven >>>>> Cc: Will Deacon >>>>> Cc: Greg Kroah-Hartman >>>>> Cc: David Rientjes >>>> >>>> I would have expected to have seen __nonstring used somewhere as part of >>>> this patch. >>> >>> Do you mean to expand the commit message with an actual code example >>> instead of the links to the docs and the discussion about the report? >>> Otherwise, if you mean in the actual commit, I think in that case it >>> should be a patch series, not a single commit. >>> >>> In any case, the key point here is to agree on the short-term policy: >>> i.e. whether we want to disable the upcoming warning or try to take >>> advantage of it (which not *necessarily* implies using __nonstring, >>> there are other workarounds; though where applicable, __nonstring is >>> probably the right thing to use). >> >> What David was asking for is to have a couple of users of the >> __nonstring attribute in places for which it is the right solution. >> > > I understood :-) My question was regarding where he was asking to see it. > >> I would suggest making it a patch series, with patch 1/x introducing >> the attribute (i.e. your patch), and followed by additional patches >> that add the attribute to individual header files or drivers for which >> it is the right solution. > > Yep, that is what I suggested too. > >> >> When I looked at the warning, I found that we have around 120 file >> for which we warn. The majority of them are actually questionable >> uses of strncpy() that probably should have been strscpy(), but >> most of those do not actually cause undefined behavior. > > Then it looks like enabling the warning by default is useful and not > too noisy (at least for just char). > >> >> A smaller number like the example from ext4 are nonstrings >> (i.e. character arrays without nul-termination) that would benefit >> from the nonstring attribute. About half of those are actually >> arrays of u8/__u8/uint8_t/__uint8_t for which the currently >> implemented nonstring attribute is invalid, and it seems odd >> to convert those to 'char', e.g. >> >> struct ext4_super_block { >> __le32 s_first_error_time; /* first time an error happened */ >> __le32 s_first_error_ino; /* inode involved in first error */ >> __le64 s_first_error_block; /* block involved of first error */ >> - __u8 s_first_error_func[32]; /* function where the error happened */ >> + char s_first_error_func[32] __nonstring; /* function >> where the error happened */ >> __le32 s_first_error_line; /* line number where error happened */ >> __le32 s_last_error_time; /* most recent time of an error */ >> __le32 s_last_error_ino; /* inode involved in last error */ >> __le32 s_last_error_line; /* line number where error happened */ >> __le64 s_last_error_block; /* block involved of last error */ >> - __u8 s_last_error_func[32]; /* function where the error happened */ >> + char s_last_error_func[32] __nonstring; /* function >> where the error happened */ >> >> doesn't feel right. Maybe we can extend gcc to also accept >> the attribute on arrays of other 8-bit types. > > Hum... On one hand, the warning is meant to protect against misuses of > the typical string handling functions, and those take pointers to > char. Therefore, one could argue that using signed or unsigned char > already marks an array/pointer as "not a string" (for the purposes of > the attribute). > > On the other hand, people *will* call string handling functions with > signed and unsigned char, and for those cases, it is useful to have > the warning nevertheless and being able to annotate those arrays with > nonstring, which is also good documentation-wise. On top of that, C > specifies char as equivalent to either signed or unsigned char (even > if it is a distinct type), so one could argue it should work for the > three types anyway. > > Given that 1) this is a warning that can disabled just fine and that > 2) we already have real life cases using nonstring, non-char arrays > calling typical string handling functions, I would favor supporting > the warning and the attribute for all the three types. > >> >>> [By the way, CC'ing Xiongfeng, Willy and Arnd, since they were >>> involved in the example report; sorry guys!]. >> >> Martin Sebor also asked me about this, he's the one that worked on >> the gcc code that introduced the warning. Sorry for not replying earlier. >> > > Maybe you can pass this to him? (maybe open a bug in gcc's bugzilla?) I've opened bug 84725 to extend attribute nonstring to the other two character types: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84725 Thanks Martin > >> For a complete list of affected files, see https://pastebin.com/eWFQf58i >> this is what I come up with by doing randconfig builds, but I have not >> tried to submit additional patches here, since I'm sure that a lot of >> those are wrong -- they need a much closer inspection to decide which >> ones are actual bugs vs harmless warnings, and which ones should >> use strscpy()/strlcpy() vs a nonstring annotation or a rewrite of that >> function. > > Indeed -- nice work anyway finding those. If we agree on getting the > nonstring attribute, maybe you can send that patch as an RFC to ping > the respective maintainers? > > Thanks, > Miguel >