Received: by 10.223.185.116 with SMTP id b49csp4972104wrg; Wed, 7 Mar 2018 04:21:49 -0800 (PST) X-Google-Smtp-Source: AG47ELs7N9ULKAHG/ehew7vOS5oSzCLhFsSNJq4LCLsXZhaqE0LqQO+7wt29BcqipcVOhytVHuxK X-Received: by 10.99.151.26 with SMTP id n26mr18113899pge.370.1520425309683; Wed, 07 Mar 2018 04:21:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520425309; cv=none; d=google.com; s=arc-20160816; b=HdE6RNqxqx1I+5PE2WCOQGG7pLSOd1Bu06hQ3j4M2a67wH20A1hNZ8ezBYAK8aTrLu RN6wSus5u2kdGLlCZ87FyowUj1z2O3teHrrggk8jhVtvGZT40/acTOnBgrv4XGVQI7x2 3zSXGXMKYa3OVHpVVn5DrLmJ0UUzaoxrHJ7bhzdA2URzT3TuYuZQj8jMlbF6HvkWp4Eu iB50JX4iA5xbTgKFLbbauS+JHCJOfXWuGBwMH3X6aVyDexuW+Q3KHdL1bCFGtgB7FJoY 6iD5xQzchjXPy1yf8JBTarlckP4vDz+n0eStQnBa01kgjBBG+p1o/EgaF7F39a+wDR3o idpA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=apJ14rDiFQPESbYTqvS2UyPhvyMc7h8KErimryFnfxg=; b=W+htKw6gwMoF3DyD5uHpAoYHG6FXS719+kgNdzSSGVK+PXQcvnVsWKPYYufF2gm2IQ 0N0bdXUaUrehK9AgbNkXLwIfR1AlKh058ay9fpj4NDYu2fANcXVdMt5tm00PWAAIaSbc bXY8BfjaJzElFLVxJxqKRfY4fWqB4pR8SKfi5Y477M87ANBlcwd+ErqWccqFkvG0vsLH VIJL8PGVgpLE8HE37oGa0wxAp5u/prEYCu1hGpPuKrpetZC331ZOToInKohGGawtccT5 5C0bCrhtngfTKva9pZUTXq27BLNlfF8jkkuCyB9rjTMJQm1vlGAdzos+uMO5LqxYN/or lzpQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=V3cC9siD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q87si13678902pfa.385.2018.03.07.04.21.35; Wed, 07 Mar 2018 04:21:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=V3cC9siD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754280AbeCGMUl (ORCPT + 99 others); Wed, 7 Mar 2018 07:20:41 -0500 Received: from mail-qt0-f170.google.com ([209.85.216.170]:42819 "EHLO mail-qt0-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751150AbeCGMUj (ORCPT ); Wed, 7 Mar 2018 07:20:39 -0500 Received: by mail-qt0-f170.google.com with SMTP id t6so2304875qtn.9 for ; Wed, 07 Mar 2018 04:20:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=apJ14rDiFQPESbYTqvS2UyPhvyMc7h8KErimryFnfxg=; b=V3cC9siDrF7CwfIJ/THQKSTNMh1fXHdLul4PUJQwhtsXRlRVKVTlpJ5vH6yrvzt1c2 94yWdVEpU3B1sYg+lXZ7lWvhcXmkaQ/4DNuGh6kfplEX+wwuQ7G+8ImRZmXMC/BJSVLr 8jxe2rtt86U6V92fGqvWdwj6zLSYnH/rMXvhtg90zVRuMIkwIkpf0RuCzRq0k+JBD+1T pdESjsSZa3/BMFVMcR5+6Vg5ujmUun4wSKosRexYD24aa0U+rHEzl5ETw4I20JvvJVKK KX2gVdUp+O17bRFchFoCa+CuT8Rip0NlVtIc3BvkLY5juT/Xe7DLn1KLZcvc9YHOQAdQ NfWA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=apJ14rDiFQPESbYTqvS2UyPhvyMc7h8KErimryFnfxg=; b=iMosAMiyARbT1nWjUEJyiB/GF8vvS7dFv6NIvyOe0hEt/6Z6XXbVSPyZ0iIyTXcuDJ eiC+H9M7+5Unjq/NoQeAuOYa47/6+nV7aVGsDILqiq9wcbzZAZn8A7eZD57S6w/BBSMZ NdKS0fvltuultN0euVmVPkIODECWAhhfEgsM8b18v0+Drmd+QQmchZY7PhznwECQA15j jScE0bZHXxjASqIn9cjpy8Og+uAp3pWzUXdom3+U/SeBTcsNnPGi2tO8lVxvMDdFTjo8 CWFXS9B1BX8lz3MOr+J26AUKiQDmp9kjqlD+hJh1yG0R3yK9XBC/Qfn+N1HSa8yhheFI gKTg== X-Gm-Message-State: AElRT7HHZrRX+LN+m3a7PeO2qwAvBPMOHAAMyj7JO9LU3uNZmOeaYveY gx5iQucDJc78meV3+C+gqVKZvL1sMtkqmSGNTrA= X-Received: by 10.237.36.170 with SMTP id t39mr34903612qtc.136.1520425238727; Wed, 07 Mar 2018 04:20:38 -0800 (PST) MIME-Version: 1.0 Received: by 10.200.52.247 with HTTP; Wed, 7 Mar 2018 04:20:18 -0800 (PST) In-Reply-To: References: <20180217191035.gol4woxsgzpo4bfq@gmail.com> From: Miguel Ojeda Date: Wed, 7 Mar 2018 13:20:18 +0100 Message-ID: Subject: Re: [PATCH] Support the nonstring variable attribute (gcc >= 8) To: Martin Sebor Cc: Arnd Bergmann , David Rientjes , Ingo Molnar , Josh Poimboeuf , Kees Cook , Andrew Morton , Thomas Gleixner , Geert Uytterhoeven , Greg KH , "Lendacky, Thomas" , Will Deacon , linux-kernel , Willy Tarreau , Xiongfeng Wang Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 5, 2018 at 8:05 PM, Martin Sebor wrote: > On 03/02/2018 10:36 AM, Miguel Ojeda wrote: >> >> On Thu, Mar 1, 2018 at 10:57 AM, Arnd Bergmann wrote: >>> >>> On Mon, Feb 19, 2018 at 1:01 AM, Miguel Ojeda >>> wrote: >>>> >>>> On Mon, Feb 19, 2018 at 12:20 AM, David Rientjes >>>> wrote: >>>>> >>>>> On Sat, 17 Feb 2018, Miguel Ojeda wrote: >>>>> >>>>>> From the GCC manual: >>>>>> >>>>>> The nonstring variable attribute specifies that an object or member >>>>>> declaration with type array of char or pointer to char is intended to >>>>>> store character arrays that do not necessarily contain a terminating >>>>>> NUL >>>>>> character. This is useful in detecting uses of such arrays or pointers >>>>>> with functions that expect NUL-terminated strings, and to avoid >>>>>> warnings >>>>>> when such an array or pointer is used as an argument to a bounded >>>>>> string >>>>>> manipulation function such as strncpy. >>>>>> >>>>>> https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html >>>>>> >>>>>> Some reports are already coming to the LKML regarding these >>>>>> warnings. When they are false positives, we can use __nonstring to let >>>>>> gcc know a NUL character is not required; like in this case: >>>>>> >>>>>> https://lkml.org/lkml/2018/1/16/135 >>>>>> >>>>>> Signed-off-by: Miguel Ojeda >>>>>> Cc: Ingo Molnar >>>>>> Cc: Josh Poimboeuf >>>>>> Cc: Kees Cook >>>>>> Cc: Andrew Morton >>>>>> Cc: Geert Uytterhoeven >>>>>> Cc: Will Deacon >>>>>> Cc: Greg Kroah-Hartman >>>>>> Cc: David Rientjes >>>>> >>>>> >>>>> I would have expected to have seen __nonstring used somewhere as part >>>>> of >>>>> this patch. >>>> >>>> >>>> Do you mean to expand the commit message with an actual code example >>>> instead of the links to the docs and the discussion about the report? >>>> Otherwise, if you mean in the actual commit, I think in that case it >>>> should be a patch series, not a single commit. >>>> >>>> In any case, the key point here is to agree on the short-term policy: >>>> i.e. whether we want to disable the upcoming warning or try to take >>>> advantage of it (which not *necessarily* implies using __nonstring, >>>> there are other workarounds; though where applicable, __nonstring is >>>> probably the right thing to use). >>> >>> >>> What David was asking for is to have a couple of users of the >>> __nonstring attribute in places for which it is the right solution. >>> >> >> I understood :-) My question was regarding where he was asking to see it. >> >>> I would suggest making it a patch series, with patch 1/x introducing >>> the attribute (i.e. your patch), and followed by additional patches >>> that add the attribute to individual header files or drivers for which >>> it is the right solution. >> >> >> Yep, that is what I suggested too. >> >>> >>> When I looked at the warning, I found that we have around 120 file >>> for which we warn. The majority of them are actually questionable >>> uses of strncpy() that probably should have been strscpy(), but >>> most of those do not actually cause undefined behavior. >> >> >> Then it looks like enabling the warning by default is useful and not >> too noisy (at least for just char). >> >>> >>> A smaller number like the example from ext4 are nonstrings >>> (i.e. character arrays without nul-termination) that would benefit >>> from the nonstring attribute. About half of those are actually >>> arrays of u8/__u8/uint8_t/__uint8_t for which the currently >>> implemented nonstring attribute is invalid, and it seems odd >>> to convert those to 'char', e.g. >>> >>> struct ext4_super_block { >>> __le32 s_first_error_time; /* first time an error happened >>> */ >>> __le32 s_first_error_ino; /* inode involved in first error >>> */ >>> __le64 s_first_error_block; /* block involved of first error >>> */ >>> - __u8 s_first_error_func[32]; /* function where the error >>> happened */ >>> + char s_first_error_func[32] __nonstring; /* function >>> where the error happened */ >>> __le32 s_first_error_line; /* line number where error >>> happened */ >>> __le32 s_last_error_time; /* most recent time of an error >>> */ >>> __le32 s_last_error_ino; /* inode involved in last error >>> */ >>> __le32 s_last_error_line; /* line number where error >>> happened */ >>> __le64 s_last_error_block; /* block involved of last error >>> */ >>> - __u8 s_last_error_func[32]; /* function where the error >>> happened */ >>> + char s_last_error_func[32] __nonstring; /* function >>> where the error happened */ >>> >>> doesn't feel right. Maybe we can extend gcc to also accept >>> the attribute on arrays of other 8-bit types. >> >> >> Hum... On one hand, the warning is meant to protect against misuses of >> the typical string handling functions, and those take pointers to >> char. Therefore, one could argue that using signed or unsigned char >> already marks an array/pointer as "not a string" (for the purposes of >> the attribute). >> >> On the other hand, people *will* call string handling functions with >> signed and unsigned char, and for those cases, it is useful to have >> the warning nevertheless and being able to annotate those arrays with >> nonstring, which is also good documentation-wise. On top of that, C >> specifies char as equivalent to either signed or unsigned char (even >> if it is a distinct type), so one could argue it should work for the >> three types anyway. >> >> Given that 1) this is a warning that can disabled just fine and that >> 2) we already have real life cases using nonstring, non-char arrays >> calling typical string handling functions, I would favor supporting >> the warning and the attribute for all the three types. >> >>> >>>> [By the way, CC'ing Xiongfeng, Willy and Arnd, since they were >>>> involved in the example report; sorry guys!]. >>> >>> >>> Martin Sebor also asked me about this, he's the one that worked on >>> the gcc code that introduced the warning. Sorry for not replying earlier. >>> >> >> Maybe you can pass this to him? (maybe open a bug in gcc's bugzilla?) > > > I've opened bug 84725 to extend attribute nonstring to the other > two character types: > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84725 > Thanks Martin! Please let us know whenever it is in the gcc trunk. Meanwhile I will send a v2 with the auxdisplay original use as an example for __nonstring in a second patch. Cheers, Miguel > Thanks > Martin > > >> >>> For a complete list of affected files, see https://pastebin.com/eWFQf58i >>> this is what I come up with by doing randconfig builds, but I have not >>> tried to submit additional patches here, since I'm sure that a lot of >>> those are wrong -- they need a much closer inspection to decide which >>> ones are actual bugs vs harmless warnings, and which ones should >>> use strscpy()/strlcpy() vs a nonstring annotation or a rewrite of that >>> function. >> >> >> Indeed -- nice work anyway finding those. If we agree on getting the >> nonstring attribute, maybe you can send that patch as an RFC to ping >> the respective maintainers? >> >> Thanks, >> Miguel >> >