From: Linus Torvalds
Date: Wed, 7 Mar 2018 10:09:56 -0800
Subject: Re: VLA removal (was Re: [RFC 2/2] lustre: use VLA_SAFE)
To: Kees Cook, Joern Engel
Cc: "Tobin C. Harding", "Tobin C. Harding", Kernel Hardening, Tycho Andersen, Oleg Drokin, Andreas Dilger, James Simmons, Greg Kroah-Hartman, LKML, Herbert Xu, Peter Zijlstra, Ingo Molnar, "Gustavo A. R. Silva"
List: linux-kernel@vger.kernel.org

On Wed, Mar 7, 2018 at 9:37 AM, Kees Cook wrote:
>
> Building with -Wvla, I see 209 unique locations reported in 60 directories:
> http://paste.ubuntu.com/p/srQxwPQS9s/

Ok, that's not so bad.
Maybe Greg could even add it to one of those things he encourages new people to do? Because at least *some* of them are pretty trivial.

For example, looking at the core code, I was surprised to see something in lib/btree.c

And that is just garbage: it uses

    unsigned long key[geo->keylen];

which looks really dangerous, but that "struct btree_geo" is internal to that file, and there are exactly three instances of it, with 32, 64 and 128 bit keys respectively.

Note that "keylen" isn't actually number of bits, but how many long-words you need. So in actual fact, that array is limited to that 128 bits - just 16 bytes. So keylen is at most 4 (on 32-bit architectures) or 2 (on 64-bit ones).

Using

    #define MAXKEYLEN BITS_TO_LONGS(128)

or something like that would be trivial. AND USING VLA'S IS ACTIVELY STUPID! It generates much more code, and much _slower_ code (and more fragile code), than just using a fixed key size would have done.

Ok, so lib/btree.c looks more core (by being in lib/) than it actually is - I don't see the 128-bit btree being used *anywhere*, and the others are only used by two drivers: the qla2xxx scsi driver and the bcm2835-camera driver in staging.

Anyway, some of these are definitely easy to just fix, and using VLA's is actively bad not just for security worries, but simply because VLA's are a really horribly bad idea in general in the kernel.

Added Jörn Engel to the cc, since I looked at that lib/btree.c thing.

But that is just three of the 209 instances. Some of the others might be slightly more painful to fix.

Linus
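The lib/btree.c replacement the message sketches, as an added example that is not code from lib/btree.c or from this thread: the `unsigned long key[geo->keylen]` VLA next to a fixed-size array bounded by `MAXKEYLEN BITS_TO_LONGS(128)`, plus the explicit range check a fixed array makes possible. BITS_TO_LONGS and DIV_ROUND_UP are re-defined here with the same meaning as the kernel macros so the file compiles without kernel headers; `struct btree_geo`, the three geometry objects and the copy helpers are simplified stand-ins, not the real definitions.

```c
/*
 * Added example, not code from lib/btree.c or from this thread. The
 * kernel macros BITS_TO_LONGS / DIV_ROUND_UP are re-defined with their
 * usual meaning so this compiles stand-alone; struct btree_geo and the
 * three geometries are assumed, simplified shapes.
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define BITS_PER_LONG      (CHAR_BIT * sizeof(unsigned long))
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
#define BITS_TO_LONGS(nr)  DIV_ROUND_UP(nr, BITS_PER_LONG)

/* Largest key any geometry uses is 128 bits: 4 longs on 32-bit, 2 on 64-bit. */
#define MAXKEYLEN BITS_TO_LONGS(128)

struct btree_geo {
    int keylen;   /* key length in longs, not bits */
};

/* Stand-ins for the 32-, 64- and 128-bit geometries the message describes. */
static const struct btree_geo btree_geo32  = { BITS_TO_LONGS(32)  };
static const struct btree_geo btree_geo64  = { BITS_TO_LONGS(64)  };
static const struct btree_geo btree_geo128 = { BITS_TO_LONGS(128) };

/* Before: frame size depends on geo->keylen at run time, so the compiler
 * emits stack-adjustment code and nothing bounds the array if keylen is
 * ever larger than the three geometries allow. */
static void key_copy_vla(const struct btree_geo *geo,
                         const unsigned long *src, unsigned long *dst)
{
    unsigned long key[geo->keylen];   /* VLA */

    memcpy(key, src, geo->keylen * sizeof(unsigned long));
    memcpy(dst, key, geo->keylen * sizeof(unsigned long));
}

/* After: a fixed 16-byte array whose size is known at compile time, with
 * an explicit check that refuses any keylen the geometries never use. */
static int key_copy_fixed(const struct btree_geo *geo,
                          const unsigned long *src, unsigned long *dst)
{
    unsigned long key[MAXKEYLEN];

    if (geo->keylen < 1 || geo->keylen > (int)MAXKEYLEN)
        return -EINVAL;
    memcpy(key, src, geo->keylen * sizeof(unsigned long));
    memcpy(dst, key, geo->keylen * sizeof(unsigned long));
    return 0;
}

/* Returns 1 if a geometry's key fits the fixed array, 0 otherwise. */
static int geo_keylen_fits(const struct btree_geo *geo)
{
    return geo->keylen >= 1 && geo->keylen <= (int)MAXKEYLEN;
}

/* Constructed round trip through the fixed-size copy for the 128-bit
 * geometry; returns 1 when every long survives intact. */
static int demo_roundtrip_128(void)
{
    unsigned long src[MAXKEYLEN], dst[MAXKEYLEN];
    int i;

    for (i = 0; i < (int)MAXKEYLEN; i++) {
        src[i] = 0xA5A5A5A5UL + (unsigned long)i;   /* constructed key words */
        dst[i] = 0;
    }
    if (key_copy_fixed(&btree_geo128, src, dst) != 0)
        return 0;
    return memcmp(src, dst, sizeof(src)) == 0;
}

/* Constructed geometry one long larger than any real one: must be refused. */
static int demo_reject_oversized(void)
{
    struct btree_geo bad = { (int)MAXKEYLEN + 1 };
    unsigned long src[MAXKEYLEN + 1] = { 0 }, dst[MAXKEYLEN + 1] = { 0 };

    return key_copy_fixed(&bad, src, dst) == -EINVAL;
}

int main(void)
{
    unsigned long src[MAXKEYLEN] = { 1 }, dst[MAXKEYLEN] = { 0 };

    key_copy_vla(&btree_geo64, src, dst);   /* the "before" form, for comparison */
    printf("MAXKEYLEN = %d longs (%zu bytes)\n", (int)MAXKEYLEN,
           MAXKEYLEN * sizeof(unsigned long));
    printf("roundtrip ok: %d, oversized rejected: %d\n",
           demo_roundtrip_128(), demo_reject_oversized());
    return 0;
}
```

The check in key_copy_fixed is what the VLA form cannot express: with a compile-time bound, a keylen outside the three known geometries becomes a refused call rather than an arbitrarily sized stack frame, and `MAXKEYLEN * sizeof(unsigned long)` comes out to the same 16 bytes on 32-bit and 64-bit builds.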