Received: by 10.213.65.68 with SMTP id h4csp971208imn;
        Wed, 4 Apr 2018 10:15:51 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4+XCSd2gqFHxt+TFfAl7mP8AMXnOh/wkgwehrbnPh7pGbbgsKH9IGNIquIg1pq9IXux6hz6
X-Received: by 10.99.125.19 with SMTP id y19mr12541678pgc.125.1522862151790;
        Wed, 04 Apr 2018 10:15:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522862151; cv=none;
        d=google.com; s=arc-20160816;
        b=B4wMB/FvlrReXZdgjITuJ2wOF12QaLqw6ZFn0x33hSwHDNbhwYo6eXgJM2Yj8SMyoa
         PUOwbT91ZJr7b/+/ww5t9y7GmlCwtP20XHowkcARtUWkbcuE0D8yoSamZHj1Lh3MlnZJ
         7a/Auk5rP32lD3K2RteZGzV06vVnxtJIUpag29D+nRHyko4b4DzSlHNVhfYREiclkJlL
         30Fn/8AOzN3ZS+df0ez+dcERwSA6bjv4oQeaakiR30OIYEJdX6eBxC267xVG6FrI1PGT
         pRJwSZkqfIgaIhps1I506X5t2aPxQNUNTLXZtQ+j0gSbs52DAS1i4owd2kPc3frGvyBO
         QZdw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=uLBES9rVO65pBo26Z3dg65RT+Ate0Kli9koibkvUH7k=;
        b=m4Li8GKUlJ8KHXDZ0TcberBiMuSWNL51rnJ+4y+pnjJVHFjYy9IYKLpBn7/mwEfKlE
         Ny39lVwExiEBvvNFnhjnrYZcAf0IxfKNRD1lVsMzEJjX7dS+w2s5VvPcLxefcI2OGlrR
         J1K9f7vFD/E/Z0jVgqnDE458j9ilTjYsnl9eP1v+m/CrWMx5Ox0UTpvOpqeFT5qSQv8b
         AXr/LNdrl7LHGyoxn0OJImclLlZpFDdfZA+/uQo1ECSxiiK+xf/r16qCuLazRb7kFc7I
         ww8O0E5GcpDCrsNXNNUHqeS9EB7Ja+yObLIheyrOzMo8cn3UOwgtPcwJjMFk3cR5i3cD
         pAOA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=HOv4R2wC;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=AJ5/uyRn;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l63-v6si5970546plb.466.2018.04.04.10.15.37;
        Wed, 04 Apr 2018 10:15:51 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=HOv4R2wC;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=AJ5/uyRn;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752786AbeDDRNP (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Wed, 4 Apr 2018 13:13:15 -0400
Received: from mail-it0-f65.google.com ([209.85.214.65]:51733 "EHLO
        mail-it0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752421AbeDDRNN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 4 Apr 2018 13:13:13 -0400
Received: by mail-it0-f65.google.com with SMTP id b5-v6so18315643itj.1
        for <linux-kernel@vger.kernel.org>; Wed, 04 Apr 2018 10:13:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=uLBES9rVO65pBo26Z3dg65RT+Ate0Kli9koibkvUH7k=;
        b=HOv4R2wCCVKCE8BoOk5uU8PgoGCzy+9Q4ta4zVK+v4B7In8M0fwfMRkZcvKZCtPu7A
         QURL5nkRKR45f36W1NxOQZJU1hKP45RfQPUs/HEi+mm6Eah/KGpZF45QKGGljljYfeLK
         Snv93ZVR0SsK39ZdSJzQ43DaSHny5g88bb44kQ+UDZNwtJ36Q+l+4YDAWHI/64XgLGn0
         UrHD7QdMbXYciS0I9Cp5p6kGKjSNovr/ViXuGOgWUb/TWSGDOL6WoZH68JhGtZDG/rzt
         UBVw4OFbTpyQh3BoWLkYCDKWkckIGXGm87+HSAGQ4cq8TlF/NTJU9mr1pwiaW2g3d+3w
         eOOw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=uLBES9rVO65pBo26Z3dg65RT+Ate0Kli9koibkvUH7k=;
        b=AJ5/uyRnCsKBG87l2jhhX4VkXaX4gzF06f/lQaeitnVnfg2ar2ZUX1MsndaCIcc33J
         jzFq7xdl9jH7Lq5oM4w8P3dUEcWL0nN2n8T/64JiR2c+f6NlAZqqLl+jO267yhhcbwEi
         jFStCKIJQqFwdZMUdUNmFDvoL5rb2KVUNWIlQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=uLBES9rVO65pBo26Z3dg65RT+Ate0Kli9koibkvUH7k=;
        b=ckU1MH5RWQZ/72aUTQhkTs5FX4SqFlo5LyuD+xlsN//oWtk+ZZWLyK8bU7opEFQMIs
         OANdYx2JD9QMWIp0Z54IuuGQKcyNSaIIeMTaalBJkYcK+llJmnAXr5TcBfXcgrYd4pEA
         9pucf2x6alXMWP+2ULgn5fbYZZf9GuVSzZZYGVFaueyfNZPdMP/WNABJuvBtBsGvjgz9
         GA1cKl8gClNR0/4Fw1WU+zhjw+nmy3biy5bHgMIHKoixRHYBKLPXPCGyUn/xHc1EgOUg
         keh7X/pXHk194G0sG3kxaCuVmambzTkzPiagKatKceimASTKThqDLjwcAbdaRCvxxwRU
         9GPg==
X-Gm-Message-State: ALQs6tDVl42FkOeO0VENKkOCHG+V15iBINOguk3NZJCISkQ/YpNw8Qo+
        L3apmba3nrC8PDPZw4n6bMkMZ7KDdT2pimvEzjg=
X-Received: by 2002:a24:5b02:: with SMTP id g2-v6mr10506134itb.100.1522861992976;
 Wed, 04 Apr 2018 10:13:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.95.15 with HTTP; Wed, 4 Apr 2018 10:13:12 -0700 (PDT)
In-Reply-To: <CAKwvOdkjB2LGXGn-9chPDtGyVmw9JF1FZ1ZBjSKEtK7BqbwF2g@mail.gmail.com>
References: <20180402095033.nfzcrmxvpm46dhbl@gmail.com> <CA+55aFzV8L-uv9706ryJ2mP9VGBuzqFVPu1cgYY+sZAtDAroqg@mail.gmail.com>
 <20180403085904.GY4082@hirez.programming.kicks-ass.net> <20180403095118.rpf7tj577dppvx7d@gmail.com>
 <20180403180658.GE87376@google.com> <CAKwvOdkaBNTyNjackJcWYkdfwyR2wjAruMFqN8LuYqC8V0ii_A@mail.gmail.com>
 <20180404093823.GC25996@kroah.com> <CAKwvOdkjB2LGXGn-9chPDtGyVmw9JF1FZ1ZBjSKEtK7BqbwF2g@mail.gmail.com>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed, 4 Apr 2018 10:13:12 -0700
X-Google-Sender-Auth: yvxERTsyduEGpPz8Iu_eTaWzgRs
Message-ID: <CA+55aFyZA5t-+OyzSDDPGjDoaKsh=Erz8zuoEdDo7hOCBU6ZfQ@mail.gmail.com>
Subject: Re: [GIT PULL] x86/build changes for v4.17
To:     Nick Desaulniers <ndesaulniers@google.com>
Cc:     Greg KH <gregkh@linuxfoundation.org>,
        Matthias Kaehlcke <mka@chromium.org>,
        Ingo Molnar <mingo@kernel.org>,
        Peter Zijlstra <peterz@infradead.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Andrew Morton <akpm@linux-foundation.org>,
        James Y Knight <jyknight@google.com>,
        Chandler Carruth <chandlerc@google.com>,
        Stephen Hines <srhines@google.com>,
        Kees Cook <keescook@google.com>, groeck@chromium.org,
        Greg Hackmann <ghackmann@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 4, 2018 at 9:49 AM, Nick Desaulniers
<ndesaulniers@google.com> wrote:
>
> It's definitely something curious that I'll need to sit down and investigate
> more.  If there are other known instances, it would be good to let me know.

Note that we explicitly use "-fno-delete-null-pointer-checks" because
we do *not* want NULL pointer check removal even in the case of a bug.

See commit a3ca86aea507 ("Add '-fno-delete-null-pointer-checks' to gcc
CFLAGS") for the reason: we had buggy code that accessed a pointer
before the NULL pointer check, but the bug was "benign" as long as the
compiler didn't actually remove the check.

And note how the buggy code *looked* safe. It was doing the right
check, it was just that the check was hidden and disabled by another
bug.

Removing the NULL pointer check turned a benign bug into a trivially
exploitable one by just mapping user space data at NULL (which avoided
the kernel oops, and then made the kernel use the user value!).

Now, admittedly we have a ton of other security features in place to
avoid these kinds of issues - SMAP helps on the hardware side, and not
allowing users to mmap() NULL in the first place helps with most
distributions, but the point remains: the kernel generally really
doesn't want optimizations that are perhaps allowed by the standard,
but that result in code generation that doesn't match the source code.

The NULL pointer removal is one such thing: don't remove checks in the
kernel based on "standard says". It's ok to do optimizations that are
based on "hardware does the exact same thing", but not on "the
standard says this is undefined so we can remove it".

Other examples of where the kernel doesn't want the compiler to do
"the standard says this is undefined so I can take shortcuts" include:

 -fno-strict-aliasing: the standard is just wrong and full of shit,
and the misguided type-based aliasing can cause serious problems for
the kernel (but also other code)

 -fno-strict-overflow: again, this is a stupid optimization that
purely depends on the compiler generating faster code by generating
incorrect code.

The one I'm actually upset about is when a compiler goes even
*further* and does things that are NOT EVEN allowed by the paper
standard, much less by real code.

The fact that clang by default enables "-fmerge-all-constants"
behavior is just inexcusable. That's not just "let's do invalid
optimizations based on undefined behavior". That's an actual "let's do
known invalid optimizations that are explicitly disallowed even by the
standard".

             Linus