Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2261788imm;
        Tue, 4 Sep 2018 01:02:41 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdYQggWcWqot52rJmyvtzsguV3zX0RQjsZPV7bUOty4JEnILo2Q1NL/hcb/pLISLBMrGmFRU
X-Received: by 2002:a17:902:32f:: with SMTP id 44-v6mr32093898pld.15.1536048161018;
        Tue, 04 Sep 2018 01:02:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1536048160; cv=none;
        d=google.com; s=arc-20160816;
        b=jfj6u9l0y3YbvqIuKm/wB9PqnvyV7hZk5mzOpXvzx5rNfRSczoT2YA49baHu5jdNU1
         thx4jKKRVMpijY1QjI4pgCLw3l5254O1pgsfwYYtMKJi5lUutdwZeIlK6IrgxfLyGAHK
         J7/MNQD6Fl9FZ48+uikavQvugBfIbUOuq+HHcb3NYKEIkkDWpb4SGOWOV8sUuEtSMQxl
         uGWYTp6/SqVA4KQEqpsDHGxe15GoMNxRAHDWRy94hmUX3enin0rQvWehgO7pikWNXkSW
         Fak+ADxyp6jTHXfjCd1Ut+c3fo4fIDa5feEbdD5JKZXmxAw7TpjP2pxzSV/+YbgYlfyl
         QgYQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=gWqyMGf/XZ3NzFmcHJxupslVZet5mNzpfcJyocI+nVk=;
        b=oAwhIJj4H076f5MUytaB0oriQmq+0dxwFJGftXFkO0VrT0kDa8ndUcisT0D+hZ/N4m
         XUmB9xnjD0OGAnGnh7AEKdG0kI6tbc/zE/tWC7spB0Q+ZOyfMjjyOvgPefWi7XBYKZpO
         So+UX8LQh948zjhaRDLnO0yA60fcwZU4sujyOFezTFxcybqV0iPITeKPgbjjW6Diaqkk
         DKfG/E40uPbl9SBIudcQQZopMFpmEE/bPyMWbZRh4LJ5TvEvFuKS/VKlN7Dhf68OmoNY
         sFb6v8P+inYU5Mtnnqqu310rFMLRUAt4aq/4wwGWhI+IAqDB9V+nL2efiyCndCXPHVgD
         DU7g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b="o/AH2cYq";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p7-v6si22468460pll.42.2018.09.04.01.02.25;
        Tue, 04 Sep 2018 01:02:40 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b="o/AH2cYq";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726327AbeIDMYg (ORCPT <rfc822;zzmahb@gmail.com> + 99 others);
        Tue, 4 Sep 2018 08:24:36 -0400
Received: from mail-pf1-f193.google.com ([209.85.210.193]:44339 "EHLO
        mail-pf1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725990AbeIDMYg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 4 Sep 2018 08:24:36 -0400
Received: by mail-pf1-f193.google.com with SMTP id k21-v6so1279529pff.11
        for <linux-kernel@vger.kernel.org>; Tue, 04 Sep 2018 01:00:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=gWqyMGf/XZ3NzFmcHJxupslVZet5mNzpfcJyocI+nVk=;
        b=o/AH2cYqcFFOk458XBeyuP77/rLXrQinlc4ezcuVEa/GBBG5vWMgtBC+8R7REOWnCx
         ljE+7HzQcua1A6zy68FwMo24Tjf2d4j3QSRuFN1IV8U1amaArRgDeZQbq78ZcIPZvIDh
         GbuvGby1zzoSNOB0ZtWBWak3zxOhJON+DquN7wAiRS7pxe0iCgVuqBYNRINgw2mi1wZA
         OB2qktFxRSN2EQ22nXFlLo8g2vU8Jz7gSwYutnAX+8HaS+9ZauAhwQkGBfo2w+X5UynU
         eMVjqxcc08gsrk6BAK8AS8EHaybzIN7GdBeNaNH36DZUz1relaLY/685V75Y4wz+YhUF
         QENw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=gWqyMGf/XZ3NzFmcHJxupslVZet5mNzpfcJyocI+nVk=;
        b=rCyXjib1GMpSxLFrPqt995RES7szEihALF7lTA7VoNhBTxUKdivbhvR1wmwA1rYbne
         E79L8t5NxhrnXF7p/Rfnj6lhLlDnj7H6PoTKvZaEM6Pv7PBrXijJFKZVtct4xSCgRtOE
         5MUwbCsxr9PWQutOSXfU4LUSfNqoqXJ3cP3Dh1y/67M6KS8stGS5WvrleH9PSrzHVw9G
         IXG6oHLf6nU6BUfzp6X4ed3aKDjdshjz11CMwbyZ37EZ/mY+3A2YVsQ+DtnVUHe45zRR
         Lhj0hWwXcv/LdCIPIsxRnP4C8paJtXQ14C/pMioc6mQwJZkNnj2M1vZo66CfVrGyepaI
         uW0g==
X-Gm-Message-State: APzg51CNEiJ6S6rCd0du3GoSPJhYMe7YupHq21nR0fa1xxB0vN7p+t6V
        qWDkMygKGyNOijYgTyKXDONlFi6Yb+/+bwTCcHFAhA==
X-Received: by 2002:a62:71c4:: with SMTP id m187-v6mr5654232pfc.232.1536048037447;
 Tue, 04 Sep 2018 01:00:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a17:90a:ac14:0:0:0:0 with HTTP; Tue, 4 Sep 2018 01:00:16
 -0700 (PDT)
In-Reply-To: <1536042474.25086.1.camel@med.uni-goettingen.de>
References: <1535875700.17858.3.camel@med.uni-goettingen.de>
 <CAGXu5jJ7kGm-DGUB8uwwhd-Hv7i4WEcSKumTf2MBsj_-yzWcqg@mail.gmail.com>
 <1535960372.32005.1.camel@med.uni-goettingen.de> <CA+55aFy=T6TmG_VcLvSTb02RyKTacxVCxwUALRn8_7cdoic0pA@mail.gmail.com>
 <1536042474.25086.1.camel@med.uni-goettingen.de>
From:   Dmitry Vyukov <dvyukov@google.com>
Date:   Tue, 4 Sep 2018 10:00:16 +0200
Message-ID: <CACT4Y+bBPRfjpWFXoZmruuot37_KTemZ0PHUNrFfOPW5+6JD7w@mail.gmail.com>
Subject: Re: VLAs and security
To:     "Uecker, Martin" <Martin.Uecker@med.uni-goettingen.de>
Cc:     "torvalds@linux-foundation.org" <torvalds@linux-foundation.org>,
        "keescook@chromium.org" <keescook@chromium.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Sep 4, 2018 at 8:27 AM, Uecker, Martin
<Martin.Uecker@med.uni-goettingen.de> wrote:
> Am Montag, den 03.09.2018, 14:28 -0700 schrieb Linus Torvalds:
>> On Mon, Sep 3, 2018 at 12:40 AM Uecker, Martin
>> <Martin.Uecker@med.uni-goettingen.de> wrote:
>> >
>> > But if the true bound is smaller, then IMHO it is really bad advise
>> > to tell programmers to use
>> >
>> > char buf[MAX_SIZE]
>> >
>> > instead of something like
>> >
>> > assert(N <= MAX_SIZE);
>> > char buf[N]
>>
>> No.
>>
>> First off, we don't use asserts in the kernel. Not acceptable. You
>> handle errors, you don't crash.
>
> Ofcourse. But this is unrelated to my point.
>
>> Secondly, the compiler is usually very stupid, and will generate
>> horrible code for VLA's.
>>
>> Third, there's no guarantee that the compiler will actually even
>> realize that the size is limited, and guarantee that it won't screw up
>> the stack.
>
> If this is about the quality of the generated code, ok.
>
> I just don't buy the idea that removing precise type-based
> information about the size of objects from the source code
> is good long-term strategy for improving security.
>
>> So no. VLA's are not acceptable in the kernel. Don't do them. We're
>> getting rid of them.
>
> All right then.

Hi Martin,

Compiler and KASAN should still be able to do checking against the
static array size.
If you mean that there is some smaller dynamic logical bound n (<N)
and we are not supposed to use memory beyond that, then KMSAN [1] can
detect uses of the uninitialized part of the array. So we have some
coverage on the checking side too.

[1] https://github.com/google/kmsan#kmsan-kernelmemorysanitizer