Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2960698imu;
        Sun, 9 Dec 2018 13:40:47 -0800 (PST)
X-Google-Smtp-Source: AFSGD/WSL+CUIfO7ZL55VJzzH7iM+JPQkglfwkS5b1Rf8XYF7Q+bI0ieOcnspGPumxMNfIsLzc/f
X-Received: by 2002:a17:902:2862:: with SMTP id e89mr9971141plb.158.1544391647497;
        Sun, 09 Dec 2018 13:40:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1544391647; cv=none;
        d=google.com; s=arc-20160816;
        b=jc5QCjQ7C2l/1eN5q+2DhRfPZMZSu7EGcYCTpxZQhCphU/VJ7uU/QAeofoEvCqARUK
         k5vbKq5KCudKqn6GuOEJHZEcfKgY/tVeIy0BvrukEEUBvyxVU8JDbnwfwDqJFw1NJXH4
         DkphAgjkPDciiQusxTi7oAnO4sx5SZ/BCMM6za+HNSprsCls/PeWR/8FSh2HszVUt8mV
         6QaEFVYueuNW+H7ccdOyn/EaUTZEE+lCxHXkkIGAwNSMOijy240x6Upc4rguZd7WTs2T
         cyEsPBluLPc50VpJt5iCi5lpdd7pQl7KjdXu7kzIJDr03T/CqZ3DjhT74knVnbEz3Wn9
         00NA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=uyTQPtdr4A9r4ZS9ejdDwDv7qvc9S6X+6S/2ik1R/lo=;
        b=eHtXJn3ICizXrQWoPDQnHTYTGgtJ7NwS1kd4NSXoBb6QorGkdxmS2BXt7WHE3gCquZ
         80MeJP+XqILr1Afc/9s5bKMWIVJYezI33/T/Gcxqf+zjI+9t20WefQFx+H2W9pB987VH
         XroGeVE9HdTBFiWp0HvglNqeON/0RmBwJY385qDq8cFxmSpF0gt3mMKKu/DUQ5Aal4Qn
         g/Uw1QkgtvQOcsTtwvEiW/BL5VfWwii9q7jdwkANkApag9TIZ8OJlw9bj158X1jfFZri
         ucBc0nK2YIdx3ycKpWUcxprtNvt947r4HaJRN+heE0gNcQprL2iMDfNvxhAbuY1zKNPs
         8z6Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=B3S94tZ7;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h6si8538062plk.231.2018.12.09.13.40.31;
        Sun, 09 Dec 2018 13:40:47 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=B3S94tZ7;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726299AbeLIVj5 (ORCPT <rfc822;atom.tux.beastie@gmail.com>
        + 99 others); Sun, 9 Dec 2018 16:39:57 -0500
Received: from mail-ed1-f66.google.com ([209.85.208.66]:37018 "EHLO
        mail-ed1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726194AbeLIVj4 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 9 Dec 2018 16:39:56 -0500
Received: by mail-ed1-f66.google.com with SMTP id h15so7887645edb.4;
        Sun, 09 Dec 2018 13:39:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=uyTQPtdr4A9r4ZS9ejdDwDv7qvc9S6X+6S/2ik1R/lo=;
        b=B3S94tZ7y6ibRZWivqrtYxfDTov5hazUY1A1HFbIuRmqwYQjJwxKpuEa4CjrFAUmBM
         KH17EmkZByOKPqC7d32AKf91geP3R6xKbTt1z/pzIabU6JQKDywTFNQXoITrXMeWnOWW
         LOuc2xP5igt2i5Q53bpz2zRszpEvkiqN0y0MLDocqgVnlGQltaehdMPlB0OQ3XML0Bg0
         2qd4iiRhPCypZgBFUbiSvoPN9WS+2zGsFkBhTl7Zn5/rITSvCkYaDoTPcBer6MUhtXV+
         hmU4tgYhKDyyYEgsRCvyMU+Ojfn2y7idY8YxmenhQt2u9o9HBFZsxWHhi/5DciHOg7Gn
         aLqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=uyTQPtdr4A9r4ZS9ejdDwDv7qvc9S6X+6S/2ik1R/lo=;
        b=uWTU701i4AABSXZXpEEionuyah2Me27/9RebTt9I0rVdxjzai4w9JOZnkpzOkuyqFH
         geVXETmqTYYNQcSdLPIRGfuwfkchPi/V6gviBaVtCLNrgw0F3tXUftstjavBog8MzHAO
         dJwRuZMnPb5UdTIBKZSyk68fR0qzRBETfVMI5LR63saNQjG4PCiuYoXQF7dnGxPUiHwH
         Bm7uI57bp18EwcTU9KBq7699EY2K0/5zRIv7ZY2toHpryy7CH7UyhGFPMvZZ6/BEK9ax
         iU6TNvcT/OpXqXRvVt1ZtzbuXJrwMNvQYM8DT7S3I2vFDJ9SKmTEd6eZnKcFQKPWSDDI
         amew==
X-Gm-Message-State: AA+aEWYS0mGkkGfNByj8ju/fSfDZuFZsTPVev5SG3Tk1ibAAd2YEOTV9
        wxaFW4Ahx8mzr1/YVAikkXXHNpkM
X-Received: by 2002:a17:906:4d41:: with SMTP id b1-v6mr7911326ejv.171.1544391594861;
        Sun, 09 Dec 2018 13:39:54 -0800 (PST)
Received: from ltop.local ([2a02:a03f:40bc:4d00:e8b1:47b5:cae1:da95])
        by smtp.gmail.com with ESMTPSA id w28sm2977744edd.38.2018.12.09.13.39.54
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 09 Dec 2018 13:39:54 -0800 (PST)
Date:   Sun, 9 Dec 2018 22:39:52 +0100
From:   Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
To:     Tycho Andersen <tycho@tycho.ws>
Cc:     Al Viro <viro@zeniv.linux.org.uk>, linux-sparse@vger.kernel.org,
        kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org
Subject: Re: [RFC v1] copy_{to,from}_user(): only inline when !__CHECKER__
Message-ID: <20181209213951.kumz33u6prb2seqz@ltop.local>
References: <20181209204449.18906-1-tycho@tycho.ws>
 <20181209210220.GB2217@ZenIV.linux.org.uk>
 <20181209212523.GE30796@cisco>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20181209212523.GE30796@cisco>
User-Agent: NeoMutt/20180622
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Dec 09, 2018 at 02:25:23PM -0700, Tycho Andersen wrote:
> Hi Al,
> 
> On Sun, Dec 09, 2018 at 09:02:21PM +0000, Al Viro wrote:
> > On Sun, Dec 09, 2018 at 01:44:49PM -0700, Tycho Andersen wrote:
> > > While working on some additional copy_to_user() checks for sparse, I
> > > noticed that sparse's current copy_to_user() checks are not triggered. This
> > > is because copy_to_user() is declared as __always_inline, and sparse
> > > specifically looks for a call instruction to copy_to_user() when it tries
> > > to apply the checks.
> > > 
> > > A quick fix is to explicitly not inline when __CHECKER__ is defined, so
> > > that sparse will be able to analyze all the copy_{to,from}_user calls.
> > > There may be some refactoring in sparse that we can do to fix this,
> > > although it's not immediately obvious to me how, hence the RFC-ness of this
> > > patch.
> > 
> > Which sparse checks do not trigger?  Explain, please - as it is, I had been
> > unable to guess what could "specifically looks for a call instruction" refer
> > to.
> 
> In sparse.c there's check_call_instruction(), which is triggered when
> there's an instruction of OP_CALL type in the basic block. This simply
> compares against the name of the call target to determine whether or
> not to call check_ctu().
> 
> I think what's happening here is that the call is getting inlined, and
> so the OP_CALL goes away, and check_call_instruction() never gets
> called.

Yes, it's what's happening.

There are several more or less bad/good solutions, like:
* add raw_copy_{to,from}_user() in the list of checked function
  (not inlined in most archs).
* add a new annotation to force sparse to check the byte count
  (I'm thinking about __range__/OP_RANGE or something similar).
* do these checks before functions are inlined (but then some
  constant count could not yet be seen as constant).
* ...

Wasn't there some plan to remove all these __always_inline
because of the future 'asm inline'?

-- Luc