Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp2299474ybf; Mon, 2 Mar 2020 06:01:43 -0800 (PST) X-Google-Smtp-Source: ADFU+vvQ2O0VA7aP5k38P6MWLABY0eYEoBAUFALASu6kfqYKiT64mPzuTvbGtsyiEZPlCVjqeR1V X-Received: by 2002:aca:3544:: with SMTP id c65mr2804203oia.160.1583157696059; Mon, 02 Mar 2020 06:01:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583157695; cv=none; d=google.com; s=arc-20160816; b=ct+A3sI6jFcU5z3sRVCL6NwoFuFUTVto17KSFiQqXRXtibLlpMe65e6Coy5tQITjEU PwdkBquxkgYMPqRDdsvy40NVP+4xSqGYwQwBPB2R7fkrjSBYoiPA0jvFvLrU7xoiActF flke56LsBOm/W5+c85pzs1ZByJZl0f6LTiIfM3JB+Orl2ykV+WeSROLGvYoPHaKGm9Lf +RRm2kLfd5zUaQ2wcjOQxpx7cE2L0BTfu77mKtH1P7zDDNoZh5fp1rD76VVNQizUk5Ff 7lArV1r3jQszoK6JoqhfKSnwDabmTvPL8UI6XfMOFOF0mFUZ3yPoFIQbVED12jcr9286 N7Gw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id; bh=pzyiLRQDDeI7FzsmPIzwnjNdKApX9wMTwiVsJYdIwXw=; b=Phbzy3OvHTXpocu5m+2b+h+BJdiMT3itMIet7bDlEf2WXjIun6JzEctncMY0BAjCwU sJhZRMEblDTsY64qnq1kqJipTVTYZzcgR9fLknav9TPRYjUxZAVyUerBesd7LpUOaQwT o5UyHP9i1RRcqwC+2NAuZxJQ9Og/DsvZ5HMMsWZj4vDB5u/cxbQnGrL0MmPVqkT0gBZL ithfKRAY1Q4XpbB3MMXGFP5cKgB6QQN/anyF8D15chpVgAVU7xRlOawUngzJ1jgaBQdq 1yRH35sFGAU4I/6HF+ECv86lc902KPd/F74RyVVJ+pUm9SYb8Z48CsHSXaxgBytN3+5b 9eeQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k23si548507otb.210.2020.03.02.06.01.21; Mon, 02 Mar 2020 06:01:35 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727113AbgCBOAI (ORCPT + 99 others); Mon, 2 Mar 2020 09:00:08 -0500 Received: from smtprelay0208.hostedemail.com ([216.40.44.208]:60038 "EHLO smtprelay.hostedemail.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726204AbgCBOAI (ORCPT ); Mon, 2 Mar 2020 09:00:08 -0500 Received: from filter.hostedemail.com (clb03-v110.bra.tucows.net [216.40.38.60]) by smtprelay07.hostedemail.com (Postfix) with ESMTP id 25330181D2FC2; Mon, 2 Mar 2020 14:00:07 +0000 (UTC) X-Session-Marker: 6A6F6540706572636865732E636F6D X-Spam-Summary: 2,0,0,,d41d8cd98f00b204,joe@perches.com,,RULES_HIT:41:355:379:599:800:960:973:988:989:1260:1277:1311:1313:1314:1345:1359:1437:1515:1516:1518:1534:1541:1593:1594:1711:1730:1747:1777:1792:1801:2393:2553:2559:2562:2828:3138:3139:3140:3141:3142:3353:3622:3865:3867:3870:3871:3872:3874:4321:4605:5007:6119:7903:10004:10400:11026:11232:11473:11658:11914:12296:12297:12438:12740:12760:12895:13019:13069:13311:13357:13439:14096:14097:14181:14659:14721:21080:21220:21433:21611:21627:21990:30012:30054:30090:30091,0,RBL:none,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:,MSBL:0,DNSBL:none,Custom_rules:0:0:0,LFtime:1,LUA_SUMMARY:none X-HE-Tag: bite50_580e7f13ad457 X-Filterd-Recvd-Size: 3161 Received: from XPS-9350.home (unknown [47.151.143.254]) (Authenticated sender: joe@perches.com) by omf05.hostedemail.com (Postfix) with ESMTPA; Mon, 2 Mar 2020 14:00:04 +0000 (UTC) Message-ID: <4cac10d3e2c03e4f21f1104405a0a62a853efb4e.camel@perches.com> Subject: Re: [PATCH v2 2/3] binder: do not initialize locals passed to copy_from_user() From: Joe Perches To: Alexander Potapenko Cc: Todd Kjos , Kees Cook , Greg Kroah-Hartman , Arve =?ISO-8859-1?Q?Hj=F8nnev=E5g?= , Ingo Molnar , Dmitriy Vyukov , Jann Horn , "open list:ANDROID DRIVERS" , Peter Zijlstra , LKML Date: Mon, 02 Mar 2020 05:58:33 -0800 In-Reply-To: References: <20200302130430.201037-1-glider@google.com> <20200302130430.201037-2-glider@google.com> <0eaac427354844a4fcfb0d9843cf3024c6af21df.camel@perches.com> Content-Type: text/plain; charset="ISO-8859-1" User-Agent: Evolution 3.34.1-2 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 2020-03-02 at 14:25 +0100, Alexander Potapenko wrote: > On Mon, Mar 2, 2020 at 2:11 PM Joe Perches wrote: > > On Mon, 2020-03-02 at 14:04 +0100, glider@google.com wrote: > > > Certain copy_from_user() invocations in binder.c are known to > > > unconditionally initialize locals before their first use, like e.g. in > > > the following case: > > [] > > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > > [] > > > @@ -3788,7 +3788,7 @@ static int binder_thread_write(struct binder_proc *proc, > > > > > > case BC_TRANSACTION_SG: > > > case BC_REPLY_SG: { > > > - struct binder_transaction_data_sg tr; > > > + struct binder_transaction_data_sg tr __no_initialize; > > > > > > if (copy_from_user(&tr, ptr, sizeof(tr))) > > > > I fail to see any value in marking tr with __no_initialize > > when it's immediately written to by copy_from_user. > > This is being done exactly because it's immediately written to by copy_to_user() > Clang is currently unable to figure out that copy_to_user() initializes memory. > So building the kernel with CONFIG_INIT_STACK_ALL=y basically leads to > the following code: > > struct binder_transaction_data_sg tr; > memset(&tr, 0xAA, sizeof(tr)); > if (copy_from_user(&tr, ptr, sizeof(tr))) {...} > > This unnecessarily slows the code down, so we add __no_initialize to > prevent the compiler from emitting the redundant initialization. So? CONFIG_INIT_STACK_ALL by design slows down code. This marking would likely need to be done for nearly all 3000+ copy_from_user entries. Why not try to get something done on the compiler side to mark the function itself rather than the uses?