Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp2533772ybf; Mon, 2 Mar 2020 10:31:50 -0800 (PST) X-Google-Smtp-Source: ADFU+vvq8MbERcSjH65k5RkCUNayqVKIfrnqquL7ENz5joRIBD+XHcbNtyp0d/D7ii73oedl3Hml X-Received: by 2002:a05:6830:1e46:: with SMTP id e6mr361039otj.257.1583173910244; Mon, 02 Mar 2020 10:31:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583173910; cv=none; d=google.com; s=arc-20160816; b=mH2FbRtGULGRAAagMNioCOTfGtf5Qr4WT/v4616iiZXHg/KL0LpnQN0GLVR5ay6PsS 0u6sz8tVu7qjGWwvSgg5O9dBYuRXXgnm+htCD9PLgYf0XdIS4JnroSaoV0u7ADugjurg ctQaSRTzmkRW36TNtBMiKbX/lMqAjnZvMZsR8qHjt2uozHw/vkaNB5YVqEU7IftT7DxK TbAwe8DNBcGEfDfeDCNTxTfZz/xW2/eqr0ou/BT2yeVs0wAHez7t+zlCmnTVgnl1J7Tf e5Ef2/QllM00jKYNNOm2o3YvBwWPlMmqcMZO3cP76hFKNUCBnwPUVaf/7kWisnf7ULnR 3DAg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=l5zc76Fdz+bJVXzSQGbzBzVXZNM5xUhVIZ7ZJyJk0S0=; b=h2NEOf70t3XTQ3Mo4It46FJzJOapyzAuvHHpactgq/TkVWkLGuubyFcAhLMHCHuyZ9 gsDg5fbEQKZOOf0c7AfjZwe1mjenuaZPWSEqVM5WfKGjQ8x9T8pe5xLUllUMIsG0PtFv QybUL9yHLUITzwvva41r4gRs8Qsl15eBK6pFdyD5yqO6ehYpQtHaVdFbU3k8npuK2ysa g5SklLRjpDkkiRyE3rkU/IzyVHFoSC+++Z1dCNvOCkkFd7XdwUn+XFblaCh2SLiME+md eBoE0eUGeRqIWhAghp5GMJJSNaQ5diFIoXFswuDewv7M7DGcJpie2k9khRg/dIKWQ9Td EvZw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Uga3wDMU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l17si6681335otq.59.2020.03.02.10.31.38; Mon, 02 Mar 2020 10:31:50 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Uga3wDMU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727427AbgCBSb2 (ORCPT + 99 others); Mon, 2 Mar 2020 13:31:28 -0500 Received: from mail-oi1-f193.google.com ([209.85.167.193]:33859 "EHLO mail-oi1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726451AbgCBSb2 (ORCPT ); Mon, 2 Mar 2020 13:31:28 -0500 Received: by mail-oi1-f193.google.com with SMTP id g6so255950oiy.1 for ; Mon, 02 Mar 2020 10:31:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=l5zc76Fdz+bJVXzSQGbzBzVXZNM5xUhVIZ7ZJyJk0S0=; b=Uga3wDMUkWwXE5tHNv2a97Zp6mCHgCe+1C1PTkbrKQrGI8tfVoqqyE26+m+VkLoJ01 KXxSiHthuMwAeAk+rDcUV62fNAU+IvOj4Xfmiq5/+Wtu5IIxSxXAsrHquQOWyR4MflVx yZiYJ3zW8/CLEvontWYfzsmNfghJXgqEm2gHbnjPysUxalCops1zC/DNXUNs3d2AEBxH ZjYWh2TlFhsBLJKyFNo95Fu6ItoYeZyPLhBTKNHPUedndktiLNvn7ThHegA30BQDePW0 eaQmnX1IITDRRwkEAiVzvCjRjOWSf0eBTrLez0iLFV/3biPe9ckSAUOQj/KfDzvmSZnY bnnA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=l5zc76Fdz+bJVXzSQGbzBzVXZNM5xUhVIZ7ZJyJk0S0=; b=X/NnxknbPFocYrjNwtoP6pV7Z/nhcLYc936ghdqUIAeBH+tTe81qLQLm2WQ68BDIwq YXPBiA2gzdVgOHuR2WjNnaT8bpPWneDlo6xtLgQ+It0hpNjIdlR84NZxaQXBGniAedfB 6mvR2ef14snwt2+Ib/M2ju1Qu8K/JxO6u6JBBvDDQWeAudLMd7TS0NUGfcI3OXq2meKr Vzg542FMKN499KaAz/IeWVxPtslhKZsBFXvu2SHi60TJfUvolX81v+lAronU/J42oszb caWcUZC1vvO8Z856MtbuvRh4GE08HniLgG6t6pnQNo8TWy3MmYMso8pdT84i0Df0L5xJ MPTw== X-Gm-Message-State: ANhLgQ2WErPXbbSQrpnBcopZajNRHUshG5Pv3ePZJq41IuS7RUTqoGMn o8MJ0cQGBdFWiKu/w+at5ECyzAha+TWDCLoBKQ85jA== X-Received: by 2002:aca:b187:: with SMTP id a129mr290744oif.175.1583173887129; Mon, 02 Mar 2020 10:31:27 -0800 (PST) MIME-Version: 1.0 References: <20200302130430.201037-1-glider@google.com> <20200302130430.201037-2-glider@google.com> <0eaac427354844a4fcfb0d9843cf3024c6af21df.camel@perches.com> <4cac10d3e2c03e4f21f1104405a0a62a853efb4e.camel@perches.com> In-Reply-To: From: Jann Horn Date: Mon, 2 Mar 2020 19:31:01 +0100 Message-ID: Subject: Re: [PATCH v2 2/3] binder: do not initialize locals passed to copy_from_user() To: Alexander Potapenko Cc: Joe Perches , Todd Kjos , Kees Cook , Greg Kroah-Hartman , =?UTF-8?B?QXJ2ZSBIasO4bm5ldsOlZw==?= , Ingo Molnar , Dmitriy Vyukov , "open list:ANDROID DRIVERS" , Peter Zijlstra , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 2, 2020 at 7:17 PM Alexander Potapenko wrote: > On Mon, Mar 2, 2020 at 3:00 PM Joe Perches wrote: > > On Mon, 2020-03-02 at 14:25 +0100, Alexander Potapenko wrote: > > > On Mon, Mar 2, 2020 at 2:11 PM Joe Perches wrote: > > > > On Mon, 2020-03-02 at 14:04 +0100, glider@google.com wrote: > > > > > Certain copy_from_user() invocations in binder.c are known to > > > > > unconditionally initialize locals before their first use, like e.g. in > > > > > the following case: > > > > [] > > > > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > > > > [] > > > > > @@ -3788,7 +3788,7 @@ static int binder_thread_write(struct binder_proc *proc, > > > > > > > > > > case BC_TRANSACTION_SG: > > > > > case BC_REPLY_SG: { > > > > > - struct binder_transaction_data_sg tr; > > > > > + struct binder_transaction_data_sg tr __no_initialize; > > > > > > > > > > if (copy_from_user(&tr, ptr, sizeof(tr))) > > > > > > > > I fail to see any value in marking tr with __no_initialize > > > > when it's immediately written to by copy_from_user. > > > > > > This is being done exactly because it's immediately written to by copy_to_user() > > > Clang is currently unable to figure out that copy_to_user() initializes memory. > > > So building the kernel with CONFIG_INIT_STACK_ALL=y basically leads to > > > the following code: > > > > > > struct binder_transaction_data_sg tr; > > > memset(&tr, 0xAA, sizeof(tr)); > > > if (copy_from_user(&tr, ptr, sizeof(tr))) {...} > > > > > > This unnecessarily slows the code down, so we add __no_initialize to > > > prevent the compiler from emitting the redundant initialization. > > > > So? CONFIG_INIT_STACK_ALL by design slows down code. > Correct. > > > This marking would likely need to be done for nearly all > > 3000+ copy_from_user entries. > Unfortunately, yes. I was just hoping to do so for a handful of hot > cases that we encounter, but in the long-term a compiler solution must > supersede them. > > > Why not try to get something done on the compiler side > > to mark the function itself rather than the uses? > This is being worked on in the meantime as well (see > http://lists.llvm.org/pipermail/cfe-dev/2020-February/064633.html) > Do you have any particular requisitions about how this should look on > the source level? Just thinking out loud: Should this be a function attribute, or should it be a builtin - something like __builtin_assume_initialized(ptr, len)? That would make it also work for macros, and it might simplify the handling of inlining in the compiler. And you wouldn't need such a complicated attribute that refers to function arguments by index and such. The downside would be that it wouldn't work for non-inlined functions without creating inline wrappers around them...