Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp188846pxk;
        Wed, 16 Sep 2020 23:40:21 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy90e/EcAfVYxIPIti3AV4IsVFkqR+OfGCgDr0vTaMiQAuU1zUdyMNItEpgYEN0wzWatEPm
X-Received: by 2002:aa7:cb44:: with SMTP id w4mr31697832edt.139.1600324820910;
        Wed, 16 Sep 2020 23:40:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1600324820; cv=none;
        d=google.com; s=arc-20160816;
        b=bRcNfUx3biemFslBKz767OdrqyeYEFndASCTjd/qiltg1mtt4EjEJEIUzizbrQigGW
         RV2XsFHEbOhwMI/IFDVrAjfduoorowZxyUiRHCQ8nblrog7VRKW0gyYlUasIW6YCsKpb
         CNbUo755U5xVOhBfH5qcf3RxA2STHz9+N7Lo95p5+hWT5SEQQrTvmOqLwMy55hU1hrhG
         SRJBEN2noHKf3EWHg3WQIqZlrKgQslmgdohbn7KCB91XDHXwQPbhp3ZwGVQC9XIoyhfT
         4gl6rhxkb0Z2nbfN31VyOE9wBkzUEeZ739Qhv+wLNgi0ifPaIMXzJ7wpyhs0/ILVycGx
         NtIA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=DmH7lVb417eXI2VeqeItQgKBp0xKHSxQ9iYZKyDox1E=;
        b=l/2r/HhefCQ3hCnRQWPwaXR69Gi/azAUHVMSRRPqKw2IKUgbIOlwcP2g7Hx6WT/ZeB
         BR5iizgO7aS9HEuhHwRCzdn7pyih4u1Uw6/0I9oxeG+qYq/KULsAj2DeMOk/Hz1kE3iD
         Eoay1oXX9MenPKYTjZD4BbQtuVK9GveCf4qIGE5O5ZBQbIldCpbzLspS5SEvyf/koaO1
         lWuZ3bXPzmQI/GwvVYaV6X0N/Xw31fjXNQN51/7StWBmNb0XnIAggUb/0+M2TC9lGp//
         YpzzvQMDTDcXizq12703ODLEfNa1oY8mgunkkYr34rYt8Mq9XfCHIDxCpniNclj30QH1
         hBzw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=dyKzxUO8;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id l8si14037368edr.396.2020.09.16.23.39.56;
        Wed, 16 Sep 2020 23:40:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=dyKzxUO8;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726153AbgIQGhY (ORCPT <rfc822;chenl.lei@gmail.com> + 99 others);
        Thu, 17 Sep 2020 02:37:24 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41960 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726106AbgIQGhV (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 17 Sep 2020 02:37:21 -0400
Received: from mail-oi1-x243.google.com (mail-oi1-x243.google.com [IPv6:2607:f8b0:4864:20::243])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6ED52C06174A
        for <linux-kernel@vger.kernel.org>; Wed, 16 Sep 2020 23:37:20 -0700 (PDT)
Received: by mail-oi1-x243.google.com with SMTP id x69so1243960oia.8
        for <linux-kernel@vger.kernel.org>; Wed, 16 Sep 2020 23:37:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=DmH7lVb417eXI2VeqeItQgKBp0xKHSxQ9iYZKyDox1E=;
        b=dyKzxUO8iJ6MybLJ52ubrLm+liYaOMZR++Y5xaNiwrDBw/iA3Nut6Yn841d9KubXm4
         Q/Hnp7VOy43qKf+4ZlHubvF2Hdp9iphzEQCUzgi9oCE+cpXws2VNr6dYgd1yt+hcf7RQ
         ovD/bqaoaPuu0pb0BMYefZ2SPU7qCJy0sih2cTdUHk8AAGVDcnMfHgFBt8oqfzwr2Tu/
         39Gb2P8mjacNiJ31cgYTzquiQCF5rabvKIYewuU8dFzVNMdaMOQ4ZY3kN4zf5tdfOPvX
         yop7vE70Lw2Nlbx3pGduzbVq+QT8e+Xb6ko5Nl4aOdowhMgtb+NGMkJvWPP3h+N08sRH
         J4kA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=DmH7lVb417eXI2VeqeItQgKBp0xKHSxQ9iYZKyDox1E=;
        b=Cq2GjLbc+qxN3p0/joEyf9gF9uZG4UTJlzWR+ZQ6TwuHAS8/XEYJO5oTyP7fkdH8AV
         hUTwQNpoG9BfiWEmk/H7dc2G99jvmPnQrVySWTcPX0TCHyWWicZSfyJTAaSwDJFGPT2F
         rirJYybbv9SCJFd4rn+VhAnY3YKK7KTRrKqB67f4E1/2mfuSIjrdfeRAmTuVYVL+sxTf
         AMBYULfdu6F7hEsBZweJa8B7aRYpIMVJ729a8FJS39gWciVCCy4vzhyKs7cBAPonTWnY
         VYPUfPq3DoQ6qJA5fbjPk9uZKMuWQIhXbi5rQ/Y0+t1bwj0hQjnyG8i5VXGbQaN5GKAE
         ZAzw==
X-Gm-Message-State: AOAM530d2RQojnryyw9QyeVtKeB+FpVV5qREbVjnJsfQIoyNpz/JuzV8
        M9KVfzIgJoazEmkw6IkZ2p8DJB6DJzqLz4lg1MPeog==
X-Received: by 2002:aca:5158:: with SMTP id f85mr5592894oib.121.1600324639579;
 Wed, 16 Sep 2020 23:37:19 -0700 (PDT)
MIME-Version: 1.0
References: <20200914172750.852684-1-georgepope@google.com>
 <20200914172750.852684-7-georgepope@google.com> <202009141509.CDDC8C8@keescook>
 <20200915102458.GA1650630@google.com> <CANpmjNOTcS_vvZ1swh1iHYaRbTvGKnPAe4Q2DpR1MGhk_oZDeA@mail.gmail.com>
 <20200915120105.GA2294884@google.com> <CANpmjNPpq7LfTHYesz2wTVw6Pqv0FQ2gc-vmSB6Mdov+XWPZiw@mail.gmail.com>
 <20200916074027.GA2946587@google.com> <CANpmjNMT9-a8qKZSvGWBPAb9x9y1DkrZMSvHGq++_TcEv=7AuA@mail.gmail.com>
 <20200916121401.GA3362356@google.com> <20200916134029.GA1146904@elver.google.com>
In-Reply-To: <20200916134029.GA1146904@elver.google.com>
From:   Marco Elver <elver@google.com>
Date:   Thu, 17 Sep 2020 08:37:07 +0200
Message-ID: <CANpmjNOfgeR0zpL-4AtOt0FL56BFZ_sud-mR3CrYB7OCMg0PaA@mail.gmail.com>
Subject: Re: [PATCH 06/14] Fix CFLAGS for UBSAN_BOUNDS on Clang
To:     George Popescu <georgepope@google.com>
Cc:     Kees Cook <keescook@chromium.org>, maz@kernel.org,
        Catalin Marinas <catalin.marinas@arm.com>,
        Will Deacon <will@kernel.org>,
        Masahiro Yamada <masahiroy@kernel.org>,
        Michal Marek <michal.lkml@markovi.net>,
        Linux ARM <linux-arm-kernel@lists.infradead.org>,
        kvmarm@lists.cs.columbia.edu, LKML <linux-kernel@vger.kernel.org>,
        Linux Kbuild mailing list <linux-kbuild@vger.kernel.org>,
        clang-built-linux <clang-built-linux@googlegroups.com>,
        james.morse@arm.com, julien.thierry.kdev@gmail.com,
        suzuki.poulose@arm.com,
        Nathan Chancellor <natechancellor@gmail.com>,
        Nick Desaulniers <ndesaulniers@google.com>,
        David Brazdil <dbrazdil@google.com>, broonie@kernel.org,
        Fangrui Song <maskray@google.com>,
        Andrew Scull <ascull@google.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Dmitry Vyukov <dvyukov@google.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Arnd Bergmann <arnd@arndb.de>,
        kasan-dev <kasan-dev@googlegroups.com>,
        Andrey Konovalov <andreyknvl@google.com>,
        Alexander Potapenko <glider@google.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 16 Sep 2020 at 15:40, Marco Elver <elver@google.com> wrote:
> On Wed, Sep 16, 2020 at 12:14PM +0000, George Popescu wrote:
> > On Wed, Sep 16, 2020 at 10:32:40AM +0200, Marco Elver wrote:
> > > On Wed, 16 Sep 2020 at 09:40, George Popescu <georgepope@google.com> wrote:
> > > > On Tue, Sep 15, 2020 at 07:32:28PM +0200, Marco Elver wrote:
> > > > > On Tue, 15 Sep 2020 at 14:01, George Popescu <georgepope@google.com> wrote:
> > > > > > On Tue, Sep 15, 2020 at 01:18:11PM +0200, Marco Elver wrote:
> > > > > > > On Tue, 15 Sep 2020 at 12:25, George Popescu <georgepope@google.com> wrote:
> > > > > > > > On Mon, Sep 14, 2020 at 03:13:14PM -0700, Kees Cook wrote:
> > > > > > > > > On Mon, Sep 14, 2020 at 05:27:42PM +0000, George-Aurelian Popescu wrote:
> > > > > > > > > > From: George Popescu <georgepope@google.com>
> > > > > > > > > >
> > > > > > > > > > When the kernel is compiled with Clang, UBSAN_BOUNDS inserts a brk after
> > > > > > > > > > the handler call, preventing it from printing any information processed
> > > > > > > > > > inside the buffer.
> > > > > > > > > > For Clang -fsanitize=bounds expands to -fsanitize=array-bounds and
> > > > > > > > > > -fsanitize=local-bounds, and the latter adds a brk after the handler
> > > > > > > > > > call
> > > > > > > > >
> > > > > > > > This would mean losing the local-bounds coverage. I tried to  test it without
> > > > > > > > local-bounds and with a locally defined array on the stack and it works fine
> > > > > > > > (the handler is called and the error reported). For me it feels like
> > > > > > > > --array-bounds and --local-bounds are triggered for the same type of
> > > > > > > > undefined_behaviours but they are handling them different.
> > > > > > >
> > > > > > > Does -fno-sanitize-trap=bounds help?
> [...]
> > > Your full config would be good, because it includes compiler version etc.
> > My full config is:
>
> Thanks. Yes, I can reproduce, and the longer I keep digging I start
> wondering why we have local-bounds at all.
>
> It appears that local-bounds finds a tiny subset of the issues that
> KASAN finds:
>
>         http://lists.llvm.org/pipermail/cfe-commits/Week-of-Mon-20131021/091536.html
>         http://llvm.org/viewvc/llvm-project?view=revision&revision=193205
>
> fsanitize=undefined also does not include local-bounds:
>
>         https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html#available-checks
>
> And the reason is that we do want to enable KASAN and UBSAN together;
> but local-bounds is useless overhead if we already have KASAN.
>
> I'm inclined to say that what you propose is reasonable (but the commit
> message needs to be more detailed explaining the relationship with
> KASAN) -- but I have no idea if this is going to break somebody's
> usecase (e.g. find some OOB bugs, but without KASAN -- but then why not
> use KASAN?!)

So, it seems that local-bounds can still catch some rare OOB accesses,
where KASAN fails to catch it because the access might skip over the
redzone.

The other more interesting bit of history is that
-fsanitize=local-bounds used to be -fbounds-checking, and meant for
production use as a hardening feature:
http://lists.llvm.org/pipermail/llvm-dev/2012-May/049972.html

And local-bounds just does not behave like any other sanitizer as a
result, it just traps. The fact that it's enabled via
-fsanitize=local-bounds (or just bounds) but hasn't much changed in
behaviour is a little unfortunate.

I suppose there are 3 options:

1. George implements trap handling somehow. Is this feasible? If not,
why not? Maybe that should also have been explained in the commit
message.

2. Only enable -fsanitize=local-bounds if UBSAN_TRAP was selected, at
least for as long as Clang traps for local-bounds. I think this makes
sense either way, because if we do not expect UBSAN to trap, it really
should not trap!

3. Change the compiler. As always, this will take a while to implement
and then to reach whoever should have that updated compiler.

Preferences?

Thanks,
-- Marco