Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp188846pxk; Wed, 16 Sep 2020 23:40:21 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy90e/EcAfVYxIPIti3AV4IsVFkqR+OfGCgDr0vTaMiQAuU1zUdyMNItEpgYEN0wzWatEPm X-Received: by 2002:aa7:cb44:: with SMTP id w4mr31697832edt.139.1600324820910; Wed, 16 Sep 2020 23:40:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600324820; cv=none; d=google.com; s=arc-20160816; b=bRcNfUx3biemFslBKz767OdrqyeYEFndASCTjd/qiltg1mtt4EjEJEIUzizbrQigGW RV2XsFHEbOhwMI/IFDVrAjfduoorowZxyUiRHCQ8nblrog7VRKW0gyYlUasIW6YCsKpb CNbUo755U5xVOhBfH5qcf3RxA2STHz9+N7Lo95p5+hWT5SEQQrTvmOqLwMy55hU1hrhG SRJBEN2noHKf3EWHg3WQIqZlrKgQslmgdohbn7KCB91XDHXwQPbhp3ZwGVQC9XIoyhfT 4gl6rhxkb0Z2nbfN31VyOE9wBkzUEeZ739Qhv+wLNgi0ifPaIMXzJ7wpyhs0/ILVycGx NtIA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=DmH7lVb417eXI2VeqeItQgKBp0xKHSxQ9iYZKyDox1E=; b=l/2r/HhefCQ3hCnRQWPwaXR69Gi/azAUHVMSRRPqKw2IKUgbIOlwcP2g7Hx6WT/ZeB BR5iizgO7aS9HEuhHwRCzdn7pyih4u1Uw6/0I9oxeG+qYq/KULsAj2DeMOk/Hz1kE3iD Eoay1oXX9MenPKYTjZD4BbQtuVK9GveCf4qIGE5O5ZBQbIldCpbzLspS5SEvyf/koaO1 lWuZ3bXPzmQI/GwvVYaV6X0N/Xw31fjXNQN51/7StWBmNb0XnIAggUb/0+M2TC9lGp// YpzzvQMDTDcXizq12703ODLEfNa1oY8mgunkkYr34rYt8Mq9XfCHIDxCpniNclj30QH1 hBzw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=dyKzxUO8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l8si14037368edr.396.2020.09.16.23.39.56; Wed, 16 Sep 2020 23:40:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=dyKzxUO8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726153AbgIQGhY (ORCPT + 99 others); Thu, 17 Sep 2020 02:37:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41960 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726106AbgIQGhV (ORCPT ); Thu, 17 Sep 2020 02:37:21 -0400 Received: from mail-oi1-x243.google.com (mail-oi1-x243.google.com [IPv6:2607:f8b0:4864:20::243]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6ED52C06174A for ; Wed, 16 Sep 2020 23:37:20 -0700 (PDT) Received: by mail-oi1-x243.google.com with SMTP id x69so1243960oia.8 for ; Wed, 16 Sep 2020 23:37:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DmH7lVb417eXI2VeqeItQgKBp0xKHSxQ9iYZKyDox1E=; b=dyKzxUO8iJ6MybLJ52ubrLm+liYaOMZR++Y5xaNiwrDBw/iA3Nut6Yn841d9KubXm4 Q/Hnp7VOy43qKf+4ZlHubvF2Hdp9iphzEQCUzgi9oCE+cpXws2VNr6dYgd1yt+hcf7RQ ovD/bqaoaPuu0pb0BMYefZ2SPU7qCJy0sih2cTdUHk8AAGVDcnMfHgFBt8oqfzwr2Tu/ 39Gb2P8mjacNiJ31cgYTzquiQCF5rabvKIYewuU8dFzVNMdaMOQ4ZY3kN4zf5tdfOPvX yop7vE70Lw2Nlbx3pGduzbVq+QT8e+Xb6ko5Nl4aOdowhMgtb+NGMkJvWPP3h+N08sRH J4kA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DmH7lVb417eXI2VeqeItQgKBp0xKHSxQ9iYZKyDox1E=; b=Cq2GjLbc+qxN3p0/joEyf9gF9uZG4UTJlzWR+ZQ6TwuHAS8/XEYJO5oTyP7fkdH8AV hUTwQNpoG9BfiWEmk/H7dc2G99jvmPnQrVySWTcPX0TCHyWWicZSfyJTAaSwDJFGPT2F rirJYybbv9SCJFd4rn+VhAnY3YKK7KTRrKqB67f4E1/2mfuSIjrdfeRAmTuVYVL+sxTf AMBYULfdu6F7hEsBZweJa8B7aRYpIMVJ729a8FJS39gWciVCCy4vzhyKs7cBAPonTWnY VYPUfPq3DoQ6qJA5fbjPk9uZKMuWQIhXbi5rQ/Y0+t1bwj0hQjnyG8i5VXGbQaN5GKAE ZAzw== X-Gm-Message-State: AOAM530d2RQojnryyw9QyeVtKeB+FpVV5qREbVjnJsfQIoyNpz/JuzV8 M9KVfzIgJoazEmkw6IkZ2p8DJB6DJzqLz4lg1MPeog== X-Received: by 2002:aca:5158:: with SMTP id f85mr5592894oib.121.1600324639579; Wed, 16 Sep 2020 23:37:19 -0700 (PDT) MIME-Version: 1.0 References: <20200914172750.852684-1-georgepope@google.com> <20200914172750.852684-7-georgepope@google.com> <202009141509.CDDC8C8@keescook> <20200915102458.GA1650630@google.com> <20200915120105.GA2294884@google.com> <20200916074027.GA2946587@google.com> <20200916121401.GA3362356@google.com> <20200916134029.GA1146904@elver.google.com> In-Reply-To: <20200916134029.GA1146904@elver.google.com> From: Marco Elver Date: Thu, 17 Sep 2020 08:37:07 +0200 Message-ID: Subject: Re: [PATCH 06/14] Fix CFLAGS for UBSAN_BOUNDS on Clang To: George Popescu Cc: Kees Cook , maz@kernel.org, Catalin Marinas , Will Deacon , Masahiro Yamada , Michal Marek , Linux ARM , kvmarm@lists.cs.columbia.edu, LKML , Linux Kbuild mailing list , clang-built-linux , james.morse@arm.com, julien.thierry.kdev@gmail.com, suzuki.poulose@arm.com, Nathan Chancellor , Nick Desaulniers , David Brazdil , broonie@kernel.org, Fangrui Song , Andrew Scull , Andrew Morton , Dmitry Vyukov , Thomas Gleixner , Arnd Bergmann , kasan-dev , Andrey Konovalov , Alexander Potapenko Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 16 Sep 2020 at 15:40, Marco Elver wrote: > On Wed, Sep 16, 2020 at 12:14PM +0000, George Popescu wrote: > > On Wed, Sep 16, 2020 at 10:32:40AM +0200, Marco Elver wrote: > > > On Wed, 16 Sep 2020 at 09:40, George Popescu wrote: > > > > On Tue, Sep 15, 2020 at 07:32:28PM +0200, Marco Elver wrote: > > > > > On Tue, 15 Sep 2020 at 14:01, George Popescu wrote: > > > > > > On Tue, Sep 15, 2020 at 01:18:11PM +0200, Marco Elver wrote: > > > > > > > On Tue, 15 Sep 2020 at 12:25, George Popescu wrote: > > > > > > > > On Mon, Sep 14, 2020 at 03:13:14PM -0700, Kees Cook wrote: > > > > > > > > > On Mon, Sep 14, 2020 at 05:27:42PM +0000, George-Aurelian Popescu wrote: > > > > > > > > > > From: George Popescu > > > > > > > > > > > > > > > > > > > > When the kernel is compiled with Clang, UBSAN_BOUNDS inserts a brk after > > > > > > > > > > the handler call, preventing it from printing any information processed > > > > > > > > > > inside the buffer. > > > > > > > > > > For Clang -fsanitize=bounds expands to -fsanitize=array-bounds and > > > > > > > > > > -fsanitize=local-bounds, and the latter adds a brk after the handler > > > > > > > > > > call > > > > > > > > > > > > > > > > > This would mean losing the local-bounds coverage. I tried to test it without > > > > > > > > local-bounds and with a locally defined array on the stack and it works fine > > > > > > > > (the handler is called and the error reported). For me it feels like > > > > > > > > --array-bounds and --local-bounds are triggered for the same type of > > > > > > > > undefined_behaviours but they are handling them different. > > > > > > > > > > > > > > Does -fno-sanitize-trap=bounds help? > [...] > > > Your full config would be good, because it includes compiler version etc. > > My full config is: > > Thanks. Yes, I can reproduce, and the longer I keep digging I start > wondering why we have local-bounds at all. > > It appears that local-bounds finds a tiny subset of the issues that > KASAN finds: > > http://lists.llvm.org/pipermail/cfe-commits/Week-of-Mon-20131021/091536.html > http://llvm.org/viewvc/llvm-project?view=revision&revision=193205 > > fsanitize=undefined also does not include local-bounds: > > https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html#available-checks > > And the reason is that we do want to enable KASAN and UBSAN together; > but local-bounds is useless overhead if we already have KASAN. > > I'm inclined to say that what you propose is reasonable (but the commit > message needs to be more detailed explaining the relationship with > KASAN) -- but I have no idea if this is going to break somebody's > usecase (e.g. find some OOB bugs, but without KASAN -- but then why not > use KASAN?!) So, it seems that local-bounds can still catch some rare OOB accesses, where KASAN fails to catch it because the access might skip over the redzone. The other more interesting bit of history is that -fsanitize=local-bounds used to be -fbounds-checking, and meant for production use as a hardening feature: http://lists.llvm.org/pipermail/llvm-dev/2012-May/049972.html And local-bounds just does not behave like any other sanitizer as a result, it just traps. The fact that it's enabled via -fsanitize=local-bounds (or just bounds) but hasn't much changed in behaviour is a little unfortunate. I suppose there are 3 options: 1. George implements trap handling somehow. Is this feasible? If not, why not? Maybe that should also have been explained in the commit message. 2. Only enable -fsanitize=local-bounds if UBSAN_TRAP was selected, at least for as long as Clang traps for local-bounds. I think this makes sense either way, because if we do not expect UBSAN to trap, it really should not trap! 3. Change the compiler. As always, this will take a while to implement and then to reach whoever should have that updated compiler. Preferences? Thanks, -- Marco