Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp3985243pxb; Mon, 30 Aug 2021 15:36:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx8xFPqdk7AGim4uRVmJJjw6ugEg9ZJ+YR7TIAVbGpoq68AAZQVn3FtliA6frFU5my1LMjQ X-Received: by 2002:a05:6402:1a26:: with SMTP id be6mr25558275edb.278.1630362960756; Mon, 30 Aug 2021 15:36:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1630362960; cv=none; d=google.com; s=arc-20160816; b=Excmc1sLywWzHrhN1n+2oClqJgy4OXpQz8LK1+JWcq53dMvAcZIDcjqN6dc00g0GUw Difn+leGjm5rr5na8kCWWLLXK5tA3DKcqAtGJG2ro8V8ydvnTaE40LaHaRg5kx5c6xI5 6dYXGTemGm/vfxcpHbotk8G4O3g4KNWNRo6sTjsEls32vzM80srpg4mCWVOKDqU4aH2a JPmdpfiPw4wLujp6Pv4yG1tYnOL/YIkx+tMeaiY14n6kWmRW+Cw40vghxz+t+vjuMHnP Oma4lBIFhKyFpkkzs8AZoxurBKBVJ1+9GFtE2h+TPRKLX3g84W56mwzkNeyOVdKTIp2U emkg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=C1K89/GRflau61KvtpP2Z347/fYfeoaBoKAXNIK40Kc=; b=SrURzHcSCy2wN3CiGPYedoLhr25FnY+Fq4Dwid8CBmKsLl1hXyBmgIKn2TjmbilFL9 VydRx6Eo1wNShYTKCZu1kv2V36pte93HyxRz/oosKR39kWrTGGQZtgyKqE/6Iqlwtydi xcVOdC+PCwHDCWW7zpPnHQhzW8FF/FVVTlavq+zEeauFdylSzaGmCz7FwdGXVpwXkD9t ZjVPRrdQMqNNYFEoymG3i2jKF2DsAckkqqp1sGk6r4B1Iz97fz7+n7QTnKO6/Lp/8sAJ kigrXfGFun2BNheBS+273yUEixLtXT/BkrFr6dKG5bVAQl4pxvDlEnsohcIevC4Hpass hqag== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=WvvNsgss; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n25si16139357ejg.73.2021.08.30.15.35.36; Mon, 30 Aug 2021 15:36:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=WvvNsgss; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238476AbhH3We7 (ORCPT + 99 others); Mon, 30 Aug 2021 18:34:59 -0400 Received: from mail.kernel.org ([198.145.29.99]:44864 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230140AbhH3We6 (ORCPT ); Mon, 30 Aug 2021 18:34:58 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C1B5460E98; Mon, 30 Aug 2021 22:34:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1630362844; bh=wlr+0GYj5AofoT2qLGQnGAd0De8XaqzW9JKk9OfETXI=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=WvvNsgssfkXqpGn/WQqRti1oOg9e3+5keyLeV+h/FY5iMBnW6NGD3RXQOThN5C+dd YmmaClMBnqiN0Jug1ruemGzaqGcTxHbCV/bXm0qRdBq8R8SlsXKnfsjWDo2LEK4Ok4 PZSZd5LgsAukrOFPqaDF7lUSO9NGEXYJ/ZIuiuwRHpjbxyKc4vj/gF5DZ79Ezwe9rZ cypetSnlmu3d80ml+4HhrjBuAnH8YQN3JGkTqOb73fnEdnZNJimUPhHTFvlbVRgdep LLNFLXEmPoxmlFgmk+Xn7WNxPHPdnNW2ezmTQZbv+XU4YTudIqgxHXmv583MViTvWd IDbDQRlDKgT5g== Date: Mon, 30 Aug 2021 15:34:01 -0700 From: Nathan Chancellor To: Kees Cook Cc: linux-kernel@vger.kernel.org, Arnd Bergmann , "Gustavo A. R. Silva" , Rasmus Villemoes , Keith Packard , Dan Williams , Daniel Vetter , clang-built-linux@googlegroups.com, linux-hardening@vger.kernel.org, llvm@lists.linux.dev Subject: Re: [PATCH v3 0/5] Enable -Warray-bounds and -Wzero-length-bounds Message-ID: References: <20210827163015.3141722-1-keescook@chromium.org> <202108301314.22B3CB015C@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <202108301314.22B3CB015C@keescook> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Aug 30, 2021 at 01:16:41PM -0700, Kees Cook wrote: > On Mon, Aug 30, 2021 at 11:44:54AM -0700, Nathan Chancellor wrote: > > arch/powerpc/kernel/signal_32.c:780:2: error: array index 3 is past the end of the array (which contains 1 element) [-Werror,-Warray-bounds] > > unsafe_put_sigset_t(&frame->uc.uc_sigmask, oldset, failed); > > ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Or is this a Clang DCE failure? > > #define unsafe_put_compat_sigset(compat, set, label) do { \ > compat_sigset_t __user *__c = compat; \ > const sigset_t *__s = set; \ > \ > switch (_NSIG_WORDS) { \ > case 4: \ > unsafe_put_user(__s->sig[3] >> 32, &__c->sig[7], label); \ > unsafe_put_user(__s->sig[3], &__c->sig[6], label); \ > fallthrough; \ > case 3: \ > unsafe_put_user(__s->sig[2] >> 32, &__c->sig[5], label); \ > unsafe_put_user(__s->sig[2], &__c->sig[4], label); \ > fallthrough; \ > case 2: \ > unsafe_put_user(__s->sig[1] >> 32, &__c->sig[3], label); \ > unsafe_put_user(__s->sig[1], &__c->sig[2], label); \ > fallthrough; \ > case 1: \ > unsafe_put_user(__s->sig[0] >> 32, &__c->sig[1], label); \ > unsafe_put_user(__s->sig[0], &__c->sig[0], label); \ > } \ > } while (0) > > if "set" has only 1 element, then _NSIG_WORDS must be 1. The warnings > are coming from cases 4 and 3. (But why not 2, which would also access > beyond the end?) I trimmed the warnings down otherwise it would have been 400 lines long :) it did warn for the 2 case. Clang does not like the use of asm goto in unsafe_put_user on powerpc it seems: $ cat warray-bounds.c #define NSIG_WORDS 1 typedef struct { unsigned long sig[NSIG_WORDS]; } sigset_t; int handle_rt_signal32_bad(sigset_t *); int handle_rt_signal32_bad(sigset_t *oldset) { switch (NSIG_WORDS) { case 4: __asm__ goto("" : : "r"(oldset->sig[3] >> 32) : : failed); __asm__ goto("" : : "r"(oldset->sig[3]) : : failed); __attribute__((fallthrough)); case 3: __asm__ goto("" : : "r"(oldset->sig[2] >> 32) : : failed); __asm__ goto("" : : "r"(oldset->sig[2]) : : failed); __attribute__((fallthrough)); case 2: __asm__ goto("" : : "r"(oldset->sig[1] >> 32) : : failed); __asm__ goto("" : : "r"(oldset->sig[1]) : : failed); __attribute__((fallthrough)); case 1: __asm__ goto("" : : "r"(oldset->sig[0] >> 32) : : failed); __asm__ goto("" : : "r"(oldset->sig[0]) : : failed); } return 0; failed: return 1; } void normal_array_access(unsigned long); int handle_rt_signal32_good(sigset_t *); int handle_rt_signal32_good(sigset_t *oldset) { switch (NSIG_WORDS) { case 4: normal_array_access(oldset->sig[3] >> 32); normal_array_access(oldset->sig[3]); __attribute__((fallthrough)); case 3: normal_array_access(oldset->sig[2] >> 32); normal_array_access(oldset->sig[2]); __attribute__((fallthrough)); case 2: normal_array_access(oldset->sig[1] >> 32); normal_array_access(oldset->sig[1]); __attribute__((fallthrough)); case 1: normal_array_access(oldset->sig[0] >> 32); normal_array_access(oldset->sig[0]); } return 0; } $ clang -fsyntax-only -Weverything warray-bounds.c warray-bounds.c:12:27: warning: array index 3 is past the end of the array (which contains 1 element) [-Warray-bounds] __asm__ goto("" : : "r"(oldset->sig[3] >> 32) : : failed); ^ ~ warray-bounds.c:4:2: note: array 'sig' declared here unsigned long sig[NSIG_WORDS]; ^ warray-bounds.c:16:27: warning: array index 2 is past the end of the array (which contains 1 element) [-Warray-bounds] __asm__ goto("" : : "r"(oldset->sig[2] >> 32) : : failed); ^ ~ warray-bounds.c:4:2: note: array 'sig' declared here unsigned long sig[NSIG_WORDS]; ^ warray-bounds.c:20:27: warning: array index 1 is past the end of the array (which contains 1 element) [-Warray-bounds] __asm__ goto("" : : "r"(oldset->sig[1] >> 32) : : failed); ^ ~ warray-bounds.c:4:2: note: array 'sig' declared here unsigned long sig[NSIG_WORDS]; ^ 3 warnings generated. $ gcc -fsyntax-only -Wall -Wextra -Wpedantic warray-bounds.c godbolt link: https://godbolt.org/z/8xYojs1WY I've reported this on LLVM's bug tracker to see what the clang developers can do with you on CC: https://bugs.llvm.org/show_bug.cgi?id=51682 Cheers, Nathan