From: Miguel Ojeda
Date: Tue, 23 Jan 2024 03:24:14 +0100
Subject: Re: [PATCH 06/82] overflow: Reintroduce signed and unsigned overflow sanitizers
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20240122235208.work.748-kees@kernel.org> <20240123002814.1396804-6-keescook@chromium.org>
In-Reply-To: <20240123002814.1396804-6-keescook@chromium.org>
To: Kees Cook
Cc: linux-hardening@vger.kernel.org, Justin Stitt, Miguel Ojeda, Nathan Chancellor, Nick Desaulniers, Peter Zijlstra, Marco Elver, Hao Luo, Przemek Kitszel, "Gustavo A. R.
Silva", Bill Wendling, linux-kernel@vger.kernel.org

On Tue, Jan 23, 2024 at 1:28 AM Kees Cook wrote:
>
> Because the kernel is built with -fno-strict-overflow, signed and pointer
> arithmetic is defined to always wrap around instead of "overflowing"
> (which would either be elided due to being undefined behavior or would
> wrap around, which led to very weird bugs in the kernel).

By elided I guess you also mean assumed to not happen and thus the usual
chain-of-logic magic?

> So, the config options are added back as CONFIG_UBSAN_SIGNED_WRAP and
> CONFIG_UBSAN_UNSIGNED_WRAP. Since the kernel has several places that
> explicitly depend on wrap-around behavior (e.g. counters, atomics, etc),
> also introduce the __signed_wrap and __unsigned_wrap function attributes
> for annotating functions where wrapping is expected and should not
> be caught. This will allow us to distinguish in the kernel between
> intentional and unintentional cases of arithmetic wrap-around.

Sounds good -- it seems to go in the direction of Rust, i.e. to have a
way to mark expected wrap-arounds so that we can start catching the
unintended ones.

> +	depends on !COMPILE_TEST
> +	depends on $(cc-option,-fsanitize=signed-integer-overflow)

Maybe this line goes above the other, to be consistent with the
unsigned case? (or the other way around)

> +	depends on !X86_32 # avoid excessive stack usage on x86-32/clang
> +	depends on !COMPILE_TEST
> +	help
> +	  This option enables -fsanitize=unsigned-integer-overflow which checks
> +	  for wrap-around of any arithmetic operations with unsigned integers. This
> +	  currently causes x86 to fail to boot.

Is it related to the excessive stack usage? In that case, users would
not reach the point to see this description, right? If so, I guess it
could be removed from the `help` and moved into the comment above or
similar.
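Review bot: the `depends on !X86_32` line and the help text disagree on scope: the inline comment limits the exclusion to excessive stack usage on x86-32/clang, while the help text says the option "currently causes x86 to fail to boot". If 64-bit x86 fails to boot as well, `depends on !X86` is the safer guard until that is fixed; if only 32-bit is affected, the help text should say x86-32, and the boot failure belongs in the comment next to the stack-usage note rather than in text a user on an excluded arch will never see.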
> +static void test_ubsan_sub_overflow(void)
> +{
> +	volatile int val = INT_MIN;
> +	volatile unsigned int uval = 0;
> +	volatile int val2 = 2;

In the other tests you use a constant instead of `val2`, I am curious
if there is a reason for it?

Thanks!

Cheers,
Miguel
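Review bot: the `volatile` qualifiers on `val`, `uval` and `val2` are what stop the compiler from folding the subtraction at compile time, so the runtime sanitizer report is actually exercised rather than optimised away; a one-line comment on the declarations saying so would keep a later cleanup from dropping them. Since `uval` starts at 0, the unsigned case presumably subtracts from it to wrap below zero; noting the expected number of reports per operation in the test would make a silent regression easier to spot.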
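The split the patch draws between intended and unintended wrap-around, as an added C example that is not code from the patch or the kernel: `__signed_wrap` and `__unsigned_wrap` are assumed here to expand to the compiler's `no_sanitize` attribute (the kernel's own macro definitions are not on this page), and `seq_next`, `after_wrap`, `sub_wraps` and `wrapped_sub` are hypothetical helper names; the operands mirror the `INT_MIN` and `2` of the quoted test.

```c
#include <limits.h>
#include <stdbool.h>
/* Assumed expansion of the patch's annotations, modelled on the no_sanitize
 * attribute clang and GCC accept (the kernel's own macros are not shown on
 * this page). Without -fsanitize=... it is a no-op, so this builds anywhere. */
#if defined(__has_attribute)
# if __has_attribute(no_sanitize)
#  define __signed_wrap __attribute__((no_sanitize("signed-integer-overflow")))
#  ifdef __clang__	/* GCC has no unsigned-integer-overflow sanitizer */
#   define __unsigned_wrap __attribute__((no_sanitize("unsigned-integer-overflow")))
#  endif
# endif
#endif
#ifndef __signed_wrap
# define __signed_wrap
#endif
#ifndef __unsigned_wrap
# define __unsigned_wrap
#endif

/* Intended wrap: a sequence counter that is expected to roll over to 0. */
__unsigned_wrap
unsigned int seq_next(unsigned int seq)
{
	return seq + 1;
}

/* Intended signed wrap, jiffies-style: "a is after b" is read off the sign of
 * the difference, which only works because the subtraction is meant to wrap.
 * Computed in unsigned so it stays defined without -fno-strict-overflow. */
__signed_wrap
bool after_wrap(long a, long b)
{
	return (long)((unsigned long)a - (unsigned long)b) > 0;
}

/* Unintended wrap: detect it instead of wrapping silently. This is the case
 * the sanitizer reports; the same builtin underlies check_sub_overflow(). */
bool sub_wraps(int a, int b)
{
	int unused;
	return __builtin_sub_overflow(a, b, &unused);
}

/* What the test's INT_MIN - 2 wraps to under -fno-strict-overflow. */
int wrapped_sub(int a, int b)
{
	return (int)((unsigned int)a - (unsigned int)b);
}
```

With `-fsanitize=signed-integer-overflow` enabled, only the unannotated arithmetic is instrumented, which is exactly the distinction the config options and attributes are meant to give the kernel.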