Received: by 2002:a05:7412:5112:b0:fa:6e18:a558 with SMTP id fm18csp259913rdb; Mon, 22 Jan 2024 20:45:31 -0800 (PST) X-Google-Smtp-Source: AGHT+IEFjMyu4AR0ju5zWSc45qmQ1fNL6A3MGdEfguGx+bExU49nzSuBS/mXFoMw/I6ppkHJx1o3 X-Received: by 2002:a05:620a:370c:b0:783:6de8:e61b with SMTP id de12-20020a05620a370c00b007836de8e61bmr11014407qkb.62.1705985131691; Mon, 22 Jan 2024 20:45:31 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1705985131; cv=pass; d=google.com; s=arc-20160816; b=pukKVR6N7VAL45s0oFbREpcsFwLTaqyOhLJH6bR5gjcj8zT+fyvdQaUmU5EYlvtjWl tlMCnKL6YzcDmYQxIQUq67HDiEawCZVPSQpxEgPW4hWfAimHTJWGyulbaAq02bjcsGov 43EOee5OozwmC6R+hMDwL3UckLY8msOGQfLlJkavO+QGAbDrvkSUBG/Hg+t42hAa7Gt/ hfm4e6Mrxl3CcvwIkAjBiXShi11wYhmbY9bUjj0kl6lHQDswoGmZCQ6RKPfWmSoSP9YE zQ1R1vH4Q5g5Fxcu3UPaAUpZhSvIpIdOmQ/Gqatd86StSeuCZcvuqUVACbw7LtO8UD30 rs/A== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:references:in-reply-to :user-agent:subject:cc:to:from:date:dkim-signature; bh=jEMu7JJq8rAcILRbCFIayZwxsWnbSCDBJ4A+MUd8hMA=; fh=veIZuISjO0FNtFh0brl7DFtFlDJPuFzFpYEQQwq9GoY=; b=uzz68CSaisCh1aWiOk22Q8/OOqGkLx+czoDST2Nd5aeyBbS0meDseyuCjDdgAumE8p QuWnL1aN4zmeGUA/bjeXNJkRhcbX2MSyx5YePfkDWPArTO+kAIXZ0a03qdU8vU1U+/98 HvghqFtKvXvkvtNYmXCy7x5NrTJSlyUgqUUesDWJFQcW7YgnSyy86hRtFVcFNgtU+wJr zO4C1WRAjWpcQ1VT/KibnDx4/BpCnez1350TehwQ2XOg3sHgJhx2NPSQxNpR+qD7scwm 0NqT3G0ilo1hRomft6DbWRPnWD/YTQD/VhOjoxy1iGZ2eT8SYAVgTTiYHCoOdojhY40m kFIw== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=XblnXFyU; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-34706-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-34706-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id h9-20020a37c449000000b007839e7034dcsi3842342qkm.96.2024.01.22.20.45.31 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jan 2024 20:45:31 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-34706-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=XblnXFyU; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-34706-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-34706-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 722741C248BE for ; Tue, 23 Jan 2024 04:45:31 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 5F5781FDB; Tue, 23 Jan 2024 04:45:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="XblnXFyU" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 831431FA5; Tue, 23 Jan 2024 04:45:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705985123; cv=none; b=c5Q3HvfLGClXmrSOlODQQmHgoUJczy0Fj8Gg5XnQYTZXFIu5I4b3Ej5phPNaMW3QzoJ8fw7ve03gShVLjJ/hNLBR48hdVZyE30TdekinNh4FIDd/f40jAn7IMzn38R62OAts3Ar5D3uA75pohCxRLptiI9WbEJ4BLVL9Dq5WuWk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705985123; c=relaxed/simple; bh=iyV0NGmjSVcLNXBLniYpL0ErfhS2sfgENEZaUZo7d+Q=; h=Date:From:To:CC:Subject:In-Reply-To:References:Message-ID: MIME-Version:Content-Type; b=ZxeX5z1M66uOJ+uOZUl+NwFD8VlE/uf6XK9gPt85uAAMJPGPqwa+tNu/1+65znxCDphLuKedDe32mH0rJ7j3runo2vjXEbP03UI2j48nnNJ8YMvOUyb4SxVOK+cJxrU/j3oXhuHZkeohvIqqNCPdqI9K3pF4g6+I/MZk/2qq9oI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=XblnXFyU; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id DCC43C433F1; Tue, 23 Jan 2024 04:45:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1705985123; bh=iyV0NGmjSVcLNXBLniYpL0ErfhS2sfgENEZaUZo7d+Q=; h=Date:From:To:CC:Subject:In-Reply-To:References:From; b=XblnXFyUhNJ3q3GAUJNNH9L7hrvU/MuaSwBaQ0AtNRF3288YlhVcSNqVdSWhMjZcd myFhrDulhP1lbtP67REK8cV/5EPy5HyIImjz0m1rq3McgoaQG/8wwIXNTCGcrFcjUh 9EbW5exvEa6a4s8IWZ9O1e5yruKfapThTFiqeaUc5/+8A4qPR8o42Rha/L7Ga7MK54 bpWxdYW7auZ+WYr/FLeTLHXAjmA3CZjlUyH3Hzv5o3SdZQAfevO1WfiNlfZdbqgCzJ IsNj7iQJiZmWriXTNfiHxuhYg1ehHgY7NzGiCdLmin1ZtrC3aqJgVw2B/bJXkBaqQP h+6Aj+XWEuX3A== Date: Mon, 22 Jan 2024 20:45:22 -0800 From: Kees Cook To: Miguel Ojeda , Kees Cook CC: linux-hardening@vger.kernel.org, Justin Stitt , Miguel Ojeda , Nathan Chancellor , Nick Desaulniers , Peter Zijlstra , Marco Elver , Hao Luo , Przemek Kitszel , "Gustavo A. R. Silva" , Bill Wendling , linux-kernel@vger.kernel.org Subject: =?US-ASCII?Q?Re=3A_=5BPATCH_06/82=5D_overflow=3A_Reintroduce?= =?US-ASCII?Q?_signed_and_unsigned_overflow_sanitizers?= User-Agent: K-9 Mail for Android In-Reply-To: References: <20240122235208.work.748-kees@kernel.org> <20240123002814.1396804-6-keescook@chromium.org> Message-ID: <14B4D24C-4CBA-401E-8111-CF74482CA956@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On January 22, 2024 6:24:14 PM PST, Miguel Ojeda wrote: >On Tue, Jan 23, 2024 at 1:28=E2=80=AFAM Kees Cook wrote: >> >> Because the kernel is built with -fno-strict-overflow, signed and point= er >> arithmetic is defined to always wrap around instead of "overflowing" >> (which would either be elided due to being undefined behavior or would >> wrap around, which led to very weird bugs in the kernel)=2E > >By elided I guess you also mean assumed to not happen and thus the >usual chain-of-logic magic? Yes=2E We removed this bad behavior by using -fno-strict-overflow, and we = will want to keep it enabled=2E > >> So, the config options are added back as CONFIG_UBSAN_SIGNED_WRAP and >> CONFIG_UBSAN_UNSIGNED_WRAP=2E Since the kernel has several places that >> explicitly depend on wrap-around behavior (e=2Eg=2E counters, atomics, = etc), >> also introduce the __signed_wrap and __unsigned_wrap function attribute= s >> for annotating functions where wrapping is expected and should not >> be caught=2E This will allow us to distinguish in the kernel between >> intentional and unintentional cases of arithmetic wrap-around=2E > >Sounds good -- it seems to go in the direction of Rust, i=2Ee=2E to have = a >way to mark expected wrap-arounds so that we can start catching the >unintended ones=2E Yup! That's the plan=2E > >> + depends on !COMPILE_TEST >> + depends on $(cc-option,-fsanitize=3Dsigned-integer-overflow) > >Maybe this line goes above the other, to be consistent with the >unsigned case? (or the other way around) Sure, I can move it around=2E > >> + depends on !X86_32 # avoid excessive stack usage on x86-32/clan= g >> + depends on !COMPILE_TEST >> + help >> + This option enables -fsanitize=3Dunsigned-integer-overflow wh= ich checks >> + for wrap-around of any arithmetic operations with unsigned in= tegers=2E This >> + currently causes x86 to fail to boot=2E > >Is it related to the excessive stack usage? In that case, users would >not reach the point to see this description, right? If so, I guess it >could be removed from the `help` and moved into the comment above or >similar=2E The stack usage is separate=2E (This may even be fixed in modern Clang; th= is comes from the original version of this Kconfig=2E) The not booting part= is separate and has not been tracked down yet=2E > >> +static void test_ubsan_sub_overflow(void) >> +{ >> + volatile int val =3D INT_MIN; >> + volatile unsigned int uval =3D 0; >> + volatile int val2 =3D 2; > >In the other tests you use a constant instead of `val2`, I am curious >if there is a reason for it? I wondered the same -- they were this way when they were removed, so I jus= t restored them as they were=2E :) -Kees --=20 Kees Cook