Received: by 2002:ab2:6991:0:b0:1f7:f6c3:9cb1 with SMTP id v17csp459658lqo; Wed, 8 May 2024 05:23:22 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWNwc42S7K86qOGrIKf+UVdhdxdMCz1tKfazF5cwPLbBGZRtL8CARzhqSvVVg4xg/vWeIhH+ULH7BvzEdMUMLErBbFqBWgloEihjOhkmQ== X-Google-Smtp-Source: AGHT+IEVUPmqnnOXcWiOsJp0YrwZVn2SpZe8TKih3warfmCk9i+/k28xWc/6PRWd6pZGG34kzQvi X-Received: by 2002:a67:fc58:0:b0:47b:b820:e735 with SMTP id ada2fe7eead31-47f3c372678mr2023237137.32.1715171001766; Wed, 08 May 2024 05:23:21 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715171001; cv=pass; d=google.com; s=arc-20160816; b=GaB1w7tZfCb248e1iQBVBcbxHzX+v0qzPnKWPUMBu4H6sa8h/X2E83qgouLcoKoM22 ZueD3hCnGVx8rfhXG0V4Cp+yK4wQp1F1iPfzIhenNYEdmfPLwsa6uEBuqL4zEsoIOWc3 A4zKOUyNDbeqK3XTckpYpqdARZ0a0ZzKeZiHWBEj1J/EZFLCFQ8+LQ2Wwg22ua2fADZI CdS07GCAgYIKBdoJt7YHVotcCn322bYNhyGviJ3o4vOQ6t7R1TVlCnneeLl/8N29wVN/ NDy/Wqq7bKtC0vUnftFTLiclti/U6t7nbmBzLHeGSkejNd2Iokwdmi9Q0poGAmrd4Qzd OF4Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:content-language:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:accept-language :in-reply-to:references:message-id:date:thread-index:thread-topic :subject:cc:to:from; bh=SCE5JWU4nqxphECUgDgRgi0LtZaDC5XX2+xe9FqzcBs=; fh=Gqn5sELZiqu2IrqVjE8vC6N4lHZDF0BhCqwk+Q8F0Yk=; b=F8VJTuI5JZBEVe03/9w0F11q/eo7f+RnyaOl3GXhW1QwnQSYdW4QXS+u1n+rcpAbEC s8Vt+UjlbZXPK7w1AH3+Mr0zdWkS9839AFam0MGJEPEmzla4lrUho3ACDDJNJroUQdlo QgZcY6TAEvodTjT+n0Q52fSnSgiP6k6sSVISJ9zPFS9hFg9QxerJs/TnRdxTSKlw6RDu 9vm81tGAGZbdm8AvNi3UhlZfzfAYAthQcYrE3QZ216vMiiFO2/ft43GMdr3vHGMOf/48 OZWdj0j96OFRhpl5sKgoAisORWk7A9vDWy/ib1ron9ptS5yOtKoLpUZBwIItwUC3ImPx Vj3g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=aculab.com dmarc=pass fromdomain=aculab.com); spf=pass (google.com: domain of linux-kernel+bounces-173211-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-173211-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id iw14-20020a0562140f2e00b0069b0b59d115si49596qvb.269.2024.05.08.05.23.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 08 May 2024 05:23:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-173211-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=aculab.com dmarc=pass fromdomain=aculab.com); spf=pass (google.com: domain of linux-kernel+bounces-173211-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-173211-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 684281C21E9B for ; Wed, 8 May 2024 12:23:21 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 32CC784A28; Wed, 8 May 2024 12:23:14 +0000 (UTC) Received: from eu-smtp-delivery-151.mimecast.com (eu-smtp-delivery-151.mimecast.com [185.58.85.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 13F0545024 for ; Wed, 8 May 2024 12:23:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.58.85.151 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715170993; cv=none; b=r7MlpKHdI4NGpQsahEhtZC8ACNQnTDbHmMiBgOo9yhFIlHqYzSwe/0TvH3i+KJWH8ydH2Emf9yj+jJfPIakGLG9155JyFXPo9ztCPG28OmuSp2Fdk3W0tPGreLkfvB5adA+H/qTQcwJ0+t1ozY3fMKW3uDIZw1QBj3dIIs29SjM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715170993; c=relaxed/simple; bh=SCE5JWU4nqxphECUgDgRgi0LtZaDC5XX2+xe9FqzcBs=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: MIME-Version:Content-Type; b=cSwSg5LfrfcN9yEqvJVfPg5cQ78z+bxLLwf0bAgebzJv73utPbodRoI4BECFjUjVfGIjwbtXjACp2Y4VUIUGZReHshjT28eFuvsa+KdQrzvMqTdu96fLg8rFVnWVf5TO+4meYfwpAInV8Cwt48CtnubpcYHEKK2Oo4uYkB4CWlw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=ACULAB.COM; spf=pass smtp.mailfrom=aculab.com; arc=none smtp.client-ip=185.58.85.151 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=ACULAB.COM Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=aculab.com Received: from AcuMS.aculab.com (156.67.243.121 [156.67.243.121]) by relay.mimecast.com with ESMTP with both STARTTLS and AUTH (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id uk-mta-172-HAljp3vRPtmBU0n87pTUDQ-1; Wed, 08 May 2024 13:23:09 +0100 X-MC-Unique: HAljp3vRPtmBU0n87pTUDQ-1 Received: from AcuMS.Aculab.com (10.202.163.4) by AcuMS.aculab.com (10.202.163.4) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Wed, 8 May 2024 13:22:38 +0100 Received: from AcuMS.Aculab.com ([::1]) by AcuMS.aculab.com ([::1]) with mapi id 15.00.1497.048; Wed, 8 May 2024 13:22:38 +0100 From: David Laight To: 'Kees Cook' , Linus Torvalds CC: Justin Stitt , Peter Zijlstra , Mark Rutland , "linux-hardening@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "llvm@lists.linux.dev" Subject: RE: [RFC] Mitigating unexpected arithmetic overflow Thread-Topic: [RFC] Mitigating unexpected arithmetic overflow Thread-Index: AQHaoNrkK91jQ1nmYEmzGISNIfAGlrGNP8bg Date: Wed, 8 May 2024 12:22:38 +0000 Message-ID: References: <202404291502.612E0A10@keescook> In-Reply-To: <202404291502.612E0A10@keescook> Accept-Language: en-GB, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: aculab.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable From: Kees Cook > Sent: 08 May 2024 00:28 >=20 > Over the last decade or so, our work hardening against weaknesses > in various kernel APIs and eliminating the ambiguities in C language > semantics have traditionally been somewhat off in one corner or another > of the Linux codebase. This topic is going to be much different as > it is ultimately about the C type system, which is rather front and > center. So, hold on to your hats while I try to explain what's desired > here. Please try to reserve judgement until the end; as we've explored > the topic we've found a lot of nuances, which I've tried to touch on > below. I'm hoping folks can have an open mind about all this and not > jump to any conclusions without first hearing me out. :) >=20 >=20 > Problem to Solve > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > The Linux kernel has consistently suffered from unexpected arithmetic > overflow bugs. These lead to any number of exploitable conditions[0]. > Our continuing efforts to improve things (refcount_t, alloc_size(), > etc) have helped in some specific areas, but on the whole, we've had a > relatively unchanged count of serious arithmetic overflow flaws over the > life of the project[1]. This is not tolerable, and we should, all of us, > make the effort needed to put an end to it in a systematic way. Is it April 1? Have you estimated the performance cost of checking the result of all integer arithmetic. If you have a cpu with 'signed/unsigned add(etc) with trap on overflow' instructions then maybe you could use them to panic the kernel. But otherwise you'll need a conditional branch after pretty much every arithmetic instruction. As well as the code bloat there is likely to be a 50% chance they are mis-predicted slowing things down a lot more. IIRC at least some x86 cpu do not default to static prediction (eg backwards taken forwards not) but always use data from the branch prediction logic - so the first time a branch is seen it is predicted randomly. =09David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1= PT, UK Registration No: 1397386 (Wales)