Received: by 2002:ab2:6991:0:b0:1f7:f6c3:9cb1 with SMTP id v17csp459658lqo;
        Wed, 8 May 2024 05:23:22 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCWNwc42S7K86qOGrIKf+UVdhdxdMCz1tKfazF5cwPLbBGZRtL8CARzhqSvVVg4xg/vWeIhH+ULH7BvzEdMUMLErBbFqBWgloEihjOhkmQ==
X-Google-Smtp-Source: AGHT+IEVUPmqnnOXcWiOsJp0YrwZVn2SpZe8TKih3warfmCk9i+/k28xWc/6PRWd6pZGG34kzQvi
X-Received: by 2002:a67:fc58:0:b0:47b:b820:e735 with SMTP id ada2fe7eead31-47f3c372678mr2023237137.32.1715171001766;
        Wed, 08 May 2024 05:23:21 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715171001; cv=pass;
        d=google.com; s=arc-20160816;
        b=GaB1w7tZfCb248e1iQBVBcbxHzX+v0qzPnKWPUMBu4H6sa8h/X2E83qgouLcoKoM22
         ZueD3hCnGVx8rfhXG0V4Cp+yK4wQp1F1iPfzIhenNYEdmfPLwsa6uEBuqL4zEsoIOWc3
         A4zKOUyNDbeqK3XTckpYpqdARZ0a0ZzKeZiHWBEj1J/EZFLCFQ8+LQ2Wwg22ua2fADZI
         CdS07GCAgYIKBdoJt7YHVotcCn322bYNhyGviJ3o4vOQ6t7R1TVlCnneeLl/8N29wVN/
         NDy/Wqq7bKtC0vUnftFTLiclti/U6t7nbmBzLHeGSkejNd2Iokwdmi9Q0poGAmrd4Qzd
         OF4Q==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:content-language:mime-version
         :list-unsubscribe:list-subscribe:list-id:precedence:accept-language
         :in-reply-to:references:message-id:date:thread-index:thread-topic
         :subject:cc:to:from;
        bh=SCE5JWU4nqxphECUgDgRgi0LtZaDC5XX2+xe9FqzcBs=;
        fh=Gqn5sELZiqu2IrqVjE8vC6N4lHZDF0BhCqwk+Q8F0Yk=;
        b=F8VJTuI5JZBEVe03/9w0F11q/eo7f+RnyaOl3GXhW1QwnQSYdW4QXS+u1n+rcpAbEC
         s8Vt+UjlbZXPK7w1AH3+Mr0zdWkS9839AFam0MGJEPEmzla4lrUho3ACDDJNJroUQdlo
         QgZcY6TAEvodTjT+n0Q52fSnSgiP6k6sSVISJ9zPFS9hFg9QxerJs/TnRdxTSKlw6RDu
         9vm81tGAGZbdm8AvNi3UhlZfzfAYAthQcYrE3QZ216vMiiFO2/ft43GMdr3vHGMOf/48
         OZWdj0j96OFRhpl5sKgoAisORWk7A9vDWy/ib1ron9ptS5yOtKoLpUZBwIItwUC3ImPx
         Vj3g==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=aculab.com dmarc=pass fromdomain=aculab.com);
       spf=pass (google.com: domain of linux-kernel+bounces-173211-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-173211-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com
Return-Path: <linux-kernel+bounces-173211-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1])
        by mx.google.com with ESMTPS id iw14-20020a0562140f2e00b0069b0b59d115si49596qvb.269.2024.05.08.05.23.21
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 08 May 2024 05:23:21 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-173211-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=aculab.com dmarc=pass fromdomain=aculab.com);
       spf=pass (google.com: domain of linux-kernel+bounces-173211-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-173211-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 684281C21E9B
	for <linux.lists.archive@gmail.com>; Wed,  8 May 2024 12:23:21 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 32CC784A28;
	Wed,  8 May 2024 12:23:14 +0000 (UTC)
Received: from eu-smtp-delivery-151.mimecast.com (eu-smtp-delivery-151.mimecast.com [185.58.85.151])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 13F0545024
	for <linux-kernel@vger.kernel.org>; Wed,  8 May 2024 12:23:11 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.58.85.151
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715170993; cv=none; b=r7MlpKHdI4NGpQsahEhtZC8ACNQnTDbHmMiBgOo9yhFIlHqYzSwe/0TvH3i+KJWH8ydH2Emf9yj+jJfPIakGLG9155JyFXPo9ztCPG28OmuSp2Fdk3W0tPGreLkfvB5adA+H/qTQcwJ0+t1ozY3fMKW3uDIZw1QBj3dIIs29SjM=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715170993; c=relaxed/simple;
	bh=SCE5JWU4nqxphECUgDgRgi0LtZaDC5XX2+xe9FqzcBs=;
	h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To:
	 MIME-Version:Content-Type; b=cSwSg5LfrfcN9yEqvJVfPg5cQ78z+bxLLwf0bAgebzJv73utPbodRoI4BECFjUjVfGIjwbtXjACp2Y4VUIUGZReHshjT28eFuvsa+KdQrzvMqTdu96fLg8rFVnWVf5TO+4meYfwpAInV8Cwt48CtnubpcYHEKK2Oo4uYkB4CWlw=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=ACULAB.COM; spf=pass smtp.mailfrom=aculab.com; arc=none smtp.client-ip=185.58.85.151
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=ACULAB.COM
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=aculab.com
Received: from AcuMS.aculab.com (156.67.243.121 [156.67.243.121]) by
 relay.mimecast.com with ESMTP with both STARTTLS and AUTH (version=TLSv1.2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
 uk-mta-172-HAljp3vRPtmBU0n87pTUDQ-1; Wed, 08 May 2024 13:23:09 +0100
X-MC-Unique: HAljp3vRPtmBU0n87pTUDQ-1
Received: from AcuMS.Aculab.com (10.202.163.4) by AcuMS.aculab.com
 (10.202.163.4) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Wed, 8 May
 2024 13:22:38 +0100
Received: from AcuMS.Aculab.com ([::1]) by AcuMS.aculab.com ([::1]) with mapi
 id 15.00.1497.048; Wed, 8 May 2024 13:22:38 +0100
From: David Laight <David.Laight@ACULAB.COM>
To: 'Kees Cook' <keescook@chromium.org>, Linus Torvalds
	<torvalds@linux-foundation.org>
CC: Justin Stitt <justinstitt@google.com>, Peter Zijlstra
	<peterz@infradead.org>, Mark Rutland <mark.rutland@arm.com>,
	"linux-hardening@vger.kernel.org" <linux-hardening@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"llvm@lists.linux.dev" <llvm@lists.linux.dev>
Subject: RE: [RFC] Mitigating unexpected arithmetic overflow
Thread-Topic: [RFC] Mitigating unexpected arithmetic overflow
Thread-Index: AQHaoNrkK91jQ1nmYEmzGISNIfAGlrGNP8bg
Date: Wed, 8 May 2024 12:22:38 +0000
Message-ID: <e777a057e8d246efbc90381c2988b9b2@AcuMS.aculab.com>
References: <202404291502.612E0A10@keescook>
In-Reply-To: <202404291502.612E0A10@keescook>
Accept-Language: en-GB, en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: aculab.com
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

From: Kees Cook
> Sent: 08 May 2024 00:28
>=20
> Over the last decade or so, our work hardening against weaknesses
> in various kernel APIs and eliminating the ambiguities in C language
> semantics have traditionally been somewhat off in one corner or another
> of the Linux codebase. This topic is going to be much different as
> it is ultimately about the C type system, which is rather front and
> center. So, hold on to your hats while I try to explain what's desired
> here. Please try to reserve judgement until the end; as we've explored
> the topic we've found a lot of nuances, which I've tried to touch on
> below. I'm hoping folks can have an open mind about all this and not
> jump to any conclusions without first hearing me out. :)
>=20
>=20
> Problem to Solve
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> The Linux kernel has consistently suffered from unexpected arithmetic
> overflow bugs. These lead to any number of exploitable conditions[0].
> Our continuing efforts to improve things (refcount_t, alloc_size(),
> etc) have helped in some specific areas, but on the whole, we've had a
> relatively unchanged count of serious arithmetic overflow flaws over the
> life of the project[1]. This is not tolerable, and we should, all of us,
> make the effort needed to put an end to it in a systematic way.

Is it April 1?

Have you estimated the performance cost of checking the result of
all integer arithmetic.

If you have a cpu with 'signed/unsigned add(etc) with trap on overflow'
instructions then maybe you could use them to panic the kernel.
But otherwise you'll need a conditional branch after pretty much
every arithmetic instruction.
As well as the code bloat there is likely to be a 50% chance they
are mis-predicted slowing things down a lot more.
IIRC at least some x86 cpu do not default to static prediction (eg
backwards taken forwards not) but always use data from the branch
prediction logic - so the first time a branch is seen it is predicted
randomly.

=09David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1=
PT, UK
Registration No: 1397386 (Wales)