Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp1414654lqo; Sun, 12 May 2024 01:11:12 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCX1iWNix7A+Kjr00dZpVUj992mCZuQVPot0s0OyDSE/M8OoZKjpfRtb0B2cQ4MzhQxdJ9WhLzUIB/Ellbw6UhHo/mMwUnGSg5TjWl4Tbg== X-Google-Smtp-Source: AGHT+IExOY8H5irB/00xTAm8Rr2AYJLq1wCPEfxrAGBPYL8i9y4YiEjtbyWVLhuK5V/CI8ASQHVG X-Received: by 2002:a17:906:31d7:b0:a59:ab0a:a170 with SMTP id a640c23a62f3a-a5a2d18a9c2mr564520966b.1.1715501472674; Sun, 12 May 2024 01:11:12 -0700 (PDT) Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id a640c23a62f3a-a5a179462f7si366886166b.43.2024.05.12.01.11.12 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 May 2024 01:11:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-176820-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@tugraz.at header.s=mailrelay header.b=rNg9kYmX; arc=fail (body hash mismatch); spf=pass (google.com: domain of linux-kernel+bounces-176820-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-176820-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=QUARANTINE sp=NONE dis=NONE) header.from=tugraz.at Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 399101F2135B for ; Sun, 12 May 2024 08:11:12 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id BDB2717588; Sun, 12 May 2024 08:11:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=tugraz.at header.i=@tugraz.at header.b="rNg9kYmX" Received: from mailrelay.tugraz.at (mailrelay.tugraz.at [129.27.2.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 117EA14AAD; Sun, 12 May 2024 08:11:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=129.27.2.202 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715501464; cv=none; b=OK+Ndy7cCSlI+QXgK/fBSSb/U0NMbzDxMYSaO8HC8LjQGMicq86xognNzXnBbwdf2JbqlRdnu4wjijLGrdJDh9DuxJEK0HlInSsjG9GGAIJgyou1FEkytCEEgJAHryimx18EYO+jfiGEWNSSlm8RdYtajnGBwa2OMqEwBCoRAIE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715501464; c=relaxed/simple; bh=cBSa91IUA31x5n1Tk1msmI9aJm9T9z5OoASH+Lzq6HM=; h=Message-ID:Subject:From:To:Cc:Date:In-Reply-To:References: Content-Type:MIME-Version; b=lD1IT/h3RPHLYJwqt9MrwfWW6A9obVCpDyERGJEsLftyLxvJOh/QnFQDbMnk/0VnL5wj7KT4ynWR2GCB6ktSlZeMbRl8x6AIzSEsFNmyixII3fcUN1YOXH5eryqymQzERC8Mign+lXq/KojCkWHlsSLry12zIhbIEvP9gYuxnUc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=tugraz.at; spf=pass smtp.mailfrom=tugraz.at; dkim=pass (1024-bit key) header.d=tugraz.at header.i=@tugraz.at header.b=rNg9kYmX; arc=none smtp.client-ip=129.27.2.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=tugraz.at Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=tugraz.at Received: from [192.168.0.221] (84-115-223-216.cable.dynamic.surfer.at [84.115.223.216]) by mailrelay.tugraz.at (Postfix) with ESMTPSA id 4VcZr31J1pz3wGD; Sun, 12 May 2024 10:03:31 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tugraz.at; s=mailrelay; t=1715501012; bh=8wKF3K1/gl/lH7BcMOVIXNsu0KRDMkF4mJrrwAUkDLg=; h=Subject:From:To:Cc:Date:In-Reply-To:References; b=rNg9kYmXyzo63IZjtvX3G5h14CNg1OLPp4PDyztzbnWPiEiNhWWwsaXmugrpO510o ph04ITw5+J2TpDrP8YeD9MEvJjmqb+dDljz539cstMwIbj+4aKTPDRlGmYeiUWrhw+ 5OSCu34jwCJ1Lmv/68J2j3xW4Oa3c+ULLrqjQ9XY= Message-ID: <59f731ab619673afec4956fce6832a1cd5324fb8.camel@tugraz.at> Subject: Re: [RFC] Mitigating unexpected arithmetic overflow From: Martin Uecker To: Linus Torvalds , Kees Cook Cc: Justin Stitt , Peter Zijlstra , Mark Rutland , linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, llvm@lists.linux.dev Date: Sun, 12 May 2024 10:03:30 +0200 In-Reply-To: References: <202404291502.612E0A10@keescook> <202405081144.D5FCC44A@keescook> <202405081354.B0A8194B3C@keescook> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.46.4-2 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-TUG-Backscatter-control: G/VXY7/6zeyuAY/PU2/0qw X-Spam-Scanner: SpamAssassin 3.003001 X-Spam-Score-relay: -1.9 X-Scanned-By: MIMEDefang 2.74 on 129.27.10.116 Am Mittwoch, dem 08.05.2024 um 16:47 -0700 schrieb Linus Torvalds: > On Wed, 8 May 2024 at 15:54, Kees Cook wrote: > >=20 .. >=20 > No, the only point where that actually failed was then when a > (non-overflowing, non-wrapping) final value was assigned to a 16-bit > field, ie the problem only ever happened at the final assignment: >=20 > event->read_size =3D size; >=20 > where no overflow had ever happened before that. >=20 > So in *that* case, you actually have a much more interesting > situation. Not wrap-around, not overflow, but "implicit cast drops > significant bits". >=20 > And yes, I do think implicit integer casts are dangerous. Often *more* > dangerous than arithmetic overflow and wrapping. We've had absolutely > tons of them. Some of our most traditional bugs have very much been > about implicit casting losing bits and causing problems as a result. In principle, GCC has -Wconversions which looks like that it is meant to catch this. It seems not entirely stupid, e.g. it warns=C2=A0 about=C2=A0 the first assignment and not the second (x86): void f(int i) { unsigned short y =3D i; unsigned short x =3D i & 0xFFF; } But I guess it still could be smarter. Or does it have to be a sanitizer because compile-time will always have too many false=C2=A0 positives? Martin