Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp1665612lqo; Sun, 12 May 2024 12:29:41 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCV94Nzh+xwmsgDsd/0WJHdDI+NukPvKj2vMrAwNwXGtKcOlMvfbqu+RbqBxwEG0OcaFn47eB9RnoJIbHAXL0Paj7Nb13rATPY/Ks+7beg== X-Google-Smtp-Source: AGHT+IHUmADT7Q8rWG6iPnsLN4T/e0wV3okkguzo0esbU2k11uv+J49Zub063tvLGBYjpjB6lnov X-Received: by 2002:a05:6512:2398:b0:51d:67af:fa6a with SMTP id 2adb3069b0e04-5220fc7dcf4mr6494983e87.15.1715542181085; Sun, 12 May 2024 12:29:41 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715542181; cv=pass; d=google.com; s=arc-20160816; b=ZHu2hb2FbOmvAPLjYUvXq6udemM7hE5S98A4IoRPIH4asOkaTXwVnHTCR9I3UYcvsz 0JdQTAo1KbIueZV5KAqbLnidkiio++CDFTvBFR5QjcDi8a+WWl/8sQY87jZBd4DPKrra EaTTpd3S9oW2KN4FSLoho6kRagLd/l7PYBGnTvMCnABKYlQ4TVXuPxAZCjyCzXcckSe3 oZ/jnwcmChMRazIVla2Nn3jC4tNzt4c3mHSJ6gW/VkspHpnTUUoHDI0MCz57V3Ual1ni luza3QXx0fIdzNPPVSWJUgO89rBlpkrpAthXz1eUKjKRWOHDx9VH5dbxBXe6EcvbLky8 CCZg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:list-unsubscribe:list-subscribe:list-id:precedence :user-agent:content-transfer-encoding:references:in-reply-to:date:cc :to:from:subject:message-id:dkim-signature:dkim-filter; bh=2vPSVIunDDlKuMQTdFhwiPn7E9OmRNU/PnrIG9JkJSM=; fh=iFdtXMpQYpJ3Yj7XEc/QVODryN769x/cHneo/wTG2a0=; b=fF+9DHM2fGVZ3EcC3xaH927QpoYsv1sdxLVHB/0VBCPYpBN+JKJpL2FOxAG+UXHzO9 xwPdk9xqOzSfSkjd6HV8VPFvZ/8IzMkEXfvsk+yz97zyJlhDzwIYm8PC8LsMlDL2F2bH UK0qxY1lN0j3fgwsy3vcQhELe9maPwVd1wMyH4HuXfbT4QQmXY/X1fAQ4LqtmD+Mutaz +ttCOICJvsJpbuGTxXABvVe9aKlgINUgqZUiySDvI21HiTcqNtInR+Y6Pp2Szdx7E5FI bTApUN0JoxQczgJIe8BwbGss77fPdrOcqzGVnQZG3yEKf7kBtnfIbfOFim7pQvARd8dt 7S8g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@tugraz.at header.s=mailrelay header.b=lB6ZKZjZ; arc=pass (i=1 spf=pass spfdomain=tugraz.at dkim=pass dkdomain=tugraz.at dmarc=pass fromdomain=tugraz.at); spf=pass (google.com: domain of linux-kernel+bounces-176983-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-176983-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=tugraz.at Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id 4fb4d7f45d1cf-5733d36caa6si4159631a12.546.2024.05.12.12.29.40 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 May 2024 12:29:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-176983-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@tugraz.at header.s=mailrelay header.b=lB6ZKZjZ; arc=pass (i=1 spf=pass spfdomain=tugraz.at dkim=pass dkdomain=tugraz.at dmarc=pass fromdomain=tugraz.at); spf=pass (google.com: domain of linux-kernel+bounces-176983-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-176983-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=tugraz.at Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id C1A671F21F92 for ; Sun, 12 May 2024 19:29:40 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id F36D8524A6; Sun, 12 May 2024 19:29:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=tugraz.at header.i=@tugraz.at header.b="lB6ZKZjZ" Received: from mailrelay.tugraz.at (mailrelay.tugraz.at [129.27.2.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F3D5D2E620; Sun, 12 May 2024 19:29:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=129.27.2.202 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715542172; cv=none; b=hzVr6fuPA3o5uab7U6KCNfWSzbZT4pixdg5zRbWVrObTjOmuiYYBsEGxcOBUkl0NMKW5MS69bfsg2PHidFAN4EjjYGvP+2tAuHvrg4EGgm9CrL+vJZIl2TAwvOeXakw+DWkvQJtBpy7AGQ/CgQpvbWGUtjihsPwYJqMMU6TsB8A= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715542172; c=relaxed/simple; bh=0ExzLgblqzmDHiUjeSC2Nc/o1fm2eFgt9HoCEtCkHII=; h=Message-ID:Subject:From:To:Cc:Date:In-Reply-To:References: Content-Type:MIME-Version; b=dQjtTFFO6f72ONcuGFqDYXeMWuMepd9gjB4DvOw6NE7weaPAKd/wRj9RNsZ2YZciu2yp8XOEZkBoYxhEsId4Kf9Da4jps0OEegrIGssKJfImzuIRSXy1TQMmw3tH2QTB+6BZnyhHRFSZ/wVHuL3n84VT4s87BkwtwpFRvDC3FFs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=tugraz.at; spf=pass smtp.mailfrom=tugraz.at; dkim=pass (1024-bit key) header.d=tugraz.at header.i=@tugraz.at header.b=lB6ZKZjZ; arc=none smtp.client-ip=129.27.2.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=tugraz.at Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=tugraz.at Received: from [192.168.0.221] (84-115-223-216.cable.dynamic.surfer.at [84.115.223.216]) by mailrelay.tugraz.at (Postfix) with ESMTPSA id 4Vct3H6HvGz1LLyr; Sun, 12 May 2024 21:29:15 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 mailrelay.tugraz.at 4Vct3H6HvGz1LLyr DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tugraz.at; s=mailrelay; t=1715542157; bh=2vPSVIunDDlKuMQTdFhwiPn7E9OmRNU/PnrIG9JkJSM=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=lB6ZKZjZVcastT2NMUDE3JNMNIOzAOPsWlh2wGaecybw8km35qIhLEIv/ULB4kyRU qzGl3Ls59VKxAY5FEej1zci2qRO4X/CFiYAaTzTdhMfY4v+nBmfRBXa0hsjk4OOWxs AevH302tCWA99T+2LWUmpyasOEmuHV0NBe1XH2oQ= Message-ID: Subject: Re: [RFC] Mitigating unexpected arithmetic overflow From: Martin Uecker To: Linus Torvalds Cc: Kees Cook , Justin Stitt , Peter Zijlstra , Mark Rutland , linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, llvm@lists.linux.dev Date: Sun, 12 May 2024 21:29:15 +0200 In-Reply-To: References: <202404291502.612E0A10@keescook> <202405081144.D5FCC44A@keescook> <202405081354.B0A8194B3C@keescook> <59f731ab619673afec4956fce6832a1cd5324fb8.camel@tugraz.at> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.46.4-2 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-TUG-Backscatter-control: G/VXY7/6zeyuAY/PU2/0qw X-Spam-Scanner: SpamAssassin 3.003001 X-Spam-Score-relay: -1.9 X-Scanned-By: MIMEDefang 2.74 on 129.27.10.116 Am Sonntag, dem 12.05.2024 um 09:09 -0700 schrieb Linus Torvalds: > On Sun, 12 May 2024 at 01:03, Martin Uecker wrote: > >=20 > > But I guess it still could be smarter. Or does it have to be a > > sanitizer because compile-time will always have too many false > > positives? >=20 > Yes, there will be way too many false positives. >=20 > I'm pretty sure there will be a ton of "intentional positives" too, > where we do drop bits, but it's very much intentional. I think > somebody already mentioned the "store little endian" kind of things > where code like >=20 > unsigned chat *p; > u32 val; >=20 > p[0] =3D val; > p[1] =3D val >> 8; > p[2] =3D val >> 16; > p[3] =3D val >> 24; >=20 > kind of code is both traditional and correct, but obviously drops bits > very much intentionally on each of those assignments. >=20 > Now, obviously, in a perfect world the compiler would see the above as > "not really dropping bits", but that's not the world we live in. >=20 > So the whole "cast drops bits" is not easy to deal with. >=20 > In the case of the above kind of byte-wise behavior, I do think that > we could easily make the byte masking explicit, and so in *some* cases > it might actually be a good thing to just make these things more > explicit, and write it as >=20 > p[0] =3D val & 0xff; > p[1] =3D (val >> 8) & 0xff; > ... >=20 > and the above doesn't make the source code worse: it arguably just > makes things more explicit both for humans and for the compiler, with > that explicit bitwise 'and' operation making it very clear that we're > just picking a particular set of bits out of the value. Adding versions of the -Wconversions warning which triggers only in very specific cases should not be too difficult, if something like this is useful, i.e. restricting the warning to assignments. >=20 > But I do suspect the "implicit cast truncates value" is _so_ common > that it might be very very painful. Even with a run-time sanitizer > check. >=20 > And statically I think it's entirely a lost cause - it's literally > impossible to avoid in C. Why? Because there are no bitfield > variables, only fields in structures/unions, so if you pass a value > around as an argument, and then end up finally assigning it to a > bitfield, there was literally no way to pass that value around as the > "right type" originally. The final assignment *will* drop bits from a > static compiler standpoint. >=20 If one wanted to, one could always pass bitfields inside a struct typedef struct { unsigned int v:12; } b12; int f(b12 x) { int i =3D x.v; return i & (1 << 13); } the compiler is then smart enough to know how many bits are relevant and track this to some degree inside the function. https://godbolt.org/z/o8P3adnEK But using this information for warnings would be more difficult because the information is not computed in the front end. (but=C2=A0 here also other warnings generated by the backend, so not impossible). And, of course, the=C2=A0additional wrapping and unwrapping makes the code more ugly (*) C23 then also has bit-precise integers. Martin (*) ...but compared to what some other languages require the programmer to write, even=C2=A0 this seems relatively benign.