From: Justin Stitt
Date: Thu, 16 May 2024 12:48:47 -0700
To: Peter Zijlstra
Cc: Kees Cook, Linus Torvalds, Kees Cook, Mark Rutland, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, llvm@lists.linux.dev
X-Mailing-List: linux-kernel@vger.kernel.org
References: <202404291502.612E0A10@keescook> <202405081144.D5FCC44A@keescook> <202405081354.B0A8194B3C@keescook> <20240515073636.GY40213@noisy.programming.kicks-ass.net> <25882715-FE44-44C0-BB9B-57F2E7D1F0F9@kernel.org> <20240516140951.GK22557@noisy.programming.kicks-ass.net>
In-Reply-To: <20240516140951.GK22557@noisy.programming.kicks-ass.net>
Subject: Re: [RFC] Mitigating unexpected arithmetic overflow

Hi,

On Thu, May 16, 2024 at 7:09 AM Peter Zijlstra wrote:
>
> On Thu, May 16, 2024 at 06:30:32AM -0700, Kees Cook wrote:
>
> > I am a broken record. :) This is _not_ about undefined behavior.
>
> And yet you introduced CONFIG_UBSAN_SIGNED_WRAP... *UB*san, get it?

We should think of UBSAN as an "Unexpected Behavior" Sanitizer. Clang has
evolved to provide instrumentation for things that are not *technically*
undefined behavior. Go to [1] and grep for some phrases like "not
undefined behavior" and see that we have quite a few sanitizers that
aren't *technically* handling undefined behavior.

> > This is about finding a way to make the intent of C authors
> > unambiguous. That overflow wraps is well defined. It is not always
> > _desired_. C has no way to distinguish between the two cases.
>
> The current semantics are (and have been for years, decades at this
> point) that everything wraps nicely and code has been assuming this. You
> cannot just change this.

Why not :>)

Lots and lots of exploits are caused by unintentional arithmetic
overflow [2].

> So what you do is do a proper language extension and add a type
> qualifier that makes overflows trap and annotate all them cases where
> people do not expect overflows (so that we can put the
> __builtin_*_overflow() things where the sun don't shine).

It is incredibly important that the exact opposite approach is taken; we
need to be annotating (or adding type qualifiers to) the _expected_
overflow cases. The omniscience required to go and properly annotate all
the spots that will cause problems would suggest that we should just fix
the bug outright. If only it was that easy.

I don't think we're capable of identifying every single problematic
overflow/wraparound case in the kernel; this is pretty obvious
considering we've had decades to do so. Instead, it seems much more
feasible that we annotate (very, very minimally so as not to disrupt code
readability and style) the spots where we _know_ overflow should happen.

[1]: https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html#ubsan-checks
[2]: https://cwe.mitre.org/data/definitions/190.html

Thanks
Justin
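Added example, not part of the thread and not the kernel's own code: the two kinds of wraparound the reply is distinguishing, side by side. alloc_len_unchecked() is the CWE-190 pattern (a length computation that wraps silently and leads to an undersized allocation), alloc_len_checked() is the same computation made explicit with the __builtin_*_overflow() helpers Peter refers to, and time_after32() is a jiffies-style comparison where the wrap is the whole point. The INTENDED_WRAP macro, its attribute spelling, the function names and the sample inputs are all my own assumptions; the macro stands in for whatever marking of expected-overflow sites the thread is arguing about, and it only has an effect on clang, where it silences the overflow sanitizers for that one function.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Annotation for sites where wraparound is intended. Name and attribute
 * spelling are an assumption for this example, not a kernel macro: on clang
 * it turns off the overflow sanitizers for the annotated function, on other
 * compilers it expands to nothing. */
#if defined(__clang__)
# define INTENDED_WRAP \
    __attribute__((no_sanitize("signed-integer-overflow", "unsigned-integer-overflow")))
#else
# define INTENDED_WRAP
#endif

/* Unexpected overflow (CWE-190 pattern): bytes needed for a header plus
 * count elements of elem bytes. If count * elem wraps, the caller allocates
 * far too little and every later write runs past the buffer. A wrap
 * sanitizer fires here, which is exactly what we want. */
size_t alloc_len_unchecked(size_t hdr, size_t count, size_t elem)
{
    return hdr + count * elem;
}

/* Same computation with the overflow made explicit through the
 * __builtin_*_overflow() helpers: returns false instead of a wrapped value,
 * so nothing here can wrap and the sanitizer stays quiet. */
bool alloc_len_checked(size_t hdr, size_t count, size_t elem, size_t *out)
{
    size_t body;

    if (__builtin_mul_overflow(count, elem, &body))
        return false;
    if (__builtin_add_overflow(hdr, body, out))
        return false;
    return true;
}

/* Expected overflow: "is a after b" on a free-running 32-bit counter,
 * modelled on the kernel's time_after(). The unsigned subtraction is meant
 * to wrap, and reinterpreting the difference as signed is what keeps the
 * comparison correct across the counter rolling over. This is the kind of
 * site that should carry the annotation, not a __builtin_*_overflow() check. */
INTENDED_WRAP
bool time_after32(uint32_t a, uint32_t b)
{
    return (int32_t)(b - a) < 0;
}

int main(void)
{
    size_t n = 0;
    /* Constructed input: count * elem == 2^(bits of size_t) on any width, so
     * the unchecked length collapses to just the header. */
    size_t huge = SIZE_MAX / 2 + 1;

    printf("unchecked: %zu bytes for %zu elements\n",
           alloc_len_unchecked(16, huge, 4), huge);
    printf("checked:   %s\n",
           alloc_len_checked(16, huge, 4, &n) ? "ok" : "overflow");
    printf("checked:   %s (%zu bytes)\n",
           alloc_len_checked(16, 1000, 4, &n) ? "ok" : "overflow", n);
    printf("time_after32 across rollover: %d\n",
           time_after32(0x00000010u, 0xfffffff0u));
    return 0;
}
```

Built with clang and -fsanitize=signed-integer-overflow,unsigned-integer-overflow, the first printf line is the one the sanitizer reports; the annotated time_after32() is not reported even though it wraps on every rollover, which is the distinction the reply is asking the tooling to make.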