Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp544266lqo; Thu, 16 May 2024 13:52:34 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCU8iHhGdAIV8wFZPT11WTvl2cK55ht0uMLXFClSF3EePk1DOdJ/xa/eA02JcfzJUyWqWq8RhyHLZNdeQdFifMpdIA0upNYGuv4n+Uz3Sw== X-Google-Smtp-Source: AGHT+IGp6MlMFF4SfmGbAqK9XkvA1oFuLb37ZmlEnI29wx9bzf0epPcffSy+g8ESbZuGEZSq0XBc X-Received: by 2002:a17:907:7d8b:b0:a5a:669c:286b with SMTP id a640c23a62f3a-a5a669c290emr1015517366b.19.1715892754796; Thu, 16 May 2024 13:52:34 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715892754; cv=pass; d=google.com; s=arc-20160816; b=J8yVJxsyo3voLPcgq1cZsdUyDb4qrPZXhGnj258xG8RYbLxayVrDumD9sgxubWDBKd NzprQ/q+usgIe3wldcIA5d7if69EFQq5zxecDKB7IttbVb1fb5eYm7S5hkEXQagkCrDB Vr0sONZ012NBokP1MnW7hdQe1IeF/o89b679usHXOb2P1WwJDjZFucre7k74qAvMwWXA h5EqZ+9z8PzTXTc4oSFWutVBKOik5ih5HOKkf9GqtI/dl/T0Vsg/lK2RK7DRsjWeNcyu ugqvItrlWC1Q094+O2TGaA633p/OV9yPtgH31O6MgUcNk7+7yC7Tyki4nHCG/R3CSph7 lwOw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=SOtluD1PaXHX4aLfHVPP7s3eptH002zErJfg39HNDSk=; fh=syBSG7i19UWwmJ7Y4+oS2GNfSkjjYPE0rQXLcCSAOqM=; b=Aqyptb85QZWzeVplghyFG6IZEbuEvJMn5d5uugIlnXdI1ycdFYhRPj6aN+f9JVxoa7 7L6juCTKWNX6m4b2LE9iC2fog4Arn2+bfsMvc8klLoq+h5wyTPoOHE7adOXJsXh5RsX8 VxXKwUAhheyQ7PT9mGqrKiEY9XPxEj6b/JbQwqf92ii7jn8pdmpahP2cbdwFp21u2u8x 9KvQsRMFtLdYwBCvDkfdRPsB0YmUkOzDHloCf9Mgrl0IqSk0K/XzD+VQy8f3SlMnBeS8 cGgjj41QfhRmo6hHj3upH+/3N1x3RnrCvMQbfkm8Pirj00ugGRgSRlpSS6DVZu8aUdXr VFLw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@mit.edu header.s=outgoing header.b=LAL413as; arc=pass (i=1 spf=pass spfdomain=mit.edu dkim=pass dkdomain=mit.edu dmarc=pass fromdomain=mit.edu); spf=pass (google.com: domain of linux-kernel+bounces-181578-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-181578-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mit.edu Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id a640c23a62f3a-a5cdb938ad6si158835366b.873.2024.05.16.13.52.34 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 May 2024 13:52:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-181578-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@mit.edu header.s=outgoing header.b=LAL413as; arc=pass (i=1 spf=pass spfdomain=mit.edu dkim=pass dkdomain=mit.edu dmarc=pass fromdomain=mit.edu); spf=pass (google.com: domain of linux-kernel+bounces-181578-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-181578-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mit.edu Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 592811F2255D for ; Thu, 16 May 2024 20:52:29 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 26A8A157E73; Thu, 16 May 2024 20:52:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=mit.edu header.i=@mit.edu header.b="LAL413as" Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CA6B415CB for ; Thu, 16 May 2024 20:52:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=18.9.28.11 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715892745; cv=none; b=rSQLnfssFU9dVC3JJF+kj+xI/j1kUnWeb0dFTtv5Xb7oU49qRK/3cgbXgxhPHNmnm4YXmpZM/FhX45Gjr0lt9eFaTRgRCI8zfBOMmuQHTVWtbFpnVT/fX86nchb/OqpaezwcOfNtaZDLpXdzlnz8/78WCXXh1UpOnIa3HfnUeFo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715892745; c=relaxed/simple; bh=tVODxaTXe1VJWK72M3wkpqVogEldieF3m7bSsMs8jIM=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=XNVpk1ksJnWYqqU85id2A4vh8zQjIuBjvv5CHjXfOW90NHmkp4sZep/PF1bYDVGHdKqRBJZ8yzbWUMHhzNhLRAeZVMsKNF8v7NuxIZsLKgH5HOUFL0MqKDkFKVAObl3yBceb2bvSiXh6m/AKsV0dbggIOz1kJ190QstTa4+/FXQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=mit.edu; spf=pass smtp.mailfrom=mit.edu; dkim=pass (2048-bit key) header.d=mit.edu header.i=@mit.edu header.b=LAL413as; arc=none smtp.client-ip=18.9.28.11 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=mit.edu Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=mit.edu Received: from macsyma.thunk.org (99-196-128-135.cust.exede.net [99.196.128.135] (may be forged)) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 44GKpaRr012754 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 16 May 2024 16:51:45 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1715892707; bh=SOtluD1PaXHX4aLfHVPP7s3eptH002zErJfg39HNDSk=; h=Date:From:Subject:Message-ID:MIME-Version:Content-Type; b=LAL413asy4CTYAoR3vtKjzRUe9/Y5ZKBHnX4D7QBrLySjGcmNL/TA6b/3nF4L7OW6 auGZzHOYkeWzK33jCS14SqF32HnyLSwxPfpglAASB8vbXfv7A2zObdTAjV2nzCq0gk m3CWrF5/sUKerMQeqpL1UlyPsZg2cRQOfjRfMox85NiCHzApmIyP4rbralHvruTPzb s9EMU8horV31wPgD29MyYcikq36S0G1/t/YZk4eJPIO63PqEU2KOY7H6gWiWbv8Vwt CspH+ti7/1rz0YO7O8w8MOiyu1S1gXy7FSoB+hB49nwfI7z+rpRsp4dnDz6sPrhubc eVS++1v7+PG0A== Received: by macsyma.thunk.org (Postfix, from userid 15806) id F15DF3403E6; Thu, 16 May 2024 14:51:34 -0600 (MDT) Date: Thu, 16 May 2024 14:51:34 -0600 From: "Theodore Ts'o" To: Justin Stitt Cc: Peter Zijlstra , Kees Cook , Linus Torvalds , Kees Cook , Mark Rutland , linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, llvm@lists.linux.dev Subject: Re: [RFC] Mitigating unexpected arithmetic overflow Message-ID: <20240516205134.GC287325@mit.edu> References: <202404291502.612E0A10@keescook> <202405081144.D5FCC44A@keescook> <202405081354.B0A8194B3C@keescook> <20240515073636.GY40213@noisy.programming.kicks-ass.net> <25882715-FE44-44C0-BB9B-57F2E7D1F0F9@kernel.org> <20240516140951.GK22557@noisy.programming.kicks-ass.net> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Thu, May 16, 2024 at 12:48:47PM -0700, Justin Stitt wrote: > > It is incredibly important that the exact opposite approach is taken; > we need to be annotating (or adding type qualifiers to) the _expected_ > overflow cases. The omniscience required to go and properly annotate > all the spots that will cause problems would suggest that we should > just fix the bug outright. If only it was that easy. It certainly isn't easy, yes. But the problem is when you dump a huge amount of work and pain onto kernel developers, when they haven't signed up for it, when they don't necessarily have the time to do all of the work themselves, and when their corporate overlords won't given them the headcount to handle unfunded mandates which folks who are looking for a bright new wonderful future --- don't be surprised if kernel developers push back hard. One of the big problems that we've seen with many of these security initiatives is that the teams create these unfunded mandates get their performance reviews based on how many "bug reports" that they file, regardless of whether they are real problems or not. This has been a problem with syzkaller, and with clusterfuzz. Let's not make this problem worse with new and fancy sanitizers, please. Unfortunately, I don't get funding from my employer to clear these kinds of reports, so when I do the work, it happens on the weekends or late at night, on my own time, which is probably why I am so grumpy about this. Whether you call this "sharpening our focus", or "year of efficiency", or pick your corporate buzzwords, it really doesn't matter. The important thing is that the figure of merit must NOT be "how many security bugs that are found", but how much bullsh*t noise do these security features create, and how do you decrease overhead by upstream developers to deal with the fuzzing/ubsan/security tools find. Cheers, - Ted