Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp1221253lqo; Fri, 17 May 2024 15:04:45 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCW+wCwxr/tQJlmr1bPpBTj+7JsRqgLRuBXsX6K99tDAWteh60E+C9g6GaNfKQDEgKTlpYauRfX2nborL8+xisptTuCxsb49FUh6TjCPhw== X-Google-Smtp-Source: AGHT+IEwMENgeaqXdJ4FpGTq8ML1l1TIKA8m9+a7TKIhMv08xOnRwQkiKlQEXPlDCaWTdZqH4uXG X-Received: by 2002:a50:c30b:0:b0:574:eb80:3305 with SMTP id 4fb4d7f45d1cf-574eb80345fmr7868394a12.11.1715983485531; Fri, 17 May 2024 15:04:45 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715983485; cv=pass; d=google.com; s=arc-20160816; b=CgHop0ZPGolXTJEKIV20+bhWWx4zb5kuNGV3HH6m9qzzPtteXHFeT9jQFYU3AOpip+ sWSFQ75AaDAO18enydvLple1BhRlIqqqpz/PE8MEG9B8YBpXJjny2NLeMESirhIXl0LC mQWbfLXvU2KWOUjFvZrYpB1jH76ZBtxYINaZryRazFmoQloEo9WUWxuK+ipETRwnyfly S2D2mS2xdBDCYUHDLmJSc2E8UZzMROrWV4kOBzVeV6wbYxNtPYWuGMA0NHPdoildN9V5 SqtC4N5G7OPDZW1a92jBxTJNS4woQqgOLfjvEsl4YxF9ELPf0811Lu+Z2D8sv+vaAdks ZIig== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=LPcNSrh3uuZ5e6UcUtMkeuMK0XXETcsLkcdKBYaf5FE=; fh=Z3DwCRx6YwceLtnbdqaMG2bq97V8E11sC1fSrSz1e7o=; b=aTfu/eUApBxLp4IzVc0xgS5fE35nbz8H2X7mGbKISRhIV6zajXmb3n50bpNqtMsf6k Wt3LPCGpppDLmh10DagPeuyP9PdC5qn/aMBBNOAriO8CX+4aEUdBQTJRPfc7pyxg5nog 41JuzSSs5h1tX9MrL26RtOZVWQK0kXiWCy3kxgcjVtoyAPYyrNjitbb9Qq9oohMUnyGI yh/fcElJqOxjgAdamDtQLijnF34XiP3sgC38v5e5FwX1HCEA5BZJxF4gQRhXkKzZMNwa HqKM+mIM1SJ0gzYUTAjM8MgMH+RGAa4glhFR3nHyk7p82F4rg+lxDquxbyBrHGALOBfG vhbw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=FfIx+HD5; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-182666-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-182666-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id 4fb4d7f45d1cf-574d1ad6826si6301123a12.166.2024.05.17.15.04.45 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 May 2024 15:04:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-182666-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=FfIx+HD5; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-182666-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-182666-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 20E011F2427D for ; Fri, 17 May 2024 22:04:45 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B40461419A2; Fri, 17 May 2024 22:04:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="FfIx+HD5" Received: from mail-ed1-f45.google.com (mail-ed1-f45.google.com [209.85.208.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0DBA01411D1 for ; Fri, 17 May 2024 22:04:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.45 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715983476; cv=none; b=YVEAgKKhln4lxPEMB1576ItYdfz+Ae+dc/lGOpeuLZAMDPmJ1oa1Eqh1VmSn5OQO/E/LKG6wgNaMzJL2W1Jbd9h9Nm1wwja5w8Rnly3nDSkhPTzEigmfZ4wPs3+3xpy4Lx1Q6Os6QTZn2+5ExgHHcUGpu0qVE3+titBYimSLQJM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715983476; c=relaxed/simple; bh=BdhITRnNU+REXc7LnQZeK8vjGpGDGI/srKqx0YLNYAk=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=AFQTd4CkyFzoKBK35h8pSdKhLm4asgAFGI923ZyVtvwroQvKypcPEXmSX53tFNaPQWPaJy0iugOfizwNrUv6QSv4XY3qL2DL34gX9gX2xttW42dVm3aeRWibVz1imk6u6b5+uKZirpqeC1Js6kS+CHsAtcGcqQoBpY56WVQo/lo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=FfIx+HD5; arc=none smtp.client-ip=209.85.208.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Received: by mail-ed1-f45.google.com with SMTP id 4fb4d7f45d1cf-572f6c56cdaso1018a12.0 for ; Fri, 17 May 2024 15:04:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1715983473; x=1716588273; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=LPcNSrh3uuZ5e6UcUtMkeuMK0XXETcsLkcdKBYaf5FE=; b=FfIx+HD5VxCqbtJM9KXjjvO9XI5GzPZfAlDQf8RnsSIzu4Gb0lS1x2IV0/4+gdpbUW 4AsagMwj2YWrrTEGahhJlKxihFXGewmN5Qk7DL/eHo+y+QYRFR8hA0JdyCrAsClOcmzZ RGxZZOwWZlJVb5r+C9QQu93QNrh6DmXY/6RbOIN16oERqLOm+jf/HUMkWv9hKFE0nDuR IZn5nYhBIm/edSol7rdhqz6LlHYXbNpBK5uNnUMs0Ip/R26hGFdyte59muCdzW2dQhCV vV4RyJ1bE2efqPJ8SgZAClF6llkEY3LYgxYAWjYbTV9wH/S+1ZUyZk+25lGEaYQtVGZ0 FM3g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715983473; x=1716588273; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=LPcNSrh3uuZ5e6UcUtMkeuMK0XXETcsLkcdKBYaf5FE=; b=l/JvNbP9YWMaK+GpS2saGvd0i4apT+sxA1cdSsKj9Xa4vt8s7dp80pyCBtkIGIIY4z /O7xF7XCRT/7KZsEtY+uqAd48WjhDX2wvp2gCzmEQlkpXo4atTQ/bwT6vvO/b21AAkVY LQqOfevSpZxHDTIGHMT8HJ6oL7eksUIvvTfzL/zyF6qjH1FOG2HrlMHOFyy3fLXceQ1T yC9O7tGjYAZXml602uouC8/VHa/Ad2/lJgOBadMSf0246bErUSg6wu+4DdjCEftoyvsw ApXb9O9di6OZNQ/CKoD8MtBvp2AAEpEgD4rCisrvv/yuDZOhD+IjAEog7Sudy7sUDMfe 4ymA== X-Forwarded-Encrypted: i=1; AJvYcCUf0M3PipbCOR9I1it7OdBZSehxxRJ/BEKcSWIPLvS5ix8LdsL9ZntnjTrlYinM8yAT/ooO9IXI6s+3zUMgFdyUBBioMNvLLzg5b4/l X-Gm-Message-State: AOJu0YwVR0MwWFB3s9aDnbXk9JiANuAGckYEMS+wM+Y4WvRuvHXt0g03 taJRoXkWpd4SN/VfxQNvYnuyPRyRB/cN31MwM9wh2uDnFLs2It8ikXgaqWtJ8+lOwrmkMry2yWm b11pEP0upiVjYdDE2IWPBLOEHNijzCKP28TgD X-Received: by 2002:a05:6402:44b:b0:572:e6fb:ab07 with SMTP id 4fb4d7f45d1cf-5752c7d36e8mr24826a12.7.1715983473042; Fri, 17 May 2024 15:04:33 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <202404291502.612E0A10@keescook> <202405081144.D5FCC44A@keescook> <202405081354.B0A8194B3C@keescook> <20240515073636.GY40213@noisy.programming.kicks-ass.net> <25882715-FE44-44C0-BB9B-57F2E7D1F0F9@kernel.org> <20240516140951.GK22557@noisy.programming.kicks-ass.net> In-Reply-To: From: Fangrui Song Date: Fri, 17 May 2024 15:04:21 -0700 Message-ID: Subject: Re: [RFC] Mitigating unexpected arithmetic overflow To: Justin Stitt , Peter Zijlstra Cc: Kees Cook , Linus Torvalds , Kees Cook , Mark Rutland , linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, llvm@lists.linux.dev Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, May 16, 2024 at 12:49=E2=80=AFPM Justin Stitt wrote: > > Hi, > > On Thu, May 16, 2024 at 7:09=E2=80=AFAM Peter Zijlstra wrote: > > > > On Thu, May 16, 2024 at 06:30:32AM -0700, Kees Cook wrote: > > > > > > I am a broken record. :) This is _not_ about undefined behavior. > > > > And yet you introduced CONFIG_UBSAN_SIGNED_WRAP... *UB*san, get it? > > We should think of UBSAN as an "Unexpected Behavior" Sanitizer. Clang > has evolved to provide instrumentation for things that are not > *technically* undefined behavior. > > Go to [1] and grep for some phrases like "not undefined behavior" and > see that we have quite a few sanitizers that aren't *technically* > handling undefined behavior. > > > > > > This is about finding a way to make the intent of C authors > > > unambiguous. That overflow wraps is well defined. It is not always > > > _desired_. C has no way to distinguish between the two cases. > > > > The current semantics are (and have been for years, decades at this > > point) that everything wraps nicely and code has been assuming this. Yo= u > > cannot just change this. > > Why not :>) > > Lots and lots of exploits are caused by unintentional arithmetic overflow= [2]. > > > > > So what you do is do a proper language extension and add a type > > qualifier that makes overflows trap and annotate all them cases where > > people do not expect overflows (so that we can put the > > __builtin_*_overflow() things where the sun don't shine). > > It is incredibly important that the exact opposite approach is taken; > we need to be annotating (or adding type qualifiers to) the _expected_ > overflow cases. The omniscience required to go and properly annotate > all the spots that will cause problems would suggest that we should > just fix the bug outright. If only it was that easy. > > I don't think we're capable of identifying every single problematic > overflow/wraparound case in the kernel, this is pretty obvious > considering we've had decades to do so. Instead, it seems much more > feasible that we annotate (very, very minimally so as not to disrupt > code readability and style) the spots where we _know_ overflow should > happen. > > [1]: https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html#ubsan-ch= ecks > [2]: https://cwe.mitre.org/data/definitions/190.html > > Thanks > Justin FWIW I have made -fsanitize=3Dundefined -fwrapv not imply -fsanitize=3Dsigned-integer-overflow in https://github.com/llvm/llvm-project/pull/85501 . The change is not included in the LLVM 18.1.* releases. This might encourage projects using both -fwrapv and -fsanitize=3Dundefined to re-evaluate whether -fwrapv aligns with their needs. The description of #85501 contains more information about my understanding of kernel security folks' mind: > Linux kernel uses -fwrapv to change signed integer overflows from undefin= ed behaviors to defined behaviors. However, the security folks still want -= fsanitize=3Dsigned-integer-overflow diagnostics. Their intention can be exp= ressed with -fwrapv -fsanitize=3Dsigned-integer-overflow (#80089). This mod= e by default reports recoverable errors while still making signed integer o= verflows defined (most UBSan checks are recoverable by default: you get err= ors in stderr, but the program is not halted). --=20 =E5=AE=8B=E6=96=B9=E7=9D=BF