Received: by 2002:a89:413:0:b0:1fd:dba5:e537 with SMTP id m19csp1455944lqs; Sat, 15 Jun 2024 09:21:23 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXciIyO/qK2As7w4iClB2uDbuGvS/GqP2deWghLclqwq4ngDHut/jHPQgItm3GKxBtdN7aMuuM3EITWDKPWyoBITh+ZjLYB5kaUHeS04g== X-Google-Smtp-Source: AGHT+IHgPqQO3b+3/kkTh3dsMZVMKpLAWQO/nzxOyhGVjmHa6YaEeWN2Mb7T9+BK5sP0DRI4YJGo X-Received: by 2002:a17:906:31c5:b0:a6e:feb5:14a8 with SMTP id a640c23a62f3a-a6f60d45658mr339635566b.39.1718468483010; Sat, 15 Jun 2024 09:21:23 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1718468482; cv=pass; d=google.com; s=arc-20160816; b=pYBjX3gFEByXtpqOBKHXAil4r8FaYi6Y9g77X0DNU2W94gGdTj4p+pXYWVjsns5mas Xi5RDUvqgtJ1GjBvY3x4B6bp+qxrmlBS2Ldl58daUFVjel6MNYSI+Jx0aCRmluLjyCBm oPdiYLGZtzH5OHrDi9EffLHmizt1G9Ll/U04K1kyBSXfPENlzp10yXEVyOejEPx+19D7 DZXAO9712ezq1+IQRRrJZRFazK/cPNkD+vW/32M/p7W8W2hBTMAPNT+EvdY4pyRmA672 xFRfP6+c0QGG48RSQ02/2s7bu2jenks9DbD94goS/okBD5ss4Jn5i+i7iu5Lwb5PEGkG BK0w== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:list-unsubscribe:list-subscribe:list-id:precedence :user-agent:content-transfer-encoding:references:in-reply-to:date:cc :to:from:subject:message-id:dkim-signature; bh=Igjx9GfiOHGZFSH3MO+mk+/P1QADm/jiDsEmEwOLM6A=; fh=he5LViZsLYWKXhYQ+l6BG+qXdzna+mGXEWVjyfHdWSQ=; b=dp6iO94maJxQXkVFrNEllq8V36zJ3iHuRat1CNszouxFlUpPul5lxL2Qyl7s8O9hTP PE7bykhKYHjcINdx9YPDg68frz06rQ4dVw5C7GK6T5/pkfVqej89Lcrh5Epc1VMxwL0H n6ap+PaOFdkOXVhgDAxm3DR0BPT9j9UPOR+FvB0aYETmFMQcIu1BpzsL5Z0s2LbJigNh GH1VuiX7xgkuMFgeUMpKJc5TKwiBo9qvdKjU3jcnvsvKexn6xRKYtU38etHUPTEPhRh2 dN9McSTh46SHeM/x/NayJRI5mUlobqFfFiSp1nKbupjW9Wf/9/RMmHvtATNO5883ENqj MYtQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@tugraz.at header.s=mailrelay header.b=JcExtjxI; arc=pass (i=1 spf=pass spfdomain=tugraz.at dkim=pass dkdomain=tugraz.at dmarc=pass fromdomain=tugraz.at); spf=pass (google.com: domain of linux-kernel+bounces-215932-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-215932-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=tugraz.at Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id a640c23a62f3a-a6f6dafc903si108580966b.740.2024.06.15.09.21.22 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 15 Jun 2024 09:21:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-215932-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@tugraz.at header.s=mailrelay header.b=JcExtjxI; arc=pass (i=1 spf=pass spfdomain=tugraz.at dkim=pass dkdomain=tugraz.at dmarc=pass fromdomain=tugraz.at); spf=pass (google.com: domain of linux-kernel+bounces-215932-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-215932-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=tugraz.at Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id A64751F219DE for ; Sat, 15 Jun 2024 16:21:22 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 550F649629; Sat, 15 Jun 2024 16:21:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=tugraz.at header.i=@tugraz.at header.b="JcExtjxI" Received: from mailrelay.tugraz.at (mailrelay.tugraz.at [129.27.2.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 411F41DFED; Sat, 15 Jun 2024 16:21:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=129.27.2.202 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718468470; cv=none; b=PdIHYTWLDOEUEMrFJO0TW8TnJ5mA0L1L567ZsK4d/yXaGXjbcfaiS31i4Sgy5gmj+havklJW9LiWZL539zT2Yj40bzRdjOi4XGigPZ4lL3Nz6iHxsdNQrZl04N+jnZMZfjp8N6jPttBZN0A0tplpdCzxv5DZAg/qovaG1m6baQY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718468470; c=relaxed/simple; bh=/6ch+qcDo2MnkoBjVji3kQHm7RQTr+qczYnFfSjaNGI=; h=Message-ID:Subject:From:To:Cc:Date:In-Reply-To:References: Content-Type:MIME-Version; b=nABw1rw8rLHatipeFN5FcFY8F9bA/8RcidapYuHeRtB1m/B4bB7AYwhyYmKK3OdsrIdMD3upEQWznGaHE8CQAwdcsqD/c/ZULLX8sH62wYEBVfe3UxQfrb12UJ/9t+fGZyFYlCh7f2bgTFLA5BZAZs/Mfe79XrZySULJJG3c/X4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=tugraz.at; spf=pass smtp.mailfrom=tugraz.at; dkim=pass (1024-bit key) header.d=tugraz.at header.i=@tugraz.at header.b=JcExtjxI; arc=none smtp.client-ip=129.27.2.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=tugraz.at Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=tugraz.at Received: from vra-174-141.tugraz.at (vra-174-141.tugraz.at [129.27.174.141]) by mailrelay.tugraz.at (Postfix) with ESMTPSA id 4W1h0h32dlz3wV6; Sat, 15 Jun 2024 18:09:08 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tugraz.at; s=mailrelay; t=1718467750; bh=Igjx9GfiOHGZFSH3MO+mk+/P1QADm/jiDsEmEwOLM6A=; h=Subject:From:To:Cc:Date:In-Reply-To:References; b=JcExtjxIcH4p61MtHvpDIteBnwfOz51tS8q5VDIYZI+NpJKKdBykTD9MF+auMH0gv nRpGkZ8wiqt21vJ92fMlv2TD3fQC7DD0VpoTzbPNocoCPNvnvWiCaaMcQRcSwRThCk mT/+fqYdLYEQgJHJizSid5Nle80AsJ519MKqmu88= Message-ID: Subject: Re: [PATCH v4 0/3] Hardening perf subsystem From: Martin Uecker To: Peter Zijlstra , Kees Cook Cc: Erick Archer , Ingo Molnar , Arnaldo Carvalho de Melo , Namhyung Kim , Mark Rutland , Alexander Shishkin , Jiri Olsa , Ian Rogers , Adrian Hunter , "Liang, Kan" , Thomas Gleixner , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , "Gustavo A. R. Silva" , Nathan Chancellor , Nick Desaulniers , Bill Wendling , Justin Stitt , Christophe JAILLET , Matthew Wilcox , x86@kernel.org, linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, llvm@lists.linux.dev Date: Sat, 15 Jun 2024 18:09:07 +0200 In-Reply-To: <20240614101708.GO8774@noisy.programming.kicks-ass.net> References: <202406101010.E1C77AE9D@keescook> <20240610200544.GY8774@noisy.programming.kicks-ass.net> <202406101438.BC43514F@keescook> <20240611075542.GD8774@noisy.programming.kicks-ass.net> <202406121148.688240B@keescook> <20240612220821.GA18881@noisy.programming.kicks-ass.net> <202406121530.D9DB956C8@keescook> <20240614101708.GO8774@noisy.programming.kicks-ass.net> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.46.4-2 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-TUG-Backscatter-control: G/VXY7/6zeyuAY/PU2/0qw X-Spam-Scanner: SpamAssassin 3.003001 X-Spam-Score-relay: -1.9 X-Scanned-By: MIMEDefang 2.74 on 129.27.10.117 Am Freitag, dem 14.06.2024 um 12:17 +0200 schrieb Peter Zijlstra: > On Wed, Jun 12, 2024 at 04:23:31PM -0700, Kees Cook wrote: > > On Thu, Jun 13, 2024 at 12:08:21AM +0200, Peter Zijlstra wrote: > > > On Wed, Jun 12, 2024 at 12:01:19PM -0700, Kees Cook wrote: > > > > I'm happy to take patches. And for this bikeshed, this would be bet= ter > > > > named under the size_*() helpers which are trying to keep size_t > > > > calculations from overflowing (by saturating). i.e.: > > > >=20 > > > > size_add_mult(sizeof(*p), sizeof(*p->member), num) > > >=20 > > > Fine I suppose, but what if we want something not size_t? Are we wait= ing > > > for the type system extension? > >=20 > > Because of C's implicit promotion/truncation, we can't do anything > > sanely with return values of arbitrary type size; we have to capture th= e > > lvalue type somehow so the checking can happen without C doing silent > > garbage. What is the specific problem here? >=20 > So sizeof() returns the native (built-in) size_t, right? If that type > the nooverflow qualifier on, then: >=20 > sizeof(*p) + num*sizeof(p->foo[0]) >=20 > should all get the nooverflow semantics right? Because size_t is > effectively 'nooverflow unsigned long' the multiplication should promote > 'num' to some 'long'. >=20 > Now, I've re-read the rules and I don't see qualifiers mentioned, so > can't we state that the overflow/nooverflow qualifiers are to be > preserved on (implicit) promotion and when nooverflow and overflow are > combined the 'safe' nooverflow takes precedence? >=20 > I mean, when we're adding qualifiers we can make up rules about them > too, right? It should probably be a type attribute. >=20 > If 'people' don't want to adorn the built-in size_t, we can always do > something like: >=20 > #define sizeof(x) ((nooverflow unsigned long)(sizeof(x))) >=20 > and 'fix' it ourselves. This is likely a stupid question, but making it signed=C2=A0 wouldn't work? Or is a signed size_t too small=C2=A0=C2=A0 or some architectures? Or would this change break too much? Martin >=20 > > > But none of that is showing me generated asm for the various cases. A= s > > > such, I don't consider myself informed enough. > >=20 > > Gotcha. For the compile-time stuff it's all just looking at > > known-at-compile-time sizes. So for something like this, we get a > > __compiletime_warning() emitted: > >=20 > > const char src[] =3D "Hello there"; > > char dst[10]; > >=20 > > strscpy(dst, src); /* Compiler yells since src is bigger than dst. */ > >=20 > > For run-time checks it's basically just using the regular WARN() > > infrastructure with __builtin_dynamic_object_size(). Here's a simplifie= d > > userspace example with assert(): > >=20 > > https://godbolt.org/z/zMrKnMxn5 > >=20 > > The kernel's FORTIFY_SOURCE is much more complex in how it does the > > checking, how it does the reporting (for helping people figure out what= 's > > gone weird), etc. >=20 > Thanks, I'll go have a look at that.