From: Qing Zhao <qing.zhao@oracle.com>
To: Martin Uecker <uecker@tugraz.at>
Cc: Siddhesh Poyarekar <siddhesh@gotplt.org>,
Kees Cook <keescook@chromium.org>,
"joseph@codesourcery.com" <joseph@codesourcery.com>,
"richard.guenther@gmail.com" <richard.guenther@gmail.com>,
"jakub@redhat.com" <jakub@redhat.com>,
"gcc-patches@gcc.gnu.org" <gcc-patches@gcc.gnu.org>,
"isanbard@gmail.com" <isanbard@gmail.com>
Subject: Re: [V3][PATCH 0/3] New attribute "counted_by" to annotate bounds for C99 FAM(PR108896)
Date: Wed, 18 Oct 2023 19:35:10 +0000 [thread overview]
Message-ID: <1985E87F-2334-4D79-9A2D-B43C710F389E@oracle.com> (raw)
In-Reply-To: <1f0e32201a97f31e17323e3038a852eb0c5c6209.camel@tugraz.at>
> On Oct 6, 2023, at 4:01 PM, Martin Uecker <uecker@tugraz.at> wrote:
>
> Am Freitag, dem 06.10.2023 um 06:50 -0400 schrieb Siddhesh Poyarekar:
>> On 2023-10-06 01:11, Martin Uecker wrote:
>>> Am Donnerstag, dem 05.10.2023 um 15:35 -0700 schrieb Kees Cook:
>>>> On Thu, Oct 05, 2023 at 04:08:52PM -0400, Siddhesh Poyarekar wrote:
>>>>> 2. How would you handle signedness of the size field? The size gets
>>>>> converted to sizetype everywhere it is used and overflows/underflows may
>>>>> produce interesting results. Do you want to limit the types to unsigned or
>>>>> do you want to add a disclaimer in the docs? The former seems like the
>>>>> *right* thing to do given that it is a new feature; best to enforce the
>>>>> cleaner habit at the outset.
>>>>
>>>> The Linux kernel has a lot of "int" counters, so the goal is to catch
>>>> negative offsets just like too-large offsets at runtime with the sanitizer
>>>> and report 0 for __bdos. Refactoring all these to be unsigned is going
>>>> to take time since at least some of them use the negative values as
>>>> special values unrelated to array indexing. :(
>>>>
>>>> So, perhaps if unsigned counters are worth enforcing, can this be a
>>>> separate warning the kernel can turn off initially?
>>>>
>>>
>>> I think unsigned counters are much more problematic than signed ones
>>> because wraparound errors are more difficult to find.
>>>
>>> With unsigned you could potentially diagnose wraparound, but only if we
>>> add -fsanitize=unsigned-overflow *and* add mechanism to mark intentional
>>> wraparound *and* everybody adds this annotation after carefully screening
>>> their code *and* rewriting all operations such as (counter - 3) + 5
>>> where the wraparound in the intermediate expression is harmless.
>>>
>>> For this reason, I do not think we should ever enforce some rule that
>>> the counter has to be unsigned.
>>>
>>> What we could do, is detect *storing* negative values into the
>>> counter at run-time using UBSan. (but if negative values are
>>> used for special cases, one also should be able to turn this
>>> off).
>>
>> All of the object size detection relies on object sizes being sizetype.
>> The closest we could do with that is detect (sz != SIZE_MAX && sz >
>> size_t / 2), since allocators typically cannot allocate more than
>> SIZE_MAX / 2.
>
> I was talking about the counter in:
>
> struct {
> int counter;
> char buf[] __counted_by__((counter))
> };
>
> which could be checked to be positive either when stored to or
> when buf is used.
>
> And yes, we could also check the size of buf. Not sure what is
> done for VLAs now, but I guess it could be similar.
>
For VLAs, the bounds expression could be both signed or unsigned.
But we have added a sanitizer option -fsanitize=vla-bound to catch the cases when the size of the VLA is not positive.
For example:
opc@qinzhao-ol8u3-x86 Martin]$ cat t3.c
#include <stdio.h>
size_t foo(int m)
{
char t[m];
return sizeof(t);
}
int main()
{
printf ("the sizeof flexm is %lu \n", foo(-100000000));
return 0;
}
[opc@qinzhao-ol8u3-x86 Martin]$ sh t
/home/opc/Install/latest-d/bin/gcc -fsanitize=undefined -O2 -Wall -Wpedantic t3.c
t3.c:4:8: runtime error: variable length array bound evaluates to non-positive value -100000000
the sizeof flexm is 18446744073609551616
We can do the same thing for “counted_by”. i.e:
1. No specification for signed or unsigned for counted_by field.
2. Add an sanitizer option -fsanitize=counted-by-bound to catch the cases when the size of the counted-by is not positive.
Is this good enough?
Qing
> Best,
> Martin
>
>
>
>>
>> Sid
next prev parent reply other threads:[~2023-10-18 19:35 UTC|newest]
Thread overview: 116+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-25 15:24 Qing Zhao
2023-08-25 15:24 ` [V3][PATCH 1/3] Provide counted_by attribute to flexible array member field (PR108896) Qing Zhao
2023-09-08 14:12 ` Qing Zhao
2023-09-20 13:44 ` Ping * 2: " Qing Zhao
2023-10-05 18:51 ` Siddhesh Poyarekar
2023-10-05 19:31 ` Siddhesh Poyarekar
2023-10-18 14:51 ` Qing Zhao
2023-10-18 15:18 ` Siddhesh Poyarekar
2023-10-18 15:37 ` Qing Zhao
2023-10-18 14:41 ` Qing Zhao
2023-08-25 15:24 ` [V3][PATCH 2/3] Use the counted_by atribute info in builtin object size [PR108896] Qing Zhao
2023-09-08 14:12 ` Qing Zhao
2023-09-20 13:44 ` PING *2: " Qing Zhao
2023-10-05 20:01 ` Siddhesh Poyarekar
2023-10-18 20:39 ` Qing Zhao
2023-08-25 15:24 ` [V3][PATCH 3/3] Use the counted_by attribute information in bound sanitizer[PR108896] Qing Zhao
2023-09-08 14:12 ` Qing Zhao
2023-09-20 13:45 ` PING * 2: " Qing Zhao
2023-08-25 19:51 ` [V3][PATCH 0/3] New attribute "counted_by" to annotate bounds for C99 FAM(PR108896) Kees Cook
2023-09-08 14:11 ` Qing Zhao
2023-09-20 13:43 ` PING * 2: " Qing Zhao
2023-10-05 20:08 ` Siddhesh Poyarekar
2023-10-05 22:35 ` Kees Cook
2023-10-06 5:11 ` Martin Uecker
2023-10-06 10:50 ` Siddhesh Poyarekar
2023-10-06 20:01 ` Martin Uecker
2023-10-18 15:37 ` Siddhesh Poyarekar
2023-10-18 19:35 ` Qing Zhao [this message]
2023-10-18 21:11 ` Qing Zhao
2023-10-19 23:33 ` Kees Cook
2023-10-20 9:50 ` Martin Uecker
2023-10-20 18:34 ` Kees Cook
2023-10-20 18:48 ` Qing Zhao
2023-10-20 19:54 ` Martin Uecker
2023-10-23 18:17 ` Qing Zhao
2023-10-23 19:52 ` Kees Cook
2023-10-23 19:57 ` Martin Uecker
2023-10-23 22:03 ` Kees Cook
2023-10-20 17:08 ` HELP: Will the reordering happen? " Qing Zhao
2023-10-20 18:22 ` Richard Biener
2023-10-20 18:38 ` Qing Zhao
2023-10-20 19:10 ` Siddhesh Poyarekar
2023-10-20 20:41 ` Qing Zhao
2023-10-23 7:57 ` Richard Biener
2023-10-23 11:27 ` Siddhesh Poyarekar
2023-10-23 12:34 ` Richard Biener
2023-10-23 13:23 ` Siddhesh Poyarekar
2023-10-23 15:14 ` Qing Zhao
2023-10-23 14:56 ` Qing Zhao
2023-10-23 15:57 ` Richard Biener
2023-10-23 16:37 ` Qing Zhao
2023-10-23 18:06 ` Martin Uecker
2023-10-23 18:31 ` Martin Uecker
2023-10-23 19:00 ` Qing Zhao
2023-10-23 19:37 ` Martin Uecker
2023-10-23 20:33 ` Qing Zhao
2023-10-23 18:33 ` Qing Zhao
2023-10-23 18:43 ` Siddhesh Poyarekar
2023-10-23 18:55 ` Martin Uecker
2023-10-23 19:43 ` Qing Zhao
2023-10-23 22:48 ` Siddhesh Poyarekar
2023-10-24 20:30 ` Qing Zhao
2023-10-24 20:38 ` Martin Uecker
2023-10-24 21:09 ` Siddhesh Poyarekar
2023-10-24 22:51 ` Qing Zhao
2023-10-24 23:56 ` Siddhesh Poyarekar
2023-10-25 13:27 ` Qing Zhao
2023-10-25 14:50 ` Siddhesh Poyarekar
2023-10-25 15:38 ` Richard Biener
2023-10-25 19:03 ` Qing Zhao
2023-10-26 5:21 ` Jakub Jelinek
2023-10-26 8:56 ` Richard Biener
2023-10-26 14:58 ` Qing Zhao
2023-10-26 15:48 ` Richard Biener
2023-10-26 16:16 ` Martin Uecker
2023-10-26 14:41 ` Qing Zhao
2023-10-25 18:44 ` Qing Zhao
2023-10-25 22:06 ` Kees Cook
2023-10-25 22:27 ` Qing Zhao
2023-10-25 22:32 ` Kees Cook
2023-10-26 8:15 ` Martin Uecker
2023-10-26 16:13 ` Kees Cook
2023-10-26 16:45 ` Martin Uecker
2023-10-26 19:57 ` Qing Zhao
2023-10-27 7:21 ` Martin Uecker
2023-10-27 14:32 ` Qing Zhao
2023-10-27 14:53 ` Martin Uecker
2023-10-27 15:10 ` Qing Zhao
2023-10-27 17:19 ` Kees Cook
2023-10-27 18:13 ` Qing Zhao
2023-10-25 5:26 ` Martin Uecker
2023-10-25 6:43 ` Richard Biener
2023-10-25 8:16 ` Martin Uecker
2023-10-25 10:25 ` Richard Biener
2023-10-25 10:39 ` Martin Uecker
2023-10-25 18:06 ` Qing Zhao
2023-10-25 10:25 ` Siddhesh Poyarekar
2023-10-25 10:47 ` Martin Uecker
2023-10-25 11:13 ` Richard Biener
2023-10-25 18:16 ` Martin Uecker
2023-10-26 8:45 ` Richard Biener
2023-10-26 9:20 ` Martin Uecker
2023-10-26 10:14 ` Martin Uecker
2023-10-26 14:05 ` Richard Biener
2023-10-26 18:54 ` Qing Zhao
2023-10-27 16:43 ` Qing Zhao
2023-10-26 16:41 ` Qing Zhao
2023-10-26 17:05 ` Martin Uecker
2023-10-26 17:35 ` Richard Biener
2023-10-26 19:20 ` Qing Zhao
2023-10-25 18:17 ` Qing Zhao
2023-10-24 21:03 ` Siddhesh Poyarekar
2023-10-24 22:41 ` Qing Zhao
2023-10-24 23:51 ` Siddhesh Poyarekar
2023-10-25 21:59 ` Kees Cook
2023-10-23 18:10 ` Joseph Myers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1985E87F-2334-4D79-9A2D-B43C710F389E@oracle.com \
--to=qing.zhao@oracle.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=isanbard@gmail.com \
--cc=jakub@redhat.com \
--cc=joseph@codesourcery.com \
--cc=keescook@chromium.org \
--cc=richard.guenther@gmail.com \
--cc=siddhesh@gotplt.org \
--cc=uecker@tugraz.at \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).