From: Kees Cook <keescook@chromium.org>
To: Martin Uecker <uecker@tugraz.at>
Cc: Qing Zhao <qing.zhao@oracle.com>,
joseph@codesourcery.com, richard.guenther@gmail.com,
jakub@redhat.com, gcc-patches@gcc.gnu.org, siddhesh@gotplt.org,
isanbard@gmail.com
Subject: Re: [V2][PATCH 0/3] New attribute "counted_by" to annotate bounds for C99 FAM(PR108896)
Date: Tue, 8 Aug 2023 12:58:52 -0700 [thread overview]
Message-ID: <202308080954.C658ED3D@keescook> (raw)
In-Reply-To: <5f76638c8cfca7611e955ef9fadacfd7f8dca0fb.camel@tugraz.at>
On Tue, Aug 08, 2023 at 04:54:46PM +0200, Martin Uecker wrote:
>
>
> I am sure this has been discussed before, but seeing that you
> test for a specific formula, let me point out the following:
>
> There at least three different size expression which could
> make sense. Consider
>
> short foo { int a; short b; char t[]; };
>
> Most people seem to use
>
> sizeof(struct foo) + N * sizeof(foo->t);
I think this contains a typo. The above should be:
sizeof(struct foo) + N * sizeof(*foo->t);
> which for N == 3 yields 11 bytes on x86-64 because the formula
> adds the padding of the original struct. There is an example
> in the C standard that uses this formula.
>
>
> But he minimum size of an object which stores N elements is
>
> max(sizeof (struct s), offsetof(struct s, t[n]))
>
> which is 9 bytes.
>
> This is what clang uses for statically allocated objects with
> initialization, while GCC uses the rule above (11 bytes). But
> bdos / bos then returns the smaller size of 9 which is a bit
> confusing.
>
> https://godbolt.org/z/K1hvaK1ns
And to add to the mess here, Clang used to get this wrong for statically
initialized flexible array members (returning 8):
https://godbolt.org/z/Tee96dazs
But that was fixed recently when I noticed it a few weeks ago.
> https://github.com/llvm/llvm-project/issues/62929
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109956
>
>
> Then there is also the size of a similar array where the FAM
> is replaced with an array of static size:
>
> struct foo { int a; short b; char t[3]; };
>
> This would make the most sense to me, but it has 12 bytes
> because the padding is according to the usual alignment
> rules.
Hm, in my thinking, FAMs are individually padded, so since they don't
"count" to the struct size, I think this is "as expected".
Note that the Linux kernel explicitly chooses to potentially over-estimate
for FAM allocations since there has been inconsistent sizes used depend
on the style of the prior fake FAM usage, the use of unions, etc.
i.e. our macro is, effectively:
#define struct_size(ptr, member, count) \
(sizeof(*ptr) + (count) * sizeof(*ptr->member))
since the other case can lead to truncated sizes:
#define struct_size(ptr, member, count) \
(offsetof(typeof(*ptr), member) + (count) * sizeof(*ptr->member))
struct foo {
int a, b, c;
int count;
union {
struct {
char small;
char char_fam[];
};
struct {
int large;
int int_fam[];
};
};
};
https://godbolt.org/z/b1v74Mzhd
i.e.:
struct_size(x, char_fam, 1) < sizeof(*x)
so accessing "large" fails, etc. Yes, it's all horrible, but we have to
deal with this kind of thing in the kernel. :(
--
Kees Cook
next prev parent reply other threads:[~2023-08-08 19:58 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-04 19:44 Qing Zhao
2023-08-04 19:44 ` [V2][PATCH 1/3] Provide counted_by attribute to flexible array member field (PR108896) Qing Zhao
2023-08-04 19:44 ` [V2][PATCH 2/3] Use the counted_by atribute info in builtin object size [PR108896] Qing Zhao
2023-08-04 19:44 ` [V2][PATCH 3/3] Use the counted_by attribute information in bound sanitizer[PR108896] Qing Zhao
2023-08-07 16:16 ` [V2][PATCH 0/3] New attribute "counted_by" to annotate bounds for C99 FAM(PR108896) Kees Cook
2023-08-07 16:33 ` Qing Zhao
2023-08-09 19:17 ` Kees Cook
2023-08-08 14:54 ` Martin Uecker
2023-08-08 16:18 ` Michael Matz
2023-08-08 19:58 ` Kees Cook [this message]
2023-08-09 16:05 ` Qing Zhao
2023-08-09 16:21 ` Michael Matz
2023-08-09 20:10 ` Qing Zhao
2023-08-10 6:58 ` Martin Uecker
2023-08-10 13:59 ` Qing Zhao
2023-08-10 14:38 ` Martin Uecker
2023-08-10 14:42 ` Jakub Jelinek
2023-08-10 14:47 ` Martin Uecker
2023-08-10 14:58 ` Siddhesh Poyarekar
2023-08-10 15:18 ` Martin Uecker
2023-08-10 16:28 ` Qing Zhao
2023-08-10 16:30 ` Siddhesh Poyarekar
2023-08-10 16:39 ` Jakub Jelinek
2023-08-10 17:06 ` Siddhesh Poyarekar
2023-08-16 21:42 ` Qing Zhao
2023-08-10 18:18 ` Qing Zhao
2023-08-10 14:02 ` Michael Matz
2023-08-10 13:54 ` Michael Matz
2023-08-09 20:34 ` Qing Zhao
2023-08-17 5:31 ` Kees Cook
2023-08-17 6:38 ` Kees Cook
2023-08-17 13:44 ` Qing Zhao
2023-08-17 16:54 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202308080954.C658ED3D@keescook \
--to=keescook@chromium.org \
--cc=gcc-patches@gcc.gnu.org \
--cc=isanbard@gmail.com \
--cc=jakub@redhat.com \
--cc=joseph@codesourcery.com \
--cc=qing.zhao@oracle.com \
--cc=richard.guenther@gmail.com \
--cc=siddhesh@gotplt.org \
--cc=uecker@tugraz.at \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).