From: Kees Cook <keescook@chromium.org>
To: Qing Zhao <qing.zhao@oracle.com>
Cc: "Richard Biener" <richard.guenther@gmail.com>,
"Arsen Arsenović" <arsen@aarsen.me>,
"Andrew Pinski" <pinskia@gmail.com>,
"Xi Ruoyao" <xry111@xry111.site>,
"gcc-patches@gcc.gnu.org" <gcc-patches@gcc.gnu.org>
Subject: Re: Question on -fwrapv and -fwrapv-pointer
Date: Fri, 15 Sep 2023 11:43:10 -0700
Message-ID: <202309151137.E74C4AF740@keescook>
In-Reply-To: <16B5A126-7328-4D5F-8278-945A87A521AA@oracle.com>
On Fri, Sep 15, 2023 at 05:47:08PM +0000, Qing Zhao wrote:
>
>
> > On Sep 15, 2023, at 1:26 PM, Richard Biener <richard.guenther@gmail.com> wrote:
> >
> >
> >
> >> Am 15.09.2023 um 17:37 schrieb Qing Zhao <qing.zhao@oracle.com>:
> >>
> >>
> >>
> >>>> On Sep 15, 2023, at 11:29 AM, Richard Biener <richard.guenther@gmail.com> wrote:
> >>>>
> >>>>
> >>>>
> >>>>> Am 15.09.2023 um 17:25 schrieb Qing Zhao <qing.zhao@oracle.com>:
> >>>>
> >>>>
> >>>>
> >>>>> On Sep 15, 2023, at 8:41 AM, Arsen Arsenović <arsen@aarsen.me> wrote:
> >>>>>
> >>>>>
> >>>>> Qing Zhao <qing.zhao@oracle.com> writes:
> >>>>>
> >>>>>> Even though unsigned integer overflow is well defined, it might be
> >>>>>> unintentional, shall we warn user about this?
> >>>>>
> >>>>> This would be better addressed by providing operators or functions that
> >>>>> do overflow checking in the language, so that they can be explicitly
> >>>>> used where overflow is unexpected.
> >>>>
> >>>> Yes, that will be very helpful to prevent unexpected overflow in the program in general.
> >>>> However, this will mainly benefit new code.
> >>>>
> >>>> For the existing C code, especially large applications, we still need to identify all the places
> >>>> where the overflow is unexpected, and fix them.
> >>>>
> >>>> One good example is the Linux kernel.
> >>>>
> >>>>> One could easily imagine a scenario
> >>>>> where overflow is not expected in some region of code but is in the
> >>>>> larger application.
> >>>>
> >>>> Yes, that’s exactly the same situation the Linux kernel faces now: the unexpected overflow and
> >>>> expected wrap-around are mixed together inside one module.
> >>>> It’s hard to detect the unexpected overflow in such a situation based on the current GCC.
> >>>
> >>> But that’s hardly GCC's fault, nor can GCC fix that in any way. Only the programmer can distinguish both cases.
> >>
> >> Right, the compiler cannot fix this.
> >> But it can provide some tools to help the user detect this more conveniently.
> >>
> >> Right now, GCC provides two sets of options for different types:
> >>
> >> A. Turn the overflow into expected wrap-around (remove UB);
> >> B. Detect overflow;
> >>
> >>                A                     B
> >>                remove UB             -fsanitize=…
> >> signed         -fwrapv               signed-integer-overflow
> >> pointer        -fwrapv-pointer       pointer-overflow (broken in Clang)
> >>
> >> However, options in A and B exclude each other. They cannot be mixed together for a single file.
> >>
> >> What’s requested from the kernel is:
> >>
> >> the compiler needs to provide a functionality that can mix these two together for a file.
> >>
> >> i.e., apply A (convert UB to defined behavior WRAP-AROUND) only to part of the program. And then add -fsanitize=*overflow to detect all other
> >> unexpected overflows in the program.
> >>
> >> This is currently missing from GCC, I guess?
> >
> > How can GCC know which part of the program wants wrapping and which sanitizing?
>
> GCC doesn’t know, but the user knows.
>
> Then just provide the user a way to mark part of the program to be wrapping around and excluded from sanitizing?
>
> Currently, GCC provides
>
> __attribute__((optimize ("wrapv")))
>
> to mark the specific function to be wrapped around.
>
> However, this attribute does not work for the Linux kernel due to the following reason:
>
> Attribute optimize should only be used for debugging purposes;
> The kernel has banned its usage;
>
> So, a new attribute was requested from Linux kernel security:
>
> request wrap-around behavior for specific function (PR102317)
> __attribute__((wrapv))
>
> Is this request reasonable?
After working through this discussion, I'd say it's likely more helpful
to have a way to disable the sanitizers for a given function (or
variable). i.e. The goal for the kernel would be that untrapped wrap-around
would be the very rare exception. e.g. our refcount_t implementation:
https://elixir.bootlin.com/linux/v6.5/source/include/linux/refcount.h#L200
Then we can continue to build the kernel with -fno-strict-overflow (to
avoid UB), but gain sanitizer coverage for all run-time wraps, except
for the very few places where we depend on it. Getting there will also
take some non-trivial refactoring on our end, but without the sanitizers
we're unlikely to find them all.
--
Kees Cook
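As an added example, not code from this thread, from GCC, or from the kernel, the following C file places the three treatments of overflow that the discussion contrasts side by side in one translation unit: explicit checking with `__builtin_add_overflow` (the checked operators Arsen suggests for new code), intentional wrap-around confined to one function and opted out of UBSan with the `no_sanitize` attribute (column A of Qing's table, at function granularity), and a saturating counter in the spirit of the kernel's refcount_t that Kees links above, which refuses to wrap at all. The names `checked_add`, `wrapping_add`, `refcount_t`, `REFCOUNT_SATURATED` and the sentinel value are constructed for this example and are not the kernel's definitions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not code from the thread, GCC, or the kernel.
 * Three treatments of integer overflow in one translation unit:
 *   1. explicit overflow detection (checked_add);
 *   2. intentional, isolated wrap-around (wrapping_add);
 *   3. a saturating counter that never wraps (refcount_inc_checked). */

/* 1. Detect overflow explicitly. Returns false and leaves *out untouched
 * if a + b does not fit in an int; the caller decides how to handle it. */
bool checked_add(int a, int b, int *out)
{
    int tmp;
    if (__builtin_add_overflow(a, b, &tmp))
        return false;
    *out = tmp;
    return true;
}

/* 2. Wrap-around that is intended. The arithmetic is done in unsigned,
 * where wrapping is defined by the language, so the result is the same
 * with or without -fwrapv and no signed overflow ever happens here.
 * The attribute is the per-function sanitizer opt-out GCC (8+) and Clang
 * already accept; it keeps UBSan from instrumenting this one function
 * while the rest of the file is built with -fsanitize=signed-integer-overflow. */
__attribute__((no_sanitize("signed-integer-overflow")))
int wrapping_add(int a, int b)
{
    /* Conversion back to int is implementation-defined (modulo on GCC/Clang). */
    return (int)((unsigned int)a + (unsigned int)b);
}

/* 3. Saturating reference count. Layout and sentinel are assumptions made
 * for this example. Once the count would enter the upper half of the
 * unsigned range it is pinned at REFCOUNT_SATURATED and the caller is told,
 * which is where production code would warn and leak the object rather
 * than wrap to zero and free something still in use. */
typedef struct { unsigned int refs; } refcount_t;
#define REFCOUNT_SATURATED 0xC0000000u

bool refcount_inc_checked(refcount_t *r)
{
    unsigned int old = r->refs;
    unsigned int next = old + 1u;      /* unsigned: wrap is defined, not UB */
    if (next & 0x80000000u) {          /* crossed into the "negative" half */
        r->refs = REFCOUNT_SATURATED;
        return false;
    }
    r->refs = next;
    return true;
}

int main(void)
{
    int sum = 0;
    refcount_t rc = { .refs = 0x7FFFFFFFu };

    printf("checked_add(INT_MAX, 1): %s\n",
           checked_add(INT_MAX, 1, &sum) ? "ok" : "overflow detected");
    printf("wrapping_add(INT_MAX, 1) = %d\n", wrapping_add(INT_MAX, 1));
    printf("refcount_inc from 0x7FFFFFFF: %s, refs now 0x%X\n",
           refcount_inc_checked(&rc) ? "ok" : "saturated", rc.refs);
    return 0;
}
```

Build it once plainly and once with `-fsanitize=signed-integer-overflow`: the sanitizer instruments the file, while `wrapping_add` is excluded by the attribute and, because it computes in unsigned, would not trip the check anyway. That is the mixing of columns A and B inside one file that the thread asks for, done at function granularity with an attribute the kernel can use instead of `optimize("wrapv")`.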