From: Kees Cook <keescook@chromium.org>
To: Martin Uecker <uecker@tugraz.at>
Cc: Qing Zhao <qing.zhao@oracle.com>, gcc-patches@gcc.gnu.org
Subject: Re: [V3][PATCH 0/3] New attribute "counted_by" to annotate bounds for C99 FAM(PR108896)
Date: Mon, 23 Oct 2023 15:03:23 -0700 [thread overview]
Message-ID: <202310231501.3FCE176C@keescook> (raw)
In-Reply-To: <2cb8c622ec414303679f73bedee7aa083760f460.camel@tugraz.at>
On Mon, Oct 23, 2023 at 09:57:45PM +0200, Martin Uecker wrote:
> Am Montag, dem 23.10.2023 um 12:52 -0700 schrieb Kees Cook:
> > On Fri, Oct 20, 2023 at 09:54:05PM +0200, Martin Uecker wrote:
> > > Am Freitag, dem 20.10.2023 um 18:48 +0000 schrieb Qing Zhao:
> > > >
> > > > > On Oct 20, 2023, at 2:34 PM, Kees Cook <keescook@chromium.org> wrote:
> > > > >
> > > > > On Fri, Oct 20, 2023 at 11:50:11AM +0200, Martin Uecker wrote:
> > > > > > Am Donnerstag, dem 19.10.2023 um 16:33 -0700 schrieb Kees Cook:
> > > > > > > On Wed, Oct 18, 2023 at 09:11:43PM +0000, Qing Zhao wrote:
> > > > > > > > As I replied to Martin in another email, I plan to do the following to resolve this issue:
> > > > > > > >
> > > > > > > > 1. No specification for signed or unsigned for counted_by field.
> > > > > > > > 2. Add a sanitizer option -fsanitize=counted-by-bound to catch the cases when the size of the counted-by is not positive.
> > > > > > >
> > > > > > > I don't understand why this needs to be a runtime sanitizer. The
> > > > > > > signedness is known at compile time, so I would expect a -W option.
> > > > > >
> > > > > > The signedness of the type but not of the value.
> > > > > >
> > > > > > But I would not want to have a warning for signed
> > > > > > counter types by default because I would prefer
> > > > > > to use signed types (for various reasons including
> > > > > > better overflow detection).
> > > > > >
> > > > > > > Or
> > > > > > > do you mean you'd split up -fsanitize=bounds between unsigned and signed
> > > > > > > indexes? I'd find that kind of awkward for the kernel... but I feel like
> > > > > > > I've misunderstood something. :)
> > > > > > >
> > > > > > > -Kees
> > > > > >
> > > > > > The idea would be to detect at run-time the case
> > > > > > if x->buf is used at a time where x->counter
> > > > > > is negative and also when x->counter * sizeof(x->buf[0])
> > > > > > overflows or is too big.
> > > > > >
> > > > > > This would be similar to
> > > > > >
> > > > > > int a[n];
> > > > > >
> > > > > > where it is detected at run-time if n is not-positive.
> > > > >
> > > > > Right. I guess what I mean to say is that I would expect this case to
> > > > > already be caught by -fsanitize=bounds -- I don't see a reason to add an
> > > > > additional sanitizer option.
> > > > >
> > > > > struct foo {
> > > > > int count;
> > > > > int array[] __counted_by(count);
> > > > > };
> > > > >
> > > > > foo->count = 5;
> > > > > foo->array[0] = 1; // ok
> > > > > foo->array[10] = 1; // -fsanitize=bounds will catch this
> > > > > foo->array[-10] = 1; // -fsanitize=bounds will catch this too
> > > > >
> > > > >
> > > >
> > > > just checked this testing case with my GCC, and YES, -fsanitize=bounds indeed caught this error:
> > > >
> > > > ttt_1.c:31:12: runtime error: index 10 out of bounds for type 'char [*]'
> > > > ttt_1.c:32:12: runtime error: index -10 out of bounds for type 'char [*]’
> > > >
> > >
> > > Yes, but I thought we were discussing the case where count is
> > > set to a negative value:
> > >
> > > foo->count = -1;
> > > int x = foo->array[3]; // UBSan should diagnose this
> >
> > Oh right, I keep thinking about it backwards.
> >
> > Yeah, we can't trap the "count" assignment, because it may be getting used
> > for other purposes. But yeah, access to "array" should trap if "count"
> > is negative.
> >
> > > And also the case when foo->array becomes too big.
> >
> > How do you mean?
>
> count * sizeof(member) could overflow or otherwise be
> bigger than allowed.
Ah! Yes.
foo->count = SIZE_MAX;
foo->array[0]; // UBSan diagnose:
// SIZE_MAX * sizeof(int) is larger than can be represented
>
> Martin
>
>
--
Kees Cook
next prev parent reply other threads:[~2023-10-23 22:03 UTC|newest]
Thread overview: 116+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-25 15:24 Qing Zhao
2023-08-25 15:24 ` [V3][PATCH 1/3] Provide counted_by attribute to flexible array member field (PR108896) Qing Zhao
2023-09-08 14:12 ` Qing Zhao
2023-09-20 13:44 ` Ping * 2: " Qing Zhao
2023-10-05 18:51 ` Siddhesh Poyarekar
2023-10-05 19:31 ` Siddhesh Poyarekar
2023-10-18 14:51 ` Qing Zhao
2023-10-18 15:18 ` Siddhesh Poyarekar
2023-10-18 15:37 ` Qing Zhao
2023-10-18 14:41 ` Qing Zhao
2023-08-25 15:24 ` [V3][PATCH 2/3] Use the counted_by atribute info in builtin object size [PR108896] Qing Zhao
2023-09-08 14:12 ` Qing Zhao
2023-09-20 13:44 ` PING *2: " Qing Zhao
2023-10-05 20:01 ` Siddhesh Poyarekar
2023-10-18 20:39 ` Qing Zhao
2023-08-25 15:24 ` [V3][PATCH 3/3] Use the counted_by attribute information in bound sanitizer[PR108896] Qing Zhao
2023-09-08 14:12 ` Qing Zhao
2023-09-20 13:45 ` PING * 2: " Qing Zhao
2023-08-25 19:51 ` [V3][PATCH 0/3] New attribute "counted_by" to annotate bounds for C99 FAM(PR108896) Kees Cook
2023-09-08 14:11 ` Qing Zhao
2023-09-20 13:43 ` PING * 2: " Qing Zhao
2023-10-05 20:08 ` Siddhesh Poyarekar
2023-10-05 22:35 ` Kees Cook
2023-10-06 5:11 ` Martin Uecker
2023-10-06 10:50 ` Siddhesh Poyarekar
2023-10-06 20:01 ` Martin Uecker
2023-10-18 15:37 ` Siddhesh Poyarekar
2023-10-18 19:35 ` Qing Zhao
2023-10-18 21:11 ` Qing Zhao
2023-10-19 23:33 ` Kees Cook
2023-10-20 9:50 ` Martin Uecker
2023-10-20 18:34 ` Kees Cook
2023-10-20 18:48 ` Qing Zhao
2023-10-20 19:54 ` Martin Uecker
2023-10-23 18:17 ` Qing Zhao
2023-10-23 19:52 ` Kees Cook
2023-10-23 19:57 ` Martin Uecker
2023-10-23 22:03 ` Kees Cook [this message]
2023-10-20 17:08 ` HELP: Will the reordering happen? " Qing Zhao
2023-10-20 18:22 ` Richard Biener
2023-10-20 18:38 ` Qing Zhao
2023-10-20 19:10 ` Siddhesh Poyarekar
2023-10-20 20:41 ` Qing Zhao
2023-10-23 7:57 ` Richard Biener
2023-10-23 11:27 ` Siddhesh Poyarekar
2023-10-23 12:34 ` Richard Biener
2023-10-23 13:23 ` Siddhesh Poyarekar
2023-10-23 15:14 ` Qing Zhao
2023-10-23 14:56 ` Qing Zhao
2023-10-23 15:57 ` Richard Biener
2023-10-23 16:37 ` Qing Zhao
2023-10-23 18:06 ` Martin Uecker
2023-10-23 18:31 ` Martin Uecker
2023-10-23 19:00 ` Qing Zhao
2023-10-23 19:37 ` Martin Uecker
2023-10-23 20:33 ` Qing Zhao
2023-10-23 18:33 ` Qing Zhao
2023-10-23 18:43 ` Siddhesh Poyarekar
2023-10-23 18:55 ` Martin Uecker
2023-10-23 19:43 ` Qing Zhao
2023-10-23 22:48 ` Siddhesh Poyarekar
2023-10-24 20:30 ` Qing Zhao
2023-10-24 20:38 ` Martin Uecker
2023-10-24 21:09 ` Siddhesh Poyarekar
2023-10-24 22:51 ` Qing Zhao
2023-10-24 23:56 ` Siddhesh Poyarekar
2023-10-25 13:27 ` Qing Zhao
2023-10-25 14:50 ` Siddhesh Poyarekar
2023-10-25 15:38 ` Richard Biener
2023-10-25 19:03 ` Qing Zhao
2023-10-26 5:21 ` Jakub Jelinek
2023-10-26 8:56 ` Richard Biener
2023-10-26 14:58 ` Qing Zhao
2023-10-26 15:48 ` Richard Biener
2023-10-26 16:16 ` Martin Uecker
2023-10-26 14:41 ` Qing Zhao
2023-10-25 18:44 ` Qing Zhao
2023-10-25 22:06 ` Kees Cook
2023-10-25 22:27 ` Qing Zhao
2023-10-25 22:32 ` Kees Cook
2023-10-26 8:15 ` Martin Uecker
2023-10-26 16:13 ` Kees Cook
2023-10-26 16:45 ` Martin Uecker
2023-10-26 19:57 ` Qing Zhao
2023-10-27 7:21 ` Martin Uecker
2023-10-27 14:32 ` Qing Zhao
2023-10-27 14:53 ` Martin Uecker
2023-10-27 15:10 ` Qing Zhao
2023-10-27 17:19 ` Kees Cook
2023-10-27 18:13 ` Qing Zhao
2023-10-25 5:26 ` Martin Uecker
2023-10-25 6:43 ` Richard Biener
2023-10-25 8:16 ` Martin Uecker
2023-10-25 10:25 ` Richard Biener
2023-10-25 10:39 ` Martin Uecker
2023-10-25 18:06 ` Qing Zhao
2023-10-25 10:25 ` Siddhesh Poyarekar
2023-10-25 10:47 ` Martin Uecker
2023-10-25 11:13 ` Richard Biener
2023-10-25 18:16 ` Martin Uecker
2023-10-26 8:45 ` Richard Biener
2023-10-26 9:20 ` Martin Uecker
2023-10-26 10:14 ` Martin Uecker
2023-10-26 14:05 ` Richard Biener
2023-10-26 18:54 ` Qing Zhao
2023-10-27 16:43 ` Qing Zhao
2023-10-26 16:41 ` Qing Zhao
2023-10-26 17:05 ` Martin Uecker
2023-10-26 17:35 ` Richard Biener
2023-10-26 19:20 ` Qing Zhao
2023-10-25 18:17 ` Qing Zhao
2023-10-24 21:03 ` Siddhesh Poyarekar
2023-10-24 22:41 ` Qing Zhao
2023-10-24 23:51 ` Siddhesh Poyarekar
2023-10-25 21:59 ` Kees Cook
2023-10-23 18:10 ` Joseph Myers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202310231501.3FCE176C@keescook \
--to=keescook@chromium.org \
--cc=gcc-patches@gcc.gnu.org \
--cc=qing.zhao@oracle.com \
--cc=uecker@tugraz.at \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).