Message-ID: <56fae6f212cab1130cd27cee46a19446e9d92dab.camel@tugraz.at>
Subject: Re: [V3][PATCH 0/3] New attribute "counted_by" to annotate bounds for C99 FAM(PR108896)
From: Martin Uecker
To: Kees Cook, Qing Zhao
Cc: Siddhesh Poyarekar, Richard Biener, Joseph Myers, Jakub Jelinek, gcc Patches, isanbard@gmail.com
Date: Fri, 20 Oct 2023 11:50:11 +0200
In-Reply-To: <202310191631.C57B952@keescook>
References: <20230825152425.2417656-1-qing.zhao@oracle.com> <202310191631.C57B952@keescook>

On Thursday, 19.10.2023 at 16:33 -0700, Kees Cook wrote:
> On Wed, Oct 18, 2023 at 09:11:43PM +0000, Qing Zhao wrote:
> > As I replied to Martin in another email, I plan to do the following to resolve this issue:
> > 
> > 1. No specification for signed or unsigned for counted_by field.
> > 2. Add a sanitizer option -fsanitize=counted-by-bound to catch the cases when the size of the counted-by is not positive.
> 
> I don't understand why this needs to be a runtime sanitizer. The
> signedness is known at compile time, so I would expect a -W option.

The signedness of the type, but not of the value. But I would not want to
have a warning for signed counter types by default, because I would prefer
to use signed types (for various reasons, including better overflow
detection).

> Or do you mean you'd split up -fsanitize=bounds between unsigned and signed
> indexes? I'd find that kind of awkward for the kernel... but I feel like
> I've misunderstood something. :)
> 
> -Kees

The idea would be to detect at run-time the case where x->buf is used at a
time when x->counter is negative, and also when x->counter * sizeof(x->buf[0])
overflows or is too big.

This would be similar to

int a[n];

where it is detected at run-time if n is non-positive.

Martin
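Added example, not part of the thread or of the GCC patch series: the run-time conditions Martin describes (a negative signed counter, a count whose byte size overflows, and an index at or past the count) written out as an explicit C helper, next to the VLA analogy he draws. The struct shape, the names `x`, `counter` and `buf`, the `fam_check` enum and the helper functions are assumptions made for illustration; the `counted_by` attribute is only emitted where the compiler reports it via `__has_attribute`, so the file builds on compilers that predate it.

```c
/* Added example (not from the mail thread): the checks a run-time
 * counted_by bound sanitizer would perform, spelled out as a helper so
 * the conditions are visible.  Names and layout are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Use GCC's counted_by annotation only if this compiler has it. */
#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(field) __attribute__((counted_by(field)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(field)   /* older compiler: annotation dropped */
#endif

/* Hypothetical object with the x->counter / x->buf shape from the mail. */
struct x {
    int counter;                     /* signed count, as discussed */
    int buf[] COUNTED_BY(counter);   /* C99 flexible array member */
};

enum fam_check {
    FAM_OK = 0,
    FAM_COUNT_NEGATIVE,   /* counter < 0: only expressible with a signed type */
    FAM_SIZE_OVERFLOW,    /* counter * sizeof(buf[0]) does not fit in size_t */
    FAM_INDEX_OOB         /* index >= counter */
};

/* The check to run before x->buf[index] is touched.  A pure function of
 * its inputs so it can be exercised without allocating anything. */
enum fam_check fam_check_access(long long counter, size_t elem_size, size_t index)
{
    if (counter < 0)
        return FAM_COUNT_NEGATIVE;
    /* "too big": the byte size of the array is not representable. */
    if ((unsigned long long)counter > SIZE_MAX / elem_size)
        return FAM_SIZE_OVERFLOW;
    if (index >= (unsigned long long)counter)
        return FAM_INDEX_OOB;
    return FAM_OK;
}

/* The VLA analogy: int a[n] requires n > 0, and UBSan's
 * -fsanitize=vla-bound reports a non-positive n at run time. */
int vla_bound_ok(long long n)
{
    return n > 0;
}

/* Allocate an x with room for count elements; rejects a negative count. */
static struct x *x_alloc(int count)
{
    if (count < 0)
        return NULL;
    struct x *p = malloc(sizeof(struct x) + (size_t)count * sizeof(int));
    if (p)
        p->counter = count;
    return p;
}

int main(void)
{
    struct x *p = x_alloc(4);
    if (!p)
        return 1;
    printf("index 3 -> %d\n", fam_check_access(p->counter, sizeof p->buf[0], 3));
    printf("index 4 -> %d\n", fam_check_access(p->counter, sizeof p->buf[0], 4));
    p->counter = -1;   /* a stale or corrupted count */
    printf("negative -> %d\n", fam_check_access(p->counter, sizeof p->buf[0], 0));
    printf("vla n=0 ok -> %d\n", vla_bound_ok(0));
    free(p);
    return 0;
}
```

The helper takes the counter as `long long` rather than `int` so the overflow branch is reachable in the test; with the `int counter` in the struct above, the overflow case cannot arise on a 64-bit target, which is exactly the kind of reasoning an instrumentation pass would use to drop that check.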