From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=Z2/D=CY=tugraz.at=uecker@sourceware.org>
Received: from mailrelay.tugraz.at (mailrelay.tugraz.at [129.27.2.202])
	by sourceware.org (Postfix) with ESMTPS id 9BE753858426
	for <gcc-patches@gcc.gnu.org>; Thu,  6 Jul 2023 21:11:00 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 9BE753858426
Authentication-Results: sourceware.org; dmarc=pass (p=quarantine dis=none) header.from=tugraz.at
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=tugraz.at
Received: from [192.168.0.221] (84-115-220-241.cable.dynamic.surfer.at [84.115.220.241])
	by mailrelay.tugraz.at (Postfix) with ESMTPSA id 4Qxq254LJZz1LM0S;
	Thu,  6 Jul 2023 23:10:53 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mailrelay.tugraz.at 4Qxq254LJZz1LM0S
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tugraz.at;
	s=mailrelay; t=1688677855;
	bh=Fa3KY3bhu26bHOpGfvkhOSSZfOJAjRh3wj+TtkWZEDY=;
	h=Subject:From:To:Cc:Date:In-Reply-To:References:From;
	b=RvWisVkVoTyGCdQohMz1i319jOw8Dv7WWi6nZ6soW0VzAyUiCI8wzY4zmd3dgoF3P
	 U5mkPnSEvM3ls4YDa3DAO00zvKoSh/NaXYLSP6cW5XrJH28RnSYB2HN4mpQiaVwcBQ
	 3Pa1L6ivINJc429c23NyoSR1uYHQlxAWZGxk6mnM=
Message-ID: <848196d4808cb2293b216d9cbffafa409f70e462.camel@tugraz.at>
Subject: Re: [V1][PATCH 0/3] New attribute "element_count" to annotate
 bounds for C99 FAM(PR108896)
From: Martin Uecker <uecker@tugraz.at>
To: Qing Zhao <qing.zhao@oracle.com>, Kees Cook <keescook@chromium.org>
Cc: "joseph@codesourcery.com" <joseph@codesourcery.com>, 
	"richard.guenther@gmail.com"
	 <richard.guenther@gmail.com>, "jakub@redhat.com" <jakub@redhat.com>, 
	"gcc-patches@gcc.gnu.org"
	 <gcc-patches@gcc.gnu.org>, "siddhesh@gotplt.org" <siddhesh@gotplt.org>, 
	"isanbard@gmail.com"
	 <isanbard@gmail.com>
Date: Thu, 06 Jul 2023 23:10:53 +0200
In-Reply-To: <C917A06D-2CCC-4EEB-BAEC-80FE1CDA64A0@oracle.com>
References: <20230525161450.3704901-1-qing.zhao@oracle.com>
	 <202305261218.2420AB8E0@keescook>
	 <C917A06D-2CCC-4EEB-BAEC-80FE1CDA64A0@oracle.com>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.38.3-1+deb11u2 
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TUG-Backscatter-control: G/VXY7/6zeyuAY/PU2/0qw
X-Spam-Scanner: SpamAssassin 3.003001 
X-Spam-Score-relay: -0.4
X-Scanned-By: MIMEDefang 2.74 on 129.27.10.117
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,BODY_8BITS,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,KAM_SHORT,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <gcc-patches.gcc.gnu.org>

Am Donnerstag, dem 06.07.2023 um 18:56 +0000 schrieb Qing Zhao:
> Hi, Kees,
> 
> I have updated my V1 patch with the following changes:
> A. changed the name to "counted_by"
> B. changed the argument from a string to an identifier
> C. updated the documentation and testing cases accordingly.
> 
> And then used this new gcc to test https://github.com/kees/kernel-tools/blob/trunk/fortify/array-bounds.c (with the following change)
> [opc@qinzhao-ol8u3-x86 Kees]$ !1091
> diff array-bounds.c array-bounds.c.org
> 32c32
> < # define __counted_by(member)	__attribute__((counted_by (member)))
> ---
> > # define __counted_by(member)	__attribute__((__element_count__(#member)))
> 34c34
> < # define __counted_by(member)   __attribute__((counted_by (member)))
> ---
> > # define __counted_by(member)	/* __attribute__((__element_count__(#member))) */
> 
> Then I got the following result:
> [opc@qinzhao-ol8u3-x86 Kees]$ ./array-bounds 2>&1 | grep -v ^'#'
> TAP version 13
> 1..12
> ok 1 global.fixed_size_seen_by_bdos
> ok 2 global.fixed_size_enforced_by_sanitizer
> not ok 3 global.unknown_size_unknown_to_bdos
> not ok 4 global.unknown_size_ignored_by_sanitizer
> ok 5 global.alloc_size_seen_by_bdos
> ok 6 global.alloc_size_enforced_by_sanitizer
> not ok 7 global.element_count_seen_by_bdos
> ok 8 global.element_count_enforced_by_sanitizer
> not ok 9 global.alloc_size_with_smaller_element_count_seen_by_bdos
> not ok 10 global.alloc_size_with_smaller_element_count_enforced_by_sanitizer
> ok 11 global.alloc_size_with_bigger_element_count_seen_by_bdos
> ok 12 global.alloc_size_with_bigger_element_count_enforced_by_sanitizer
> 
> The same as your previous results. Then I took a look at all the failed testing: 3, 4, 7, 9, and 10. And studied the reasons for all of them.
> 
>  in a summary, there are two major issues:
> 1.  The reason for the failed testing 7 is the same issue as I observed in https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109557
> Which is not a bug, it’s an expected behavior. 
> 
> 2. The common issue for  the failed testing 3, 4, 9, 10 is:
> 
> for the following annotated structure: 
> 
> ====
> struct annotated {
>         unsigned long flags;
>         size_t foo;
>         int array[] __attribute__((counted_by (foo)));
> };
> 
> 
> struct annotated *p;
> int index = 16;
> 
> p = malloc(sizeof(*p) + index * sizeof(*p->array));  // allocated real size 
> 
> p->foo = index + 2;  // p->foo was set by a different value than the real size of p->array as in test 9 and 10
> or
> p->foo was not set to any value as in test 3 and 4
> 
> ====
> 
> i.e, the value of p->foo is NOT synced with the number of elements allocated for the array p->array.  
> 
> I think that this should be considered as an user error, and the documentation of the attribute should include
> this requirement.  (In the LLVM’s RFC, such requirement was included in the programing model: 
> https://discourse.llvm.org/t/rfc-enforcing-bounds-safety-in-c-fbounds-safety/70854#maintaining-correctness-of-bounds-annotations-18)
> 
> We can add a new warning option -Wcounted-by to report such user error if needed.
> 
> What’s your opinion on this?


Additionally, we could also have a sanitizer that
checks this at run-time.


Personally, I am still not very happy that in the
following example the two 'n's refer to different
entities:

void f(int n)
{
    struct foo {
        int n;   
        int (*p[])[n] [[counted_by(n)]];
    };
}

But I guess it will be difficult to convince everybody
that it would be wise to use a new syntax for
disambiguation:

void f(int n)
{
    struct foo {
        int n;   
        int (*p[])[n] [[counted_by(.n)]];
    };
}

Martin


> 
> thanks.
> 
> Qing
> 
> 
> > On May 26, 2023, at 4:40 PM, Kees Cook <keescook@chromium.org> wrote:
> > 
> > On Thu, May 25, 2023 at 04:14:47PM +0000, Qing Zhao wrote:
> > > GCC will pass the number of elements info from the attached attribute to both 
> > > __builtin_dynamic_object_size and bounds sanitizer to check the out-of-bounds
> > > or dynamic object size issues during runtime for flexible array members.
> > > 
> > > This new feature will provide nice protection to flexible array members (which
> > > currently are completely ignored by both __builtin_dynamic_object_size and
> > > bounds sanitizers).
> > 
> > Testing went pretty well, though I think I found some bdos issues:
> > 
> > - some things that bdos can't know the size of, and correctly returned
> >  SIZE_MAX in the past, now thinks are 0-sized.
> > - while bdos correctly knows the size of an element_count-annotated
> >  flexible array, it doesn't know the size of the containing object
> >  (i.e. it returns SIZE_MAX).
> > 
> > Also, I think I found a precedence issue:
> > 
> > - if both __alloc_size and 'element_count' are in use, the _smallest_
> >  of the two is what I would expect to be enforced by the sanitizer
> >  and reported by __bdos. As is, alloc_size appears to be used when
> >  it is available, regardless of what 'element_count' shows.
> > 
> > I've updated my test cases to show it more clearly, but here is the
> > before/after:
> > 
> > 
> > GCC 13 (correctly does not implement "element_count"):
> > 
> > $ ./array-bounds 2>&1 | grep -v ^'#'
> > TAP version 13
> > 1..12
> > ok 1 global.fixed_size_seen_by_bdos
> > ok 2 global.fixed_size_enforced_by_sanitizer
> > ok 3 global.unknown_size_unknown_to_bdos
> > ok 4 global.unknown_size_ignored_by_sanitizer
> > ok 5 global.alloc_size_seen_by_bdos
> > ok 6 global.alloc_size_enforced_by_sanitizer
> > not ok 7 global.element_count_seen_by_bdos
> > not ok 8 global.element_count_enforced_by_sanitizer
> > not ok 9 global.alloc_size_with_smaller_element_count_seen_by_bdos
> > not ok 10 global.alloc_size_with_smaller_element_count_enforced_by_sanitizer
> > ok 11 global.alloc_size_with_bigger_element_count_seen_by_bdos
> > ok 12 global.alloc_size_with_bigger_element_count_enforced_by_sanitizer
> > 
> > 
> > ToT GCC + this element_count series:
> > 
> > $ ./array-bounds 2>&1 | grep -v ^'#'
> > TAP version 13
> > 1..12
> > ok 1 global.fixed_size_seen_by_bdos
> > ok 2 global.fixed_size_enforced_by_sanitizer
> > not ok 3 global.unknown_size_unknown_to_bdos
> > not ok 4 global.unknown_size_ignored_by_sanitizer
> > ok 5 global.alloc_size_seen_by_bdos
> > ok 6 global.alloc_size_enforced_by_sanitizer
> > not ok 7 global.element_count_seen_by_bdos
> > ok 8 global.element_count_enforced_by_sanitizer
> > not ok 9 global.alloc_size_with_smaller_element_count_seen_by_bdos
> > not ok 10 global.alloc_size_with_smaller_element_count_enforced_by_sanitizer
> > ok 11 global.alloc_size_with_bigger_element_count_seen_by_bdos
> > ok 12 global.alloc_size_with_bigger_element_count_enforced_by_sanitizer
> > 
> > 
> > Test suite is here:
> > https://github.com/kees/kernel-tools/blob/trunk/fortify/array-bounds.c
> > 
> > -- 
> > Kees Cook
>