On Mon, Jun 17, 2024 at 10:19:15AM -0700, Kees Cook wrote: > On Fri, Jun 14, 2024 at 12:17:08PM +0200, Peter Zijlstra wrote: > > On Wed, Jun 12, 2024 at 04:23:31PM -0700, Kees Cook wrote: > > > On Thu, Jun 13, 2024 at 12:08:21AM +0200, Peter Zijlstra wrote: > > > > On Wed, Jun 12, 2024 at 12:01:19PM -0700, Kees Cook wrote: > > > > > I'm happy to take patches. And for this bikeshed, this would be better > > > > > named under the size_*() helpers which are trying to keep size_t > > > > > calculations from overflowing (by saturating). i.e.: > > > > > > > > > > size_add_mult(sizeof(*p), sizeof(*p->member), num) > > > > > > > > Fine I suppose, but what if we want something not size_t? Are we waiting > > > > for the type system extension? > > > > > > Because of C's implicit promotion/truncation, we can't do anything > > > sanely with return values of arbitrary type size; we have to capture the > > > lvalue type somehow so the checking can happen without C doing silent > > > garbage. > > > > So sizeof() returns the native (built-in) size_t, right? If that type > > the nooverflow qualifier on, then: > > > > sizeof(*p) + num*sizeof(p->foo[0]) > > > > should all get the nooverflow semantics right? Because size_t is > > effectively 'nooverflow unsigned long' the multiplication should promote > > 'num' to some 'long'. > > Hmmm. This is an interesting point. I'll see what Justin has found as > he's been working on limiting the overflow sanitizer to specific types. > > It doesn't help this (unfortunately common) code pattern, though: > > int size; > > size = sizeof(*p) + num*sizeof(p->foo[0]); > p = kmalloc(size, GFP_KERNEL); > > But that was going to be a problem either way.
Well, you can add a warning on implicitly casting away nooverflow. New qualifier, we get to make up the rules etc.. it probably means we need to change the signature of the allocator functions to take a 'nooverflow' type, otherwise those will trigger this new warning, but that should not be a problem. > > Now, I've re-read the rules and I don't see qualifiers mentioned, so > > can't we state that the overflow/nooverflow qualifiers are to be > > preserved on (implicit) promotion and when nooverflow and overflow are > > combined the 'safe' nooverflow takes precedence? > > > > I mean, when we're adding qualifiers we can make up rules about them > > too, right? > > Yup, that is the design of the "wraps" attribute (though it is the > reverse: it _allows_ for wrap-around, since we want to the default state > to be mitigation). Yeah, I feel strongly about that (just mailed you in the other sub-thread) that this is the wrong way around. > > If 'people' don't want to adorn the built-in size_t, we can always do > > something like: > > > > #define sizeof(x) ((nooverflow unsigned long)(sizeof(x))) > > > > and 'fix' it ourselves. > > Right, though my hope is still we get the result of "nooverflow" by > marking that which was expected to overflow. You cannot sell that as a proper language extension because it will break world+dog.
