> > short term there was some extremely rudimentary static analysis done. > > clearly > > that has extreme limitations both in insane rate of false positives, and > > missing > > cases. > > What was the output roughly, how many suspect places that need > array_idx_nospec() > handling: a few, a few dozen, a few hundred or a few thousand? > > I'm guessing 'static tool emitted hundreds of sites with many false positives > included, but the real sites are probably a few dozen' - but that's really > just a > very, very wild guess.
your guess is pretty accurate; we ended up with some 15 or so places (the first patch kit Dan mailed out) > > - If it's more than a few dozen then intuitively I'd also be very much in > favor of > compiler help: for example trickle down __user annotations that Sparse uses > some > more and let the compiler sanitize indices or warn about them - without > hurting > performance of in-kernel array handling. we need this kind of help even if it's only for the static analysis tool > Also, IMHO any tooling should very much be open source: this isn't the kind of > bug > that can be identified via code review, so there's no fall-back detection > method > like we have for buffer overflows. we absolutely need some good open source tooling; my personal preference will be a compiler plugin; that way you can use all the fancy logic inside the compilers for analysis, and you can make a "I don't care just fix it" option in addition to flagging for human inspection as the kernel would.
