Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 31 Jan 2018 14:13:45 +0000
From: "Van De Ven, Arjan" <arjan.van.de.ven@...el.com>
To: Ingo Molnar <mingo@...nel.org>
CC: "Williams, Dan J" <dan.j.williams@...el.com>, Linus Torvalds
	<torvalds@...ux-foundation.org>, Thomas Gleixner <tglx@...utronix.de>,
	linux-arch <linux-arch@...r.kernel.org>, Cyril Novikov <cnovikov@...x.com>,
	Kernel Hardening <kernel-hardening@...ts.openwall.com>, Peter Zijlstra
	<peterz@...radead.org>, Catalin Marinas <catalin.marinas@....com>, X86 ML
	<x86@...nel.org>, Will Deacon <will.deacon@....com>, Russell King
	<linux@...linux.org.uk>, Ingo Molnar <mingo@...hat.com>, Greg KH
	<gregkh@...uxfoundation.org>, "H. Peter Anvin" <hpa@...or.com>, Alan Cox
	<alan@...ux.intel.com>, Linux Kernel Mailing List
	<linux-kernel@...r.kernel.org>, Peter Zijlstra <a.p.zijlstra@...llo.nl>
Subject: RE: [PATCH v5 02/12] array_idx: sanitize speculative array
 de-references

> > short term there was some extremely rudimentary static analysis done. clearly
> > that has extreme limitations both in insane rate of false positives, and missing
> > cases.
> 
> What was the output roughly, how many suspect places that need
> array_idx_nospec()
> handling: a few, a few dozen, a few hundred or a few thousand?
> 
> I'm guessing 'static tool emitted hundreds of sites with many false positives
> included, but the real sites are probably a few dozen' - but that's really just a
> very, very wild guess.

your guess is pretty accurate; we ended up with some 15 or so places (the first patch kit Dan mailed out)


> 
> - If it's more than a few dozen then intuitively I'd also be very much in favor of
>   compiler help: for example trickle down __user annotations that Sparse uses
> some
>   more and let the compiler sanitize indices or warn about them - without hurting
>   performance of in-kernel array handling.

we need this kind of help even if it's only for the static analysis tool


 
> Also, IMHO any tooling should very much be open source: this isn't the kind of
> bug
> that can be identified via code review, so there's no fall-back detection method
> like we have for buffer overflows.

we absolutely need some good open source tooling; my personal preference will be a compiler plugin; that way you can use all the fancy logic inside the compilers for analysis, and you can make a "I don't care just fix it" option in addition to flagging for human inspection as the kernel would.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.