Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 22 Mar 2018 17:14:40 -0700
From: Kees Cook <keescook@...omium.org>
To: Daniel Vetter <daniel@...ll.ch>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, 
	Kernel Hardening <kernel-hardening@...ts.openwall.com>, David Airlie <airlied@...ux.ie>, 
	dri-devel <dri-devel@...ts.freedesktop.org>, Sean Paul <seanpaul@...omium.org>, 
	Cihangir Akturk <cakturk@...il.com>, Ingo Molnar <mingo@...nel.org>, 
	Krzysztof Kozlowski <krzk@...nel.org>, Tom Lendacky <thomas.lendacky@....com>, 
	Eyal Itkin <eyalit@...ckpoint.com>, Daniel Micay <danielmicay@...il.com>
Subject: Re: [PATCH] drm: udl: Properly check framebuffer mmap offsets

On Thu, Mar 22, 2018 at 2:54 AM, Daniel Vetter <daniel@...ll.ch> wrote:
> On Thu, Mar 22, 2018 at 9:03 AM, Greg Kroah-Hartman
> <gregkh@...uxfoundation.org> wrote:
>> On Thu, Mar 22, 2018 at 07:59:59AM +0100, Daniel Vetter wrote:
>>> Does anyone working on overflow-proof integers? That would make a lot of
>>> this code so much simpler if we could just ask the compiler to carry the
>>> oferflow bit around for a given expression and then check that and bail
>>> with -EINVAL.
>>
>> That would be nice, but no, I don't think that's part of any C standard
>> work that I have heard of :(
>
> Well we have refcount_t already, stitching something together that
> would work and not suck too badly with performance should be possible.
> But yeah direct compiler support would be better (and would allow
> optimizing the carry flag checks I guess). I kinda hoped Kees&team
> would be working on this eventually.

refcount_t could be used if it happens to match the needed semantics.

> Adding Kees+kernel-hardening, maybe he'll grow fond of this :-)

Yeah, general integer overflow is on the list of things to get fixed
in the kernel. It's a bit of a long road, though.

Clang has -fsanitize=integer (and sub-options) which could be added
for specific object or trees:
https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html#ubsan-checks

GCC seems to only support manual marking of overflow detections:
https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html

grsecurity/PaX has a gcc plugin for overflow detection, though it
hasn't been upstreamed and comes with various caveats:
http://forums.grsecurity.net/viewtopic.php?f=7&t=3043
https://github.com/ephox-gcc-plugins/size_overflow

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.