Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 8 Mar 2018 09:25:02 +0100
From: Rasmus Villemoes <linux@...musvillemoes.dk>
To: Kees Cook <keescook@...omium.org>,
 Andrew Morton <akpm@...ux-foundation.org>
Cc: linux-kernel@...r.kernel.org, corbet@....net, gustavo@...eddedor.com,
 rostedt@...dmis.org, Chris Mason <clm@...com>, Josef Bacik <jbacik@...com>,
 David Sterba <dsterba@...e.com>, "David S. Miller" <davem@...emloft.net>,
 Alexey Kuznetsov <kuznet@....inr.ac.ru>,
 Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, Ingo Molnar <mingo@...nel.org>,
 Peter Zijlstra <peterz@...radead.org>, Thomas Gleixner <tglx@...utronix.de>,
 Masahiro Yamada <yamada.masahiro@...ionext.com>, Borislav Petkov
 <bp@...e.de>, Josh Poimboeuf <jpoimboe@...hat.com>,
 Randy Dunlap <rdunlap@...radead.org>, Ian Abbott <abbotti@....co.uk>,
 "Tobin C. Harding" <me@...in.cc>,
 Sergey Senozhatsky <sergey.senozhatsky.work@...il.com>,
 Petr Mladek <pmladek@...e.com>,
 Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
 Pantelis Antoniou <pantelis.antoniou@...sulko.com>,
 linux-btrfs@...r.kernel.org, netdev@...r.kernel.org,
 kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH v2 1/3] vsprintf: Remove accidental VLA usage

On 2018-03-08 04:30, Kees Cook wrote:
> In the quest to remove all stack VLAs from the kernel[1], this introduces
> a new "simple max" macro, and changes the "sym" array size calculation to
> use it. The value is actually a fixed size, but since the max() macro uses
> some extensive tricks for safety, it ends up looking like a variable size
> to the compiler.
> 
> [1] https://lkml.org/lkml/2018/3/7/621
> 
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
>  include/linux/kernel.h | 11 +++++++++++
>  lib/vsprintf.c         |  4 ++--
>  2 files changed, 13 insertions(+), 2 deletions(-)
> 
> diff --git a/include/linux/kernel.h b/include/linux/kernel.h
> index 3fd291503576..1da554e9997f 100644
> --- a/include/linux/kernel.h
> +++ b/include/linux/kernel.h
> @@ -820,6 +820,17 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { }
>  	      x, y)
>  
>  /**
> + * SIMPLE_MAX - return maximum of two values without any type checking
> + * @x: first value
> + * @y: second value
> + *
> + * This should only be used in stack array sizes, since the type-checking
> + * from max() confuses the compiler into thinking a VLA is being used.
> + */
> +#define SIMPLE_MAX(x, y)	((size_t)(x) > (size_t)(y) ? (size_t)(x) \
> +							   : (size_t)(y))

This will be abused at some point, leading to the usual double
evaluation etc. etc. problems. The name is also too long (and in general
we should avoid adjectives like "simple", "safe", people reading the
code won't know what is simple or safe about it). I think this should work

#define MAX(x, y) (__builtin_choose_expr((x) > (y), x, y))

That forces (x)>(y) to be a compile-time constant, so x and y must also
be; hence there can be no side effects. The MIN version of this could
replace the custom __const_min in fs/file.c, and probably other places
as well.

I tested that this at least works in the vsprintf case, -Wvla no longer
complains. fs/file.c also compiles with the MIN version of this.

I suppose MIN and MAX will collide with other uses in the tree. Hmm.

Rasmus

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.