Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 26 Mar 2018 10:26:46 +0200
From: Daniel Vetter <>
To: Kees Cook <>
Cc: Daniel Vetter <>,
	Greg Kroah-Hartman <>,
	Kernel Hardening <>,
	David Airlie <>,
	dri-devel <>,
	Sean Paul <>,
	Cihangir Akturk <>, Ingo Molnar <>,
	Krzysztof Kozlowski <>,
	Tom Lendacky <>,
	Eyal Itkin <>,
	Daniel Micay <>
Subject: Re: [PATCH] drm: udl: Properly check framebuffer mmap offsets

On Thu, Mar 22, 2018 at 05:14:40PM -0700, Kees Cook wrote:
> On Thu, Mar 22, 2018 at 2:54 AM, Daniel Vetter <> wrote:
> > On Thu, Mar 22, 2018 at 9:03 AM, Greg Kroah-Hartman
> > <> wrote:
> >> On Thu, Mar 22, 2018 at 07:59:59AM +0100, Daniel Vetter wrote:
> >>> Does anyone working on overflow-proof integers? That would make a lot of
> >>> this code so much simpler if we could just ask the compiler to carry the
> >>> oferflow bit around for a given expression and then check that and bail
> >>> with -EINVAL.
> >>
> >> That would be nice, but no, I don't think that's part of any C standard
> >> work that I have heard of :(
> >
> > Well we have refcount_t already, stitching something together that
> > would work and not suck too badly with performance should be possible.
> > But yeah direct compiler support would be better (and would allow
> > optimizing the carry flag checks I guess). I kinda hoped Kees&team
> > would be working on this eventually.
> refcount_t could be used if it happens to match the needed semantics.
> > Adding Kees+kernel-hardening, maybe he'll grow fond of this :-)
> Yeah, general integer overflow is on the list of things to get fixed
> in the kernel. It's a bit of a long road, though.
> Clang has -fsanitize=integer (and sub-options) which could be added
> for specific object or trees:

I expect that a bunch of folks will scream about checking all interger
math for overflows

> GCC seems to only support manual marking of overflow detections:

And this sounds _very_ verbose. What I have in mind is something like

	result = overflow_checked(expr, &overflow)
	if (overflow)
		return -EINVAL;

and expr could be any expression at all (except calling functions ofc, or
whatever the correct verbiage from the C standard for this is). I don't
want to annotate each compuation individually at least, that's too much
typing :-) Even neater would be an entire block:

	while {
		/* compute stuff except function calls, but allow inlining */
	} has_overflow {
		return -EINVAL;

Anyway, yay for this being somewhere on the future plans!

> grsecurity/PaX has a gcc plugin for overflow detection, though it
> hasn't been upstreamed and comes with various caveats:

Yeah this looks fairly fragile to me, also can't use the overflow bits
instructions sets have I think.
Daniel Vetter
Software Engineer, Intel Corporation

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.