From: Kees Cook <keescook@chromium.org>
To: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
Cc: Miguel Ojeda <ojeda@kernel.org>,
	Siddhesh Poyarekar <siddhesh@gotplt.org>,
	Nick Desaulniers <ndesaulniers@google.com>,
	Nathan Chancellor <nathan@kernel.org>, Tom Rix <trix@redhat.com>,
	llvm@lists.linux.dev, linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org
Subject: Re: [PATCH] Compiler Attributes: Introduce __access_*() function attribute
Date: Sat, 24 Sep 2022 07:58:54 -0700
Message-ID: <202209240757.3AC47AC6@keescook>
In-Reply-To: <CANiq72n6zK=sXn2j71bAEUUYwRse2dT9f8kLrYzncnPjN1XTow@mail.gmail.com>

On Sat, Sep 24, 2022 at 12:06:31PM +0200, Miguel Ojeda wrote:
> On Sat, Sep 24, 2022 at 1:54 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > are specified. While it is legal to provide only the pointer argument
> > position and access type, design the kernel macros to require also the
> > bounds (element count) argument position: if a function has no bounds
> > argument, refactor the code to include one.
> 
> Should this bit be included in the comment of the attribute? (since it
> is specific to the kernel)

Sure; good idea!

> 
> > These can be used multiple times. For example:
> >
> > __access_wo(2, 3) __access_ro(4, 5)
> > int copy_something(struct context *ctx, u32 *dst, size_t dst_count,
> >                    u8 *src, int src_len);
> >
> > (And if "dst" will also be read, it could use __access_rw(2, 3) instead.)
> 
> Also maybe the example could be nice there too, since it uses the
> syntax for the kernel and you took the time to write it :)
> 
> By the way, shouldn't `src` typically be `const u8 *`? Given it is an
> example, I would qualify it.

Yeah, I will update this.

> 
> > +#if __has_attribute(__access__)
> > +#define __access_rw(ptr, count)        __attribute__((__access__(read_write, ptr, count)))
> > +#define __access_ro(ptr, count)        __attribute__((__access__(read_only,  ptr, count)))
> > +#define __access_wo(ptr, count)        __attribute__((__access__(write_only, ptr, count)))
> > +#else
> > +#define __access_rw(ptr, count)
> > +#define __access_ro(ptr, count)
> > +#define __access_wo(ptr, count)
> > +#endif
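
Review bot: In the three `#define` lines under `#if __has_attribute(__access__)`, the macro parameters `ptr` and `count` take argument positions, not a pointer or a count, as the `__access_wo(2, 3)` usage earlier in the message shows. Naming them along the lines of `ptr_pos` and `count_pos`, or stating it in a comment above the block, would keep callers from reading them as values. The same comment could note that the empty `#else` definitions drop the annotation on compilers without the attribute, so it cannot stand in for a runtime bounds check.
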
> 
> If you do a v2 for the above, please take the chance to indent with a
> single space after the `#` (like `# define`) for consistency.

Fixed! I will send a v2.

-- 
Kees Cook
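
An added example, not part of the thread or the patch: the `copy_something()` declaration from the commit message, with `src` const-qualified as suggested in the review, given a body so the annotated bounds can be exercised in user space. The `u8`/`u32` typedefs, the contents of `struct context`, the `-1` error return and the `__has_attribute` fallback are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint8_t u8;	/* kernel type names, defined here for user space */
typedef uint32_t u32;

#ifndef __has_attribute
# define __has_attribute(x) 0	/* assumption: very old compilers */
#endif

/* Macros as proposed in the patch; arguments are 1-based parameter positions. */
#if __has_attribute(__access__)
# define __access_ro(ptr, count)	__attribute__((__access__(read_only,  ptr, count)))
# define __access_wo(ptr, count)	__attribute__((__access__(write_only, ptr, count)))
#else
# define __access_ro(ptr, count)
# define __access_wo(ptr, count)
#endif

struct context { size_t copied; };	/* hypothetical contents */

/*
 * dst (arg 2) is only written, bounded by dst_count (arg 3) in u32 elements;
 * src (arg 4) is only read, bounded by src_len (arg 5) in u8 elements.
 */
__access_wo(2, 3) __access_ro(4, 5)
int copy_something(struct context *ctx, u32 *dst, size_t dst_count,
		   const u8 *src, int src_len)
{
	/* The attribute is a compile-time aid; the runtime check stays. */
	if (src_len < 0 || (size_t)src_len > dst_count)
		return -1;
	for (int i = 0; i < src_len; i++)
		dst[i] = src[i];
	ctx->copied += (size_t)src_len;
	return src_len;
}

int main(void)
{
	struct context ctx = { 0 };
	u32 dst[4] = { 0 };
	const u8 src[4] = { 1, 2, 3, 4 };

	/* Counts match the real arrays. Claiming 8 elements for dst here is
	 * the kind of mismatch a compiler with the attribute can report. */
	return copy_something(&ctx, dst, 4, src, 4) == 4 ? 0 : 1;
}
```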
