From: Kees Cook <kees@kernel.org>
To: Jann Horn <jannh@google.com>
Cc: Eric Biggers <ebiggers@kernel.org>,
Justin Stitt <justinstitt@google.com>,
linux-hardening@vger.kernel.org, oe-lkp@lists.linux.dev,
lkp@intel.com, linux-kernel@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>,
linux-arm-kernel@lists.infradead.org, loongarch@lists.linux.dev,
linux-s390@vger.kernel.org, linux-crypto@vger.kernel.org,
kernel test robot <oliver.sang@intel.com>,
Arnd Bergmann <arnd@arndb.de>,
llvm@lists.linux.dev, Masahiro Yamada <masahiroy@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
Nicolas Schier <nicolas@fjasle.eu>,
linux-kbuild@vger.kernel.org
Subject: Re: [linus:master] [crypto] 40b9969796: UBSAN:unsigned-integer-overflow_in_lib/crypto/chacha20poly1305-selftest.c
Date: Wed, 28 May 2025 10:41:32 -0700 [thread overview]
Message-ID: <202505281040.C8E022E@keescook> (raw)
In-Reply-To: <CAG48ez3i37DYjM+SjBjC-VKQOiJs7-YVdLEQ7aqXQwxWs-rS9Q@mail.gmail.com>
On Wed, May 28, 2025 at 07:15:18PM +0200, Jann Horn wrote:
> On Wed, May 28, 2025 at 6:46 PM Kees Cook <kees@kernel.org> wrote:
> > On Tue, May 27, 2025 at 11:14:27PM -0700, Eric Biggers wrote:
> > > If this new sanitizer is going to move forward, is there any sort of plan or
> > > guide for how to update code to be compatible with it? Specifically considering
> > > common situations where unsigned wraparound (which is defined behavior in C) can
> > > be intentionally relied on, like calculating the distance from the next N-byte
> > > boundary. What are the best practices now?
> >
> > Hi, yes, this is still under development. I tried to make it hard to
> > enable accidentally (not via COMPILE_TEST, not UBSAN-default, etc), but
> > we (still) don't have a way to disable configs for randconfigs. :(
> >
> > We're hoping to see Clang 21 with the more versatile Overflow Behavior Types:
> > https://discourse.llvm.org/t/rfc-v2-clang-introduce-overflowbehaviortypes-for-wrapping-and-non-wrapping-arithmetic/86507
> >
> > and our current testing is showing many fewer false positives. (Having
> > run syzkaller for weeks now.)
> >
> > > Documentation/dev-tools/ubsan.rst says nothing about this and only mentions
> > > "undefined behavior", which this is not.
> >
> > Right -- this will get extensive documentation before we move it out of
> > its development phase.
> >
> > I'm not sure how to enforce "don't enable this unless you're developing
> > the Overflow Behavior Types" with current Kconfig, given the randconfig
> > gap... I have some memory of Arnd doing something special with his
> > randconfigs to avoid these kinds of things, but I can't find it now.
>
> You could depend on CONFIG_BROKEN, the canonical "if you enable this
> and stuff breaks, it's your fault" flag?
Yeah. Talking with Justin out of band, he suggested the same. It's
easier to carry a 1 line patch downstream while we're testing to enable
this feature, so I'll send a patch to add CONFIG_BROKEN for now.
-Kees
--
Kees Cook
prev parent reply other threads:[~2025-05-28 17:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-28 5:15 [linus:master] [crypto] 40b9969796: UBSAN:unsigned-integer-overflow_in_lib/crypto/chacha20poly1305-selftest.c kernel test robot
2025-05-28 6:14 ` Eric Biggers
2025-05-28 16:45 ` Kees Cook
2025-05-28 16:58 ` Arnd Bergmann
2025-05-28 17:15 ` Jann Horn
2025-05-28 17:41 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202505281040.C8E022E@keescook \
--to=kees@kernel.org \
--cc=arnd@arndb.de \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=jannh@google.com \
--cc=justinstitt@google.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=lkp@intel.com \
--cc=llvm@lists.linux.dev \
--cc=loongarch@lists.linux.dev \
--cc=masahiroy@kernel.org \
--cc=nathan@kernel.org \
--cc=nicolas@fjasle.eu \
--cc=oe-lkp@lists.linux.dev \
--cc=oliver.sang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).