From: Peter Zijlstra <peterz@infradead.org>
To: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>,
Will Deacon <will@kernel.org>, Boqun Feng <boqun.feng@gmail.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Jakub Kicinski <kuba@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Arnd Bergmann <arnd@arndb.de>,
Andrew Morton <akpm@linux-foundation.org>,
"David S. Miller" <davem@davemloft.net>,
David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
Uros Bizjak <ubizjak@gmail.com>,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, linux-arch@vger.kernel.org,
netdev@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH 1/4] locking/atomic/x86: Silence intentional wrapping addition
Date: Thu, 25 Apr 2024 11:28:12 +0200 [thread overview]
Message-ID: <20240425092812.GB21980@noisy.programming.kicks-ass.net> (raw)
In-Reply-To: <202404241621.8286B8A@keescook>
On Wed, Apr 24, 2024 at 04:30:50PM -0700, Kees Cook wrote:
> > That is, anything that actively warns about signed overflow when build
> > with -fno-strict-overflow is a bug. If you want this warning you have to
> > explicitly mark things.
>
> This is confusing UB with "overflow detection". We're doing the latter.
Well, all of this is confusing to me because it is not presented
coherently.
The traditional 'must not let signed overflow' is because of the UB
nonsense, which we fixed.
> > Signed overflow is not UB, is not a bug.
> >
> > Now, it might be unexpected in some places, but fundamentally we run on
> > 2s complement and expect 2s complement. If you want more, mark it so.
>
> Regular C never provided us with enough choice in types to be able to
> select the overflow resolution strategy. :( So we're stuck mixing
> expectations into our types.
Traditionally C has explicit wrapping for unsigned and UB on signed. We
fixed the UB, so now expect wrapping for everything.
You want to add overflow, so you should make that a special and preserve
semantics for existing code.
Also I would very strongly suggest you add an overflow qualifier to the
type system and please provide sane means of qualifier manipulation --
stripping qualifiers is painful :/
> Regardless, yes, someone intent on wrapping gets their expected 2s
> complement results, but in the cases were a few values started collecting
> in some dark corner of protocol handling, having a calculation wrap around
> is at best a behavioral bug and at worst a total system compromise.
> Wrapping is the uncommon case here, so we mark those.
Then feel free to sprinkle copious amounts of 'overflow' qualifiers in
the protocol handling code.
next prev parent reply other threads:[~2024-04-25 9:28 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-24 19:17 [PATCH 0/4] Annotate atomics for signed integer wrap-around Kees Cook
2024-04-24 19:17 ` [PATCH 1/4] locking/atomic/x86: Silence intentional wrapping addition Kees Cook
2024-04-24 22:41 ` Peter Zijlstra
2024-04-24 22:45 ` Kees Cook
2024-04-24 22:54 ` Peter Zijlstra
2024-04-24 23:05 ` Peter Zijlstra
2024-04-24 23:30 ` Kees Cook
2024-04-25 9:28 ` Peter Zijlstra [this message]
2024-04-25 10:19 ` Mark Rutland
2024-04-24 23:20 ` Kees Cook
2024-04-25 9:17 ` Peter Zijlstra
2024-04-25 17:39 ` Kees Cook
2024-04-25 10:15 ` Mark Rutland
2024-04-25 17:19 ` Kees Cook
2024-04-24 22:51 ` Peter Zijlstra
2024-04-26 7:40 ` David Howells
2024-05-02 14:57 ` Kees Cook
2024-04-24 19:17 ` [PATCH 2/4] arm64: atomics: lse: " Kees Cook
2024-05-02 11:21 ` Will Deacon
2024-05-02 15:00 ` Kees Cook
2024-04-24 19:17 ` [PATCH 3/4] locking/atomic: Annotate generic atomics with wrapping Kees Cook
2024-04-24 19:17 ` [PATCH 4/4] ipv4: Silence intentional wrapping addition Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240425092812.GB21980@noisy.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=boqun.feng@gmail.com \
--cc=bp@alien8.de \
--cc=catalin.marinas@arm.com \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=kuba@kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=paulmck@kernel.org \
--cc=tglx@linutronix.de \
--cc=ubizjak@gmail.com \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox