Re: [PATCH 1b/6] Add __attribute__((untrusted))

[Martin Sebor <msebor@gmail.com>]

On 1/6/22 8:10 AM, David Malcolm wrote:
> On Thu, 2021-12-09 at 15:54 -0700, Martin Sebor wrote:
>> On 11/13/21 1:37 PM, David Malcolm via Gcc-patches wrote:
>>> This patch adds a new:
>>>
>>>     __attribute__((untrusted))
>>>
>>> for use by the C front-end, intended for use by the Linux kernel for
>>> use with "__user", but which could be used by other operating system
>>> kernels, and potentialy by other projects.
>>
>> It looks like untrusted is a type attribute (rather than one
>> that applies to variables and/or function return values or
>> writeable by-reference arguments).  I find that quite surprising.
> 
> FWIW I initially tried implementing it on pointer types, but doing it
> on the underlying type was much cleaner.
> 
>>    I'm used to thinking of trusted vs tainted as dynamic properties
>> of data so I'm having trouble deciding what to think about
>> the attribute applying to types.  Can you explain why it's
>> useful on types?
> 
> A type system *is* a way of detecting problems involving dynamic
> properties of data.  Ultimately all we have at runtime is a collection
> of bits; the toolchain has the concept of types as a way to allow us to
> reason about properies of those bits without requiring a full cross-TU
> analysis (to try to figure out that e.g. x is, say, a 32 bit unsigned
> integer), and to document these properties clearly to human readers of
> the code.

I understand that relying on the type system is a way to do it.
It just doesn't seem like a very good way in a loosely typed
language like C (or C++).

> 
> I see this as working like a qualifier (rather like "const" and
> "volatile"), in that an
>    untrusted char *
> when dereferenced gives you an
>    untrusted char

Dereferencing a const char* yields a const char lvalue that
implicitly converts to an unqualified value of the referenced
object.  The qualifier is lost in the conversion, so modeling
taint/trust this way will also lose the property in the same
contexts.  It sounds to me like the concept you're modeling
might be more akin to a type specifier (maybe like _Atomic,
although that still converts to the underlying type).

> 
> The intent is to have a way of treating the values as "actively
> hostile", so that code analyzers can assume the worst possible values
> for such types (or more glibly, that we're dealing with data from Satan
> rather than from Murphy).
> 
> Such types are also relevant to infoleaks: writing sensitive
> information to an untrusted value can be detected relatively easily
> with this approach, by checking the type of the value - the types
> express the trust boundary
> 
> Doing this with qualifiers allows us to use the C type system to detect
> these kinds of issues without having to add a full cross-TU
> interprocedural analysis, and documents it to human readers of the
> code.   Compare with const-correctness; we can have an analogous
> "trust-correctness".

The problem with const-correctness in C is that it's so easily
lost (like with strchr, or in the lvalue-rvalue conversion).
This is also why I'm skeptical of the type-based approach here.

> 
>>
>> I'd expect the taint property of a type to be quickly lost as
>> an object of the type is passed through existing APIs (e.g.,
>> a char array manipulated by string functions like strchr).
> 
> FWIW you can't directly pass an attacker-controlled buffer to strchr:
> strchr requires there to be a 0-terminator to the array; if the array's
> content is untrusted then the attacker might not have 0-terminated it.

strchr is just an example of the many functions that in my mind
make the type-based approach less than ideal.  If the untrusted
string was known to be nul-teminated, strchr still couldn't be
used without losing the property.  Ditto for memchr.  It seems
that all sanitization would either have to be written from
scratch, without relying on existing utility functions, or by
providing wrappers that called the common utility functions
after removing the qualifier from the tainted data even before
the santization was complete.  That would obviously be error-
prone, but it's something that would be made much more robust
by tracking the taint independently of the data type.

Martin

> 
> As implemented, the patch doesn't complain about this, though maybe it
> should.
> 
> The main point here is to support the existing __user annotation used
> by the Linux kernel, in particular, copy_from_user and copy_to_user.
> 
>>
>> (I usually look at tests to help me understand the design of
>> a change but I couldn't find an answer to my question in those
>> in the patch.)
> 
> The patch kit was rather unclear on this, due to the use of two
> different approaches (custom address spaces vs this untrusted
> attribute).  Sorry about this.
> 
> Patches 4a and 4b in the kit add test-uaccess.h (to
> gcc/testsuite/gcc.dg/analyzer) which supplies "__user"; see the tests
> that use "test-uaccess.h" in patch 3:
>   [PATCH 3/6] analyzer: implement infoleak detection
>      https://gcc.gnu.org/pipermail/gcc-patches/2021-November/584377.html
> and in patch 5:
>   [PATCH 5/6] analyzer: use region::untrusted_p in taint detection
>     https://gcc.gnu.org/pipermail/gcc-patches/2021-November/584374.html
> 
> (sorry about messing up the order of the patches).
> 
> Patch 4a here:
>   [PATCH 4a/6] analyzer: implement region::untrusted_p in terms of custom address spaces
>     https://gcc.gnu.org/pipermail/gcc-patches/2021-November/584371.html
> implements "__user" as a custom address space,
> 
> whereas patch 4b here:
> 
>   [PATCH 4b/6] analyzer: implement region::untrusted_p in terms of __attribute__((untrusted))
>      https://gcc.gnu.org/pipermail/gcc-patches/2021-November/584373.html
> 
> implements "__user" to be __attribute__((untrusted)).
> 
> Perhaps I should drop the custom address space versions of the patches
> and post a version of the kit that simply uses the attribute?
> 
> Dave
> 
> 
>>
>> Thanks
>> Martin
>>
>> PS I found one paper online that discusses type-based taint
>> analysis in Java but not much more.  I only quickly skimmed
>> the paper and although it conceptually makes sense I'm still
>> having difficulties seeing how it would be useful in C.
>>
>>>
>>> Known issues:
>>> - at least one TODO in handle_untrusted_attribute
>>> - should it be permitted to dereference an untrusted pointer?  The
>>> patch
>>>     currently allows this
>>>
>>> gcc/c-family/ChangeLog:
>>>          * c-attribs.c (c_common_attribute_table): Add "untrusted".
>>>          (build_untrusted_type): New.
>>>          (handle_untrusted_attribute): New.
>>>          * c-pretty-print.c (pp_c_cv_qualifiers): Handle
>>>          TYPE_QUAL_UNTRUSTED.
>>>
>>> gcc/c/ChangeLog:
>>>          * c-typeck.c (convert_for_assignment): Complain if the trust
>>>          levels vary when assigning a non-NULL pointer.
>>>
>>> gcc/ChangeLog:
>>>          * doc/extend.texi (Common Type Attributes): Add "untrusted".
>>>          * print-tree.c (print_node): Handle TYPE_UNTRUSTED.
>>>          * tree-core.h (enum cv_qualifier): Add TYPE_QUAL_UNTRUSTED.
>>>          (struct tree_type_common): Assign one of the spare bits to a
>>> new
>>>          "untrusted_flag".
>>>          * tree.c (set_type_quals): Handle TYPE_QUAL_UNTRUSTED.
>>>          * tree.h (TYPE_QUALS): Likewise.
>>>          (TYPE_QUALS_NO_ADDR_SPACE): Likewise.
>>>          (TYPE_QUALS_NO_ADDR_SPACE_NO_ATOMIC): Likewise.
>>>
>>> gcc/testsuite/ChangeLog:
>>>          * c-c++-common/attr-untrusted-1.c: New test.
>>>
>>> Signed-off-by: David Malcolm <dmalcolm@redhat.com>
>>> ---
>>>    gcc/c-family/c-attribs.c                      |  59 +++++++
>>>    gcc/c-family/c-pretty-print.c                 |   2 +
>>>    gcc/c/c-typeck.c                              |  64 +++++++
>>>    gcc/doc/extend.texi                           |  25 +++
>>>    gcc/print-tree.c                              |   3 +
>>>    gcc/testsuite/c-c++-common/attr-untrusted-1.c | 165
>>> ++++++++++++++++++
>>>    gcc/tree-core.h                               |   6 +-
>>>    gcc/tree.c                                    |   1 +
>>>    gcc/tree.h                                    |  11 +-
>>>    9 files changed, 332 insertions(+), 4 deletions(-)
>>>    create mode 100644 gcc/testsuite/c-c++-common/attr-untrusted-1.c
>>>
>>> diff --git a/gcc/c-family/c-attribs.c b/gcc/c-family/c-attribs.c
>>> index 007b928c54b..100c2dabab2 100644
>>> --- a/gcc/c-family/c-attribs.c
>>> +++ b/gcc/c-family/c-attribs.c
>>> @@ -136,6 +136,7 @@ static tree handle_warn_unused_result_attribute
>>> (tree *, tree, tree, int,
>>>                                                   bool *);
>>>    static tree handle_access_attribute (tree *, tree, tree, int, bool
>>> *);
>>>    
>>> +static tree handle_untrusted_attribute (tree *, tree, tree, int,
>>> bool *);
>>>    static tree handle_sentinel_attribute (tree *, tree, tree, int,
>>> bool *);
>>>    static tree handle_type_generic_attribute (tree *, tree, tree, int,
>>> bool *);
>>>    static tree handle_alloc_size_attribute (tree *, tree, tree, int,
>>> bool *);
>>> @@ -536,6 +537,8 @@ const struct attribute_spec
>>> c_common_attribute_table[] =
>>>                                handle_special_var_sec_attribute,
>>> attr_section_exclusions },
>>>      { "access",               1, 3, false, true, true, false,
>>>                                handle_access_attribute, NULL },
>>> +  { "untrusted",             0, 0, false,  true, false, true,
>>> +                             handle_untrusted_attribute, NULL },
>>>      /* Attributes used by Objective-C.  */
>>>      { "NSObject",                     0, 0, true, false, false,
>>> false,
>>>                                handle_nsobject_attribute, NULL },
>>> @@ -5224,6 +5227,62 @@ build_attr_access_from_parms (tree parms, bool
>>> skip_voidptr)
>>>      return build_tree_list (name, attrargs);
>>>    }
>>>    
>>> +/* Build (or reuse) a type based on BASE_TYPE, but with
>>> +   TYPE_QUAL_UNTRUSTED.  */
>>> +
>>> +static tree
>>> +build_untrusted_type (tree base_type)
>>> +{
>>> +  int base_type_quals = TYPE_QUALS (base_type);
>>> +  return build_qualified_type (base_type,
>>> +                              base_type_quals |
>>> TYPE_QUAL_UNTRUSTED);
>>> +}
>>> +
>>> +/* Handle an "untrusted" attribute; arguments as in
>>> +   struct attribute_spec.handler.  */
>>> +
>>> +static tree
>>> +handle_untrusted_attribute (tree *node, tree ARG_UNUSED (name),
>>> +                           tree ARG_UNUSED (args), int ARG_UNUSED
>>> (flags),
>>> +                           bool *no_add_attrs)
>>> +{
>>> +  if (TREE_CODE (*node) == POINTER_TYPE)
>>> +    {
>>> +      tree base_type = TREE_TYPE (*node);
>>> +      tree untrusted_base_type = build_untrusted_type (base_type);
>>> +      *node = build_pointer_type (untrusted_base_type);
>>> +      *no_add_attrs = true; /* OK */
>>> +      return NULL_TREE;
>>> +    }
>>> +  else if (TREE_CODE (*node) == FUNCTION_TYPE)
>>> +    {
>>> +      tree return_type = TREE_TYPE (*node);
>>> +      if (TREE_CODE (return_type) == POINTER_TYPE)
>>> +       {
>>> +         tree base_type = TREE_TYPE (return_type);
>>> +         tree untrusted_base_type = build_untrusted_type
>>> (base_type);
>>> +         tree untrusted_return_type = build_pointer_type
>>> (untrusted_base_type);
>>> +         tree fn_type = build_function_type (untrusted_return_type,
>>> +                                             TYPE_ARG_TYPES
>>> (*node));
>>> +         *node = fn_type;
>>> +         *no_add_attrs = true; /* OK */
>>> +         return NULL_TREE;
>>> +       }
>>> +      else
>>> +       {
>>> +         gcc_unreachable (); // TODO
>>> +       }
>>> +    }
>>> +  else
>>> +    {
>>> +      tree base_type = *node;
>>> +      tree untrusted_base_type = build_untrusted_type (base_type);
>>> +      *node = untrusted_base_type;
>>> +      *no_add_attrs = true; /* OK */
>>> +      return NULL_TREE;
>>> +    }
>>> +}
>>> +
>>>    /* Handle a "nothrow" attribute; arguments as in
>>>       struct attribute_spec.handler.  */
>>>    
>>> diff --git a/gcc/c-family/c-pretty-print.c b/gcc/c-family/c-pretty-
>>> print.c
>>> index a987da46d6d..120e1e6d167 100644
>>> --- a/gcc/c-family/c-pretty-print.c
>>> +++ b/gcc/c-family/c-pretty-print.c
>>> @@ -191,6 +191,8 @@ pp_c_cv_qualifiers (c_pretty_printer *pp, int
>>> qualifiers, bool func_type)
>>>      if (qualifiers & TYPE_QUAL_RESTRICT)
>>>        pp_c_ws_string (pp, (flag_isoc99 && !c_dialect_cxx ()
>>>                           ? "restrict" : "__restrict__"));
>>> +  if (qualifiers & TYPE_QUAL_UNTRUSTED)
>>> +    pp_c_ws_string (pp, "__attribute__((untrusted))");
>>>    }
>>>    
>>>    /* Pretty-print T using the type-cast notation '( type-name )'.  */
>>> diff --git a/gcc/c/c-typeck.c b/gcc/c/c-typeck.c
>>> index 782414f8c8c..44de82b99ba 100644
>>> --- a/gcc/c/c-typeck.c
>>> +++ b/gcc/c/c-typeck.c
>>> @@ -7284,6 +7284,70 @@ convert_for_assignment (location_t location,
>>> location_t expr_loc, tree type,
>>>            return error_mark_node;
>>>          }
>>>    
>>> +      /* Untrusted vs trusted pointers, but allowing NULL to be used
>>> +        for everything.  */
>>> +      if (TYPE_UNTRUSTED (ttl) != TYPE_UNTRUSTED (ttr)
>>> +         && !null_pointer_constant_p (rhs))
>>> +       {
>>> +         auto_diagnostic_group d;
>>> +         bool diagnosed = true;
>>> +         switch (errtype)
>>> +           {
>>> +           case ic_argpass:
>>> +             {
>>> +               const char msg[] = G_("passing argument %d of %qE
>>> from "
>>> +                                     "pointer with different trust
>>> level");
>>> +               if (warnopt)
>>> +                 diagnosed
>>> +                   = warning_at (expr_loc, warnopt, msg, parmnum,
>>> rname);
>>> +               else
>>> +                 error_at (expr_loc, msg, parmnum, rname);
>>> +             break;
>>> +             }
>>> +           case ic_assign:
>>> +             {
>>> +               const char msg[] = G_("assignment from pointer with "
>>> +                                     "different trust level");
>>> +               if (warnopt)
>>> +                 warning_at (location, warnopt, msg);
>>> +               else
>>> +                 error_at (location, msg);
>>> +               break;
>>> +             }
>>> +           case ic_init:
>>> +             {
>>> +               const char msg[] = G_("initialization from pointer
>>> with "
>>> +                                     "different trust level");
>>> +               if (warnopt)
>>> +                 warning_at (location, warnopt, msg);
>>> +               else
>>> +                 error_at (location, msg);
>>> +               break;
>>> +             }
>>> +           case ic_return:
>>> +             {
>>> +               const char msg[] = G_("return from pointer with "
>>> +                                     "different trust level");
>>> +               if (warnopt)
>>> +                 warning_at (location, warnopt, msg);
>>> +               else
>>> +                 error_at (location, msg);
>>> +               break;
>>> +             }
>>> +           default:
>>> +             gcc_unreachable ();
>>> +           }
>>> +         if (diagnosed)
>>> +           {
>>> +             if (errtype == ic_argpass)
>>> +               inform_for_arg (fundecl, expr_loc, parmnum, type,
>>> rhstype);
>>> +             else
>>> +               inform (location, "expected %qT but pointer is of
>>> type %qT",
>>> +                       type, rhstype);
>>> +           }
>>> +         return error_mark_node;
>>> +       }
>>> +
>>>          /* Check if the right-hand side has a format attribute but
>>> the
>>>           left-hand side doesn't.  */
>>>          if (warn_suggest_attribute_format
>>> diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
>>> index 6e6c580e329..e9f47519df2 100644
>>> --- a/gcc/doc/extend.texi
>>> +++ b/gcc/doc/extend.texi
>>> @@ -8770,6 +8770,31 @@ pid_t wait (wait_status_ptr_t p)
>>>    @}
>>>    @end smallexample
>>>    
>>> +@item untrusted
>>> +@cindex @code{untrusted} type attribute
>>> +Types marked with this attribute are treated as being ``untrusted''
>>> -
>>> +values should be treated as under attacker control.
>>> +
>>> +The C front end will issue an error diagnostic on attempts to assign
>>> +pointer values between untrusted and trusted pointer types without
>>> +an explicit cast.
>>> +
>>> +For example, when implementing an operating system kernel, one
>>> +might write
>>> +
>>> +@smallexample
>>> +#define __kernel
>>> +#define __user    __attribute__ ((untrusted))
>>> +void __kernel *p_kernel;
>>> +void __user *p_user;
>>> +
>>> +/* With the above, the following assignment should be diagnosed as
>>> an error.  */
>>> +p_user = p_kernel;
>>> +@end smallexample
>>> +
>>> +The NULL pointer is treated as being usable with both trusted and
>>> +untrusted pointers.
>>> +
>>>    @item unused
>>>    @cindex @code{unused} type attribute
>>>    When attached to a type (including a @code{union} or a
>>> @code{struct}),
>>> diff --git a/gcc/print-tree.c b/gcc/print-tree.c
>>> index d1fbd044c27..e5123807521 100644
>>> --- a/gcc/print-tree.c
>>> +++ b/gcc/print-tree.c
>>> @@ -640,6 +640,9 @@ print_node (FILE *file, const char *prefix, tree
>>> node, int indent,
>>>          if (TYPE_RESTRICT (node))
>>>          fputs (" restrict", file);
>>>    
>>> +      if (TYPE_UNTRUSTED (node))
>>> +       fputs (" untrusted", file);
>>> +
>>>          if (TYPE_LANG_FLAG_0 (node))
>>>          fputs (" type_0", file);
>>>          if (TYPE_LANG_FLAG_1 (node))
>>> diff --git a/gcc/testsuite/c-c++-common/attr-untrusted-1.c
>>> b/gcc/testsuite/c-c++-common/attr-untrusted-1.c
>>> new file mode 100644
>>> index 00000000000..84a217fc59f
>>> --- /dev/null
>>> +++ b/gcc/testsuite/c-c++-common/attr-untrusted-1.c
>>> @@ -0,0 +1,165 @@
>>> +#define __kernel
>>> +#define __user __attribute__((untrusted))
>>> +#define __iomem
>>> +#define __percpu
>>> +#define __rcu
>>> +
>>> +void *p;
>>> +void __kernel *p_kernel;
>>> +void __user *p_user;
>>> +void __iomem *p_iomem;
>>> +void __percpu *p_percpu;
>>> +void __rcu *p_rcu;
>>> +
>>> +#define NULL ((void *)0)
>>> +
>>> +extern void accepts_p (void *); /* { dg-message "24: expected 'void
>>> \\*' but argument is of type '__attribute__\\(\\(untrusted\\)\\) void
>>> \\*'" "" { target c } } */
>>> +/* { dg-message "24:  initializing argument 1 of 'void
>>> accepts_p\\(void\\*\\)'" "" { target c++ } .-1 } */
>>> +extern void accepts_p_kernel (void __kernel *);
>>> +extern void accepts_p_user (void __user *);
>>> +
>>> +void test_argpass_to_p (void)
>>> +{
>>> +  accepts_p (p);
>>> +  accepts_p (p_kernel);
>>> +  accepts_p (p_user); /* { dg-error "passing argument 1 of
>>> 'accepts_p' from pointer with different trust level" "" { target c }
>>> } */
>>> +  /* { dg-error "invalid conversion from
>>> '__attribute__\\(\\(untrusted\\)\\) void\\*' to 'void\\*'" "" {
>>> target c++ } .-1 } */
>>> +}
>>> +
>>> +void test_init_p (void)
>>> +{
>>> +  void *local_p_1 = p;
>>> +  void *local_p_2 = p_kernel;
>>> +  void *local_p_3 = p_user; /* { dg-error "initialization from
>>> pointer with different trust level" "" { target c } } */
>>> +  /* { dg-message "expected 'void \\*' but pointer is of type
>>> '__attribute__\\(\\(untrusted\\)\\) void \\*'" "" { target c } .-1 }
>>> */
>>> +  /* { dg-error "invalid conversion from
>>> '__attribute__\\(\\(untrusted\\)\\) void\\*' to 'void\\*'" "" {
>>> target c++ } .-2 } */
>>> +}
>>> +
>>> +void test_init_p_kernel (void)
>>> +{
>>> +  void __kernel *local_p_1 = p;
>>> +  void __kernel *local_p_2 = p_kernel;
>>> +  void __kernel *local_p_3 = p_user; /* { dg-error "initialization
>>> from pointer with different trust level" "" { target c } } */
>>> +  /* { dg-message "expected 'void \\*' but pointer is of type
>>> '__attribute__\\(\\(untrusted\\)\\) void \\*'" "" { target c } .-1 }
>>> */
>>> +  /* { dg-error "invalid conversion from
>>> '__attribute__\\(\\(untrusted\\)\\) void\\*' to 'void\\*'" "" {
>>> target c++ } .-2 } */
>>> +}
>>> +
>>> +void test_init_p_user (void)
>>> +{
>>> +  void __user *local_p_1 = p; /* { dg-error "initialization from
>>> pointer with different trust level" "" { target c } } */
>>> +  /* { dg-message "expected '__attribute__\\(\\(untrusted\\)\\) void
>>> \\*' but pointer is of type 'void \\*'" "" { target c } .-1 } */
>>> +  void __user *local_p_2 = p_kernel; /* { dg-error "initialization
>>> from pointer with different trust level" "" { target c } } */
>>> +  /* { dg-message "expected '__attribute__\\(\\(untrusted\\)\\) void
>>> \\*' but pointer is of type 'void \\*'" "" { target c } .-1 } */
>>> +  void __user *local_p_3 = p_user;
>>> +  void __user *local_p_4 = NULL;
>>> +}
>>> +
>>> +void test_assign_to_p (void)
>>> +{
>>> +  p = p;
>>> +  p = p_kernel;
>>> +  p = p_user; /* { dg-error "assignment from pointer with different
>>> trust level" "" { target c } } */
>>> +  /* { dg-message "expected 'void \\*' but pointer is of type
>>> '__attribute__\\(\\(untrusted\\)\\) void \\*'" "" { target c } .-1 }
>>> */
>>> +  /* { dg-error "invalid conversion from
>>> '__attribute__\\(\\(untrusted\\)\\) void\\*' to 'void\\*'" "" {
>>> target c++ } .-2 } */
>>> +  // etc
>>> +}
>>> +
>>> +void test_assign_to_p_kernel (void)
>>> +{
>>> +  p_kernel = p;
>>> +  p_kernel = p_kernel;
>>> +  p_kernel = p_user; /* { dg-error "assignment from pointer with
>>> different trust level" "" { target c } } */
>>> +  /* { dg-message "expected 'void \\*' but pointer is of type
>>> '__attribute__\\(\\(untrusted\\)\\) void \\*'" "" { target c } .-1 }
>>> */
>>> +  /* { dg-error "invalid conversion from
>>> '__attribute__\\(\\(untrusted\\)\\) void\\*' to 'void\\*'" "" {
>>> target c++ } .-2 } */
>>> +  // etc
>>> +}
>>> +
>>> +void test_assign_to_p_user (void)
>>> +{
>>> +  p_user = p;  /* { dg-error "assignment from pointer with different
>>> trust level" "" { target c } } */
>>> +  /* { dg-message "expected '__attribute__\\(\\(untrusted\\)\\) void
>>> \\*' but pointer is of type 'void \\*'" "" { target c } .-1 } */
>>> +  p_user = p_kernel;  /* { dg-error "assignment from pointer with
>>> different trust level" "" { target c } } */
>>> +  /* { dg-message "expected '__attribute__\\(\\(untrusted\\)\\) void
>>> \\*' but pointer is of type 'void \\*'" "" { target c } .-1 } */
>>> +  p_user = p_user;
>>> +  p_user = NULL;
>>> +  // etc
>>> +}
>>> +
>>> +void *test_return_p (int i)
>>> +{
>>> +  switch (i)
>>> +    {
>>> +    default:
>>> +    case 0:
>>> +      return p;
>>> +    case 1:
>>> +      return p_kernel;
>>> +    case 2:
>>> +      return p_user; /* { dg-error "return from pointer with
>>> different trust level" "" { target c } } */
>>> +      /* { dg-message "expected 'void \\*' but pointer is of type
>>> '__attribute__\\(\\(untrusted\\)\\) void \\*'" "" { target c } .-1 }
>>> */
>>> +      /* { dg-error "invalid conversion from
>>> '__attribute__\\(\\(untrusted\\)\\) void\\*' to 'void\\*'" "" {
>>> target c++ } .-2 } */
>>> +    }
>>> +}
>>> +
>>> +void __kernel *test_return_p_kernel (int i)
>>> +{
>>> +  switch (i)
>>> +    {
>>> +    default:
>>> +    case 0:
>>> +      return p;
>>> +    case 1:
>>> +      return p_kernel;
>>> +    case 2:
>>> +      return p_user; /* { dg-error "return from pointer with
>>> different trust level" "" { target c } } */
>>> +      /* { dg-message "expected 'void \\*' but pointer is of type
>>> '__attribute__\\(\\(untrusted\\)\\) void \\*'" "" { target c } .-1 }
>>> */
>>> +      /* { dg-error "invalid conversion from
>>> '__attribute__\\(\\(untrusted\\)\\) void\\*' to 'void\\*'" "" {
>>> target c++ } .-2 } */
>>> +    }
>>> +}
>>> +
>>> +void __user *
>>> +test_return_p_user (int i)
>>> +{
>>> +  switch (i)
>>> +    {
>>> +    default:
>>> +    case 0:
>>> +      return p; /* { dg-error "return from pointer with different
>>> trust level" "" { target c } } */
>>> +      /* { dg-message "expected '__attribute__\\(\\(untrusted\\)\\)
>>> void \\*' but pointer is of type 'void \\*'" "" { target c } .-1 } */
>>> +    case 1:
>>> +      return p_kernel; /* { dg-error "return from pointer with
>>> different trust level" "" { target c } } */
>>> +      /* { dg-message "expected '__attribute__\\(\\(untrusted\\)\\)
>>> void \\*' but pointer is of type 'void \\*'" "" { target c } .-1 } */
>>> +    case 2:
>>> +      return p_user;
>>> +    case 3:
>>> +      return NULL;
>>> +    }
>>> +}
>>> +
>>> +void test_cast_k_to_u (void)
>>> +{
>>> +  p_user = (void __user *)p_kernel;
>>> +}
>>> +
>>> +void test_cast_u_to_k (void)
>>> +{
>>> +  p_kernel = (void __kernel *)p_user;
>>> +}
>>> +
>>> +int test_deref_read (int __user *p)
>>> +{
>>> +  return *p; // FIXME: should this be allowed directly?
>>> +}
>>> +
>>> +void test_deref_write (int __user *p, int i)
>>> +{
>>> +  *p = i; // FIXME: should this be allowed directly?
>>> +}
>>> +
>>> +typedef struct foo { int i; } __user *foo_ptr_t;
>>> +
>>> +void __user *
>>> +test_pass_through (void __user *ptr)
>>> +{
>>> +  return ptr;
>>> +}
>>> diff --git a/gcc/tree-core.h b/gcc/tree-core.h
>>> index 8ab119dc9a2..35a7f50c06c 100644
>>> --- a/gcc/tree-core.h
>>> +++ b/gcc/tree-core.h
>>> @@ -604,7 +604,8 @@ enum cv_qualifier {
>>>      TYPE_QUAL_CONST    = 0x1,
>>>      TYPE_QUAL_VOLATILE = 0x2,
>>>      TYPE_QUAL_RESTRICT = 0x4,
>>> -  TYPE_QUAL_ATOMIC   = 0x8
>>> +  TYPE_QUAL_ATOMIC   = 0x8,
>>> +  TYPE_QUAL_UNTRUSTED = 0x10
>>>    };
>>>    
>>>    /* Standard named or nameless data types of the C compiler.  */
>>> @@ -1684,7 +1685,8 @@ struct GTY(()) tree_type_common {
>>>      unsigned typeless_storage : 1;
>>>      unsigned empty_flag : 1;
>>>      unsigned indivisible_p : 1;
>>> -  unsigned spare : 16;
>>> +  unsigned untrusted_flag : 1;
>>> +  unsigned spare : 15;
>>>    
>>>      alias_set_type alias_set;
>>>      tree pointer_to;
>>> diff --git a/gcc/tree.c b/gcc/tree.c
>>> index 845228a055b..3600639d985 100644
>>> --- a/gcc/tree.c
>>> +++ b/gcc/tree.c
>>> @@ -5379,6 +5379,7 @@ set_type_quals (tree type, int type_quals)
>>>      TYPE_VOLATILE (type) = (type_quals & TYPE_QUAL_VOLATILE) != 0;
>>>      TYPE_RESTRICT (type) = (type_quals & TYPE_QUAL_RESTRICT) != 0;
>>>      TYPE_ATOMIC (type) = (type_quals & TYPE_QUAL_ATOMIC) != 0;
>>> +  TYPE_UNTRUSTED (type) = (type_quals & TYPE_QUAL_UNTRUSTED) != 0;
>>>      TYPE_ADDR_SPACE (type) = DECODE_QUAL_ADDR_SPACE (type_quals);
>>>    }
>>>    
>>> diff --git a/gcc/tree.h b/gcc/tree.h
>>> index f62c00bc870..caab575b210 100644
>>> --- a/gcc/tree.h
>>> +++ b/gcc/tree.h
>>> @@ -2197,6 +2197,10 @@ extern tree vector_element_bits_tree
>>> (const_tree);
>>>       the term.  */
>>>    #define TYPE_RESTRICT(NODE) (TYPE_CHECK (NODE)-
>>>> type_common.restrict_flag)
>>>    
>>> +/* Nonzero in a type considered "untrusted" - values should be
>>> treated as
>>> +   under attacker control.  */
>>> +#define TYPE_UNTRUSTED(NODE) (TYPE_CHECK (NODE)-
>>>> type_common.untrusted_flag)
>>> +
>>>    /* If nonzero, type's name shouldn't be emitted into debug info.
>>> */
>>>    #define TYPE_NAMELESS(NODE) (TYPE_CHECK (NODE)-
>>>> base.u.bits.nameless_flag)
>>>    
>>> @@ -2221,6 +2225,7 @@ extern tree vector_element_bits_tree
>>> (const_tree);
>>>            | (TYPE_VOLATILE (NODE) * TYPE_QUAL_VOLATILE)         \
>>>            | (TYPE_ATOMIC (NODE) * TYPE_QUAL_ATOMIC)             \
>>>            | (TYPE_RESTRICT (NODE) * TYPE_QUAL_RESTRICT)         \
>>> +         | (TYPE_UNTRUSTED (NODE) * TYPE_QUAL_UNTRUSTED)       \
>>>            | (ENCODE_QUAL_ADDR_SPACE (TYPE_ADDR_SPACE (NODE)))))
>>>    
>>>    /* The same as TYPE_QUALS without the address space
>>> qualifications.  */
>>> @@ -2228,14 +2233,16 @@ extern tree vector_element_bits_tree
>>> (const_tree);
>>>      ((int) ((TYPE_READONLY (NODE) * TYPE_QUAL_CONST)            \
>>>            | (TYPE_VOLATILE (NODE) * TYPE_QUAL_VOLATILE)         \
>>>            | (TYPE_ATOMIC (NODE) * TYPE_QUAL_ATOMIC)             \
>>> -         | (TYPE_RESTRICT (NODE) * TYPE_QUAL_RESTRICT)))
>>> +         | (TYPE_RESTRICT (NODE) * TYPE_QUAL_RESTRICT)         \
>>> +         | (TYPE_UNTRUSTED (NODE) * TYPE_QUAL_UNTRUSTED)))
>>>    
>>>    /* The same as TYPE_QUALS without the address space and atomic
>>>       qualifications.  */
>>>    #define TYPE_QUALS_NO_ADDR_SPACE_NO_ATOMIC(NODE)              \
>>>      ((int) ((TYPE_READONLY (NODE) * TYPE_QUAL_CONST)            \
>>>            | (TYPE_VOLATILE (NODE) * TYPE_QUAL_VOLATILE)         \
>>> -         | (TYPE_RESTRICT (NODE) * TYPE_QUAL_RESTRICT)))
>>> +         | (TYPE_RESTRICT (NODE) * TYPE_QUAL_RESTRICT)         \
>>> +         | (TYPE_UNTRUSTED (NODE) * TYPE_QUAL_UNTRUSTED)))
>>>    
>>>    /* These flags are available for each language front end to use
>>> internally.  */
>>>    #define TYPE_LANG_FLAG_0(NODE) (TYPE_CHECK (NODE)-
>>>> type_common.lang_flag_0)
>>>
>>
> 
>