From: Kees Cook <kees@kernel.org>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Kees Cook <kees@kernel.org>,
Justin Stitt <justinstitt@google.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Marco Elver <elver@google.com>, Jonathan Corbet <corbet@lwn.net>,
Nathan Chancellor <nathan@kernel.org>,
Nicolas Schier <nsc@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Miguel Ojeda <ojeda@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com,
linux-hardening@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kbuild@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH 0/5] Introduce Overflow Behavior Types
Date: Tue, 31 Mar 2026 09:37:18 -0700 [thread overview]
Message-ID: <20260331163716.work.696-kees@kernel.org> (raw)
Hi,
This is the spiritual successor to the "Mitigating unexpected arithmetic
overflow" thread from 2024[1]. After a long discussion there, and
subsequent discussions with Peter at Linux Plumbers, Justin went off to
build a type-based solution. After more than a year of RFCs and feedback
from compiler folks and with an eye toward potentially making this part
of the C Standard in the future, what has evolved is Overflow Behavior
Types[2], which are first-class native types that mirror the existing
native scalar types in C. They are created using a type qualifier
("__ob_trap" and "__ob_wrap"), but they are their own distinct
types. e.g. "int" and "int __ob_trap" are different types, though
they are mostly interchangable (e.g. format strings, implicit casts,
etc), with some specific instrumentation in cases where wrap-around or
truncation is possible.
This series provides support for building with them enabled, adds
documentation, adds tests, and proposes the new typedefs (see the last
patch in the series) for the corresponding kernel scalar types. With this,
we can start converting variables (and types) that are never supposed
to overflow/underflow to these new types[3]. (Or types that are always
supposed to overflow/underflow.)
Enjoy! :)
-Kees
Link: https://lore.kernel.org/lkml/202404291502.612E0A10@keescook/ [1]
Link: https://clang.llvm.org/docs/OverflowBehaviorTypes.html [2]
Justin Stitt (2):
hardening: Introduce Overflow Behavior Types support
compiler_attributes: Add overflow_behavior macros __ob_trap and
__ob_wrap
Kees Cook (3):
refcount: Remove unused __signed_wrap function annotations
lkdtm/bugs: Add basic Overflow Behavior Types test
types: Add standard __ob_trap and __ob_wrap scalar types
lib/Kconfig.ubsan | 18 -
security/Kconfig.hardening | 50 ++-
Makefile | 1 +
scripts/basic/Makefile | 2 +-
scripts/Makefile.lib | 7 +-
scripts/Makefile.obt | 28 ++
scripts/Makefile.ubsan | 10 -
scripts/Makefile.warn | 7 +
scripts/integer-wrap-ignore.scl | 3 +-
Documentation/dev-tools/ubsan.rst | 13 +
Documentation/process/arithmetic-overflow.rst | 323 ++++++++++++++++++
Documentation/process/deprecated.rst | 39 +++
Documentation/process/index.rst | 1 +
include/linux/compiler-version.h | 2 +-
include/linux/compiler_attributes.h | 12 +
include/linux/compiler_types.h | 9 +-
include/linux/refcount.h | 10 +-
include/linux/sched.h | 3 +-
include/linux/types.h | 24 ++
include/linux/ubsan.h | 12 +-
drivers/misc/lkdtm/bugs.c | 253 ++++++++++++++
lib/ubsan.c | 17 +-
MAINTAINERS | 10 +
kernel/configs/hardening.config | 1 -
tools/testing/selftests/lkdtm/tests.txt | 10 +
25 files changed, 807 insertions(+), 58 deletions(-)
create mode 100644 scripts/Makefile.obt
create mode 100644 Documentation/process/arithmetic-overflow.rst
--
2.34.1
next reply other threads:[~2026-03-31 16:37 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-31 16:37 Kees Cook [this message]
2026-03-31 16:37 ` [PATCH 1/5] refcount: Remove unused __signed_wrap function annotations Kees Cook
2026-03-31 16:37 ` [PATCH 2/5] hardening: Introduce Overflow Behavior Types support Kees Cook
2026-03-31 16:37 ` [PATCH 3/5] compiler_attributes: Add overflow_behavior macros __ob_trap and __ob_wrap Kees Cook
2026-03-31 17:01 ` Miguel Ojeda
2026-03-31 17:09 ` Miguel Ojeda
2026-03-31 17:09 ` Justin Stitt
2026-03-31 17:14 ` Miguel Ojeda
2026-03-31 17:17 ` Justin Stitt
2026-03-31 19:52 ` Kees Cook
2026-04-01 9:08 ` Peter Zijlstra
2026-04-01 20:21 ` Kees Cook
2026-04-01 20:30 ` Peter Zijlstra
2026-04-01 20:55 ` Kees Cook
2026-04-01 23:42 ` Justin Stitt
2026-04-02 9:13 ` David Laight
2026-03-31 17:16 ` Linus Torvalds
2026-03-31 17:18 ` Linus Torvalds
2026-04-01 7:19 ` Vincent Mailhol
2026-04-01 9:20 ` Peter Zijlstra
2026-04-01 19:43 ` Kees Cook
2026-04-01 19:42 ` Kees Cook
2026-03-31 16:37 ` [PATCH 4/5] lkdtm/bugs: Add basic Overflow Behavior Types test Kees Cook
2026-03-31 17:16 ` Justin Stitt
2026-03-31 16:37 ` [PATCH 5/5] types: Add standard __ob_trap and __ob_wrap scalar types Kees Cook
2026-03-31 17:10 ` Linus Torvalds
2026-03-31 17:47 ` Miguel Ojeda
2026-03-31 18:02 ` Linus Torvalds
2026-03-31 18:25 ` Linus Torvalds
2026-03-31 18:59 ` Kees Cook
2026-03-31 20:01 ` Linus Torvalds
2026-03-31 18:32 ` Kees Cook
2026-03-31 18:36 ` Linus Torvalds
2026-03-31 18:16 ` Kees Cook
2026-03-31 20:03 ` Kees Cook
2026-03-31 20:11 ` Linus Torvalds
2026-03-31 20:18 ` Linus Torvalds
2026-03-31 20:31 ` Kees Cook
2026-03-31 20:58 ` Linus Torvalds
2026-03-31 21:50 ` Justin Stitt
2026-03-31 23:49 ` Kees Cook
2026-03-31 23:50 ` Linus Torvalds
2026-04-01 8:31 ` Peter Zijlstra
2026-04-01 20:52 ` Kees Cook
2026-04-02 5:38 ` Peter Zijlstra
2026-04-01 8:57 ` Peter Zijlstra
2026-04-01 20:23 ` Kees Cook
2026-04-01 9:38 ` Peter Zijlstra
2026-04-01 21:41 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260331163716.work.696-kees@kernel.org \
--to=kees@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=corbet@lwn.net \
--cc=elver@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=justinstitt@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=nathan@kernel.org \
--cc=nsc@kernel.org \
--cc=ojeda@kernel.org \
--cc=peterz@infradead.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox