From: Peter Zijlstra <peterz@infradead.org>
To: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>,
Will Deacon <will@kernel.org>, Boqun Feng <boqun.feng@gmail.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Jakub Kicinski <kuba@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Arnd Bergmann <arnd@arndb.de>,
Andrew Morton <akpm@linux-foundation.org>,
"David S. Miller" <davem@davemloft.net>,
David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
Uros Bizjak <ubizjak@gmail.com>,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, linux-arch@vger.kernel.org,
netdev@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH 1/4] locking/atomic/x86: Silence intentional wrapping addition
Date: Thu, 25 Apr 2024 11:17:52 +0200 [thread overview]
Message-ID: <20240425091752.GA21980@noisy.programming.kicks-ass.net> (raw)
In-Reply-To: <202404241602.276D4ADA@keescook>
On Wed, Apr 24, 2024 at 04:20:20PM -0700, Kees Cook wrote:
> > This is arse-about-face. Signed stuff wraps per -fno-strict-overflow.
> > We've been writing code for years under that assumption.
>
> Right, which is why this is going to take time to roll out. :) What we
> were really doing with -fno-strict-overflow was getting rid of undefined
> behavior. That was really really horrible; we don't need the compiler
> hallucinating.
Right, but that then got us well defined semantics for signed overflow.
> > You want to mark the non-wrapping case.
>
> What we want is lack of ambiguity. Having done these kinds of things in
> the kernel for a while now, I have strong evidence that we get much better
> results with the "fail safe" approach, but start by making it non-fatal.
> That way we get full coverage, but we don't melt the world for anyone
> that doesn't want it, and we can shake things out over a few years. For
> example, it has worked well for CONFIG_FORTIFY, CONFIG_UBSAN_BOUNDS,
> KCFI, etc.
The non-fatal argument doesn't have bearing on the mark warp or mark
non-wrap argument though.
> The riskier condition is having something wrap when it wasn't expected
> (e.g. allocations, pointer offsets, etc), so we start by defining our
> regular types as non-wrapping, and annotate the wrapping types (or
> specific calculations or functions).
But but most of those you mention are unsigned. Are you saying you're
making all unsigned variables non-wrap by default too? That's bloody
insane.
> For signed types in particular, wrapping is overwhelmingly the
> uncommon case, so from a purely "how much annotations is needed"
> perspective, marking wrapping is also easiest. Yes, there are cases of
> expected wrapping, but we'll track them all down and get them marked
> unambiguously.
But I am confused now, because above you seem to imply you're making
unsigned non-wrap too, and there wrapping is *far* more common, and I
must say I hate this wrapping_add() thing with a passion.
> One thing on the short list is atomics, so here we are. :)
Well, there are wrapping and non-wrapping users of atomic. If only C had
generics etc.. (and yeah, _Generic doesn't really count).
next prev parent reply other threads:[~2024-04-25 9:18 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-24 19:17 [PATCH 0/4] Annotate atomics for signed integer wrap-around Kees Cook
2024-04-24 19:17 ` [PATCH 1/4] locking/atomic/x86: Silence intentional wrapping addition Kees Cook
2024-04-24 22:41 ` Peter Zijlstra
2024-04-24 22:45 ` Kees Cook
2024-04-24 22:54 ` Peter Zijlstra
2024-04-24 23:05 ` Peter Zijlstra
2024-04-24 23:30 ` Kees Cook
2024-04-25 9:28 ` Peter Zijlstra
2024-04-25 10:19 ` Mark Rutland
2024-04-24 23:20 ` Kees Cook
2024-04-25 9:17 ` Peter Zijlstra [this message]
2024-04-25 17:39 ` Kees Cook
2024-04-25 10:15 ` Mark Rutland
2024-04-25 17:19 ` Kees Cook
2024-04-24 22:51 ` Peter Zijlstra
2024-04-26 7:40 ` David Howells
2024-05-02 14:57 ` Kees Cook
2024-04-24 19:17 ` [PATCH 2/4] arm64: atomics: lse: " Kees Cook
2024-05-02 11:21 ` Will Deacon
2024-05-02 15:00 ` Kees Cook
2024-04-24 19:17 ` [PATCH 3/4] locking/atomic: Annotate generic atomics with wrapping Kees Cook
2024-04-24 19:17 ` [PATCH 4/4] ipv4: Silence intentional wrapping addition Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240425091752.GA21980@noisy.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=boqun.feng@gmail.com \
--cc=bp@alien8.de \
--cc=catalin.marinas@arm.com \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=kuba@kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=paulmck@kernel.org \
--cc=tglx@linutronix.de \
--cc=ubizjak@gmail.com \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).