lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 10 Sep 2021 13:06:42 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Nick Desaulniers <ndesaulniers@...gle.com>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Miguel Ojeda <ojeda@...nel.org>,
        Nathan Chancellor <nathan@...nel.org>,
        Marco Elver <elver@...gle.com>, Will Deacon <will@...nel.org>,
        Arvind Sankar <nivedita@...m.mit.edu>,
        Masahiro Yamada <masahiroy@...nel.org>,
        "Peter Zijlstra (Intel)" <peterz@...radead.org>,
        Sami Tolvanen <samitolvanen@...gle.com>,
        Arnd Bergmann <arnd@...db.de>,
        Ard Biesheuvel <ardb@...nel.org>, llvm@...ts.linux.dev,
        Luc Van Oostenryck <luc.vanoostenryck@...il.com>,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] Compiler Attributes: Check GCC version for __alloc_size
 attribute

On Fri, Sep 10, 2021 at 12:05:03PM -0700, Nick Desaulniers wrote:
> On Fri, Sep 10, 2021 at 9:58 AM Kees Cook <keescook@...omium.org> wrote:
> >
> > Unfortunately, just version checking the use of -Wno-alloc-size-larger-than
> > is not sufficient to make the __alloc_size attribute behave correctly
> > under older GCC versions. The attribute itself must be disabled in those
> > situations too, as there appears to be no way to reliably silence the
> > SIZE_MAX constant expression cases for GCC versions less than 9.1:
> >
> > In file included from ./include/linux/resource_ext.h:11,
> >                  from ./include/linux/pci.h:40,
> >                  from drivers/net/ethernet/intel/ixgbe/ixgbe.h:9,
> >                  from drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c:4:
> > In function 'kmalloc_node',
> >     inlined from 'ixgbe_alloc_q_vector' at ./include/linux/slab.h:743:9:
> > ./include/linux/slab.h:618:9: error: argument 1 value '18446744073709551615' exceeds maximum object size 9223372036854775807 [-Werror=alloc-size-larger-than=]
> >   return __kmalloc_node(size, flags, node);
> >          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > ./include/linux/slab.h: In function 'ixgbe_alloc_q_vector':
> > ./include/linux/slab.h:455:7: note: in a call to allocation function '__kmalloc_node' declared here
> >  void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_slab_alignment __malloc;
> >        ^~~~~~~~~~~~~~
> >
> > Specifically:
> > -Wno-alloc-size-larger-than is not correctly handled by GCC < 9.1
> >   https://godbolt.org/z/hqsfG7q84 (doesn't disable)
> 
> (heh, clang has had similar bugs with command line flags with `=` seperators)
> 
> Reviewed-by: Nick Desaulniers <ndesaulniers@...gle.com>
> 
> Though some of the below examples don't make sense to me (the one
> above is fine).
> 
> >   https://godbolt.org/z/P9jdrPTYh (doesn't admit to not knowing about option)
> 
> ^ technically your first link demonstrates that. This link doesn't add
> anything new and makes it look like there are more issues that there
> are.

Yes, but it's messy. I wanted to show each part of it. The above shows
that given just "-Wno-alloc-size-larger-than" and no other errors, the
compiler happily takes the argument. (i.e. $(call cc-option,...) would
think it succeeded).

> >   https://godbolt.org/z/465TPMWKb (only warns when other warnings appear)
> 
> ^ this example doesn't make sense to me.  I couldn't reproduce what
> you're describing.

In this one, the only difference between it and the one above it is
having an unrelated warning present:

<source>: In function 'main':
<source>:8:9: warning: unused variable 'trigger_an_extra_warning'
[-Wunused-variable]
     int trigger_an_extra_warning;
         ^~~~~~~~~~~~~~~~~~~~~~~~

At which point it suddenly DOES admit to not knowing about
-Wno-alloc-size-larger-than:

<source>: At top level:
cc1: warning: unrecognized command line option '-Wno-alloc-size-larger-than'

> 
> >
> > -Walloc-size-larger-than=18446744073709551615 is not handled by GCC < 8
> >   https://godbolt.org/z/73hh1EPxz (ignores numeric value)
> 
> Should this be GCC < 8.2?

Yeah, that's true, the note here should say "8.2", but for the purposes
of this attempted it, everything below 9.1 is broken in various ways.
Better to just avoid everything. I wanted to document all the ways it is
broken, though, so folks don't go through my same pain. :P

> Some other feedback on the general use of godbolt.  Under Output,
> please always disable Intel Asm Syntax; it causes me physical pain.
> Also under output, usually disabling Execute the Output is what you
> want, too.

Good points, yes!

Thanks for checking this out. :)

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ