From: "H. Peter Anvin" <hpa@zytor.com>
To: Martin Uecker <uecker@tugraz.at>,
Dan Carpenter <dan.carpenter@linaro.org>
Cc: Greg KH <gregkh@linuxfoundation.org>,
Boqun Feng <boqun.feng@gmail.com>,
Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>,
Christoph Hellwig <hch@infradead.org>,
rust-for-linux <rust-for-linux@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
David Airlie <airlied@gmail.com>,
linux-kernel@vger.kernel.org, ksummit@lists.linux.dev,
Justin Stitt <justinstitt@google.com>,
Kees Cook <keescook@chromium.org>
Subject: Re: Rust kernel policy
Date: Thu, 20 Feb 2025 06:38:20 -0800 [thread overview]
Message-ID: <58959F5F-2207-4FE0-A077-273493F2D9EF@zytor.com> (raw)
In-Reply-To: <1f31a16d3898e0e9b5d94f9bcc12a1b73ac97982.camel@tugraz.at>
On February 20, 2025 6:09:21 AM PST, Martin Uecker <uecker@tugraz.at> wrote:
>Am Donnerstag, dem 20.02.2025 um 16:46 +0300 schrieb Dan Carpenter:
>> On Thu, Feb 20, 2025 at 09:57:29AM +0100, Martin Uecker wrote:
>> > In particulary, I have a relatively concrete plan to have a memory safe
>> > mode for C that can be toggled for some region of code and would make
>> > sure there is no UB or memory safety issues left (I am experimenting with
>> > this in the GCC FE). So the idea is that one could start to activate this
>> > for certain critical regions of code to make sure there is no signed
>> > integer overflow or OOB access in it.
>>
>> I don't think diferentiating between signed and unsigned integer
>> overflows is useful. In the kernel, most security issues from integer
>> overflows are from unsigned integer overflows. Kees says that we
>> should warn about "Unexpected" behavior instead of "Undefined". In fact,
>> Justin Stitt has done the opposite of what you're doing and only checks
>> for unsigned overflows. He created a sanitizer that warns about integer
>> overflows involving size_t type (which is unsigned), because sizes are
>> so important. (Checking only size_t avoids probably the largest source
>> of harmless integer overflows which is dealing with time).
>
>I agree with you. We were also discussing an attribute that
>can be attached to certain unsigned types to indicate that
>wrapping is an error.
>
>My more limited aim (because my personal time is very limited)
>is to define a memory safe subset and in such a subset you can
>not have UB. Hence, I am more focussed on signed overflow at
>the moment, but I agree that safety in general must go beyond
>this.
>
>But this is why I want the kernel community to be more involved,
>to get more resources and more experience into these discussions.
>
>>
>> The sanitizer has a list of exceptions like if (a < a + b) where the
>> integer overflow is idiomatic. But the concern was that there might be
>> other deliberate integer overflows which aren't in the exception list so
>> Justin also created a macro to turn off the santizer.
>>
>> x = wrapping_ok(a + b);
>
>Indeed. This is the main issue with unsigned wraparound. Exactly
>because it was always defined, simply screening for wraparound
>yields many false positives.
>
>(BTW: Rust is also not perfectly immune to such errors:
>https://rustsec.org/advisories/RUSTSEC-2023-0080.html)
>
>
>>
>> What I would like is a similar macro so we could write code like:
>>
>> x = saturate_math(a + b + c + d * d_size);
>>
>> If anything overflowed the result would be ULONG_MAX. In the kernel,
>> we have the size_add() and size_mul() macros which do saturation math
>> instead of wrapping math but we'd have to say:
>>
>> x = size_add(a, size_add(b, size_add(c, size_add(size_mul(d, d_size)))));
>>
>> Which is super ugly. Maybe we could create something like this macro?
>>
>> #define saturate_math(x) ({ \
>> unsigned long res; \
>> __trap_overflow(label_name)); \
>> res = (x); \
>> if (0) { \
>> lable_name: \
>> res = ULONG_MAX; \
>> } \
>> res; \
>> })
>>
>
>We added checked arhithmetic to C23, we could add saturating
>math to C2Y if this is needed. (although I admit I do not fully
>understand the use case of saturating math, a saturated value
>still seems to be an error? Statistics, where it does not matter?)
>
>In general, if people have good ideas what compilers or the language
>standard can do to help, please talk to us. It is possible to
>improve compilers and/or the language itself.
>
>
>Martin
>
>
>
>
This is exactly the sort of things quick is quite easy to do with C++ but requires ad hoc compiler extensions for C.
next prev parent reply other threads:[~2025-02-20 14:38 UTC|newest]
Thread overview: 186+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CANiq72m-R0tOakf=j7BZ78jDHdy=9-fvZbAT8j91Je2Bxy0sFg@mail.gmail.com>
2025-02-18 16:08 ` Christoph Hellwig
2025-02-18 16:35 ` Jarkko Sakkinen
2025-02-18 16:39 ` Jarkko Sakkinen
2025-02-18 18:08 ` Jarkko Sakkinen
2025-02-18 21:22 ` Boqun Feng
2025-02-19 6:20 ` Jarkko Sakkinen
2025-02-19 6:35 ` Dave Airlie
2025-02-19 11:37 ` Jarkko Sakkinen
2025-02-19 13:25 ` Geert Uytterhoeven
2025-02-19 13:40 ` Jarkko Sakkinen
2025-02-19 7:05 ` Boqun Feng
2025-02-19 11:32 ` Jarkko Sakkinen
2025-02-18 17:36 ` Jiri Kosina
2025-02-20 6:33 ` Christoph Hellwig
2025-02-20 18:40 ` Alexei Starovoitov
2025-02-18 18:46 ` Miguel Ojeda
2025-02-18 21:49 ` H. Peter Anvin
2025-02-18 22:38 ` Dave Airlie
2025-02-18 22:54 ` Miguel Ojeda
2025-02-19 0:58 ` H. Peter Anvin
2025-02-19 3:04 ` Boqun Feng
2025-02-19 5:07 ` NeilBrown
2025-02-19 5:39 ` Greg KH
2025-02-19 15:05 ` Laurent Pinchart
2025-02-20 20:49 ` Lyude Paul
2025-02-21 19:24 ` Laurent Pinchart
2025-02-20 7:03 ` Martin Uecker
2025-02-20 7:10 ` Greg KH
2025-02-20 8:57 ` Martin Uecker
2025-02-20 13:46 ` Dan Carpenter
2025-02-20 14:09 ` Martin Uecker
2025-02-20 14:38 ` H. Peter Anvin [this message]
2025-02-20 15:25 ` Dan Carpenter
2025-02-20 15:49 ` Willy Tarreau
2025-02-22 15:30 ` Kent Overstreet
2025-02-20 14:53 ` Greg KH
2025-02-20 15:40 ` Martin Uecker
2025-02-21 0:46 ` Miguel Ojeda
2025-02-21 9:48 ` Dan Carpenter
2025-02-21 16:28 ` Martin Uecker
2025-02-21 17:43 ` Steven Rostedt
2025-02-21 18:07 ` Linus Torvalds
2025-02-21 18:19 ` Steven Rostedt
2025-02-21 18:31 ` Martin Uecker
2025-02-21 19:30 ` Linus Torvalds
2025-02-21 19:59 ` Martin Uecker
2025-02-21 20:11 ` Linus Torvalds
2025-02-22 7:20 ` Martin Uecker
2025-02-21 22:24 ` Steven Rostedt
2025-02-21 23:04 ` Linus Torvalds
2025-02-22 17:53 ` Kent Overstreet
2025-02-22 18:44 ` Linus Torvalds
2025-02-23 16:42 ` David Laight
2025-02-21 23:37 ` Martin Uecker
2025-02-25 22:49 ` David Laight
2025-02-22 18:42 ` Linus Torvalds
2025-02-22 9:45 ` Dan Carpenter
2025-02-22 10:25 ` Martin Uecker
2025-02-22 11:07 ` Greg KH
2025-02-21 18:23 ` Martin Uecker
2025-02-21 22:14 ` Steven Rostedt
2025-03-01 13:22 ` Askar Safin
2025-03-01 13:55 ` Martin Uecker
2025-03-02 6:50 ` Kees Cook
2025-02-21 18:11 ` Theodore Ts'o
2025-02-24 8:12 ` Dan Carpenter
2025-02-20 22:08 ` Paul E. McKenney
2025-02-22 23:42 ` Piotr Masłowski
2025-02-23 8:10 ` Martin Uecker
2025-02-23 23:31 ` comex
2025-02-24 9:08 ` Ventura Jack
2025-02-24 18:03 ` Martin Uecker
2025-02-20 12:28 ` Jan Engelhardt
2025-02-20 12:37 ` Greg KH
2025-02-20 13:23 ` H. Peter Anvin
2025-02-20 13:51 ` Willy Tarreau
2025-02-20 15:17 ` C aggregate passing (Rust kernel policy) Jan Engelhardt
2025-02-20 16:46 ` Linus Torvalds
2025-02-20 20:34 ` H. Peter Anvin
2025-02-21 8:31 ` HUANG Zhaobin
2025-02-21 18:34 ` David Laight
2025-02-21 19:12 ` Linus Torvalds
2025-02-21 20:07 ` comex
2025-02-21 21:45 ` David Laight
2025-02-22 6:32 ` Willy Tarreau
2025-02-22 6:37 ` Willy Tarreau
2025-02-22 8:41 ` David Laight
2025-02-22 9:11 ` Willy Tarreau
2025-02-21 20:06 ` Jan Engelhardt
2025-02-21 20:23 ` Laurent Pinchart
2025-02-21 20:24 ` Laurent Pinchart
2025-02-21 22:02 ` David Laight
2025-02-21 22:13 ` Bart Van Assche
2025-02-22 5:56 ` comex
2025-02-21 20:26 ` Linus Torvalds
2025-02-21 22:19 ` henrychurchill
2025-02-21 22:52 ` henrychurchill
2025-02-20 22:13 ` Rust kernel policy Paul E. McKenney
2025-02-21 5:19 ` Felipe Contreras
2025-02-21 5:36 ` Boqun Feng
2025-02-21 5:59 ` Felipe Contreras
2025-02-21 7:04 ` Dave Airlie
2025-02-24 20:27 ` Felipe Contreras
2025-02-24 20:37 ` Boqun Feng
2025-02-26 2:42 ` Felipe Contreras
2025-02-22 16:04 ` Kent Overstreet
2025-02-22 17:10 ` Ventura Jack
2025-02-22 17:34 ` Kent Overstreet
2025-02-23 2:08 ` Bart Van Assche
2025-02-19 5:53 ` Alexey Dobriyan
2025-02-19 5:59 ` Dave Airlie
2025-02-22 18:46 ` Kent Overstreet
2025-02-19 12:37 ` Miguel Ojeda
2025-02-20 11:26 ` Askar Safin
2025-02-20 12:33 ` vpotach
2025-02-19 18:52 ` Kees Cook
2025-02-19 19:08 ` Steven Rostedt
2025-02-19 19:17 ` Kees Cook
2025-02-19 20:27 ` Jason Gunthorpe
2025-02-19 20:46 ` Steven Rostedt
2025-02-19 20:52 ` Bart Van Assche
2025-02-19 21:07 ` Steven Rostedt
2025-02-20 16:05 ` Jason Gunthorpe
2025-02-20 8:13 ` Jarkko Sakkinen
2025-02-20 8:16 ` Jarkko Sakkinen
2025-02-20 11:57 ` Fiona Behrens
2025-02-20 14:07 ` Jarkko Sakkinen
2025-02-21 10:19 ` Jarkko Sakkinen
2025-02-22 12:10 ` Miguel Ojeda
2025-03-04 11:17 ` Fiona Behrens
2025-03-04 17:48 ` Jarkko Sakkinen
2025-02-20 9:55 ` Leon Romanovsky
2025-02-19 19:33 ` H. Peter Anvin
2025-02-20 6:32 ` Alexey Dobriyan
2025-02-20 6:53 ` Greg KH
2025-02-20 8:44 ` Alexey Dobriyan
2025-02-20 13:53 ` Willy Tarreau
2025-02-20 16:04 ` Jason Gunthorpe
2025-02-20 12:01 ` H. Peter Anvin
2025-02-20 12:13 ` H. Peter Anvin
2025-02-20 23:42 ` Miguel Ojeda
2025-02-22 15:21 ` Kent Overstreet
2025-02-20 6:42 ` Christoph Hellwig
2025-02-20 23:44 ` Miguel Ojeda
2025-02-21 15:24 ` Simona Vetter
2025-02-22 12:10 ` Miguel Ojeda
2025-02-26 13:17 ` Fiona Behrens
2025-02-21 0:39 ` Linus Torvalds
2025-02-21 12:16 ` Danilo Krummrich
2025-02-21 15:59 ` Steven Rostedt
2025-02-23 18:03 ` Laurent Pinchart
2025-02-23 18:31 ` Linus Torvalds
2025-02-26 16:05 ` Jason Gunthorpe
2025-02-26 19:32 ` Linus Torvalds
2025-02-19 8:05 ` Dan Carpenter
2025-02-19 14:14 ` James Bottomley
2025-02-19 14:30 ` Geert Uytterhoeven
2025-02-19 14:46 ` Martin K. Petersen
2025-02-19 14:51 ` Bartosz Golaszewski
2025-02-19 15:15 ` James Bottomley
2025-02-19 15:33 ` Willy Tarreau
2025-02-19 15:45 ` Laurent Pinchart
2025-02-19 15:46 ` James Bottomley
2025-02-19 15:56 ` Willy Tarreau
2025-02-19 16:07 ` Laurent Pinchart
2025-02-19 16:15 ` Willy Tarreau
2025-02-19 16:32 ` Laurent Pinchart
2025-02-19 16:34 ` Willy Tarreau
2025-02-19 16:33 ` Steven Rostedt
2025-02-19 16:47 ` Andrew Lunn
2025-02-19 18:22 ` Jarkko Sakkinen
2025-02-20 6:26 ` Alexey Dobriyan
2025-02-20 15:37 ` Steven Rostedt
2025-02-19 17:00 ` Martin K. Petersen
2025-02-19 15:13 ` Steven Rostedt
2025-02-19 14:05 ` James Bottomley
2025-02-19 15:08 ` Miguel Ojeda
2025-02-19 16:03 ` James Bottomley
2025-02-19 16:44 ` Miguel Ojeda
2025-02-19 17:06 ` Theodore Ts'o
2025-02-20 23:40 ` Miguel Ojeda
2025-02-22 15:03 ` Kent Overstreet
2025-02-20 16:03 ` James Bottomley
2025-02-20 23:47 ` Miguel Ojeda
2025-02-20 6:48 ` Christoph Hellwig
2025-02-20 12:56 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=58959F5F-2207-4FE0-A077-273493F2D9EF@zytor.com \
--to=hpa@zytor.com \
--cc=airlied@gmail.com \
--cc=boqun.feng@gmail.com \
--cc=dan.carpenter@linaro.org \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=justinstitt@google.com \
--cc=keescook@chromium.org \
--cc=ksummit@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=miguel.ojeda.sandonis@gmail.com \
--cc=rust-for-linux@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=uecker@tugraz.at \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox