From: Daniel Micay
Date: Thu, 19 Aug 2021 10:18:47 -0400
Subject: Re: [PATCH 0/5] Add __alloc_size() for better bounds checking
To: Christoph Hellwig
Cc: Kees Cook, kernel list, Andrew Morton, Miguel Ojeda, Nathan Chancellor, Nick Desaulniers, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Vlastimil Babka, Dennis Zhou, Tejun Heo, Masahiro Yamada, Michal Marek, clang-built-linux@googlegroups.com, Linux-MM, linux-kbuild, linux-hardening@vger.kernel.org
References: <20210818050841.2226600-1-keescook@chromium.org>

It tells the compiler the function will either return NULL or an allocation of the size specified by the parameter referenced by alloc_size. It could also be used for functions resembling allocation functions which aren't actually allocating. The compiler will use it for optimization, so it's extremely important that it's only used correctly. It only really has a use on the top-level API used externally.

The compiler uses it for __builtin_object_size, which is primarily used by FORTIFY_SOURCE and also internally by -fsanitize=object-size, which will be available for the kernel via UBSan to find bugs or as hardening in the trapping mode. There are currently compatibility issues (undefined out-of-bounds accesses) blocking using -fsanitize=object-size beyond fixing those relatively benign issues to allow using it elsewhere.

For example, it will know that kmalloc(n) returns either NULL or an allocation of size n.
A simple sample program with calloc in userspace:

    #include <stdio.h>
    #include <stdlib.h>

    int main(void) {
        char *p = calloc(64, 1);
        if (!p) {
            return 1;
        }
        /* calloc carries alloc_size, so the compiler can resolve this to 64 */
        printf("%zu\n", __builtin_object_size(p, 1));
        return 0;
    }

It will also detect an out-of-bounds access via the allocation with -fsanitize=object-size, including with a runtime value as the index.

It's not as useful as it should be yet because __builtin_object_size must return a compile-time constant. Clang has a new __builtin_dynamic_object_size that's allowed to return a value that's not a compile-time constant, so it can work for kmalloc(n) where n is a runtime value. It might not be quite ready for use yet, but it should be able to make it a lot more useful. GCC also seems open to adding it.
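The following is an added example, not code from the message above or from the kernel patch series it replies to. It puts the attribute the kernel's __alloc_size() macro expands to (alloc_size) on a userspace wrapper allocator and shows the two things the message describes: __builtin_object_size resolving the allocation size, and a FORTIFY_SOURCE-style check built on top of it that refuses a write the compiler can prove runs past the end of the allocation. It also probes __builtin_dynamic_object_size for the kmalloc(n) case with a runtime n. The names my_alloc, obj_size, dyn_obj_size, write_overflows, checked_fill and the demo_* probes are invented for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-in for the kernel's __alloc_size(1) (hypothetical name):
 * the returned pointer is NULL or points to exactly n bytes. The compiler
 * trusts this contract, so the body must honour it. */
static void *my_alloc(size_t n) __attribute__((alloc_size(1), malloc));
static void *my_alloc(size_t n)
{
	return calloc(n, 1);
}

/* What the compiler believes the size of the object behind p is, or
 * (size_t)-1 if it cannot tell. A macro rather than a function so the
 * builtin is evaluated at the call site, where the allocation is visible.
 * Type 1 is the flavour FORTIFY_SOURCE uses. */
#define obj_size(p) __builtin_object_size((p), 1)

/* Same, but allowed to yield a runtime value (the kmalloc(n) case). Falls
 * back to the static builtin on compilers that lack it. */
#if defined(__has_builtin)
# if __has_builtin(__builtin_dynamic_object_size)
#  define dyn_obj_size(p) __builtin_dynamic_object_size((p), 1)
# endif
#endif
#ifndef dyn_obj_size
# define dyn_obj_size(p) __builtin_object_size((p), 1)
#endif

/* FORTIFY_SOURCE-style pre-write check: 1 when a write of len bytes to dst
 * is provably out of bounds, 0 when it fits or the size is unknown. */
#define write_overflows(dst, len) \
	(obj_size(dst) != (size_t)-1 && (size_t)(len) > obj_size(dst))

/* Hardened fill (hypothetical helper): a provable overflow is refused
 * instead of corrupting the heap; an unknown size degrades to a plain
 * memset, which is exactly how FORTIFY_SOURCE behaves. */
#define checked_fill(dst, c, len) \
	(write_overflows(dst, len) ? -1 : (memset((dst), (c), (len)), 0))

/* Each probe returns its result rather than printing it. */

size_t demo_known_size(void)
{
	char *p = my_alloc(64);
	if (!p)
		return 0;
	size_t sz = obj_size(p);   /* 64 once the optimizer has run, else -1 */
	free(p);
	return sz;
}

int demo_safe_fill(void)
{
	char *p = my_alloc(64);
	if (!p)
		return -2;
	int r = checked_fill(p, 'A', 64);   /* in bounds: always 0 */
	free(p);
	return r;
}

int demo_overflow_flagged(void)
{
	char *p = my_alloc(64);
	if (!p)
		return -2;
	int r = write_overflows(p, 65);     /* 1 exactly when the size was resolved */
	free(p);
	return r;
}

size_t demo_dynamic_size(size_t n)
{
	char *p = my_alloc(n);
	if (!p)
		return 0;
	size_t sz = dyn_obj_size(p);   /* n with the dynamic builtin, else -1 */
	free(p);
	return sz;
}

static void show(const char *what, size_t v)
{
	if (v == (size_t)-1)
		printf("%s: unknown (build with optimization to let the compiler resolve it)\n", what);
	else
		printf("%s: %zu\n", what, v);
}

int main(void)
{
	show("__builtin_object_size of my_alloc(64)", demo_known_size());
	show("__builtin_dynamic_object_size of my_alloc(n=100)", demo_dynamic_size(100));
	printf("checked_fill of 64 bytes into 64: %d\n", demo_safe_fill());
	printf("write of 65 bytes into 64 flagged: %d\n", demo_overflow_flagged());
	return 0;
}
```

Two caveats matter in practice. First, __builtin_object_size is resolved by the optimizer, so without optimization enabled (and, in Clang at -O0, unless the pointer is a const local) it reports (size_t)-1 and the check silently degrades to an unchecked memset; that is the same degradation FORTIFY_SOURCE has, which is why a kernel build that wants the checks must keep the attribute on the externally visible allocator API and build with optimization. Second, the attribute is a promise the compiler acts on: if my_alloc ever returned fewer than n bytes, the compiler would still believe n, and both FORTIFY and -fsanitize=object-size would miss a real overflow, which is the "only use it correctly" point in the message above.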