From: Joe Perches <joe@perches.com>
To: Alexander Potapenko <glider@google.com>
Cc: "Todd Kjos" <tkjos@google.com>,
"Kees Cook" <keescook@chromium.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Arve Hjønnevåg" <arve@android.com>,
"Ingo Molnar" <mingo@redhat.com>,
"Dmitriy Vyukov" <dvyukov@google.com>,
"Jann Horn" <jannh@google.com>,
"open list:ANDROID DRIVERS" <devel@driverdev.osuosl.org>,
"Peter Zijlstra" <peterz@infradead.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 2/3] binder: do not initialize locals passed to copy_from_user()
Date: Mon, 02 Mar 2020 05:58:33 -0800 [thread overview]
Message-ID: <4cac10d3e2c03e4f21f1104405a0a62a853efb4e.camel@perches.com> (raw)
In-Reply-To: <CAG_fn=VNnxjD6qdkAW_E0v3faBQPpSsO=c+h8O=yvNxTZowuBQ@mail.gmail.com>
On Mon, 2020-03-02 at 14:25 +0100, Alexander Potapenko wrote:
> On Mon, Mar 2, 2020 at 2:11 PM Joe Perches <joe@perches.com> wrote:
> > On Mon, 2020-03-02 at 14:04 +0100, glider@google.com wrote:
> > > Certain copy_from_user() invocations in binder.c are known to
> > > unconditionally initialize locals before their first use, like e.g. in
> > > the following case:
> > []
> > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> > []
> > > @@ -3788,7 +3788,7 @@ static int binder_thread_write(struct binder_proc *proc,
> > >
> > > case BC_TRANSACTION_SG:
> > > case BC_REPLY_SG: {
> > > - struct binder_transaction_data_sg tr;
> > > + struct binder_transaction_data_sg tr __no_initialize;
> > >
> > > if (copy_from_user(&tr, ptr, sizeof(tr)))
> >
> > I fail to see any value in marking tr with __no_initialize
> > when it's immediately written to by copy_from_user.
>
> This is being done exactly because it's immediately written to by copy_to_user()
> Clang is currently unable to figure out that copy_to_user() initializes memory.
> So building the kernel with CONFIG_INIT_STACK_ALL=y basically leads to
> the following code:
>
> struct binder_transaction_data_sg tr;
> memset(&tr, 0xAA, sizeof(tr));
> if (copy_from_user(&tr, ptr, sizeof(tr))) {...}
>
> This unnecessarily slows the code down, so we add __no_initialize to
> prevent the compiler from emitting the redundant initialization.
So? CONFIG_INIT_STACK_ALL by design slows down code.
This marking would likely need to be done for nearly all
3000+ copy_from_user entries.
Why not try to get something done on the compiler side
to mark the function itself rather than the uses?
WARNING: multiple messages have this Message-ID (diff)
From: Joe Perches <joe@perches.com>
To: Alexander Potapenko <glider@google.com>
Cc: "open list:ANDROID DRIVERS" <devel@driverdev.osuosl.org>,
"Kees Cook" <keescook@chromium.org>,
"Jann Horn" <jannh@google.com>,
"Peter Zijlstra" <peterz@infradead.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
LKML <linux-kernel@vger.kernel.org>,
"Arve Hjønnevåg" <arve@android.com>,
"Ingo Molnar" <mingo@redhat.com>,
"Dmitriy Vyukov" <dvyukov@google.com>,
"Todd Kjos" <tkjos@google.com>
Subject: Re: [PATCH v2 2/3] binder: do not initialize locals passed to copy_from_user()
Date: Mon, 02 Mar 2020 05:58:33 -0800 [thread overview]
Message-ID: <4cac10d3e2c03e4f21f1104405a0a62a853efb4e.camel@perches.com> (raw)
In-Reply-To: <CAG_fn=VNnxjD6qdkAW_E0v3faBQPpSsO=c+h8O=yvNxTZowuBQ@mail.gmail.com>
On Mon, 2020-03-02 at 14:25 +0100, Alexander Potapenko wrote:
> On Mon, Mar 2, 2020 at 2:11 PM Joe Perches <joe@perches.com> wrote:
> > On Mon, 2020-03-02 at 14:04 +0100, glider@google.com wrote:
> > > Certain copy_from_user() invocations in binder.c are known to
> > > unconditionally initialize locals before their first use, like e.g. in
> > > the following case:
> > []
> > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> > []
> > > @@ -3788,7 +3788,7 @@ static int binder_thread_write(struct binder_proc *proc,
> > >
> > > case BC_TRANSACTION_SG:
> > > case BC_REPLY_SG: {
> > > - struct binder_transaction_data_sg tr;
> > > + struct binder_transaction_data_sg tr __no_initialize;
> > >
> > > if (copy_from_user(&tr, ptr, sizeof(tr)))
> >
> > I fail to see any value in marking tr with __no_initialize
> > when it's immediately written to by copy_from_user.
>
> This is being done exactly because it's immediately written to by copy_to_user()
> Clang is currently unable to figure out that copy_to_user() initializes memory.
> So building the kernel with CONFIG_INIT_STACK_ALL=y basically leads to
> the following code:
>
> struct binder_transaction_data_sg tr;
> memset(&tr, 0xAA, sizeof(tr));
> if (copy_from_user(&tr, ptr, sizeof(tr))) {...}
>
> This unnecessarily slows the code down, so we add __no_initialize to
> prevent the compiler from emitting the redundant initialization.
So? CONFIG_INIT_STACK_ALL by design slows down code.
This marking would likely need to be done for nearly all
3000+ copy_from_user entries.
Why not try to get something done on the compiler side
to mark the function itself rather than the uses?
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
next prev parent reply other threads:[~2020-03-02 14:00 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-02 13:04 [PATCH v2 1/3] compiler.h: define __no_initialize glider
2020-03-02 13:04 ` glider
2020-03-02 13:04 ` [PATCH v2 2/3] binder: do not initialize locals passed to copy_from_user() glider
2020-03-02 13:04 ` glider
2020-03-02 13:09 ` Joe Perches
2020-03-02 13:09 ` Joe Perches
2020-03-02 13:25 ` Alexander Potapenko
2020-03-02 13:25 ` Alexander Potapenko
2020-03-02 13:52 ` Dan Carpenter
2020-03-02 13:52 ` Dan Carpenter
2020-03-02 13:58 ` Joe Perches [this message]
2020-03-02 13:58 ` Joe Perches
2020-03-02 18:17 ` Alexander Potapenko
2020-03-02 18:17 ` Alexander Potapenko
2020-03-02 18:31 ` Jann Horn
2020-03-02 18:31 ` Jann Horn
2020-03-05 9:03 ` Rasmus Villemoes
2020-03-05 9:03 ` Rasmus Villemoes
2020-03-05 12:45 ` Jann Horn
2020-03-05 12:45 ` Jann Horn
2020-03-06 2:29 ` Al Viro
2020-03-06 2:29 ` Al Viro
2020-03-02 18:50 ` Joe Perches
2020-03-02 18:50 ` Joe Perches
2020-03-03 9:14 ` Alexander Potapenko
2020-03-03 9:14 ` Alexander Potapenko
2020-03-03 9:38 ` Dan Carpenter
2020-03-03 9:38 ` Dan Carpenter
2020-03-03 13:56 ` Joe Perches
2020-03-03 13:56 ` Joe Perches
2020-03-03 14:15 ` Dan Carpenter
2020-03-03 14:15 ` Dan Carpenter
2020-03-04 18:13 ` Kees Cook
2020-03-04 18:13 ` Kees Cook
2020-03-05 8:07 ` Dan Carpenter
2020-03-05 8:07 ` Dan Carpenter
2020-03-05 8:26 ` Kees Cook
2020-03-05 8:26 ` Kees Cook
2020-03-05 8:33 ` Alexander Potapenko
2020-03-05 8:33 ` Alexander Potapenko
2020-03-02 17:38 ` Greg KH
2020-03-02 17:38 ` Greg KH
2020-03-02 18:28 ` Alexander Potapenko
2020-03-02 18:28 ` Alexander Potapenko
2020-03-02 13:04 ` [PATCH v2 3/3] sched/wait: avoid double initialization in ___wait_event() glider
2020-03-02 13:04 ` glider
2020-03-02 16:56 ` Todd Kjos
2020-03-02 16:56 ` Todd Kjos
2020-03-02 18:03 ` Alexander Potapenko
2020-03-02 18:03 ` Alexander Potapenko
2020-03-02 18:39 ` Greg Kroah-Hartman
2020-03-02 18:39 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4cac10d3e2c03e4f21f1104405a0a62a853efb4e.camel@perches.com \
--to=joe@perches.com \
--cc=arve@android.com \
--cc=devel@driverdev.osuosl.org \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=tkjos@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.