linux-toolchains.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: David Malcolm <dmalcolm@redhat.com>
To: Martin Sebor <msebor@gmail.com>,
	gcc-patches@gcc.gnu.org, linux-toolchains@vger.kernel.org
Subject: Re: [PATCH 1b/6] Add __attribute__((untrusted))
Date: Thu, 06 Jan 2022 10:10:21 -0500	[thread overview]
Message-ID: <3b1978c1d9954bfd3bfdcce7b634cb78422f69f3.camel@redhat.com> (raw)
In-Reply-To: <fea306bc-ff1b-9ba8-1661-fc7c337bb2d9@gmail.com>

On Thu, 2021-12-09 at 15:54 -0700, Martin Sebor wrote:
> On 11/13/21 1:37 PM, David Malcolm via Gcc-patches wrote:
> > This patch adds a new:
> > 
> >    __attribute__((untrusted))
> > 
> > for use by the C front-end, intended for use by the Linux kernel for
> > use with "__user", but which could be used by other operating system
> > kernels, and potentialy by other projects.
> 
> It looks like untrusted is a type attribute (rather than one
> that applies to variables and/or function return values or
> writeable by-reference arguments).  I find that quite surprising.

FWIW I initially tried implementing it on pointer types, but doing it
on the underlying type was much cleaner.

>   I'm used to thinking of trusted vs tainted as dynamic properties
> of data so I'm having trouble deciding what to think about
> the attribute applying to types.  Can you explain why it's
> useful on types?

A type system *is* a way of detecting problems involving dynamic
properties of data.  Ultimately all we have at runtime is a collection
of bits; the toolchain has the concept of types as a way to allow us to
reason about properies of those bits without requiring a full cross-TU
analysis (to try to figure out that e.g. x is, say, a 32 bit unsigned
integer), and to document these properties clearly to human readers of
the code.

I see this as working like a qualifier (rather like "const" and
"volatile"), in that an
  untrusted char *
when dereferenced gives you an
  untrusted char

The intent is to have a way of treating the values as "actively
hostile", so that code analyzers can assume the worst possible values
for such types (or more glibly, that we're dealing with data from Satan
rather than from Murphy).

Such types are also relevant to infoleaks: writing sensitive
information to an untrusted value can be detected relatively easily
with this approach, by checking the type of the value - the types
express the trust boundary

Doing this with qualifiers allows us to use the C type system to detect
these kinds of issues without having to add a full cross-TU
interprocedural analysis, and documents it to human readers of the
code.   Compare with const-correctness; we can have an analogous
"trust-correctness".

> 
> I'd expect the taint property of a type to be quickly lost as
> an object of the type is passed through existing APIs (e.g.,
> a char array manipulated by string functions like strchr).

FWIW you can't directly pass an attacker-controlled buffer to strchr:
strchr requires there to be a 0-terminator to the array; if the array's
content is untrusted then the attacker might not have 0-terminated it.

As implemented, the patch doesn't complain about this, though maybe it
should.

The main point here is to support the existing __user annotation used
by the Linux kernel, in particular, copy_from_user and copy_to_user.

> 
> (I usually look at tests to help me understand the design of
> a change but I couldn't find an answer to my question in those
> in the patch.)

The patch kit was rather unclear on this, due to the use of two
different approaches (custom address spaces vs this untrusted
attribute).  Sorry about this.

Patches 4a and 4b in the kit add test-uaccess.h (to
gcc/testsuite/gcc.dg/analyzer) which supplies "__user"; see the tests
that use "test-uaccess.h" in patch 3:
 [PATCH 3/6] analyzer: implement infoleak detection
    https://gcc.gnu.org/pipermail/gcc-patches/2021-November/584377.html
and in patch 5:
 [PATCH 5/6] analyzer: use region::untrusted_p in taint detection
   https://gcc.gnu.org/pipermail/gcc-patches/2021-November/584374.html

(sorry about messing up the order of the patches).

Patch 4a here:
 [PATCH 4a/6] analyzer: implement region::untrusted_p in terms of custom address spaces
   https://gcc.gnu.org/pipermail/gcc-patches/2021-November/584371.html
implements "__user" as a custom address space, 

whereas patch 4b here:

 [PATCH 4b/6] analyzer: implement region::untrusted_p in terms of __attribute__((untrusted))
    https://gcc.gnu.org/pipermail/gcc-patches/2021-November/584373.html

implements "__user" to be __attribute__((untrusted)).

Perhaps I should drop the custom address space versions of the patches
and post a version of the kit that simply uses the attribute?

Dave


> 
> Thanks
> Martin
> 
> PS I found one paper online that discusses type-based taint
> analysis in Java but not much more.  I only quickly skimmed
> the paper and although it conceptually makes sense I'm still
> having difficulties seeing how it would be useful in C.
> 
> > 
> > Known issues:
> > - at least one TODO in handle_untrusted_attribute
> > - should it be permitted to dereference an untrusted pointer?  The
> > patch
> >    currently allows this
> > 
> > gcc/c-family/ChangeLog:
> >         * c-attribs.c (c_common_attribute_table): Add "untrusted".
> >         (build_untrusted_type): New.
> >         (handle_untrusted_attribute): New.
> >         * c-pretty-print.c (pp_c_cv_qualifiers): Handle
> >         TYPE_QUAL_UNTRUSTED.
> > 
> > gcc/c/ChangeLog:
> >         * c-typeck.c (convert_for_assignment): Complain if the trust
> >         levels vary when assigning a non-NULL pointer.
> > 
> > gcc/ChangeLog:
> >         * doc/extend.texi (Common Type Attributes): Add "untrusted".
> >         * print-tree.c (print_node): Handle TYPE_UNTRUSTED.
> >         * tree-core.h (enum cv_qualifier): Add TYPE_QUAL_UNTRUSTED.
> >         (struct tree_type_common): Assign one of the spare bits to a
> > new
> >         "untrusted_flag".
> >         * tree.c (set_type_quals): Handle TYPE_QUAL_UNTRUSTED.
> >         * tree.h (TYPE_QUALS): Likewise.
> >         (TYPE_QUALS_NO_ADDR_SPACE): Likewise.
> >         (TYPE_QUALS_NO_ADDR_SPACE_NO_ATOMIC): Likewise.
> > 
> > gcc/testsuite/ChangeLog:
> >         * c-c++-common/attr-untrusted-1.c: New test.
> > 
> > Signed-off-by: David Malcolm <dmalcolm@redhat.com>
> > ---
> >   gcc/c-family/c-attribs.c                      |  59 +++++++
> >   gcc/c-family/c-pretty-print.c                 |   2 +
> >   gcc/c/c-typeck.c                              |  64 +++++++
> >   gcc/doc/extend.texi                           |  25 +++
> >   gcc/print-tree.c                              |   3 +
> >   gcc/testsuite/c-c++-common/attr-untrusted-1.c | 165
> > ++++++++++++++++++
> >   gcc/tree-core.h                               |   6 +-
> >   gcc/tree.c                                    |   1 +
> >   gcc/tree.h                                    |  11 +-
> >   9 files changed, 332 insertions(+), 4 deletions(-)
> >   create mode 100644 gcc/testsuite/c-c++-common/attr-untrusted-1.c
> > 
> > diff --git a/gcc/c-family/c-attribs.c b/gcc/c-family/c-attribs.c
> > index 007b928c54b..100c2dabab2 100644
> > --- a/gcc/c-family/c-attribs.c
> > +++ b/gcc/c-family/c-attribs.c
> > @@ -136,6 +136,7 @@ static tree handle_warn_unused_result_attribute
> > (tree *, tree, tree, int,
> >                                                  bool *);
> >   static tree handle_access_attribute (tree *, tree, tree, int, bool
> > *);
> >   
> > +static tree handle_untrusted_attribute (tree *, tree, tree, int,
> > bool *);
> >   static tree handle_sentinel_attribute (tree *, tree, tree, int,
> > bool *);
> >   static tree handle_type_generic_attribute (tree *, tree, tree, int,
> > bool *);
> >   static tree handle_alloc_size_attribute (tree *, tree, tree, int,
> > bool *);
> > @@ -536,6 +537,8 @@ const struct attribute_spec
> > c_common_attribute_table[] =
> >                               handle_special_var_sec_attribute,
> > attr_section_exclusions },
> >     { "access",               1, 3, false, true, true, false,
> >                               handle_access_attribute, NULL },
> > +  { "untrusted",             0, 0, false,  true, false, true,
> > +                             handle_untrusted_attribute, NULL },
> >     /* Attributes used by Objective-C.  */
> >     { "NSObject",                     0, 0, true, false, false,
> > false,
> >                               handle_nsobject_attribute, NULL },
> > @@ -5224,6 +5227,62 @@ build_attr_access_from_parms (tree parms, bool
> > skip_voidptr)
> >     return build_tree_list (name, attrargs);
> >   }
> >   
> > +/* Build (or reuse) a type based on BASE_TYPE, but with
> > +   TYPE_QUAL_UNTRUSTED.  */
> > +
> > +static tree
> > +build_untrusted_type (tree base_type)
> > +{
> > +  int base_type_quals = TYPE_QUALS (base_type);
> > +  return build_qualified_type (base_type,
> > +                              base_type_quals |
> > TYPE_QUAL_UNTRUSTED);
> > +}
> > +
> > +/* Handle an "untrusted" attribute; arguments as in
> > +   struct attribute_spec.handler.  */
> > +
> > +static tree
> > +handle_untrusted_attribute (tree *node, tree ARG_UNUSED (name),
> > +                           tree ARG_UNUSED (args), int ARG_UNUSED
> > (flags),
> > +                           bool *no_add_attrs)
> > +{
> > +  if (TREE_CODE (*node) == POINTER_TYPE)
> > +    {
> > +      tree base_type = TREE_TYPE (*node);
> > +      tree untrusted_base_type = build_untrusted_type (base_type);
> > +      *node = build_pointer_type (untrusted_base_type);
> > +      *no_add_attrs = true; /* OK */
> > +      return NULL_TREE;
> > +    }
> > +  else if (TREE_CODE (*node) == FUNCTION_TYPE)
> > +    {
> > +      tree return_type = TREE_TYPE (*node);
> > +      if (TREE_CODE (return_type) == POINTER_TYPE)
> > +       {
> > +         tree base_type = TREE_TYPE (return_type);
> > +         tree untrusted_base_type = build_untrusted_type
> > (base_type);
> > +         tree untrusted_return_type = build_pointer_type
> > (untrusted_base_type);
> > +         tree fn_type = build_function_type (untrusted_return_type,
> > +                                             TYPE_ARG_TYPES
> > (*node));
> > +         *node = fn_type;
> > +         *no_add_attrs = true; /* OK */
> > +         return NULL_TREE;
> > +       }
> > +      else
> > +       {
> > +         gcc_unreachable (); // TODO
> > +       }
> > +    }
> > +  else
> > +    {
> > +      tree base_type = *node;
> > +      tree untrusted_base_type = build_untrusted_type (base_type);
> > +      *node = untrusted_base_type;
> > +      *no_add_attrs = true; /* OK */
> > +      return NULL_TREE;
> > +    }
> > +}
> > +
> >   /* Handle a "nothrow" attribute; arguments as in
> >      struct attribute_spec.handler.  */
> >   
> > diff --git a/gcc/c-family/c-pretty-print.c b/gcc/c-family/c-pretty-
> > print.c
> > index a987da46d6d..120e1e6d167 100644
> > --- a/gcc/c-family/c-pretty-print.c
> > +++ b/gcc/c-family/c-pretty-print.c
> > @@ -191,6 +191,8 @@ pp_c_cv_qualifiers (c_pretty_printer *pp, int
> > qualifiers, bool func_type)
> >     if (qualifiers & TYPE_QUAL_RESTRICT)
> >       pp_c_ws_string (pp, (flag_isoc99 && !c_dialect_cxx ()
> >                          ? "restrict" : "__restrict__"));
> > +  if (qualifiers & TYPE_QUAL_UNTRUSTED)
> > +    pp_c_ws_string (pp, "__attribute__((untrusted))");
> >   }
> >   
> >   /* Pretty-print T using the type-cast notation '( type-name )'.  */
> > diff --git a/gcc/c/c-typeck.c b/gcc/c/c-typeck.c
> > index 782414f8c8c..44de82b99ba 100644
> > --- a/gcc/c/c-typeck.c
> > +++ b/gcc/c/c-typeck.c
> > @@ -7284,6 +7284,70 @@ convert_for_assignment (location_t location,
> > location_t expr_loc, tree type,
> >           return error_mark_node;
> >         }
> >   
> > +      /* Untrusted vs trusted pointers, but allowing NULL to be used
> > +        for everything.  */
> > +      if (TYPE_UNTRUSTED (ttl) != TYPE_UNTRUSTED (ttr)
> > +         && !null_pointer_constant_p (rhs))
> > +       {
> > +         auto_diagnostic_group d;
> > +         bool diagnosed = true;
> > +         switch (errtype)
> > +           {
> > +           case ic_argpass:
> > +             {
> > +               const char msg[] = G_("passing argument %d of %qE
> > from "
> > +                                     "pointer with different trust
> > level");
> > +               if (warnopt)
> > +                 diagnosed
> > +                   = warning_at (expr_loc, warnopt, msg, parmnum,
> > rname);
> > +               else
> > +                 error_at (expr_loc, msg, parmnum, rname);
> > +             break;
> > +             }
> > +           case ic_assign:
> > +             {
> > +               const char msg[] = G_("assignment from pointer with "
> > +                                     "different trust level");
> > +               if (warnopt)
> > +                 warning_at (location, warnopt, msg);
> > +               else
> > +                 error_at (location, msg);
> > +               break;
> > +             }
> > +           case ic_init:
> > +             {
> > +               const char msg[] = G_("initialization from pointer
> > with "
> > +                                     "different trust level");
> > +               if (warnopt)
> > +                 warning_at (location, warnopt, msg);
> > +               else
> > +                 error_at (location, msg);
> > +               break;
> > +             }
> > +           case ic_return:
> > +             {
> > +               const char msg[] = G_("return from pointer with "
> > +                                     "different trust level");
> > +               if (warnopt)
> > +                 warning_at (location, warnopt, msg);
> > +               else
> > +                 error_at (location, msg);
> > +               break;
> > +             }
> > +           default:
> > +             gcc_unreachable ();
> > +           }
> > +         if (diagnosed)
> > +           {
> > +             if (errtype == ic_argpass)
> > +               inform_for_arg (fundecl, expr_loc, parmnum, type,
> > rhstype);
> > +             else
> > +               inform (location, "expected %qT but pointer is of
> > type %qT",
> > +                       type, rhstype);
> > +           }
> > +         return error_mark_node;
> > +       }
> > +
> >         /* Check if the right-hand side has a format attribute but
> > the
> >          left-hand side doesn't.  */
> >         if (warn_suggest_attribute_format
> > diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
> > index 6e6c580e329..e9f47519df2 100644
> > --- a/gcc/doc/extend.texi
> > +++ b/gcc/doc/extend.texi
> > @@ -8770,6 +8770,31 @@ pid_t wait (wait_status_ptr_t p)
> >   @}
> >   @end smallexample
> >   
> > +@item untrusted
> > +@cindex @code{untrusted} type attribute
> > +Types marked with this attribute are treated as being ``untrusted''
> > -
> > +values should be treated as under attacker control.
> > +
> > +The C front end will issue an error diagnostic on attempts to assign
> > +pointer values between untrusted and trusted pointer types without
> > +an explicit cast.
> > +
> > +For example, when implementing an operating system kernel, one
> > +might write
> > +
> > +@smallexample
> > +#define __kernel
> > +#define __user    __attribute__ ((untrusted))
> > +void __kernel *p_kernel;
> > +void __user *p_user;
> > +
> > +/* With the above, the following assignment should be diagnosed as
> > an error.  */
> > +p_user = p_kernel;
> > +@end smallexample
> > +
> > +The NULL pointer is treated as being usable with both trusted and
> > +untrusted pointers.
> > +
> >   @item unused
> >   @cindex @code{unused} type attribute
> >   When attached to a type (including a @code{union} or a
> > @code{struct}),
> > diff --git a/gcc/print-tree.c b/gcc/print-tree.c
> > index d1fbd044c27..e5123807521 100644
> > --- a/gcc/print-tree.c
> > +++ b/gcc/print-tree.c
> > @@ -640,6 +640,9 @@ print_node (FILE *file, const char *prefix, tree
> > node, int indent,
> >         if (TYPE_RESTRICT (node))
> >         fputs (" restrict", file);
> >   
> > +      if (TYPE_UNTRUSTED (node))
> > +       fputs (" untrusted", file);
> > +
> >         if (TYPE_LANG_FLAG_0 (node))
> >         fputs (" type_0", file);
> >         if (TYPE_LANG_FLAG_1 (node))
> > diff --git a/gcc/testsuite/c-c++-common/attr-untrusted-1.c
> > b/gcc/testsuite/c-c++-common/attr-untrusted-1.c
> > new file mode 100644
> > index 00000000000..84a217fc59f
> > --- /dev/null
> > +++ b/gcc/testsuite/c-c++-common/attr-untrusted-1.c
> > @@ -0,0 +1,165 @@
> > +#define __kernel
> > +#define __user __attribute__((untrusted))
> > +#define __iomem
> > +#define __percpu
> > +#define __rcu
> > +
> > +void *p;
> > +void __kernel *p_kernel;
> > +void __user *p_user;
> > +void __iomem *p_iomem;
> > +void __percpu *p_percpu;
> > +void __rcu *p_rcu;
> > +
> > +#define NULL ((void *)0)
> > +
> > +extern void accepts_p (void *); /* { dg-message "24: expected 'void
> > \\*' but argument is of type '__attribute__\\(\\(untrusted\\)\\) void
> > \\*'" "" { target c } } */
> > +/* { dg-message "24:  initializing argument 1 of 'void
> > accepts_p\\(void\\*\\)'" "" { target c++ } .-1 } */
> > +extern void accepts_p_kernel (void __kernel *);
> > +extern void accepts_p_user (void __user *);
> > +
> > +void test_argpass_to_p (void)
> > +{
> > +  accepts_p (p);
> > +  accepts_p (p_kernel);
> > +  accepts_p (p_user); /* { dg-error "passing argument 1 of
> > 'accepts_p' from pointer with different trust level" "" { target c }
> > } */
> > +  /* { dg-error "invalid conversion from
> > '__attribute__\\(\\(untrusted\\)\\) void\\*' to 'void\\*'" "" {
> > target c++ } .-1 } */
> > +}
> > +
> > +void test_init_p (void)
> > +{
> > +  void *local_p_1 = p;
> > +  void *local_p_2 = p_kernel;
> > +  void *local_p_3 = p_user; /* { dg-error "initialization from
> > pointer with different trust level" "" { target c } } */
> > +  /* { dg-message "expected 'void \\*' but pointer is of type
> > '__attribute__\\(\\(untrusted\\)\\) void \\*'" "" { target c } .-1 }
> > */
> > +  /* { dg-error "invalid conversion from
> > '__attribute__\\(\\(untrusted\\)\\) void\\*' to 'void\\*'" "" {
> > target c++ } .-2 } */
> > +}
> > +
> > +void test_init_p_kernel (void)
> > +{
> > +  void __kernel *local_p_1 = p;
> > +  void __kernel *local_p_2 = p_kernel;
> > +  void __kernel *local_p_3 = p_user; /* { dg-error "initialization
> > from pointer with different trust level" "" { target c } } */
> > +  /* { dg-message "expected 'void \\*' but pointer is of type
> > '__attribute__\\(\\(untrusted\\)\\) void \\*'" "" { target c } .-1 }
> > */
> > +  /* { dg-error "invalid conversion from
> > '__attribute__\\(\\(untrusted\\)\\) void\\*' to 'void\\*'" "" {
> > target c++ } .-2 } */
> > +}
> > +
> > +void test_init_p_user (void)
> > +{
> > +  void __user *local_p_1 = p; /* { dg-error "initialization from
> > pointer with different trust level" "" { target c } } */
> > +  /* { dg-message "expected '__attribute__\\(\\(untrusted\\)\\) void
> > \\*' but pointer is of type 'void \\*'" "" { target c } .-1 } */
> > +  void __user *local_p_2 = p_kernel; /* { dg-error "initialization
> > from pointer with different trust level" "" { target c } } */
> > +  /* { dg-message "expected '__attribute__\\(\\(untrusted\\)\\) void
> > \\*' but pointer is of type 'void \\*'" "" { target c } .-1 } */
> > +  void __user *local_p_3 = p_user;
> > +  void __user *local_p_4 = NULL;
> > +}
> > +
> > +void test_assign_to_p (void)
> > +{
> > +  p = p;
> > +  p = p_kernel;
> > +  p = p_user; /* { dg-error "assignment from pointer with different
> > trust level" "" { target c } } */
> > +  /* { dg-message "expected 'void \\*' but pointer is of type
> > '__attribute__\\(\\(untrusted\\)\\) void \\*'" "" { target c } .-1 }
> > */
> > +  /* { dg-error "invalid conversion from
> > '__attribute__\\(\\(untrusted\\)\\) void\\*' to 'void\\*'" "" {
> > target c++ } .-2 } */
> > +  // etc
> > +}
> > +
> > +void test_assign_to_p_kernel (void)
> > +{
> > +  p_kernel = p;
> > +  p_kernel = p_kernel;
> > +  p_kernel = p_user; /* { dg-error "assignment from pointer with
> > different trust level" "" { target c } } */
> > +  /* { dg-message "expected 'void \\*' but pointer is of type
> > '__attribute__\\(\\(untrusted\\)\\) void \\*'" "" { target c } .-1 }
> > */
> > +  /* { dg-error "invalid conversion from
> > '__attribute__\\(\\(untrusted\\)\\) void\\*' to 'void\\*'" "" {
> > target c++ } .-2 } */
> > +  // etc
> > +}
> > +
> > +void test_assign_to_p_user (void)
> > +{
> > +  p_user = p;  /* { dg-error "assignment from pointer with different
> > trust level" "" { target c } } */
> > +  /* { dg-message "expected '__attribute__\\(\\(untrusted\\)\\) void
> > \\*' but pointer is of type 'void \\*'" "" { target c } .-1 } */
> > +  p_user = p_kernel;  /* { dg-error "assignment from pointer with
> > different trust level" "" { target c } } */
> > +  /* { dg-message "expected '__attribute__\\(\\(untrusted\\)\\) void
> > \\*' but pointer is of type 'void \\*'" "" { target c } .-1 } */
> > +  p_user = p_user;
> > +  p_user = NULL;
> > +  // etc
> > +}
> > +
> > +void *test_return_p (int i)
> > +{
> > +  switch (i)
> > +    {
> > +    default:
> > +    case 0:
> > +      return p;
> > +    case 1:
> > +      return p_kernel;
> > +    case 2:
> > +      return p_user; /* { dg-error "return from pointer with
> > different trust level" "" { target c } } */
> > +      /* { dg-message "expected 'void \\*' but pointer is of type
> > '__attribute__\\(\\(untrusted\\)\\) void \\*'" "" { target c } .-1 }
> > */
> > +      /* { dg-error "invalid conversion from
> > '__attribute__\\(\\(untrusted\\)\\) void\\*' to 'void\\*'" "" {
> > target c++ } .-2 } */
> > +    }
> > +}
> > +
> > +void __kernel *test_return_p_kernel (int i)
> > +{
> > +  switch (i)
> > +    {
> > +    default:
> > +    case 0:
> > +      return p;
> > +    case 1:
> > +      return p_kernel;
> > +    case 2:
> > +      return p_user; /* { dg-error "return from pointer with
> > different trust level" "" { target c } } */
> > +      /* { dg-message "expected 'void \\*' but pointer is of type
> > '__attribute__\\(\\(untrusted\\)\\) void \\*'" "" { target c } .-1 }
> > */
> > +      /* { dg-error "invalid conversion from
> > '__attribute__\\(\\(untrusted\\)\\) void\\*' to 'void\\*'" "" {
> > target c++ } .-2 } */
> > +    }
> > +}
> > +
> > +void __user *
> > +test_return_p_user (int i)
> > +{
> > +  switch (i)
> > +    {
> > +    default:
> > +    case 0:
> > +      return p; /* { dg-error "return from pointer with different
> > trust level" "" { target c } } */
> > +      /* { dg-message "expected '__attribute__\\(\\(untrusted\\)\\)
> > void \\*' but pointer is of type 'void \\*'" "" { target c } .-1 } */
> > +    case 1:
> > +      return p_kernel; /* { dg-error "return from pointer with
> > different trust level" "" { target c } } */
> > +      /* { dg-message "expected '__attribute__\\(\\(untrusted\\)\\)
> > void \\*' but pointer is of type 'void \\*'" "" { target c } .-1 } */
> > +    case 2:
> > +      return p_user;
> > +    case 3:
> > +      return NULL;
> > +    }
> > +}
> > +
> > +void test_cast_k_to_u (void)
> > +{
> > +  p_user = (void __user *)p_kernel;
> > +}
> > +
> > +void test_cast_u_to_k (void)
> > +{
> > +  p_kernel = (void __kernel *)p_user;
> > +}
> > +
> > +int test_deref_read (int __user *p)
> > +{
> > +  return *p; // FIXME: should this be allowed directly?
> > +}
> > +
> > +void test_deref_write (int __user *p, int i)
> > +{
> > +  *p = i; // FIXME: should this be allowed directly?
> > +}
> > +
> > +typedef struct foo { int i; } __user *foo_ptr_t;
> > +
> > +void __user *
> > +test_pass_through (void __user *ptr)
> > +{
> > +  return ptr;
> > +}
> > diff --git a/gcc/tree-core.h b/gcc/tree-core.h
> > index 8ab119dc9a2..35a7f50c06c 100644
> > --- a/gcc/tree-core.h
> > +++ b/gcc/tree-core.h
> > @@ -604,7 +604,8 @@ enum cv_qualifier {
> >     TYPE_QUAL_CONST    = 0x1,
> >     TYPE_QUAL_VOLATILE = 0x2,
> >     TYPE_QUAL_RESTRICT = 0x4,
> > -  TYPE_QUAL_ATOMIC   = 0x8
> > +  TYPE_QUAL_ATOMIC   = 0x8,
> > +  TYPE_QUAL_UNTRUSTED = 0x10
> >   };
> >   
> >   /* Standard named or nameless data types of the C compiler.  */
> > @@ -1684,7 +1685,8 @@ struct GTY(()) tree_type_common {
> >     unsigned typeless_storage : 1;
> >     unsigned empty_flag : 1;
> >     unsigned indivisible_p : 1;
> > -  unsigned spare : 16;
> > +  unsigned untrusted_flag : 1;
> > +  unsigned spare : 15;
> >   
> >     alias_set_type alias_set;
> >     tree pointer_to;
> > diff --git a/gcc/tree.c b/gcc/tree.c
> > index 845228a055b..3600639d985 100644
> > --- a/gcc/tree.c
> > +++ b/gcc/tree.c
> > @@ -5379,6 +5379,7 @@ set_type_quals (tree type, int type_quals)
> >     TYPE_VOLATILE (type) = (type_quals & TYPE_QUAL_VOLATILE) != 0;
> >     TYPE_RESTRICT (type) = (type_quals & TYPE_QUAL_RESTRICT) != 0;
> >     TYPE_ATOMIC (type) = (type_quals & TYPE_QUAL_ATOMIC) != 0;
> > +  TYPE_UNTRUSTED (type) = (type_quals & TYPE_QUAL_UNTRUSTED) != 0;
> >     TYPE_ADDR_SPACE (type) = DECODE_QUAL_ADDR_SPACE (type_quals);
> >   }
> >   
> > diff --git a/gcc/tree.h b/gcc/tree.h
> > index f62c00bc870..caab575b210 100644
> > --- a/gcc/tree.h
> > +++ b/gcc/tree.h
> > @@ -2197,6 +2197,10 @@ extern tree vector_element_bits_tree
> > (const_tree);
> >      the term.  */
> >   #define TYPE_RESTRICT(NODE) (TYPE_CHECK (NODE)-
> > >type_common.restrict_flag)
> >   
> > +/* Nonzero in a type considered "untrusted" - values should be
> > treated as
> > +   under attacker control.  */
> > +#define TYPE_UNTRUSTED(NODE) (TYPE_CHECK (NODE)-
> > >type_common.untrusted_flag)
> > +
> >   /* If nonzero, type's name shouldn't be emitted into debug info. 
> > */
> >   #define TYPE_NAMELESS(NODE) (TYPE_CHECK (NODE)-
> > >base.u.bits.nameless_flag)
> >   
> > @@ -2221,6 +2225,7 @@ extern tree vector_element_bits_tree
> > (const_tree);
> >           | (TYPE_VOLATILE (NODE) * TYPE_QUAL_VOLATILE)         \
> >           | (TYPE_ATOMIC (NODE) * TYPE_QUAL_ATOMIC)             \
> >           | (TYPE_RESTRICT (NODE) * TYPE_QUAL_RESTRICT)         \
> > +         | (TYPE_UNTRUSTED (NODE) * TYPE_QUAL_UNTRUSTED)       \
> >           | (ENCODE_QUAL_ADDR_SPACE (TYPE_ADDR_SPACE (NODE)))))
> >   
> >   /* The same as TYPE_QUALS without the address space
> > qualifications.  */
> > @@ -2228,14 +2233,16 @@ extern tree vector_element_bits_tree
> > (const_tree);
> >     ((int) ((TYPE_READONLY (NODE) * TYPE_QUAL_CONST)            \
> >           | (TYPE_VOLATILE (NODE) * TYPE_QUAL_VOLATILE)         \
> >           | (TYPE_ATOMIC (NODE) * TYPE_QUAL_ATOMIC)             \
> > -         | (TYPE_RESTRICT (NODE) * TYPE_QUAL_RESTRICT)))
> > +         | (TYPE_RESTRICT (NODE) * TYPE_QUAL_RESTRICT)         \
> > +         | (TYPE_UNTRUSTED (NODE) * TYPE_QUAL_UNTRUSTED)))
> >   
> >   /* The same as TYPE_QUALS without the address space and atomic
> >      qualifications.  */
> >   #define TYPE_QUALS_NO_ADDR_SPACE_NO_ATOMIC(NODE)              \
> >     ((int) ((TYPE_READONLY (NODE) * TYPE_QUAL_CONST)            \
> >           | (TYPE_VOLATILE (NODE) * TYPE_QUAL_VOLATILE)         \
> > -         | (TYPE_RESTRICT (NODE) * TYPE_QUAL_RESTRICT)))
> > +         | (TYPE_RESTRICT (NODE) * TYPE_QUAL_RESTRICT)         \
> > +         | (TYPE_UNTRUSTED (NODE) * TYPE_QUAL_UNTRUSTED)))
> >   
> >   /* These flags are available for each language front end to use
> > internally.  */
> >   #define TYPE_LANG_FLAG_0(NODE) (TYPE_CHECK (NODE)-
> > >type_common.lang_flag_0)
> > 
> 



  reply	other threads:[~2022-01-06 15:10 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-13 20:37 [PATCH 0/6] RFC: adding support to GCC for detecting trust boundaries David Malcolm
2021-11-13 20:37 ` [PATCH 1a/6] RFC: Implement "#pragma GCC custom_address_space" David Malcolm
2021-11-13 20:37 ` [PATCH 1b/6] Add __attribute__((untrusted)) David Malcolm
2021-12-09 22:54   ` Martin Sebor
2022-01-06 15:10     ` David Malcolm [this message]
2022-01-06 18:59       ` Martin Sebor
2021-11-13 20:37 ` [PATCH 2/6] Add returns_zero_on_success/failure attributes David Malcolm
2021-11-15  7:03   ` Prathamesh Kulkarni
2021-11-15 14:45     ` Peter Zijlstra
2021-11-15 22:30       ` David Malcolm
2021-11-15 22:12     ` David Malcolm
2021-11-17  9:23       ` Prathamesh Kulkarni
2021-11-17 22:43         ` Joseph Myers
2021-11-18 20:08           ` Segher Boessenkool
2021-11-18 23:45             ` David Malcolm
2021-11-19 21:52               ` Segher Boessenkool
2021-11-18 23:34           ` David Malcolm
2021-12-06 18:34             ` Martin Sebor
2021-11-18 23:15         ` David Malcolm
2021-11-13 20:37 ` [PATCH 4a/6] analyzer: implement region::untrusted_p in terms of custom address spaces David Malcolm
2021-11-13 20:37 ` [PATCH 4b/6] analyzer: implement region::untrusted_p in terms of __attribute__((untrusted)) David Malcolm
2021-11-13 20:37 ` [PATCH 5/6] analyzer: use region::untrusted_p in taint detection David Malcolm
2021-11-13 20:37 ` [PATCH 6/6] Add __attribute__ ((tainted)) David Malcolm
2022-01-06 14:08   ` PING (C/C++): " David Malcolm
2022-01-10 21:36     ` PING^2 " David Malcolm
2022-01-12  4:36       ` Jason Merrill
2022-01-12 15:33         ` David Malcolm
2022-01-13 19:08           ` Jason Merrill
2022-01-14  1:25             ` [committed] Add __attribute__ ((tainted_args)) David Malcolm
2021-11-13 23:20 ` [PATCH 0/6] RFC: adding support to GCC for detecting trust boundaries Peter Zijlstra
2021-11-14  2:54   ` David Malcolm
2021-11-14 13:54 ` Miguel Ojeda
2021-12-06 18:12 ` Martin Sebor
2021-12-06 19:40   ` Segher Boessenkool
2021-12-09  0:06     ` David Malcolm
2021-12-09  0:41       ` Segher Boessenkool
2021-12-09 16:42     ` Martin Sebor
2021-12-09 23:40       ` Segher Boessenkool
2021-12-08 23:11   ` David Malcolm

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3b1978c1d9954bfd3bfdcce7b634cb78422f69f3.camel@redhat.com \
    --to=dmalcolm@redhat.com \
    --cc=gcc-patches@gcc.gnu.org \
    --cc=linux-toolchains@vger.kernel.org \
    --cc=msebor@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).