From: Dmitry Vyukov <dvyukov@google.com>
To: "Uecker, Martin" <Martin.Uecker@med.uni-goettingen.de>
Cc: "torvalds@linux-foundation.org" <torvalds@linux-foundation.org>,
"keescook@chromium.org" <keescook@chromium.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: VLAs and security
Date: Tue, 4 Sep 2018 10:00:16 +0200 [thread overview]
Message-ID: <CACT4Y+bBPRfjpWFXoZmruuot37_KTemZ0PHUNrFfOPW5+6JD7w@mail.gmail.com> (raw)
In-Reply-To: <1536042474.25086.1.camel@med.uni-goettingen.de>
On Tue, Sep 4, 2018 at 8:27 AM, Uecker, Martin
<Martin.Uecker@med.uni-goettingen.de> wrote:
> Am Montag, den 03.09.2018, 14:28 -0700 schrieb Linus Torvalds:
>> On Mon, Sep 3, 2018 at 12:40 AM Uecker, Martin
>> <Martin.Uecker@med.uni-goettingen.de> wrote:
>> >
>> > But if the true bound is smaller, then IMHO it is really bad advise
>> > to tell programmers to use
>> >
>> > char buf[MAX_SIZE]
>> >
>> > instead of something like
>> >
>> > assert(N <= MAX_SIZE);
>> > char buf[N]
>>
>> No.
>>
>> First off, we don't use asserts in the kernel. Not acceptable. You
>> handle errors, you don't crash.
>
> Ofcourse. But this is unrelated to my point.
>
>> Secondly, the compiler is usually very stupid, and will generate
>> horrible code for VLA's.
>>
>> Third, there's no guarantee that the compiler will actually even
>> realize that the size is limited, and guarantee that it won't screw up
>> the stack.
>
> If this is about the quality of the generated code, ok.
>
> I just don't buy the idea that removing precise type-based
> information about the size of objects from the source code
> is good long-term strategy for improving security.
>
>> So no. VLA's are not acceptable in the kernel. Don't do them. We're
>> getting rid of them.
>
> All right then.
Hi Martin,
Compiler and KASAN should still be able to do checking against the
static array size.
If you mean that there is some smaller dynamic logical bound n (<N)
and we are not supposed to use memory beyond that, then KMSAN [1] can
detect uses of the uninitialized part of the array. So we have some
coverage on the checking side too.
[1] https://github.com/google/kmsan#kmsan-kernelmemorysanitizer
next prev parent reply other threads:[~2018-09-04 8:00 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-02 8:08 VLAs and security Uecker, Martin
2018-09-02 17:40 ` Kees Cook
2018-09-03 7:39 ` Uecker, Martin
2018-09-03 21:28 ` Linus Torvalds
2018-09-04 6:27 ` Uecker, Martin
2018-09-04 8:00 ` Dmitry Vyukov [this message]
2018-09-04 18:22 ` Uecker, Martin
2018-09-05 7:35 ` Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACT4Y+bBPRfjpWFXoZmruuot37_KTemZ0PHUNrFfOPW5+6JD7w@mail.gmail.com \
--to=dvyukov@google.com \
--cc=Martin.Uecker@med.uni-goettingen.de \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).