On Thu, Mar 22, 2018 at 2:54 AM, Daniel Vetter daniel@ffwll.ch wrote:
On Thu, Mar 22, 2018 at 9:03 AM, Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
On Thu, Mar 22, 2018 at 07:59:59AM +0100, Daniel Vetter wrote:
Does anyone working on overflow-proof integers? That would make a lot of this code so much simpler if we could just ask the compiler to carry the oferflow bit around for a given expression and then check that and bail with -EINVAL.
That would be nice, but no, I don't think that's part of any C standard work that I have heard of :(
Well we have refcount_t already, stitching something together that would work and not suck too badly with performance should be possible. But yeah direct compiler support would be better (and would allow optimizing the carry flag checks I guess). I kinda hoped Kees&team would be working on this eventually.
refcount_t could be used if it happens to match the needed semantics.
Adding Kees+kernel-hardening, maybe he'll grow fond of this :-)
Yeah, general integer overflow is on the list of things to get fixed in the kernel. It's a bit of a long road, though.
Clang has -fsanitize=integer (and sub-options) which could be added for specific object or trees: https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html#ubsan-checks
GCC seems to only support manual marking of overflow detections: https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
grsecurity/PaX has a gcc plugin for overflow detection, though it hasn't been upstreamed and comes with various caveats: http://forums.grsecurity.net/viewtopic.php?f=7&t=3043 https://github.com/ephox-gcc-plugins/size_overflow
-Kees