Message ID | 20250307041914.937329-3-kees@kernel.org (mailing list archive)
---|---
State | New
Series | ubsan/overflow: Enable pattern exclusions
Hi, On Thu, Mar 06, 2025 at 08:19:11PM -0800, Kees Cook wrote: > Limit integer wrap-around mitigation to only the "size_t" type (for > now). Notably this covers all special functions/builtins that return > "size_t", like sizeof(). This remains an experimental feature and is > likely to be replaced with type annotations. For future travelers, track the progress of type annotations over at [1]. There's still discussion on how these will be implemented in Clang. > > Signed-off-by: Kees Cook <kees@kernel.org> > --- > Cc: Justin Stitt <justinstitt@google.com> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> > Cc: Marco Elver <elver@google.com> > Cc: Andrey Konovalov <andreyknvl@gmail.com> > Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com> > Cc: Andrew Morton <akpm@linux-foundation.org> > Cc: Masahiro Yamada <masahiroy@kernel.org> > Cc: Nathan Chancellor <nathan@kernel.org> > Cc: Nicolas Schier <nicolas@fjasle.eu> > Cc: kasan-dev@googlegroups.com > Cc: linux-hardening@vger.kernel.org > Cc: linux-kbuild@vger.kernel.org > --- > lib/Kconfig.ubsan | 1 + > scripts/Makefile.ubsan | 3 ++- > scripts/integer-wrap-ignore.scl | 3 +++ > 3 files changed, 6 insertions(+), 1 deletion(-) > create mode 100644 scripts/integer-wrap-ignore.scl > > diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan > index 888c2e72c586..4216b3a4ff21 100644 > --- a/lib/Kconfig.ubsan > +++ b/lib/Kconfig.ubsan > @@ -125,6 +125,7 @@ config UBSAN_INTEGER_WRAP > depends on $(cc-option,-fsanitize=unsigned-integer-overflow) > depends on $(cc-option,-fsanitize=implicit-signed-integer-truncation) > depends on $(cc-option,-fsanitize=implicit-unsigned-integer-truncation) > + depends on $(cc-option,-fsanitize-ignorelist=/dev/null) > help > This option enables all of the sanitizers involved in integer overflow > (wrap-around) mitigation: signed-integer-overflow, unsigned-integer-overflow, > diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan > index 233379c193a7..9e35198edbf0 100644 > --- a/scripts/Makefile.ubsan 
> +++ b/scripts/Makefile.ubsan > @@ -19,5 +19,6 @@ ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) += \ > -fsanitize=signed-integer-overflow \ > -fsanitize=unsigned-integer-overflow \ > -fsanitize=implicit-signed-integer-truncation \ > - -fsanitize=implicit-unsigned-integer-truncation > + -fsanitize=implicit-unsigned-integer-truncation \ > + -fsanitize-ignorelist=$(srctree)/scripts/integer-wrap-ignore.scl > export CFLAGS_UBSAN_INTEGER_WRAP := $(ubsan-integer-wrap-cflags-y) > diff --git a/scripts/integer-wrap-ignore.scl b/scripts/integer-wrap-ignore.scl > new file mode 100644 > index 000000000000..431c3053a4a2 > --- /dev/null > +++ b/scripts/integer-wrap-ignore.scl > @@ -0,0 +1,3 @@ > +[{unsigned-integer-overflow,signed-integer-overflow,implicit-signed-integer-truncation,implicit-unsigned-integer-truncation}] > +type:* > +type:size_t=sanitize Hi again future travelers, sanitizer special case list support for overflow/truncation sanitizers as well as the "=sanitize" comes from a new Clang 20 feature allowing SCLs to specify sanitize categories, see [2]. > -- > 2.34.1 > > The plumbing looks correct, Reviewed-by: Justin Stitt <justinstitt@google.com> [1]: https://discourse.llvm.org/t/rfc-clang-canonical-wrapping-and-non-wrapping-types/84356 [2]: https://github.com/llvm/llvm-project/pull/107332 Thanks Justin
On Thu, Mar 06, 2025 at 08:19:11PM -0800, Kees Cook wrote: > Limit integer wrap-around mitigation to only the "size_t" type (for > now). Notably this covers all special functions/builtins that return > "size_t", like sizeof(). This remains an experimental feature and is > likely to be replaced with type annotations. > > Signed-off-by: Kees Cook <kees@kernel.org> > --- > Cc: Justin Stitt <justinstitt@google.com> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> > Cc: Marco Elver <elver@google.com> > Cc: Andrey Konovalov <andreyknvl@gmail.com> > Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com> > Cc: Andrew Morton <akpm@linux-foundation.org> > Cc: Masahiro Yamada <masahiroy@kernel.org> > Cc: Nathan Chancellor <nathan@kernel.org> > Cc: Nicolas Schier <nicolas@fjasle.eu> > Cc: kasan-dev@googlegroups.com > Cc: linux-hardening@vger.kernel.org > Cc: linux-kbuild@vger.kernel.org > --- > lib/Kconfig.ubsan | 1 + > scripts/Makefile.ubsan | 3 ++- > scripts/integer-wrap-ignore.scl | 3 +++ > 3 files changed, 6 insertions(+), 1 deletion(-) > create mode 100644 scripts/integer-wrap-ignore.scl > > diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan > index 888c2e72c586..4216b3a4ff21 100644 > --- a/lib/Kconfig.ubsan > +++ b/lib/Kconfig.ubsan > @@ -125,6 +125,7 @@ config UBSAN_INTEGER_WRAP > depends on $(cc-option,-fsanitize=unsigned-integer-overflow) > depends on $(cc-option,-fsanitize=implicit-signed-integer-truncation) > depends on $(cc-option,-fsanitize=implicit-unsigned-integer-truncation) > + depends on $(cc-option,-fsanitize-ignorelist=/dev/null) > help > This option enables all of the sanitizers involved in integer overflow > (wrap-around) mitigation: signed-integer-overflow, unsigned-integer-overflow, > diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan > index 233379c193a7..9e35198edbf0 100644 > --- a/scripts/Makefile.ubsan > +++ b/scripts/Makefile.ubsan 
> @@ -19,5 +19,6 @@ ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) += \ > -fsanitize=signed-integer-overflow \ > -fsanitize=unsigned-integer-overflow \ > -fsanitize=implicit-signed-integer-truncation \ > - -fsanitize=implicit-unsigned-integer-truncation > + -fsanitize=implicit-unsigned-integer-truncation \ > + -fsanitize-ignorelist=$(srctree)/scripts/integer-wrap-ignore.scl > export CFLAGS_UBSAN_INTEGER_WRAP := $(ubsan-integer-wrap-cflags-y) > diff --git a/scripts/integer-wrap-ignore.scl b/scripts/integer-wrap-ignore.scl > new file mode 100644 > index 000000000000..431c3053a4a2 > --- /dev/null > +++ b/scripts/integer-wrap-ignore.scl > @@ -0,0 +1,3 @@ > +[{unsigned-integer-overflow,signed-integer-overflow,implicit-signed-integer-truncation,implicit-unsigned-integer-truncation}] > +type:* > +type:size_t=sanitize Forgot to mention this in my initial reply but we have to be careful with what types are added here. Kees, I know we're on the same page from offline chats but for others: using sanitizer case lists to discriminate against types for the purposes of sanitizer instrumentation may not work properly through various arithmetic conversions. Mainly, implicit promotions which tend to break this particular approach. Now, for size_t we got kind of "lucky" because there are no implicit promotions with size_t; it doesn't get promoted. This is not the case for other types. This further necessitates the need for canonical wrapping types backed by in-source annotations/qualification -- coming soon in Clang. > -- > 2.34.1 > Justin
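As an added illustration of the promotion caveat raised in the reply above (example code written for this page, not part of Kees's patch or Justin's reply), the C program below shows the difference between arithmetic that really happens in size_t and arithmetic on a narrower unsigned type that C promotes to int before any sanitizer sees it. The function names and input values are constructed for the demonstration. It runs stand-alone with gcc or clang; the sanitizer reports themselves only appear when the file is built with clang and the flag set from scripts/Makefile.ubsan (for example `-fsanitize=unsigned-integer-overflow -fsanitize-ignorelist=scripts/integer-wrap-ignore.scl`), and under a `type:size_t=sanitize` list only the two size_t functions are expected to fall inside the instrumented type.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example (not from the patch): which arithmetic actually
 * has type size_t, and which only looks like it does.
 *
 * size_t is never subject to integer promotion (it is at least as wide
 * as int), so size_t + size_t is evaluated, and wraps, in size_t. That
 * is the operation a "type:size_t=sanitize" ignorelist entry describes.
 */
size_t add_size_t(size_t a, size_t b)
{
	return a + b;		/* SIZE_MAX + 1 wraps to 0 */
}

/*
 * The pattern the mitigation is aimed at: a length derived from sizeof(),
 * which yields size_t, multiplied by an externally influenced count.
 * Without a check this wraps to a small (here zero) allocation size.
 */
size_t array_bytes(size_t n)
{
	return n * sizeof(uint64_t);
}

/*
 * Narrower unsigned types are promoted to int first, so the add below
 * is an int operation: 65535 + 1 == 65536, nothing wraps, and a
 * "type:unsigned short" entry would not name the instrumented operation.
 */
int add_u16_promoted(unsigned short a, unsigned short b)
{
	return a + b;
}

/*
 * Storing that int back into unsigned short is an implicit truncation
 * (65536 -> 0), the event the implicit-*-integer-truncation sanitizers
 * in the same flag group catch, on the int -> unsigned short edge rather
 * than on any "unsigned short" arithmetic.
 */
unsigned short add_u16_truncated(unsigned short a, unsigned short b)
{
	return a + b;
}

/*
 * What the kernel uses instead of relying on the wrap being reported:
 * __builtin_add_overflow(), the builtin behind overflow.h's
 * check_add_overflow(). Returns nonzero when the sum does not fit.
 */
int checked_size_add(size_t a, size_t b, size_t *sum)
{
	return __builtin_add_overflow(a, b, sum);
}

int main(void)
{
	size_t sum = 0;

	printf("size_t wrap:        SIZE_MAX + 1 = %zu\n", add_size_t(SIZE_MAX, 1));
	printf("sizeof() wrap:      array_bytes(SIZE_MAX/8 + 1) = %zu\n",
	       array_bytes(SIZE_MAX / 8 + 1));
	printf("promoted u16 add:   65535 + 1 = %d\n", add_u16_promoted(65535, 1));
	printf("truncated u16 add:  65535 + 1 = %u\n", add_u16_truncated(65535, 1));
	printf("checked add:        overflow=%d sum=%zu\n",
	       checked_size_add(SIZE_MAX, 1, &sum), sum);
	return 0;
}
```

The point of the two unsigned short functions is that there is no "unsigned short + unsigned short" operation for a type-name rule to match: the compiler performs the add in int and the only unsigned short event is the later truncation. size_t has no wider type to be promoted into, which is why a list keyed on its name lines up with the operations the sanitizers instrument.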
diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index 888c2e72c586..4216b3a4ff21 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -125,6 +125,7 @@ config UBSAN_INTEGER_WRAP depends on $(cc-option,-fsanitize=unsigned-integer-overflow) depends on $(cc-option,-fsanitize=implicit-signed-integer-truncation) depends on $(cc-option,-fsanitize=implicit-unsigned-integer-truncation) + depends on $(cc-option,-fsanitize-ignorelist=/dev/null) help This option enables all of the sanitizers involved in integer overflow (wrap-around) mitigation: signed-integer-overflow, unsigned-integer-overflow, diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 233379c193a7..9e35198edbf0 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -19,5 +19,6 @@ ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) += \ -fsanitize=signed-integer-overflow \ -fsanitize=unsigned-integer-overflow \ -fsanitize=implicit-signed-integer-truncation \ - -fsanitize=implicit-unsigned-integer-truncation + -fsanitize=implicit-unsigned-integer-truncation \ + -fsanitize-ignorelist=$(srctree)/scripts/integer-wrap-ignore.scl export CFLAGS_UBSAN_INTEGER_WRAP := $(ubsan-integer-wrap-cflags-y) diff --git a/scripts/integer-wrap-ignore.scl b/scripts/integer-wrap-ignore.scl new file mode 100644 index 000000000000..431c3053a4a2 --- /dev/null +++ b/scripts/integer-wrap-ignore.scl @@ -0,0 +1,3 @@ +[{unsigned-integer-overflow,signed-integer-overflow,implicit-signed-integer-truncation,implicit-unsigned-integer-truncation}] +type:* +type:size_t=sanitize
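Review bot: in the lib/Kconfig.ubsan hunk, the new `depends on $(cc-option,-fsanitize-ignorelist=/dev/null)` only proves that the compiler accepts the flag, not that it understands the `type:` prefix or the `=sanitize` category that scripts/integer-wrap-ignore.scl relies on (a Clang 20 addition according to the review thread); a compiler that takes the flag but does not honour the category could end up with `type:*` ignoring everything and the size_t re-enable having no effect, i.e. a build that silently instruments nothing. Consider probing with the real list, e.g. `depends on $(cc-option,-fsanitize-ignorelist=$(srctree)/scripts/integer-wrap-ignore.scl)`, or stating the minimum Clang version. The help text that follows still says the option "enables all of the sanitizers involved in integer overflow (wrap-around) mitigation"; it should also say that instrumentation is now limited to size_t via the ignorelist.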
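Review bot: in the scripts/Makefile.ubsan hunk, the `-fsanitize-ignorelist=$(srctree)/scripts/integer-wrap-ignore.scl` line is added with no comment saying what it does; a one-line comment above it noting that the list narrows the four sanitizers to size_t (and depends on the `=sanitize` category) would spare the next reader a trip through git log. It is also worth confirming that a change to scripts/integer-wrap-ignore.scl rebuilds the instrumented objects: Kbuild's saved command line only records the path, so the rebuild depends on the compiler listing the ignorelist file in its dependency output.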
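Review bot: the new scripts/integer-wrap-ignore.scl has no header comment, and its correctness hinges on ordering that three bare lines do not explain: `type:*` ignores every type for the four listed sanitizers and the later `type:size_t=sanitize` re-enables size_t, which only works if the later entry takes precedence and the compiler honours the `=sanitize` category. Add a `#` comment stating the intent, the precedence it relies on, and the caveat raised in review that this type-name filtering does not survive implicit promotion, so entries for types narrower than int cannot simply be appended here without checking what type the instrumented operation actually has.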
Limit integer wrap-around mitigation to only the "size_t" type (for now). Notably this covers all special functions/builtins that return "size_t", like sizeof(). This remains an experimental feature and is likely to be replaced with type annotations.

Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Justin Stitt <justinstitt@google.com>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Marco Elver <elver@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nicolas Schier <nicolas@fjasle.eu>
Cc: kasan-dev@googlegroups.com
Cc: linux-hardening@vger.kernel.org
Cc: linux-kbuild@vger.kernel.org
---
 lib/Kconfig.ubsan               | 1 +
 scripts/Makefile.ubsan          | 3 ++-
 scripts/integer-wrap-ignore.scl | 3 +++
 3 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 scripts/integer-wrap-ignore.scl