Re: VLAs and security
From: Uecker, Martin
Date: Tue Sep 04 2018 - 02:33:04 EST
Am Montag, den 03.09.2018, 14:28 -0700 schrieb Linus Torvalds:
> On Mon, Sep 3, 2018 at 12:40 AM Uecker, Martin
> <Martin.Uecker@xxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > But if the true bound is smaller, then IMHO it is really bad advise
> > to tell programmers to use
> >
> > char buf[MAX_SIZE]
> >
> > instead of something like
> >
> > assert(N <= MAX_SIZE);
> > char buf[N]
>
> No.
>
> First off, we don't use asserts in the kernel. Not acceptable. You
> handle errors, you don't crash.
Ofcourse. But this is unrelated to my point.
> Secondly, the compiler is usually very stupid, and will generate
> horrible code for VLA's.
>
> Third, there's no guarantee that the compiler will actually even
> realize that the size is limited, and guarantee that it won't screw up
> the stack.
If this is about the quality of the generated code, ok.Â
I just don't buy the idea that removing precise type-based
information about the size of objects from the source code
is good long-term strategy for improving security.
> So no. VLA's are not acceptable in the kernel. Don't do them. We're
> getting rid of them.
All right then.
Martin