Re: [PATCH v4 0/3] Hardening perf subsystem

From: Kees Cook
Date: Wed Jun 12 2024 - 15:01:28 EST

Next message: Sean Christopherson: "Re: [PATCH 2/2] selftests: kvm: replace exit() with ksft_exit_fail_msg()"
Previous message: Isaku Yamahata: "Re: [PATCH v2 15/15] KVM: x86/tdp_mmu: Add a helper function to walk down the TDP MMU"
In reply to: Peter Zijlstra: "Re: [PATCH v4 0/3] Hardening perf subsystem"
Next in thread: Peter Zijlstra: "Re: [PATCH v4 0/3] Hardening perf subsystem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jun 11, 2024 at 09:55:42AM +0200, Peter Zijlstra wrote:
> On Mon, Jun 10, 2024 at 02:46:09PM -0700, Kees Cook wrote:
>
> > > I really detest this thing because it makes what was trivially readable
> > > into something opaque. Get me that type qualifier that traps on overflow
> > > and write plain C. All this __builtin_overflow garbage is just that,
> > > unreadable nonsense.
> >
> > It's more readable than container_of(),
>
> Yeah, no. container_of() is absolutely trivial and very readable.
> container_of_const() a lot less so.

I mean, we have complex macros in the kernel. This isn't uncommon. Look
at cleanup.h. ;)

But that's why we write kern-doc:

* struct_size() - Calculate size of structure with trailing flexible
* array.
* @p: Pointer to the structure.
* @member: Name of the array member.
* @count: Number of elements in the array.

> #define struct_size(p, member, num) \
> mult_add_no_overflow(num, sizeof(p->member), sizeof(*p))
>
> would be *FAR* more readable. And then I still think struct_size() is
> less readable than its expansion. ]]

I'm happy to take patches. And for this bikeshed, this would be better
named under the size_*() helpers which are trying to keep size_t
calculations from overflowing (by saturating). i.e.:

size_add_mult(sizeof(*p), sizeof(*p->member), num)

Generalized overflow handing (check_add/sub/mul_overflow()) helpers
already exist and requires a destination variable to determine type
sizes. It is not safe to allow C semantics to perform
promotion/truncation, so we have to be explicit.

> Some day I'll have to look at this FORTIFY_SOURCE and see what it
> actually does I suppose :/

LOL. It's basically doing compile-time (__builtin_object_size) and
run-time (__builtin_dynamic_object_size) bounds checking on destination
(and source) object sizes, mainly driven by the mentioned builtins:
https://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html

> I coulnd't quickly find a single instance in the code I care about. So
> nothing is sailing afaict.

I have to care about all of Linux's code. :P We generally don't have to
defend the kernel from perf, so the hardening changes tend to end up in
core APIs along with compiler improvements.

Anyway! What about the patch that takes the 2 allocations down to 1?
That seems like an obvious improvement.

-Kees

--
Kees Cook

Next message: Sean Christopherson: "Re: [PATCH 2/2] selftests: kvm: replace exit() with ksft_exit_fail_msg()"
Previous message: Isaku Yamahata: "Re: [PATCH v2 15/15] KVM: x86/tdp_mmu: Add a helper function to walk down the TDP MMU"
In reply to: Peter Zijlstra: "Re: [PATCH v4 0/3] Hardening perf subsystem"
Next in thread: Peter Zijlstra: "Re: [PATCH v4 0/3] Hardening perf subsystem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]