Re: [RFC] Mitigating unexpected arithmetic overflow
From: Kees Cook
Date: Thu May 16 2024 - 09:31:30 EST
On May 15, 2024 12:36:36 AM PDT, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
>On Wed, May 08, 2024 at 04:47:25PM -0700, Linus Torvalds wrote:
>> For example, the most common case of overflow we've ever had has very
>> much been array indexing. Now, sometimes that has actually been actual
>> undefined behavior, because it's been overflow in signed variables,
>> and those are "easy" to find in the sense that you just say "no, can't
>> do that". UBSAN finds them, and that's good.
>
>We build with -fno-strict-overflow, which implies -fwrapv, which removes
>the UB from signed overflow by mandating 2s complement.
I am a broken record. :) This is _not_ about undefined behavior.
This is about finding a way to make the intent of C authors unambiguous. That overflow wraps is well defined. It is not always _desired_. C has no way to distinguish between the two cases.
-Kees
--
Kees Cook
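Added example, not from the thread or the kernel tree: the two kinds of overflow the reply distinguishes, side by side in C. With -fno-strict-overflow (and therefore -fwrapv) both the hash and the size computation wrap in a well-defined way, and nothing in the language marks the first as intended and the second as a bug. The checked variants use the GCC/Clang `__builtin_*_overflow` builtins to state the intent explicitly; the kernel's `check_mul_overflow()` / `check_add_overflow()` helpers in include/linux/overflow.h are thin wrappers over the same builtins. Function names and the sample inputs are assumptions made for this illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Case 1: wrapping IS the intent.  A 32-bit multiplicative string hash
 * relies on modular arithmetic; a fixed-width unsigned type says so. */
uint32_t wrap_hash(const char *s)
{
    uint32_t h = 5381u;
    for (; *s; s++)
        h = h * 33u + (unsigned char)*s;   /* wraps mod 2^32 by design */
    return h;
}

/* Case 2: wrapping is NOT the intent.  n * elem is meant to be a byte
 * count for an allocation.  size_t is unsigned, so the multiply is
 * well-defined with or without -fwrapv, but on wrap the caller gets a
 * tiny buffer and later indexes past it. */
size_t alloc_size_naive(size_t n, size_t elem)
{
    return n * elem;   /* silently wrong when the product exceeds SIZE_MAX */
}

/* Same computation with the intent made explicit: the builtin stores the
 * wrapped result in *out and returns nonzero if a wrap occurred.  This is
 * what check_mul_overflow() expands to in the kernel. */
bool alloc_size_checked(size_t n, size_t elem, size_t *out)
{
    return !__builtin_mul_overflow(n, elem, out);
}

/* Signed case.  Under -fwrapv, base + extra past INT_MAX wraps negative,
 * so a subsequent "if (total < limit)" check would pass.  The builtin
 * reports the wrap independent of -fwrapv or UB rules. */
bool add_len_checked(int base, int extra, int *out)
{
    return !__builtin_add_overflow(base, extra, out);
}

int main(void)
{
    /* Constructed inputs: the naive product wraps to 0 on any word size. */
    size_t n = SIZE_MAX / 2 + 1, out;
    int total;

    printf("hash(\"a\")           = %u\n", wrap_hash("a"));
    printf("naive %zu * 4       = %zu\n", n, alloc_size_naive(n, 4));
    printf("checked %zu * 4     = %s\n", n,
           alloc_size_checked(n, 4, &out) ? "ok" : "overflow detected");
    printf("checked INT_MAX + 1 = %s\n",
           add_len_checked(INT_MAX, 1, &total) ? "ok" : "overflow detected");
    return 0;
}
```

The unchecked functions compile cleanly and have fully defined results under -fwrapv; only the author's choice of the checked builtin (or the kernel wrapper around it) tells the compiler, the reader, and any instrumentation which overflows are supposed to happen.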