On Thu, Oct 05, 2023 at 04:08:52PM -0400, Siddhesh Poyarekar wrote:
> 2. How would you handle signedness of the size field? The size gets
> converted to sizetype everywhere it is used and overflows/underflows may
> produce interesting results. Do you want to limit the types to unsigned or
> do you want to add a disclaimer in the docs? The former seems like the
> *right* thing to do given that it is a new feature; best to enforce the
> cleaner habit at the outset.
The Linux kernel has a lot of "int" counters, so the goal is to catch
negative offsets just like too-large offsets at runtime with the sanitizer
and report 0 for __bdos. Refactoring all these to be unsigned is going
to take time since at least some of them use the negative values as
special values unrelated to array indexing. :(
So, perhaps if unsigned counters are worth enforcing, can this be a
separate warning the kernel can turn off initially?
On 05-Oct-2023 18:35, Kees Cook <keesc...@chromium.org> wrote:
That should be fine, I just want to be sure we're thinking about this during the design. In that case we should probably add negative offset tests to ensure that we're actually catching these issues with __bdos.
Thanks,
Sid
- Re: [V3][PATCH 0/3] New attribute "counted_by"... Siddhesh Poyarekar
- Re: [V3][PATCH 0/3] New attribute "counted_by... Kees Cook
- Re: [V3][PATCH 0/3] New attribute "counte... Siddhesh Poyarekar
- Re: [V3][PATCH 0/3] New attribute "counte... Martin Uecker
- Re: [V3][PATCH 0/3] New attribute "co... Siddhesh Poyarekar
- Re: [V3][PATCH 0/3] New attribute &quo... Martin Uecker
- Re: [V3][PATCH 0/3] New attribute... Siddhesh Poyarekar
- Re: [V3][PATCH 0/3] New attribute... Qing Zhao
- Re: [V3][PATCH 0/3] New attribute "counted_by... Qing Zhao
- Re: [V3][PATCH 0/3] New attribute "counte... Kees Cook
- Re: [V3][PATCH 0/3] New attribute "co... Martin Uecker
- Re: [V3][PATCH 0/3] New attribute &quo... Kees Cook
- Re: [V3][PATCH 0/3] New attribute... Qing Zhao
