Detect pointer math wrap-around (overflow and underflow) #344

kees · 2023-09-15T00:35:21Z

Much like issue #26 and issue #27, we must mitigate pointer arithmetic wrap-around (overflow/underflow). This should be possible via -fsanitize=pointer-overflow but it has similar problems as the other issues, namely -fwrapv-pointer.

make sanitizer work with -fwrapv-pointer (and -fno-strict-overflow)
fix sanitizer to work at all on Clang: Sanitizer pointer-overflow does not appear to function llvm/llvm-project#66451
create "expected pointer overflow" helper inline functions marked with attribute((no_sanitize("pointer-overflow"))).
find all true positives and replace with helper calls.
add note to "deprecated.rst" with something like "open coded pointer math wrap around without a helper".
add pointer overflow as a UBSan Kconfig

The text was updated successfully, but these errors were encountered:

JustinStitt · 2023-09-29T05:06:08Z

As for bullet point 2: fix sanitizer to work at all on Clang: https://github.com/llvm/llvm-project/issues/66451 it looks like this sanitizer DOES work... just not for void* 😕

demo: https://godbolt.org/z/Ef3Kvqq1x

~~What's going on here?~~

Update: I triaged and nikic fixed here: llvm/llvm-project#67772

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Switch to a more regular type for a 64-bit value and refactor the open-coded wrap-around addition test to use subtraction from the type max (since add_would_overflow() may not be defined in early boot code). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: KSPP#26 [2] Link: KSPP#27 [3] Link: KSPP#344 [4] Cc: Nick Terrell <[email protected]> Cc: Paul Jones <[email protected]> Cc: Sedat Dilek <[email protected]> Cc: Oleksandr Natalenko <[email protected]> Cc: Xin Gao <[email protected]> Signed-off-by: Kees Cook <[email protected]>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Switch to a more regular type for a 64-bit value and refactor the open-coded wrap-around addition test to use subtraction from the type max (since add_would_overflow() may not be defined in early boot code). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: KSPP/linux#26 [2] Link: KSPP/linux#27 [3] Link: KSPP/linux#344 [4] Cc: Nick Terrell <[email protected]> Cc: Paul Jones <[email protected]> Cc: Sedat Dilek <[email protected]> Cc: Oleksandr Natalenko <[email protected]> Cc: Xin Gao <[email protected]> Signed-off-by: Kees Cook <[email protected]>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is: VAR + value < VAR Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types. Switch to a more regular type for a 64-bit value and refactor the open-coded wrap-around addition test to use subtraction from the type max (since add_would_overflow() may not be defined in early boot code). This paves the way to enabling the wrap-around sanitizers in the future. Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: KSPP#26 [2] Link: KSPP#27 [3] Link: KSPP#344 [4] Cc: Nick Terrell <[email protected]> Cc: Paul Jones <[email protected]> Cc: Sedat Dilek <[email protected]> Cc: Oleksandr Natalenko <[email protected]> Cc: Xin Gao <[email protected]> Signed-off-by: Kees Cook <[email protected]>

kees mentioned this issue Sep 15, 2023

Mitigate arithmetic wrap-around (overflow and underflow) #345

Open

3 tasks

kees changed the title ~~Detect pointer overflow~~ Detect pointer overflows Sep 15, 2023

kees changed the title ~~Detect pointer overflows~~ Detect pointer math wrap-around (overflow and underflow) Sep 25, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Detect pointer math wrap-around (overflow and underflow) #344

Detect pointer math wrap-around (overflow and underflow) #344

kees commented Sep 15, 2023 •

edited

Loading

JustinStitt commented Sep 29, 2023 •

edited

Loading

Detect pointer math wrap-around (overflow and underflow) #344

Detect pointer math wrap-around (overflow and underflow) #344

Comments

kees commented Sep 15, 2023 • edited Loading

JustinStitt commented Sep 29, 2023 • edited Loading

kees commented Sep 15, 2023 •

edited

Loading

JustinStitt commented Sep 29, 2023 •

edited

Loading