Message-ID: <587E65E9.17691.D9E2212@pageexec.freemail.hu>
Date: Tue, 17 Jan 2017 19:43:53 +0100
From: "PaX Team" <pageexec@...email.hu>
To: Kees Cook <keescook@...omium.org>
CC: "AKASHI, Takahiro" <takahiro.akashi@...aro.org>,
        Mark Rutland <mark.rutland@....com>,
        park jinbum <jinb.park7@...il.com>,
        "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: Introduction

On 17 Jan 2017 at 9:32, Kees Cook wrote:

> On Sat, Jan 14, 2017 at 2:10 AM, PaX Team <pageexec@...email.hu> wrote:
> > On 13 Jan 2017 at 15:15, Kees Cook wrote:
> >
> >> On Fri, Jan 13, 2017 at 3:09 PM, PaX Team <pageexec@...email.hu> wrote:
> >> >> fs/read_write.c: In function ‘new_sync_write’:
> >> >> fs/read_write.c:490:15: note: userspace variable will be forcibly initialized
> >> >>   struct iovec iov = { .iov_base = (void __user *)buf, .iov_len = len };
> >> >
> >> > this is a designated initializer which doesn't match the object constructor
> >> > the plugin looks for.
> >>
> >> What would an object constructor look like?
> >
> > as you can see it in the plugin source, it has a specific TREE_CODE.
> 
> Right, I meant on the C side. The gimple gets produced several ways, it
> seems, and it wasn't clear under which conditions it spat out a
> constructor vs individual assignments.

It's what your example shows, a normal variable initialization. The reason
it's not a constructor in gcc is due to the C rule that we've been discussing
in another sub-thread: a full object initializer doesn't have to care about
padding and thus gcc in such cases omits the "= {}" constructor and only does
per-field assignments as described by the initializer. You could say that the
plugin could detect this case but then it'd also have to take into account
whether the type in question has padding, etc. Like I said, there are many ways
to refine the pattern matching.

> > a designated initializer is modeled as a constructor and per-field assignments
> > by the compiler (both are subject to optimizations so you won't necessarily see
> > all of them in the dumps of later passes).
> 
> It sounds like the plugin would need to walk every field of the target
> variable and check that it got an assignment.

Yes, that's the kind of data flow analysis that can discover these assignments
and take them into account when deciding about forced initialization.
