Message-ID: <CAGXu5jLGLAWeQ28t3TiRswbfHM9F0odZia-f=-c5sVpYm+-0UA@mail.gmail.com>
Date: Wed, 8 Nov 2017 14:58:19 -0800
From: Kees Cook <keescook@...omium.org>
To: "Tobin C. Harding" <me@...in.cc>
Cc: kernel-hardening@...ts.openwall.com, 
	Nick Desaulniers <ndesaulniers@...gle.com>, Josh Poimboeuf <jpoimboe@...hat.com>
Subject: Re: [RFC] vla: add VLA macro and testing

On Wed, Nov 1, 2017 at 4:50 PM, Tobin C. Harding <me@...in.cc> wrote:
> Variable Length Arrays (VLA) pose a risk to the stack if the variable
> passed into the array declaration is too large. If the variable used can
> be controlled by a malicious party then this poses a security risk to
> the kernel.
>
> Add a macro for declaring VLAs. The macro takes a requested size and a
> maximum size; if the requested size is larger than the maximum size then
> the requested size is capped at the maximum. The requested size is passed by
> reference and updated by the macro so the caller has access to the size of
> the array after declaration.
>
> Signed-off-by: Tobin C. Harding <me@...in.cc>
>
> ---
>
> I was unable to get the test module to integrate with the kernel build system
> correctly. The attempt was to mirror the way `lib/test_printf.c` functions. This
> effort was unsuccessful; it is included in the patch in the hope of getting
> better suggestions. To test, the test module was built out of tree and all tests
> pass.
>
> The macro needs some work. It functions as intended but
>
> Checkpatch emits ERROR: Macros with multiple statements should be enclosed in a
> do - while loop.
>
> Also for each use of VLA() checkpatch emits WARNING: Missing a blank line after
> declarations.
>
> Also I was unsure where to put the macro definition, appreciate any suggestions.

While I'd certainly like to see SOME kind of sanity checking for VLAs,
my preference would be to entirely eliminate them and get -Werror=vla
added to the Makefile. Even Linus has expressed irritation over the
idea of VLAs in structs in the past:

https://lkml.org/lkml/2013/9/23/500

I imagine VLAs make Josh's life harder too. Would objtool have an
easier time if there were no VLAs?

Could we just fix the existing VLAs instead? How many are there really?

-Kees

-- 
Kees Cook
Pixel Security
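The capped-VLA macro that the quoted commit message describes, written out as an added example (this is not Tobin's patch or any kernel code), next to the VLA-free form that the reply's preferred -Werror=vla build would accept; the macro name and arguments, VLA_MAX and the two helper functions are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed cap for this example; the patch's real limits are not on the page. */
#define VLA_MAX ((size_t)64)

/*
 * Capped VLA in the shape the commit message describes: the requested size
 * is passed by reference, clamped to `max`, and the array is declared with
 * the clamped value. A single conditional expression inside the array bound
 * keeps the macro to one declaration, which avoids the "multiple statements"
 * checkpatch complaint. Name and argument order are assumed.
 */
#define VLA(type, name, size_ptr, max) \
	type name[(*(size_ptr) > (max)) ? (*(size_ptr) = (max)) : *(size_ptr)]

/* Fill a capped stack buffer; returns the element count actually used. */
size_t fill_capped(size_t requested)
{
	size_t n = requested ? requested : 1;   /* avoid a zero-length VLA */

	VLA(unsigned char, buf, &n, VLA_MAX);   /* buf has n elements, n <= VLA_MAX */
	memset(buf, 0xAA, n);
	return n;                               /* caller sees the clamped size */
}

/*
 * The VLA-free shape the reply argues for: a fixed-size array that compiles
 * under -Werror=vla, with the bound checked explicitly. Returns 0 when the
 * request does not fit instead of silently truncating it.
 */
size_t fill_fixed(size_t requested)
{
	unsigned char buf[VLA_MAX];

	if (requested == 0 || requested > sizeof(buf))
		return 0;
	memset(buf, 0xAA, requested);
	return requested;
}

int main(void)
{
	printf("capped: 16 -> %zu, 1000 -> %zu\n", fill_capped(16), fill_capped(1000));
	printf("fixed:  16 -> %zu, 1000 -> %zu\n", fill_fixed(16), fill_fixed(1000));
	return 0;
}
```

The capped variant silently shrinks an oversized request, so callers must use the updated size rather than the one they asked for; the fixed variant makes the rejection explicit.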
