Re: VLAs and security

From: Uecker, Martin
Date: Tue Sep 04 2018 - 02:33:04 EST

Next message: Yang, Bin: "Re: [PATCH v3 5/5] x86/mm: add WARN_ON_ONCE() for wrong large page mapping"
Previous message: çæå: "POSIX violation by writeback error"
In reply to: Linus Torvalds: "Re: VLAs and security"
Next in thread: Dmitry Vyukov: "Re: VLAs and security"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Am Montag, den 03.09.2018, 14:28 -0700 schrieb Linus Torvalds:
> On Mon, Sep 3, 2018 at 12:40 AM Uecker, Martin
> <Martin.Uecker@xxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > But if the true bound is smaller, then IMHO it is really bad advise
> > to tell programmers to use
> >
> > char buf[MAX_SIZE]
> >
> > instead of something like
> >
> > assert(N <= MAX_SIZE);
> > char buf[N]
>
> No.
>
> First off, we don't use asserts in the kernel. Not acceptable. You
> handle errors, you don't crash.

Ofcourse. But this is unrelated to my point.

> Secondly, the compiler is usually very stupid, and will generate
> horrible code for VLA's.
>
> Third, there's no guarantee that the compiler will actually even
> realize that the size is limited, and guarantee that it won't screw up
> the stack.

If this is about the quality of the generated code, ok.Â

I just don't buy the idea that removing precise type-based
information about the size of objects from the source code
is good long-term strategy for improving security.

> So no. VLA's are not acceptable in the kernel. Don't do them. We're
> getting rid of them.

All right then.

Martin

Next message: Yang, Bin: "Re: [PATCH v3 5/5] x86/mm: add WARN_ON_ONCE() for wrong large page mapping"
Previous message: çæå: "POSIX violation by writeback error"
In reply to: Linus Torvalds: "Re: VLAs and security"
Next in thread: Dmitry Vyukov: "Re: VLAs and security"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]