
kbuild: Enable -fstrict-flex-arrays=3

Message ID 20230517232801.never.262-kees@kernel.org (mailing list archive)
State New, archived
Series kbuild: Enable -fstrict-flex-arrays=3

Commit Message

Kees Cook May 17, 2023, 11:28 p.m. UTC
The -fstrict-flex-arrays=3 option is now available with the release
of GCC 13[1] and Clang 16[2]. This feature instructs the compiler to
treat only C99 flexible arrays as dynamically sized for the purposes of
object size calculations. In other words, the ancient practice of using
1-element arrays, or the GNU extension of using 0-sized arrays, as a
dynamically sized array is disabled. This allows CONFIG_UBSAN_BOUNDS,
CONFIG_FORTIFY_SOURCE, and other object-size aware features to behave
unambiguously in the face of trailing arrays: only C99 flexible arrays
are considered to be dynamically sized.

Enabling this will help track down any outstanding cases of fake
flexible arrays that need attention in kernel code.

[1] https://gcc.gnu.org/onlinedocs/gcc/C-Dialect-Options.html#index-fstrict-flex-arrays
[2] https://clang.llvm.org/docs/ClangCommandLineReference.html#cmdoption-clang-fstrict-flex-arrays

Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Nicolas Schier <nicolas@fjasle.eu>
Cc: linux-kbuild@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 Makefile | 6 ++++++
 1 file changed, 6 insertions(+)
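
As an added example (not part of this patch or the kernel tree), the C below shows what the two trailing-array forms described in the commit message look like to the compiler's object-size machinery that FORTIFY_SOURCE and UBSAN_BOUNDS build on; the struct names fake_hdr and flex_hdr and the helper flex_hdr_create() are hypothetical. Compile it once with and once without -fstrict-flex-arrays=3 (GCC 13+ / Clang 16+) and compare what fake_tail_bos() reports.

```c
/* Added example, not from the patch or the kernel tree: how a "fake"
 * flexible array and a C99 flexible array look to the compiler's
 * object-size machinery that CONFIG_FORTIFY_SOURCE and CONFIG_UBSAN_BOUNDS
 * build on. Compile with and without -fstrict-flex-arrays=3 and compare. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Pre-C99 idiom: a 1-element array used as a variable-length tail. */
struct fake_hdr {
	uint32_t len;
	uint8_t data[1];
};

/* C99 flexible array member: the only form still treated as dynamically
 * sized under -fstrict-flex-arrays=3. */
struct flex_hdr {
	uint32_t len;
	uint8_t data[];
};

/* __builtin_object_size() mode 1 (tightest enclosing subobject) of the
 * trailing array, reached through a pointer of unknown provenance, as a
 * FORTIFY helper sees it; (size_t)-1 means "unknown, cannot check".
 * noinline keeps the probe from learning the caller's real object size. */
__attribute__((noinline)) size_t fake_tail_bos(const struct fake_hdr *h)
{
	/* Default: (size_t)-1, tail assumed unbounded. With =3: 1, so
	 * h->data[1] and beyond become reportable out-of-bounds accesses. */
	return __builtin_object_size(h->data, 1);
}

__attribute__((noinline)) size_t flex_tail_bos(const struct flex_hdr *h)
{
	/* (size_t)-1 with or without the flag: only the allocation bounds it. */
	return __builtin_object_size(h->data, 1);
}

/* With the flexible form, allocation size is plain header + payload (what
 * the kernel's struct_size() computes), with no "+ n - 1" adjustments. */
struct flex_hdr *flex_hdr_create(const uint8_t *src, uint32_t n)
{
	struct flex_hdr *h = malloc(sizeof(*h) + n * sizeof(h->data[0]));
	if (!h)
		return NULL;
	h->len = n;
	memcpy(h->data, src, n); /* in bounds: the allocation covers n bytes */
	return h;
}
```

With the flag, a FORTIFY-style check of fake_tail_bos() has a hard bound of 1 byte to enforce, which is exactly why remaining 1-element "fake" tails in the tree surface as reports and need conversion to the C99 form.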

Comments

Gustavo A. R. Silva May 17, 2023, 11:45 p.m. UTC | #1
On Wed, May 17, 2023 at 04:28:04PM -0700, Kees Cook wrote:
> The -fstrict-flex-arrays=3 option is now available with the release
> of GCC 13[1] and Clang 16[2]. This feature instructs the compiler to
> treat only C99 flexible arrays as dynamically sized for the purposes of
> object size calculations. In other words, the ancient practice of using
> 1-element arrays, or the GNU extension of using 0-sized arrays, as a
> dynamically sized array is disabled. This allows CONFIG_UBSAN_BOUNDS,
> CONFIG_FORTIFY_SOURCE, and other object-size aware features to behave
> unambiguously in the face of trailing arrays: only C99 flexible arrays
> are considered to be dynamically sized.

It's happening! :'-)

> 
> Enabling this will help track down any outstanding cases of fake
> flexible arrays that need attention in kernel code.
> 
> [1] https://gcc.gnu.org/onlinedocs/gcc/C-Dialect-Options.html#index-fstrict-flex-arrays
> [2] https://clang.llvm.org/docs/ClangCommandLineReference.html#cmdoption-clang-fstrict-flex-arrays
> 
> Cc: Masahiro Yamada <masahiroy@kernel.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: Nathan Chancellor <nathan@kernel.org>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Nicolas Schier <nicolas@fjasle.eu>
> Cc: linux-kbuild@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>

Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Thanks!
--
Gustavo

> ---
>  Makefile | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/Makefile b/Makefile
> index f836936fb4d8..07e5aec1daf5 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1026,6 +1026,12 @@ KBUILD_CFLAGS += -Wno-pointer-sign
>  # globally built with -Wcast-function-type.
>  KBUILD_CFLAGS += $(call cc-option, -Wcast-function-type)
>  
> +# To gain proper coverage for CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE,
> +# the kernel uses only C99 flexible arrays for dynamically sized trailing
> +# arrays. Enforce this for everything that may examine structure sizes and
> +# perform bounds checking.
> +KBUILD_CFLAGS += $(call cc-option, -fstrict-flex-arrays=3)
> +
>  # disable stringop warnings in gcc 8+
>  KBUILD_CFLAGS += $(call cc-disable-warning, stringop-truncation)
>  
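Review bot: the new Makefile comment states "the kernel uses only C99 flexible arrays for dynamically sized trailing arrays", but the commit message says enabling the flag is meant to "track down any outstanding cases of fake flexible arrays", so the comment describes a state that is not yet true; consider wording it as a requirement ("must use only C99 flexible arrays") and mentioning that newly surfaced CONFIG_UBSAN_BOUNDS / CONFIG_FORTIFY_SOURCE reports after this change point at such fake arrays, which also addresses the bisection concern raised in the thread.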
> -- 
> 2.34.1
>
Sam James May 17, 2023, 11:47 p.m. UTC | #2
Kees Cook <keescook@chromium.org> writes:

> The -fstrict-flex-arrays=3 option is now available with the release
> of GCC 13[1] and Clang 16[2]. This feature instructs the compiler to
> treat only C99 flexible arrays as dynamically sized for the purposes of
> object size calculations. In other words, the ancient practice of using
> 1-element arrays, or the GNU extension of using 0-sized arrays, as a
> dynamically sized array is disabled. This allows CONFIG_UBSAN_BOUNDS,
> CONFIG_FORTIFY_SOURCE, and other object-size aware features to behave
> unambiguously in the face of trailing arrays: only C99 flexible arrays
> are considered to be dynamically sized.
>
> Enabling this will help track down any outstanding cases of fake
> flexible arrays that need attention in kernel code.
>
> [1] https://gcc.gnu.org/onlinedocs/gcc/C-Dialect-Options.html#index-fstrict-flex-arrays
> [2] https://clang.llvm.org/docs/ClangCommandLineReference.html#cmdoption-clang-fstrict-flex-arrays
>

Maybe link to https://people.kernel.org/kees/bounded-flexible-arrays-in-c as well 
just in case some confused soul ends up bisecting to this but doesn't
get the problem?

Not really required though, just a thought I had.
Kees Cook May 17, 2023, 11:54 p.m. UTC | #3
On Thu, May 18, 2023 at 12:47:41AM +0100, Sam James wrote:
> 
> Kees Cook <keescook@chromium.org> writes:
> 
> > The -fstrict-flex-arrays=3 option is now available with the release
> > of GCC 13[1] and Clang 16[2]. This feature instructs the compiler to
> > treat only C99 flexible arrays as dynamically sized for the purposes of
> > object size calculations. In other words, the ancient practice of using
> > 1-element arrays, or the GNU extension of using 0-sized arrays, as a
> > dynamically sized array is disabled. This allows CONFIG_UBSAN_BOUNDS,
> > CONFIG_FORTIFY_SOURCE, and other object-size aware features to behave
> > unambiguously in the face of trailing arrays: only C99 flexible arrays
> > are considered to be dynamically sized.
> >
> > Enabling this will help track down any outstanding cases of fake
> > flexible arrays that need attention in kernel code.
> >
> > [1] https://gcc.gnu.org/onlinedocs/gcc/C-Dialect-Options.html#index-fstrict-flex-arrays
> > [2] https://clang.llvm.org/docs/ClangCommandLineReference.html#cmdoption-clang-fstrict-flex-arrays
> >
> 
> Maybe link to https://people.kernel.org/kees/bounded-flexible-arrays-in-c as well 
> just in case some confused soul ends up bisecting to this but doesn't
> get the problem?
> 
> Not really required though, just a thought I had.

Ah yeah, good idea! :)

Patch

diff --git a/Makefile b/Makefile
index f836936fb4d8..07e5aec1daf5 100644
--- a/Makefile
+++ b/Makefile
@@ -1026,6 +1026,12 @@  KBUILD_CFLAGS += -Wno-pointer-sign
 # globally built with -Wcast-function-type.
 KBUILD_CFLAGS += $(call cc-option, -Wcast-function-type)
 
+# To gain proper coverage for CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE,
+# the kernel uses only C99 flexible arrays for dynamically sized trailing
+# arrays. Enforce this for everything that may examine structure sizes and
+# perform bounds checking.
+KBUILD_CFLAGS += $(call cc-option, -fstrict-flex-arrays=3)
+
 # disable stringop warnings in gcc 8+
 KBUILD_CFLAGS += $(call cc-disable-warning, stringop-truncation)
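Review bot: `$(call cc-option, -fstrict-flex-arrays=3)` only probes whether the compiler accepts the flag, so on toolchains older than the GCC 13 / Clang 16 named in the commit message the option is silently dropped and the comment's "Enforce this for everything that may examine structure sizes" does not hold; consider stating those minimum versions in the comment so a reader of the Makefile knows when the CONFIG_UBSAN_BOUNDS / CONFIG_FORTIFY_SOURCE coverage described here is actually strict rather than best-effort.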