On Thu, Apr 15, 2021 at 3:38 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> Before anything else: yay! I'm really glad to see this RFC officially
> hit LKML. :)

Thanks! :)

> When originally learning Rust I was disappointed to see that (by default)
> Rust similarly ignores the overflow problem, but I'm glad to see the
> very intentional choices in the Rust-in-Linux design to deal with it
> directly. I think the default behavior should be saturate-with-WARN
> (this will match the ultimate goals of the UBSAN overflow support[1][2]
> in the C portions of the kernel). Rust code wanting wrapping/checking
> can expressly use those. The list of exploitable overflows is loooong,
> and this will remain a weakness in Rust unless we get it right from
> the start. What's not clear to me is if it's better to say "math with
> undeclared overflow expectation will saturate" or to say "all math must
> declare its overflow expectation".

+1

Agreed, we need to get this right (and ideally make both the C and Rust
sides agree...).

Cheers,
Miguel
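The three explicit overflow policies the thread contrasts (saturating with a warning, checked, and wrapping), shown on the classic allocation-size computation. This is an added user-space illustration, not code from the thread or from the Rust-for-Linux tree; `Saturated`, `sat_add_warn` and the `alloc_size_*` helpers are hypothetical names, and `eprintln!` stands in for the kernel's WARN().

```rust
// Added example (not part of the thread): the overflow policies under
// discussion, modelled in user space. All names here are hypothetical.

/// Result of a saturating operation together with an overflow flag, so the
/// caller (or, in the kernel, a WARN) can observe that clamping happened.
#[derive(Debug, PartialEq, Eq)]
pub struct Saturated<T> {
    pub value: T,
    pub overflowed: bool,
}

/// "Saturate-with-WARN": clamp to u32::MAX on overflow and report it.
/// eprintln! stands in for WARN(); the flag lets tests observe the event.
pub fn sat_add_warn(a: u32, b: u32) -> Saturated<u32> {
    let (value, overflowed) = a.overflowing_add(b);
    if overflowed {
        eprintln!("WARN: u32 add overflowed ({} + {}), saturating", a, b);
        return Saturated { value: u32::MAX, overflowed: true };
    }
    Saturated { value, overflowed: false }
}

/// Allocation size count * elem_size with checked arithmetic: an overflow
/// becomes None instead of an undersized buffer the caller then overruns.
pub fn alloc_size_checked(count: usize, elem_size: usize) -> Option<usize> {
    count.checked_mul(elem_size)
}

/// The same computation with wrapping arithmetic, which is what C does
/// silently and what Rust does in release builds without overflow-checks.
pub fn alloc_size_wrapping(count: usize, elem_size: usize) -> usize {
    count.wrapping_mul(elem_size)
}

fn main() {
    // Constructed inputs: one benign, one that overflows.
    println!("{:?}", sat_add_warn(1, 2));
    println!("{:?}", sat_add_warn(u32::MAX - 1, 5));
    println!("{:?}", alloc_size_checked(usize::MAX / 2, 4));
    println!("{}", alloc_size_wrapping(usize::MAX / 2, 4));
}
```

The wrapping variant yields `usize::MAX - 3` for the overflowing input, a small-looking size that would be handed to the allocator as if it were valid; the checked variant yields `None` and the saturating variant flags the event.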