From: Kees Cook <keescook@xxxxxxxxxxxx> Subject: Compiler Attributes: add __alloc_size() for better bounds checking Patch series "Add __alloc_size() for better bounds checking", v2. GCC and Clang both use the "alloc_size" attribute to assist with bounds checking around the use of allocation functions. Add the attribute, adjust the Makefile to silence needless warnings, and add the hints to the allocators where possible. These changes have been in use for a while now in GrapheneOS. This patch (of 2): GCC and Clang can use the "alloc_size" attribute to better inform the results of __builtin_object_size() (for compile-time constant values). Clang can additionally use alloc_size to inform the results of __builtin_dynamic_object_size() (for run-time values). Because GCC sees the frequent use of struct_size() as an allocator size argument, and notices it can return SIZE_MAX (the overflow indication), it complains about these call sites may overflow (since SIZE_MAX is greater than the default -Walloc-size-larger-than=PTRDIFF_MAX). This isn't helpful since we already know a SIZE_MAX will be caught at run-time (this was an intentional design). Instead, just disable this check as it is both a false positive and redundant. (Clang does not have this warning option.) [keescook@xxxxxxxxxxxx: adjust warning logic for pre-9.1 gcc behaviors] Link: https://lkml.kernel.org/r/20210827151327.2729736-1-keescook@xxxxxxxxxxxx Link: https://lkml.kernel.org/r/20210818214021.2476230-1-keescook@xxxxxxxxxxxx Link: https://lkml.kernel.org/r/20210818214021.2476230-2-keescook@xxxxxxxxxxxx Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> Reviewed-by: Miguel Ojeda <ojeda@xxxxxxxxxx> Reviewed-by: Nathan Chancellor <nathan@xxxxxxxxxx> Tested-by: Randy Dunlap <rdunlap@xxxxxxxxxxxxx> Cc: Nick Desaulniers <ndesaulniers@xxxxxxxxxx> Cc: Andy Whitcroft <apw@xxxxxxxxxxxxx> Cc: Christoph Lameter <cl@xxxxxxxxx> Cc: Daniel Micay <danielmicay@xxxxxxxxx> Cc: David Rientjes <rientjes@xxxxxxxxxx> Cc: Dennis Zhou <dennis@xxxxxxxxxx> Cc: Dwaipayan Ray <dwaipayanray1@xxxxxxxxx> Cc: Joe Perches <joe@xxxxxxxxxxx> Cc: Joonsoo Kim <iamjoonsoo.kim@xxxxxxx> Cc: Lukas Bulwahn <lukas.bulwahn@xxxxxxxxx> Cc: Pekka Enberg <penberg@xxxxxxxxxx> Cc: Tejun Heo <tj@xxxxxxxxxx> Cc: Vlastimil Babka <vbabka@xxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- Makefile | 15 +++++++++++++++ include/linux/compiler_attributes.h | 6 ++++++ 2 files changed, 21 insertions(+) --- a/include/linux/compiler_attributes.h~compiler-attributes-add-__alloc_size-for-better-bounds-checking +++ a/include/linux/compiler_attributes.h @@ -54,6 +54,12 @@ #define __aligned_largest __attribute__((__aligned__)) /* + * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-alloc_005fsize-function-attribute + * clang: https://clang.llvm.org/docs/AttributeReference.html#alloc-size + */ +#define __alloc_size(x, ...) __attribute__((__alloc_size__(x, ## __VA_ARGS__))) + +/* * Note: users of __always_inline currently do not write "inline" themselves, * which seems to be required by gcc to apply the attribute according * to its docs (and also "warning: always_inline function might not be --- a/Makefile~compiler-attributes-add-__alloc_size-for-better-bounds-checking +++ a/Makefile @@ -1014,6 +1014,21 @@ ifdef CONFIG_CC_IS_GCC KBUILD_CFLAGS += -Wno-maybe-uninitialized endif +ifdef CONFIG_CC_IS_GCC +# The allocators already balk at large sizes, so silence the compiler +# warnings for bounds checks involving those possible values. While +# -Wno-alloc-size-larger-than would normally be used here, earlier versions +# of gcc (<9.1) weirdly don't handle the option correctly when _other_ +# warnings are produced (?!). Using -Walloc-size-larger-than=SIZE_MAX +# doesn't work (as it is documented to), silently resolving to "0" prior to +# version 9.1 (and producing an error more recently). Numeric values larger +# than PTRDIFF_MAX also don't work prior to version 9.1, which are silently +# ignored, continuing to default to PTRDIFF_MAX. So, left with no other +# choice, we must perform a versioned check to disable this warning. +# https://lore.kernel.org/lkml/20210824115859.187f272f@xxxxxxxxxxxxxxxx +KBUILD_CFLAGS += $(call cc-ifversion, -ge, 0901, -Wno-alloc-size-larger-than) +endif + # disable invalid "can't wrap" optimizations for signed / pointers KBUILD_CFLAGS += -fno-strict-overflow _