You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Background: Many vulnerabilities in C/C++ programs are caused by a read or write outside of a buffer, which can't happen by default in other languages. C++ developers can often prevent this by using various data types, but C can't use those C++ data types, and C++ may, for various reasons, use the C subset. In C, what you have usually is an array. The bounds information typically exists, but there has been no standard way to indicate the bounds nor to automatically check the bounds.
There are emerging attributes in GCC & LLVM/clang to record the active bounds of buffers in a common way, along with mechanisms to check them. Clang has an experimental set of mechanisms which they intend to use to implement checks, and the Linux kernel has started using some of those mechanisms.
Per the LLVM docs, "The bounds annotations are C type attributes appertaining to pointer types. If an attribute is added to the position of a declaration attribute, e.g., int *ptr __counted_by(size), the attribute appertains to the outermost pointer type of the declaration (int *)." Note in this example __counted_by is a macro that expands to attribute((counted_by(T))) which is the standard syntax for all attributes in clang and gcc.
I understand that GCC 12 implements a __counted_by with some significant restrictions, but for some situations that may be enough.
I focused on "counted_by" here, but there are many other annotations being developed to allow direct expressions of bounds. For example:
__sized_by(N) : The pointer points to memory that contains N bytes....
__ended_by(P) : The pointer has the upper bound of value P, which is one past the last element of the pointer.
__null_terminated : The pointer or array is terminated by NULL or 0.
__terminated_by(T) : The pointer or array is terminated by T which is a constant expression.
This is probably separate from the "C/C++ Compiler Hardening Guide" but I think many of the same group should be involved.
I don't know if this is "too soon" to create a recommendation, as work is still ongoing. However, the fact that the Linux kernel is adding this for flexible structures suggests that it might be useful to create a guide for early adopters.
The text was updated successfully, but these errors were encountered:
Background: Many vulnerabilities in C/C++ programs are caused by a read or write outside of a buffer, which can't happen by default in other languages. C++ developers can often prevent this by using various data types, but C can't use those C++ data types, and C++ may, for various reasons, use the C subset. In C, what you have usually is an array. The bounds information typically exists, but there has been no standard way to indicate the bounds nor to automatically check the bounds.
There are emerging attributes in GCC & LLVM/clang to record the active bounds of buffers in a common way, along with mechanisms to check them. Clang has an experimental set of mechanisms which they intend to use to implement checks, and the Linux kernel has started using some of those mechanisms.
Per the LLVM docs, "The bounds annotations are C type attributes appertaining to pointer types. If an attribute is added to the position of a declaration attribute, e.g., int *ptr __counted_by(size), the attribute appertains to the outermost pointer type of the declaration (int *)." Note in this example __counted_by is a macro that expands to attribute((counted_by(T))) which is the standard syntax for all attributes in clang and gcc.
https://lore.kernel.org/lkml/[email protected]/T/
https://clang.llvm.org/docs/BoundsSafetyImplPlans.html
https://clang.llvm.org/docs/BoundsSafety.html
https://lwn.net/Articles/946041/
I understand that GCC 12 implements a __counted_by with some significant restrictions, but for some situations that may be enough.
I focused on "counted_by" here, but there are many other annotations being developed to allow direct expressions of bounds. For example:
This is probably separate from the "C/C++ Compiler Hardening Guide" but I think many of the same group should be involved.
I don't know if this is "too soon" to create a recommendation, as work is still ongoing. However, the fact that the Linux kernel is adding this for flexible structures suggests that it might be useful to create a guide for early adopters.
The text was updated successfully, but these errors were encountered: