On Fri, Aug 26, 2016 at 09:42:42AM -0400, Kees Cook wrote: > On Thu, Aug 25, 2016 at 11:27 PM, Josh Poimboeuf <jpoim...@redhat.com> wrote: > > On Thu, Aug 25, 2016 at 10:14:36PM -0400, Kees Cook wrote: > >> Okay, right. __builtin_object_size() is totally fine, I absolutely > >> misspoke: it's the resolution of const value ranges. I wouldn't expect > >> gcc to warn here, though, since "copy + 1" isn't a const value... > > > > Look at the code again :-) > > > > __copy_to_user_overflow(), which does the "provably correct" warning, is > > "called" when the copy size is non-const (and the object size is const). > > So "copy + 1" being non-const is consistent with the warning. > > Right, yes. Man, this is hard to read. All the names are the same. ;)
Yeah, agreed. The code is way too cryptic. > So this will trigger when the object size is known but the copy length > is non-const? Right. > When I played with re-enabling this in the past, I didn't hit very > many false positives. I sent a bunch of patches a few months back for > legitimate problems that this warning pointed out, so I'm a bit > cautious to just entirely drop it. Ah, I didn't realize that. We should definitely keep DEBUG_STRICT_USER_COPY_CHECKS then. Though it would be *really* nice to find a way to associate some kind of whitelist with it to separate the wheat from all the chaff. -- Josh
