On Thursday, 19.10.2023 at 16:33 -0700, Kees Cook wrote:
> On Wed, Oct 18, 2023 at 09:11:43PM +0000, Qing Zhao wrote:
> > As I replied to Martin in another email, I plan to do the following to
> > resolve this issue:
> >
> > 1. No specification for signed or unsigned for counted_by field.
> > 2. Add a sanitizer option -fsanitize=counted-by-bound to catch the cases
> > when the size of the counted-by is not positive.
>
> I don't understand why this needs to be a runtime sanitizer. The
> signedness is known at compile time, so I would expect a -W option.

The signedness of the type but not of the value. But I would not want to
have a warning for signed counter types by default because I would prefer
to use signed types (for various reasons including better overflow
detection).

> Or do you mean you'd split up -fsanitize=bounds between unsigned and signed
> indexes? I'd find that kind of awkward for the kernel... but I feel like
> I've misunderstood something. :)
>
> -Kees

The idea would be to detect at run-time the case if x->buf is used at a
time where x->counter is negative and also when x->counter * sizeof(x->buf[0])
overflows or is too big.

This would be similar to

int a[n];

where it is detected at run-time if n is not positive.

Martin
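The run-time checks Martin describes (a negative counter, counter * element size overflowing or exceeding the allocation, and an index beyond the counter), written out as an added C example that is not GCC's or the kernel's code; `struct buf`, `check_counter`, `checked_index` and `probe` are assumed, illustrative names.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed example: a flexible array whose length lives in a signed counter,
 * the shape counted_by describes (hypothetical names, not from the GCC patch). */
struct buf {
    long counter;   /* signed on purpose, as preferred in the thread */
    long data[];    /* element count is given by counter */
};

enum check_result { CHECK_OK, CHECK_NEGATIVE, CHECK_OVERFLOW, CHECK_OUT_OF_RANGE };

/* Checks on the counter itself: reject a negative count, a count whose byte
 * size overflows size_t, and a count claiming more bytes than the allocation. */
static enum check_result check_counter(long counter, size_t elem_size, size_t array_bytes)
{
    if (counter < 0)
        return CHECK_NEGATIVE;
    if ((size_t)counter > SIZE_MAX / elem_size)   /* counter * elem_size overflows */
        return CHECK_OVERFLOW;
    if ((size_t)counter * elem_size > array_bytes)
        return CHECK_OUT_OF_RANGE;
    return CHECK_OK;
}

/* Bounds check for x->data[i]: validate the counter, then the index against it. */
static enum check_result checked_index(const struct buf *x, long i, size_t array_bytes)
{
    enum check_result r = check_counter(x->counter, sizeof x->data[0], array_bytes);
    if (r != CHECK_OK)
        return r;
    return (i < 0 || i >= x->counter) ? CHECK_OUT_OF_RANGE : CHECK_OK;
}

/* Constructed probe: a 4-slot allocation whose counter the caller sets, so the
 * negative, too-large, overflowing and in-range cases can all be exercised. */
static enum check_result probe(long counter, long index)
{
    enum { CAP = 4 };
    size_t array_bytes = CAP * sizeof(long);
    struct buf *x = malloc(sizeof *x + array_bytes);
    if (!x)
        abort();
    x->counter = counter;
    enum check_result r = checked_index(x, index, array_bytes);
    free(x);
    return r;
}
```

A counter that the allocation never covered (probe(8, 0) below) is caught before any element is touched, which is the case a plain index-only bounds check would miss.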