Fixing arithmetic overflow flaws in C is especially difficult because the language gives developers so little to work with: the standard leaves signed overflow undefined while unsigned arithmetic silently wraps, and without overloadable operators (as in C++) there are neither semantics nor types for explicitly selecting an overflow resolution strategy. The common choices are: undefined behavior (thankfully no longer present in the kernel, which builds with -fno-strict-overflow), wrap-around (the current behavior), trap (using sanitizers), or saturate (e.g. refcount_t). Annotating all arithmetic in the Linux kernel will be a large job, since whether a given calculation was intended to wrap around is rarely obvious from the code. Luckily there are a handful of distinct code patterns that the compiler can recognize, eliminating some of the human work. We'll explore the plans to extend the existing arithmetic overflow sanitizers to express overflow resolution strategies for a given typedef, and another proposal that would provide a generalized way to overload operators for specific types (the _Operator statement). Either method would allow the creation of types with an unambiguous expectation for their overflow resolution (e.g. "int_wrap", "u32_trap"), leading us away from unexpected arithmetic outcomes.
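The four resolution strategies named above, written out explicitly in C so the difference is visible on one input. This is an added example, not code from the talk or from the kernel: the `u32_add_*`, `int_add_*` and `array_bytes` helpers are hypothetical stand-ins for what a `u32_wrap`/`u32_trap`/`u32_sat` typedef would give you for free, built on the GCC/Clang `__builtin_*_overflow` builtins that the kernel's own overflow helpers also use. The trap variant aborts, so the demo only prints the other three.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Result type for the "checked" strategy: the value plus whether the
 * computation overflowed. Hypothetical helper, not kernel API. */
struct u32_result {
    uint32_t value;
    bool overflow;
};

/* Strategy: wrap-around. Unsigned arithmetic wraps modulo 2^32 by the C
 * standard, so this is exactly what plain `+` already does on a u32. */
static uint32_t u32_add_wrap(uint32_t a, uint32_t b)
{
    return a + b;
}

/* Strategy: check. __builtin_add_overflow (GCC/Clang) computes the sum in
 * infinite precision and reports whether it fit into the result type. */
static struct u32_result u32_add_checked(uint32_t a, uint32_t b)
{
    struct u32_result r;
    r.overflow = __builtin_add_overflow(a, b, &r.value);
    return r;
}

/* Strategy: trap. What a trapping -fsanitize=unsigned-integer-overflow
 * build would do to every u32 `+`: abort instead of continuing with a
 * wrapped value that a later length check or allocation would trust. */
static uint32_t u32_add_trap(uint32_t a, uint32_t b)
{
    uint32_t r;
    if (__builtin_add_overflow(a, b, &r))
        __builtin_trap();
    return r;
}

/* Strategy: saturate. Clamp at the type maximum, the way refcount_t pins a
 * counter at its saturated value rather than wrapping back to zero. */
static uint32_t u32_add_sat(uint32_t a, uint32_t b)
{
    uint32_t r;
    return __builtin_add_overflow(a, b, &r) ? UINT32_MAX : r;
}

/* Signed variants. Overflowing `int + int` is undefined behaviour in
 * standard C; the kernel builds with -fno-strict-overflow to get wrapping.
 * Here the wrap is made explicit by going through unsigned arithmetic. */
static int int_add_wrap(int a, int b)
{
    /* unsigned addition is defined; the conversion back is two's
     * complement on every target the kernel supports. */
    return (int)((unsigned)a + (unsigned)b);
}

static int int_add_sat(int a, int b)
{
    int r;
    if (!__builtin_add_overflow(a, b, &r))
        return r;
    /* a + b can only exceed INT_MAX when b >= 0, or drop below INT_MIN
     * when b < 0, so the sign of b picks the clamp. */
    return b < 0 ? INT_MIN : INT_MAX;
}

/* The classic security-relevant instance: count * size for an allocation.
 * With wrap-around the product silently becomes small, the allocation is
 * undersized, and later writes run off its end. Returning SIZE_MAX on
 * overflow (as the kernel's array_size() helper does) makes the allocation
 * fail instead. */
static size_t array_bytes(size_t count, size_t elem_size)
{
    size_t bytes;
    if (__builtin_mul_overflow(count, elem_size, &bytes))
        return SIZE_MAX;
    return bytes;
}

int main(void)
{
    uint32_t a = UINT32_MAX - 1, b = 5;   /* constructed input that overflows */

    printf("wrap:     %u\n", u32_add_wrap(a, b));
    printf("checked:  overflow=%d\n", u32_add_checked(a, b).overflow);
    printf("saturate: %u\n", u32_add_sat(a, b));
    printf("int wrap: %d\n", int_add_wrap(INT_MAX, 1));
    printf("int sat:  %d\n", int_add_sat(INT_MAX, 1));
    printf("alloc:    %zu\n", array_bytes(SIZE_MAX / 2 + 1, 2));
    /* u32_add_trap(a, b) would abort the process here. */
    return 0;
}
```

The point of the example is that the source expression `a + b` is identical in every case; only the chosen strategy differs, which is why a per-typedef strategy (or an overloaded operator) is attractive: the intent lives in the type rather than in a helper call that every site has to remember to use.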
Kees Cook has been working with Free Software since 1994, has been a Debian Developer since 2007, and has been a member of the Linux Kernel Technical Advisory Board since 2019. He is currently employed as a Linux kernel security engineer by Google, focusing on upstream kernel security...