<div dir="ltr"><div dir="auto"><div><div class="gmail_quote"><div dir="ltr">On Sun, Apr 22, 2018, 5:11 AM David Chisnall via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a>> wrote:</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I disagree, because it depends on what you mean by dereference.  If it is safe to dereference NULL, then that means that it is also safe to hoist the null dereference above the check.  For example:<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">Nope. The intent is that NULL is <i>potentially</i> dereferenceable, just as any other address would be. Not that it's known to <i>always</i> be dereferenceable.</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
        if (x == NULL)<br>
                return;<br>
        y = *x;<br>
<br>
Is safe to transform into:<br>
<br>
        y = *x;<br>
        if (x == NULL)<br>
                return;<br>
<br>
        The load is guaranteed not to trap by the fact that NULL is a dereferenceable address.</blockquote><div><br></div><div>That transform is still not safe with the new flag, because you do not know that address 0 is dereferenceable in that code. You also don't know that it's definitely _not_ dereferenceable, however -- which is the new behavior.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Any code that is loading or storing from null prior to a null check probably doesn’t mind if the null check is then elided, because it’s going to trap anyway (supporting C code that allows loads and stores from an address with a bit pattern of 0 when interpreted as an integer is incredibly hard, as our friends at IBM can attest).  <br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">No -- the kernel <i>does</i> mind exactly this, because in some circumstances, dereferencing null <i>does not trap</i> in kernel context. So you end up with both no trap and no check, and a security vulnerability. That's less true now, with the various other protections e.g. min_mmap_address sysctl, SMAP, and others, but still, the desire is to keep this from happening.</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><div>Here is the commit which started using the flag in the kernel:</div><div><br></div><div>
<p class="m_6878967827536388805gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(175,173,36);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures">commit a3ca86aea507904148870946d599e07a340b39bf</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures">Author: Eugene Teo <<a href="mailto:eteo@redhat.com" target="_blank">eteo@redhat.com</a>></span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures">Date: <span class="m_6878967827536388805gmail-Apple-converted-space">  </span>Wed Jul 15 14:59:10 2009 +0800</span></p>
<p class="m_6878967827536388805gmail-p3" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255);min-height:13px"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>Add '-fno-delete-null-pointer-checks' to gcc CFLAGS</span></p>
<p class="m_6878967827536388805gmail-p3" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255);min-height:13px"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span></span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>Turning on this flag could prevent the compiler from optimising away</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>some "useless" checks for null pointers.<span class="m_6878967827536388805gmail-Apple-converted-space">  </span>Such bugs can sometimes become</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>exploitable at compile time because of the -O2 optimisation.</span></p>
<p class="m_6878967827536388805gmail-p3" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255);min-height:13px"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span></span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>See <a href="http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Optimize-Options.html" target="_blank">http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Optimize-Options.html</a></span></p>
<p class="m_6878967827536388805gmail-p3" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255);min-height:13px"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span></span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>An example that clearly shows this 'problem' is commit 6bf67672.</span></p>
<p class="m_6878967827536388805gmail-p3" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255);min-height:13px"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span></span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">     </span>static void __devexit agnx_pci_remove(struct pci_dev *pdev)</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">     </span>{</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">         </span>struct ieee80211_hw *dev = pci_get_drvdata(pdev);</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>-<span class="m_6878967827536388805gmail-Apple-converted-space">    </span>struct agnx_priv *priv = dev->priv;</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>+<span class="m_6878967827536388805gmail-Apple-converted-space">    </span>struct agnx_priv *priv;</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">         </span>AGNX_TRACE;</span></p>
<p class="m_6878967827536388805gmail-p3" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255);min-height:13px"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span></span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">         </span>if (!dev)</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">             </span>return;</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>+<span class="m_6878967827536388805gmail-Apple-converted-space">    </span>priv = dev->priv;</span></p>
<p class="m_6878967827536388805gmail-p3" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255);min-height:13px"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span></span></p>
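<p>Review bot: the hunk is the right fix, and the commit message could say in one line why it works: the removed <code>struct agnx_priv *priv = dev-&gt;priv;</code> dereferences dev before <code>if (!dev)</code>, which is what entitles the optimiser to treat dev as already proven non-null and drop the test; once the load is moved to <code>priv = dev-&gt;priv;</code> below the check there is no earlier dereference to justify that inference, so the test survives with or without -fno-delete-null-pointer-checks. One thing to confirm before merging: <code>AGNX_TRACE;</code> still executes between the declaration and the check, so it must not touch dev either, or the same elision comes straight back.</p>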
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>By reverting this patch, and compile it with and without</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>-fno-delete-null-pointer-checks flag, we can see that the check for dev</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>is compiled away.</span></p>
<p class="m_6878967827536388805gmail-p3" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255);min-height:13px"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span></span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">        </span>call<span class="m_6878967827536388805gmail-Apple-converted-space">    </span>printk<span class="m_6878967827536388805gmail-Apple-converted-space">  </span>#</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>- <span class="m_6878967827536388805gmail-Apple-converted-space">  </span>testq <span class="m_6878967827536388805gmail-Apple-converted-space">  </span>%r12, %r12<span class="m_6878967827536388805gmail-Apple-converted-space">  </span># dev</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>- <span class="m_6878967827536388805gmail-Apple-converted-space">  </span>je<span class="m_6878967827536388805gmail-Apple-converted-space">  </span>.L94<span class="m_6878967827536388805gmail-Apple-converted-space">    </span>#,</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">        </span>movq<span class="m_6878967827536388805gmail-Apple-converted-space">    </span>%r12, %rdi<span class="m_6878967827536388805gmail-Apple-converted-space">  </span># dev,</span></p>
<p class="m_6878967827536388805gmail-p3" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255);min-height:13px"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span></span></p>
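<p>Review bot: the assembly excerpt should say which build each side comes from. Read together with the sentence above it, the <code>-</code> lines (<code>testq %r12, %r12</code> / <code>je .L94</code>) are the null test that the plain -O2 build drops and the -fno-delete-null-pointer-checks build keeps; stating that explicitly, along with the gcc version used, would make the evidence reproducible by anyone re-running the comparison.</p>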
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>Clearly the 'fix' is to stop using dev before it is tested, but building</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>with -fno-delete-null-pointer-checks flag at least makes it harder to</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>abuse.</span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>Signed-off-by: Eugene Teo <<a href="mailto:eugeneteo@kernel.sg" target="_blank">eugeneteo@kernel.sg</a>></span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>Acked-by: Eric Paris <<a href="mailto:eparis@redhat.com" target="_blank">eparis@redhat.com</a>></span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>Acked-by: Wang Cong <<a href="mailto:amwang@redhat.com" target="_blank">amwang@redhat.com</a>></span></p>
<p class="m_6878967827536388805gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="m_6878967827536388805gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_6878967827536388805gmail-Apple-converted-space">    </span>Signed-off-by: Linus Torvalds <<a href="mailto:torvalds@linux-foundation.org" target="_blank">torvalds@linux-foundation.org</a>></span></p>
<br></div><div> </div></div></div></div></div>
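<p>An added example, not code from this thread or from the kernel commit quoted above: the pattern that commit fixes, reduced to a self-contained userspace program. <code>remove_deref_first</code> loads through the pointer before testing it, as the original <code>agnx_pci_remove</code> did, and <code>remove_check_first</code> tests first. The struct and function names (<code>fake_hw</code>, <code>fake_priv</code>, <code>make_hw</code>, and so on) are made up stand-ins for the kernel types; the build lines in the header comment are how to confirm, from the generated assembly rather than at run time, whether your compiler actually deletes the check.</p>

```c
/*
 * Added example (not from the cfe-dev thread or the kernel commit).
 *
 * Verify the elision with the compiler, not at run time:
 *   gcc -O2 -S -o default.s nullcheck.c
 *   gcc -O2 -S -o keepchk.s -fno-delete-null-pointer-checks nullcheck.c
 * Compare remove_deref_first() in the two outputs: the test of its
 * argument should be present in keepchk.s and absent in default.s, the
 * same testq/je pair the quoted commit message showed disappearing.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the kernel's ieee80211_hw / agnx_priv. */
struct fake_priv {
    int refs;
};

struct fake_hw {
    struct fake_priv *priv;
};

/* Mirrors the pre-fix agnx_pci_remove(): dev->priv is loaded BEFORE the
 * null test.  With -fdelete-null-pointer-checks (the -O2 default) the
 * compiler is entitled to treat that load as proof that dev != NULL and
 * delete the test.  Calling this with NULL is undefined behaviour. */
int remove_deref_first(struct fake_hw *dev)
{
    struct fake_priv *priv = dev->priv;  /* dereference first ... */

    if (!dev)                            /* ... so this check is dead */
        return -1;

    priv->refs--;
    return 0;
}

/* Mirrors the post-fix version: test first, load after.  No dereference
 * precedes the check, so nothing lets the optimiser assume dev is
 * non-null, whether or not -fno-delete-null-pointer-checks is given. */
int remove_check_first(struct fake_hw *dev)
{
    struct fake_priv *priv;

    if (!dev)
        return -1;

    priv = dev->priv;
    priv->refs--;
    return 0;
}

/* Test scaffolding: a constructed device holding one reference. */
struct fake_hw *make_hw(void)
{
    struct fake_hw *dev = calloc(1, sizeof *dev);
    if (!dev)
        return NULL;
    dev->priv = calloc(1, sizeof *dev->priv);
    if (!dev->priv) {
        free(dev);
        return NULL;
    }
    dev->priv->refs = 1;
    return dev;
}

void free_hw(struct fake_hw *dev)
{
    if (!dev)
        return;
    free(dev->priv);
    free(dev);
}

/* Exercises the safe variant on NULL and on a real device.  Returns 1 when
 * NULL is rejected and the real device's reference count is dropped. */
int demo_check_first(void)
{
    struct fake_hw *dev = make_hw();
    int ok = dev != NULL;

    ok = ok && remove_check_first(NULL) == -1;
    ok = ok && remove_check_first(dev) == 0;
    ok = ok && dev->priv->refs == 0;
    free_hw(dev);
    return ok;
}

/* The unsafe variant is only ever fed a real device here.  On a valid
 * pointer both variants behave identically, which is exactly why the
 * missing check goes unnoticed until dev really is NULL. */
int demo_deref_first(void)
{
    struct fake_hw *dev = make_hw();
    int ok = dev != NULL;

    ok = ok && remove_deref_first(dev) == 0;
    ok = ok && dev->priv->refs == 0;
    free_hw(dev);
    return ok;
}

int main(void)
{
    printf("check-first variant: %s\n", demo_check_first() ? "ok" : "FAIL");
    printf("deref-first variant (valid dev only): %s\n",
           demo_deref_first() ? "ok" : "FAIL");
    return 0;
}
```

<p>Running the program proves nothing about the elision, since no test can safely pass NULL to the deref-first variant; the point of the two build lines is that the check's presence is a property of the object code, and that is where it has to be verified.</p>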