
Flexible Array Transformations and Array-bounds Checking

2022-09-15

Authors: Gustavo A. R. Silva


Summary

The presentation discusses the importance of removing the ambiguity of trailing arrays from the kernel and adopting C99 flexible array members to improve security. The speaker shares their experience transforming one-element arrays into flexible array members and the challenges they faced.
  • Flexible array members should be used instead of one-element arrays, so that trailing arrays can be properly bounds-checked and the vulnerabilities that hide behind them prevented
  • Transforming one-element arrays into flexible array members is time-consuming and requires careful verification
  • Sanity checking can be added to all trailing arrays through the use of a fortified memcpy()
  • Monitoring code check-ins can help prevent the introduction of new one-element arrays
The speaker also describes monitoring code check-ins and receiving email notifications when offending code is detected. They initially feared this would be noisy, but found it to be a useful tool over time.

Abstract

Having a dynamically-sized trailing array at the end of a structure is a useful code construct in the Linux kernel. However, the lack of proper bounds-checking on such objects is concerning and worth the effort to remediate. This presentation is about the different strategies we, in the Kernel Self-Protection Project, have been following over the last couple of years to transform trailing zero-length and one-element arrays into modern C99 flexible-array members, and the problems we have run into in the process. We will touch on how this work is closely related and helpful to the most recent efforts to harden key APIs like memcpy() and to globally enable options like -Warray-bounds. We will explain how we have been addressing the particularly challenging one-element array to flexible-array member transformations in UAPI. We will also see how the fact that compilers like GCC have historically treated all trailing arrays, no matter their declared size, as flexible-sized arrays is problematic and causes trouble when it comes to performing proper array-bounds checking on such objects, and how the introduction of a new option like -fstrict-flex-arrays could help.
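The following is an added, stand-alone example illustrating the transformation the summary and abstract describe; it is not code from the talk or from the kernel tree. It places a one-element-array structure (the legacy form) next to its flexible-array-member replacement, shows why the legacy size arithmetic is ambiguous, and implements an overflow-safe size helper modelled on the kernel's struct_size() (the helper, the struct names and the payload bytes are assumptions made up for this example; the overflow builtins require GCC or Clang).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Legacy construct: a one-element array standing in for a variable-length
 * tail. sizeof(struct legacy_msg) already includes one data element, so
 * callers historically wrote either "sizeof(*m) + n * sizeof(elem)" (wastes an
 * element) or "sizeof(*m) + (n - 1) * sizeof(elem)" (wraps when n == 0). That
 * ambiguity is what makes bounds-checking such objects hard. */
struct legacy_msg {
    uint32_t len;
    uint8_t data[1];
};

/* Modern C99 flexible array member: data[] contributes no bytes to sizeof, so
 * the only correct size is sizeof(struct msg) + n * sizeof(uint8_t). */
struct msg {
    uint32_t len;
    uint8_t data[];
};

/* Overflow-safe size calculation, modelled on the kernel's struct_size()
 * helper (simplified and hypothetical: the kernel's macro is type-generic).
 * Returns SIZE_MAX on overflow so a later allocation fails loudly instead of
 * being undersized. */
static size_t msg_struct_size(size_t count)
{
    size_t bytes;

    if (__builtin_mul_overflow(count, sizeof(uint8_t), &bytes))
        return SIZE_MAX;
    if (__builtin_add_overflow(sizeof(struct msg), bytes, &bytes))
        return SIZE_MAX;
    return bytes;
}

/* The legacy arithmetic as it commonly appeared, kept for comparison: with
 * count == 0 the (count - 1) term wraps and the result is smaller than the
 * structure itself. Unsigned wraparound is well defined, so no UB here. */
static size_t legacy_msg_size(size_t count)
{
    return sizeof(struct legacy_msg) + (count - 1) * sizeof(uint8_t);
}

/* Allocate a message and copy the payload into the flexible array. The
 * destination is exactly count bytes long, which is the property a fortified
 * memcpy() can check once the array is a real flexible array member. */
static struct msg *msg_alloc(const uint8_t *payload, size_t count)
{
    size_t bytes = msg_struct_size(count);
    struct msg *m;

    if (bytes == SIZE_MAX || count > UINT32_MAX)
        return NULL;
    m = malloc(bytes);
    if (!m)
        return NULL;
    m->len = (uint32_t)count;
    memcpy(m->data, payload, count);
    return m;
}

/* Sum the payload so a caller can confirm the copy round-tripped intact. */
static unsigned int msg_checksum(const struct msg *m)
{
    unsigned int sum = 0;

    for (uint32_t i = 0; i < m->len; i++)
        sum += m->data[i];
    return sum;
}

int main(void)
{
    /* Constructed sample payload for the example. */
    static const uint8_t payload[] = { 1, 2, 3 };
    struct msg *m = msg_alloc(payload, sizeof(payload));

    if (!m)
        return 1;
    printf("sizeof(legacy_msg)=%zu sizeof(msg)=%zu\n",
           sizeof(struct legacy_msg), sizeof(struct msg));
    printf("legacy size for count=0 wraps to %zu\n", legacy_msg_size(0));
    printf("flex size for count=3 is %zu, checksum %u\n",
           msg_struct_size(sizeof(payload)), msg_checksum(m));
    free(m);
    return 0;
}
```

Compiling the block with -Warray-bounds and, on a GCC that has it, -fstrict-flex-arrays lets you see the difference between the two declarations for yourself: the flexible-array version gives the compiler and a fortified memcpy() an unambiguous trailing array to check, whereas the one-element form does not.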

Materials: