Stable kernels 2.6.27.27 and 2.6.30.2

[Posted July 20, 2009 by corbet]

The 2.6.27.27 and 2.6.30.2 stable kernel updates are available. There are a number of fixes in these releases, several of which are security-related. Among other things, the -fno-delete-null-pointer-checks compiler flag has been added and setuid programs lose the ability to map page zero.

Update: some users are reporting boot failures with both kernel updates; there may be yet another set of updates coming in the near future.

Stable kernels 2.6.27.27 and 2.6.30.2

Posted Jul 20, 2009 13:47 UTC (Mon) by kragil (guest, #34373) [Link]

Please release 2.6.27.28 12:34:56 7.8.9 (d.m.y)

Stable kernels 2.6.27.27 and 2.6.30.2

Posted Jul 20, 2009 14:05 UTC (Mon) by qg6te2 (guest, #52587) [Link] (13 responses)

Eugene Teo (1): Add '-fno-delete-null-pointer-checks' to gcc CFLAGS

I sincerely hope this isn't a permanent solution.

Stable kernels 2.6.27.27 and 2.6.30.2

Posted Jul 20, 2009 14:10 UTC (Mon) by proski (subscriber, #104) [Link] (4 responses)

Why?

By the way, it would be interesting to see which object files change if this option is enabled.

Perhaps future version of gcc should warn if they encounter NULL pointer checks that can be eliminated.

Stable kernels 2.6.27.27 and 2.6.30.2

Posted Jul 20, 2009 16:58 UTC (Mon) by vonbrand (subscriber, #4458) [Link] (3 responses)

Because leaving (unnecesary) checks in the generated code makes it worse?

Stable kernels 2.6.27.27 and 2.6.30.2

Posted Jul 20, 2009 18:46 UTC (Mon) by xorbe (guest, #3165) [Link] (2 responses)

Because 12 months from now, some new coder will come through and modify/enhance the functionality, and then accidentally break some key assumption, leading to a NULL pointer (or other condition). Or, perhaps it could be key in catching a memory corruption bug. I really hate when the compiler removes safety check (as I coded a "safety"/debug STL library once.) Sometimes you want the *#$^ compiler to do as you say, and not to second-guess the coder.

Stable kernels 2.6.27.27 and 2.6.30.2

Posted Jul 20, 2009 23:21 UTC (Mon) by qg6te2 (guest, #52587) [Link] (1 responses)

Say someone wants to compile the kernel with a compiler other than GCC -- what if the compiler doesn't have an equivalent to "-fno-delete-null-pointer-checks" ?

Stable kernels 2.6.27.27 and 2.6.30.2

Posted Jul 22, 2009 15:30 UTC (Wed) by nix (subscriber, #2304) [Link]

Add one, or fix the makefiles? The kernel pretty much depends on your compiler, whatever compiler it is, acting like GCC. This includes supporting similar language extensions (especially weird ones like the statement expression extension), and supporting command-line arguments which at least do the same thing, even if their names aren't the same.

Stable kernels 2.6.27.27 and 2.6.30.2

Posted Jul 20, 2009 15:10 UTC (Mon) by zorro (subscriber, #45643) [Link] (3 responses)

I agree with the sentiment. If there are no cases in which it makes sense to check a pointer for NULL after dereferencing it, why not make the compilation fail and remove the "-fno-delete-null-pointer-checks" option altogether?

Stable kernels 2.6.27.27 and 2.6.30.2

Posted Jul 20, 2009 15:40 UTC (Mon) by nybble41 (subscriber, #55106) [Link]

There are some cases where this pattern makes sense. For example, you might dereference a pointer which you know to be non-NULL by design, and then pass it to a generic macro intended to work where that isn't always the case. As things are, the compiler reasonably takes the dereference as a sign that the programmer knows the pointer to be non-NULL, and thus optimizes away the presumably redundant test.

With the recent changes this optimization is no longer performed, which--as a fix for a single obvious logic error in the code--will lead to less efficient code in general without solving the core issue, which is the failure to test for NULL before dereferencing a potentially-NULL pointer. It would make more sense to either guarantee that execution will not continue following a NULL dereference or classify all NULL dereferences as exploitable vulnerabilities (or both).

Stable kernels 2.6.27.27 and 2.6.30.2

Posted Jul 20, 2009 16:33 UTC (Mon) by luto (guest, #39314) [Link]

Because optimizers can be clever and might determine that knowing that something is non-NULL can allow some (legit) optimization, but the programmer shouldn't be obligated to do that optimization by hand to get the code to compile.

The reason that the kernel wants this option but userspace doesn't is because, in kernel space, an attacker might map something into address 0, so assuming that null pointer dereferences always crash is dangerous. In userspace, on the other hand, you've already been owned by the time someone maps something at address 0.

Stable kernels 2.6.27.27 and 2.6.30.2

Posted Jul 20, 2009 19:25 UTC (Mon) by stevenb (guest, #11536) [Link]

If there are no such cases, of course.

But examples abound. Simple one from http://lwn.net/Articles/342226/:

inline char foo(char *p) { if (p == 0) return 0; else return *p; }
char bar(char *p) { *p = 2; return foo(p); }
int main() { char c = 0; return bar(&c); }

I already see GCC bugzilla fill with complaints when it would no longer compile this (perfectly valid) piece of code with a redundant NULL pointer check...

Stable kernels 2.6.27.27 and 2.6.30.2

Posted Jul 20, 2009 16:27 UTC (Mon) by MisterIO (guest, #36192) [Link] (3 responses)

IMO the removal of "useless" checks for NULL is a legitimate but quite useless optimization. At most it'll just erase an if and that at the risk of more exploitable bugs?! No, thanks!

Stable kernels 2.6.27.27 and 2.6.30.2

Posted Jul 20, 2009 17:10 UTC (Mon) by cbcbcb (subscriber, #10350) [Link]

Although this optimisation looks useless ("why would a programmer write a NULL check where it was obvious the value couldn't be NULL anyway?"), this sort of thing actually occurs all the time.

Consider this: When a programmer writes a function, lets call it f(), it is good practice to validate all inputs and return an error code if they are not correct. If the programmer calls f() in a loop, and the compiler decides to inline f(), then these checks for parameters may be done repeatedly and cost significant time.

This is very important for C++ where inline functions are used more often than in C (eg when small functions are placed inside class definitions)

[Side note: in Java it is particularly important (for performance) to remove unneeded null pointer checks, because every pointer dereference implies a null pointer and array bounds check.]

Stable kernels 2.6.27.27 and 2.6.30.2

Posted Jul 20, 2009 19:28 UTC (Mon) by stevenb (guest, #11536) [Link] (1 responses)

Stop being so kernel-minded. The rest of the world would laugh at any compiler that doesn't do this optimization for their user space code. And even for the kernel it is a useful optimization in principle. What is missing, is a static checker to catch these mistakes, and/or a warning from GCC somehow when this happens within a function.

Stable kernels 2.6.27.27 and 2.6.30.2

Posted Jul 21, 2009 4:56 UTC (Tue) by MisterIO (guest, #36192) [Link]

I meant that it seems irrelevant and dangerous for the kernel, I didn't mean to say that it should be removed altogether. I doubt you'll see any noticeable differenct on the kernel performance without this optimization.