NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

noOverflow: An effort to fight integer overflow for security and correctness #51649

Open nh2 opened 5 years ago

nh2 commented 5 years ago

This is an overflow issue coordinating and summarising multiple activities.

Goal

To build a hardened nixpkgs overlay in which integer overflow is forbidden and fails loudly.

Fix as many packages as possible and submit as many fixes upstream as possible.

Rationale

Accidental integer overflow has been a security and correctness nightmare for ages, and is becoming ever more frequent.

If we continue like this, humanity isn't going to make it far. :rocket: :boom:

New programming languages like Rust already improve a lot on this by making all non-explicit integer overflows hard errors -- at least during developer (non-release) builds and runs.

But this is not enough: Even modern programming languages rely on many existing, older libraries (written e.g. in C) and some very modern and otherwise safe programming languages default to programmers throwing around non-explicit integer conversion constructs (like Haskell's fromIntegral, which has caused many bugs).

We strive to find and fix non-explicit overflow and make the results available.

We hope that nixpkgs' advanced tooling, programmable package set, and ease-of-community-contribution will make this feasible.

People interested

@nh2 @dtzWill

Add yourself here or ping to be added, or subscribe.

Useful terms

Items

Build an overlay to provide:

This list will get updated as progress is made.

You can add items here or ask for them to be added in the discussion below.
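As an added example (not part of nh2's issue and not code from nixpkgs), here is a minimal overlay of the kind the Goal describes: every C/C++ package built with this stdenv traps at runtime on signed integer overflow. It assumes only the standard `stdenv.mkDerivation` / `NIX_CFLAGS_COMPILE` hooks and the GCC/Clang UBSan flags named in the comments.

```nix
# Added example: an overlay that makes signed integer overflow fail loudly in
# every package built through this stdenv. Not from the issue or from nixpkgs.
self: super:
let
  # -fsanitize=signed-integer-overflow instruments signed +, -, * and unary -.
  # -fsanitize-undefined-trap-on-error turns a detected overflow into a trap
  # instruction (SIGILL) instead of a call into the UBSan runtime, so no
  # extra library has to be linked into each package.
  overflowFlags = [
    "-fsanitize=signed-integer-overflow"
    "-fsanitize-undefined-trap-on-error"
  ];

  # Wrap mkDerivation so the flags are appended to whatever a package
  # already sets (toString works for both a string and a list of strings).
  hardenedStdenv = super.stdenv // {
    mkDerivation = args: super.stdenv.mkDerivation (args // {
      NIX_CFLAGS_COMPILE =
        toString (args.NIX_CFLAGS_COMPILE or "") + " " + toString overflowFlags;
    });
  };
in
{
  stdenv = hardenedStdenv;
}
```

This only catches signed overflow, which is undefined behaviour in C; unsigned wraparound and lossy narrowing conversions are defined and need Clang-specific checks (`-fsanitize=unsigned-integer-overflow`, `-fsanitize=implicit-conversion`) and a review of each report, since some packages wrap intentionally.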

vcunat commented 5 years ago

I don't expect this will be easy. In C code I suspect it's very often not expressed whether an overflow (or lossy narrowing) is intentional or not. You might consider focusing on a smaller package set and wider set of problems than just integer overflow.

stale[bot] commented 4 years ago

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.