| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Jul 2013 06:54:11 -0700 From: "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com> To: caf@...rana.org Cc: linux-kernel@...r.kernel.org, john.stultz@...aro.org, davem@...emloft.net, arnd@...db.de, mingo@...nel.org, torvalds@...ux-foundation.org Subject: Re: [PATCH jiffies] Avoid undefined behavior from signed overflow On Mon, Jul 29, 2013 at 03:30:35PM +1000, caf@...rana.org wrote: > Quoting "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>: > > >According to the C standard 3.4.3p3, overflow of a signed integer results > >in undefined behavior. This commit therefore changes the definitions > >of time_after() and time_after_eq() to avoid this undefined behavior. > >The trick is that the subtraction is done using unsigned arithmetic, > >which according to 6.2.5p9 cannot overflow because it is defined as > >modulo arithmetic. This has the added (though admittedly quite small) > >benefit of shortening two lines of code by four characters each. > > > >Note that the C standard considers the cast from signed to > >unsigned to be implementation-defined, see 6.3.1.3p3. However, on a > >two-complement system, an implementation that defines anything other > >than a reinterpretation of the bits is free come to me, and I will be > >happy to act as a witness for its being committed to an insane asylum. > >(Although I have nothing against saturating arithmetic or signals in > >some cases, these things really should not be the default.) > > Don't worry, the case from signed to unsigned is actually well-defined - > the relevant part is 6.3.1.3p2 (in C99): > > >Otherwise, if the new type is unsigned, the value is converted by > >repeatedly adding or subtracting one more than the maximum value that > >can be represented in the new type until the value is in the range of > >the new type. Yep, but we are going in the other direction, from unsigned to signed. > ...which ends up just being reinterpretation of the bits on a two's > complement system, as you'd hope (after sign-extension to the width of > the target unsigned type, that is). This actually means if you were > mad enough to implement C on a sign-magnitude system, you'd be forced to > do a non-trivial conversion in this case. Fortunately, I never used signed-magnitude systems. And even when I used ones-complement systems back in my misguided youth, I didn't write C programs for them. ;-) Thanx, Paul -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists