lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 9 Apr 2018 10:32:53 -0700
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     Sebastian Ott <sebott@...ux.ibm.com>
Cc:     Kees Cook <keescook@...omium.org>,
        Sebastian Ott <sebott@...ux.vnet.ibm.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Heiko Carstens <heiko.carstens@...ibm.com>,
        Martin Uecker <Martin.Uecker@....uni-goettingen.de>,
        Ingo Molnar <mingo@...nel.org>,
        Miguel Ojeda <miguel.ojeda.sandonis@...il.com>
Subject: Re: [bisected] 3c8ba0d61d04ced9f8d9ff93977995a9e4e96e91 oopses on s390

On Mon, Apr 9, 2018 at 10:14 AM, Linus Torvalds
<torvalds@...ux-foundation.org> wrote:
>
> Ugh, I find that really nasty to read, but it was obviously done
> because we hit this before.

Side note, we have a *lof* of those "__x" and "__y" names in the helper macros.

Clearly min/max was the only one we really had ever hit (because it
used to have that UNIQUE_ID thing), and the patch I sent hopefully
fixes the only real problem, but it would be good to perhaps look at
this in general.

And no, -Wshadow still isn't the right answer, because while it warns
about this, it also warns about a lot of perfectly normal cases where
we have shadowing of names but it doesn't really matter.

Maybe "make __UNIQUE_ID easier to use and encourage that model" is the
right answer.

Right now "__UNIQUE_ID" is actually really nasty in several ways:

 (1) the already mentioned "the fallback is broken for same-line use"

   This doesn't really matter because both gcc and clang have _true_
unique macros, but we should probably remove the fallback as "know
broken and not really guaranteed to give a unique ID"

 (2) The argument you give to __UNIQUE_ID() is pointless. The only
reason it exists is because the broken fallback case is so broken and
by definition __LINE__ will be the same not only if two different
macros are used on the same line, but for trivial and common case of
*one* macro using it.

That second problem is a problem only because it encourages crazy
naming. For example, in the patch I sent I used "__UNIQUE_ID(__x)". If
we actually just wanted a prefix, it would be more logical to just use
"__UNIQUE_ID(x)" instead, but then macro arghument expansion means
that you don't really get "x" as the prefix, but whatever the
_arghument_ x was.

So then I have to use "__x" or something just to avoid argument
expansion. Maybe I should just have used a plain number (which cannot
have the argument expansion issue), but that doesn't work because the
prefix is directly attached to the unique number, so using
__UNIQUE_ID(1) and __UNIQUE_ID(2) is actually unsafe _too_, because
the numbers can end up not being unique at all.

I really do dislike __UNIQUE_ID() for all these reasons. It has
various really subtle problems that make it unnecessarily hard to use
and/or have odd nasty issues.

I think there's a reason why __UNIQUE_ID() really isn't used much.

               Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ