lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 Sep 2021 08:51:53 +0200 From: Rasmus Villemoes <linux@...musvillemoes.dk> To: Kees Cook <keescook@...omium.org> Cc: "Gustavo A . R . Silva" <gustavoars@...nel.org>, Nathan Chancellor <nathan@...nel.org>, Jason Gunthorpe <jgg@...pe.ca>, Nick Desaulniers <ndesaulniers@...gle.com>, Leon Romanovsky <leon@...nel.org>, Keith Busch <kbusch@...nel.org>, Len Baker <len.baker@....com>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: Re: [PATCH 1/2] overflow: Implement size_t saturating arithmetic helpers On 20/09/2021 20.08, Kees Cook wrote: > + * Internal logic for size_mul(). Takes variable names from UNIQUE_ID > + * so that the local variables here will never collide with other local > + * variables (for example, with itself). > + */ > +#define __size_mul(factor1, factor2, __factor1, __factor2, __product) \ > +({ \ > + size_t __product; \ > + size_t __factor1 = (factor1); \ > + size_t __factor2 = (factor2); \ > + if (check_mul_overflow(__factor1, __factor2, &__product)) \ > + __product = SIZE_MAX; \ > + __product; \ > +}) > + Why can't this just be a static inline taking and returning size_ts, avoiding all the unique_id ritual and triple layers of macros? > -static inline __must_check size_t array_size(size_t a, size_t b) > -{ > - size_t bytes; > - > - if (check_mul_overflow(a, b, &bytes)) > - return SIZE_MAX; > - > - return bytes; > -} > +#define array_size(a, b) size_mul(a, b) For example, it could be the very function that you remove here and then add a compat alias. IDGI, if you want that functionality by another name, just rename array_size, or let size_mul be a #define for array_size. And we don't have a size_add, but that could just as well be a static inline that has the __must_check itself. Not that I can see that the __must_check matters much for these anyway; if anybody does size_mul(foo, bar); that's just a statement with no side effects, so probably the compiler would warn anyway, or at least nobody can then go on to do anything "wrong". Unlike the check_*_overflow(), which have the (possibly wrapped) result in a output-pointer and the "did it overflow" as the return value, so you can do check_mul_overflow(a, b, &d); do_stuff_with(d); were it not for the __must_check wrapper. [Reminder: __must_check is a bit of a misnomer, the attribute is really warn_unused_result, and there's no requirement that the result is part of the controlling expression of an if() or while() - just passing the result on directly to some other function counts as a "use", which is indeed what we do with the size wrappers.] Rasmus
Powered by blists - more mailing lists