lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 21 Sep 2021 08:51:53 +0200
From:   Rasmus Villemoes <>
To:     Kees Cook <>
Cc:     "Gustavo A . R . Silva" <>,
        Nathan Chancellor <>,
        Jason Gunthorpe <>,
        Nick Desaulniers <>,
        Leon Romanovsky <>,
        Keith Busch <>, Len Baker <>,,
Subject: Re: [PATCH 1/2] overflow: Implement size_t saturating arithmetic

On 20/09/2021 20.08, Kees Cook wrote:

> + * Internal logic for size_mul(). Takes variable names from UNIQUE_ID
> + * so that the local variables here will never collide with other local
> + * variables (for example, with itself).
> + */
> +#define __size_mul(factor1, factor2, __factor1, __factor2, __product)	\
> +({									\
> +	size_t __product;						\
> +	size_t __factor1 = (factor1);					\
> +	size_t __factor2 = (factor2);					\
> +	if (check_mul_overflow(__factor1, __factor2, &__product))	\
> +		__product = SIZE_MAX;					\
> +	__product;							\
> +})
> +

Why can't this just be a static inline taking and returning size_ts,
avoiding all the unique_id ritual and triple layers of macros?

> -static inline __must_check size_t array_size(size_t a, size_t b)
> -{
> -	size_t bytes;
> -
> -	if (check_mul_overflow(a, b, &bytes))
> -		return SIZE_MAX;
> -
> -	return bytes;
> -}
> +#define array_size(a, b)	size_mul(a, b)

For example, it could be the very function that you remove here and then
add a compat alias. IDGI, if you want that functionality by another
name, just rename array_size, or let size_mul be a #define for array_size.

And we don't have a size_add, but that could just as well be a static
inline that has the __must_check itself.

Not that I can see that the __must_check matters much for these anyway;
if anybody does

  size_mul(foo, bar);

that's just a statement with no side effects, so probably the compiler
would warn anyway, or at least nobody can then go on to do anything
"wrong". Unlike the check_*_overflow(), which have the (possibly
wrapped) result in a output-pointer and the "did it overflow" as the
return value, so you can do

  check_mul_overflow(a, b, &d);

were it not for the __must_check wrapper.

[Reminder: __must_check is a bit of a misnomer, the attribute is really
warn_unused_result, and there's no requirement that the result is part
of the controlling expression of an if() or while() - just passing the
result on directly to some other function counts as a "use", which is
indeed what we do with the size wrappers.]


Powered by blists - more mailing lists