Message-ID: <20220125125828.GM8034@ziepe.ca>
Date: Tue, 25 Jan 2022 08:58:28 -0400
From: Jason Gunthorpe <jgg@...pe.ca>
To: Kees Cook <keescook@...omium.org>
Cc: Rasmus Villemoes <linux@...musvillemoes.dk>,
"Gustavo A . R . Silva" <gustavoars@...nel.org>,
Nathan Chancellor <nathan@...nel.org>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Leon Romanovsky <leon@...nel.org>,
Keith Busch <kbusch@...nel.org>, Len Baker <len.baker@....com>,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH 1/2] overflow: Implement size_t saturating arithmetic helpers

On Mon, Jan 24, 2022 at 01:13:20PM -0800, Kees Cook wrote:
> *thread necromancy*
>
> On Tue, Sep 21, 2021 at 08:51:53AM +0200, Rasmus Villemoes wrote:
> > Not that I can see that the __must_check matters much for these anyway;
> > if anybody does
> >
> > size_mul(foo, bar);
> >
> > that's just a statement with no side effects, so probably the compiler
> > would warn anyway, or at least nobody can then go on to do anything
> > "wrong". Unlike the check_*_overflow(), which have the (possibly
> > wrapped) result in an output-pointer and the "did it overflow" as the
> > return value, so you can do
> >
> > check_mul_overflow(a, b, &d);
> > do_stuff_with(d);
> >
> > were it not for the __must_check wrapper.
> >
> > [Reminder: __must_check is a bit of a misnomer, the attribute is really
> > warn_unused_result, and there's no requirement that the result is part
> > of the controlling expression of an if() or while() - just passing the
> > result on directly to some other function counts as a "use", which is
> > indeed what we do with the size wrappers.]
>
> What I'd really like is a "store this in a size_t" check to catch dumb
> storage size problems (or related overflows). In other words:
Yes, this. The overflow things are nice, but quite often we need to
get things into a size_t to use with an allocator and the rigorous
type checking in the normal overflows is a problem.
Jason
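The two helper styles discussed in this thread, as an added userspace C example that is not part of the thread or of the kernel patch: a check_*_overflow() style call that writes the (possibly wrapped) result through an output pointer and returns the "did it overflow" flag, beside saturating size_mul()/size_add() helpers that collapse to SIZE_MAX so the result can be handed straight to an allocator. The kernel's check_mul_overflow()/check_add_overflow() are modelled here with the GCC/Clang builtins they wrap; the must_check macro, check_store(), alloc_roundtrip() and the other function names are assumptions made for the example, not kernel identifiers.

```c
/* Added example: saturating size_t helpers versus output-pointer overflow
 * checks, modelled in userspace C. check_*_overflow() is stood in for by the
 * __builtin_*_overflow builtins that the kernel macros wrap. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* warn_unused_result is the attribute behind the kernel's __must_check.
 * Passing the result straight into another call already counts as a "use". */
#define must_check __attribute__((warn_unused_result))

/* check_*_overflow() style: result lands in *d (wrapped on overflow), the
 * return value says whether it overflowed. Modelled on the builtins. */
#define check_mul_overflow(a, b, d) __builtin_mul_overflow((a), (b), (d))
#define check_add_overflow(a, b, d) __builtin_add_overflow((a), (b), (d))

/* Assumed helper for the "store this in a size_t" idea: adding 0 computes in
 * infinite precision and reports true if the value does not fit in *dst
 * (truncation or a negative value stored into an unsigned type). */
#define check_store(value, dst) __builtin_add_overflow((value), 0, (dst))

/* Saturating helpers: any overflow collapses to SIZE_MAX, which no allocator
 * will satisfy, so a single NULL check downstream covers overflow and OOM. */
static must_check size_t size_mul(size_t a, size_t b)
{
    size_t r;
    if (check_mul_overflow(a, b, &r))
        return SIZE_MAX;
    return r;
}

static must_check size_t size_add(size_t a, size_t b)
{
    size_t r;
    if (check_add_overflow(a, b, &r))
        return SIZE_MAX;
    return r;
}

/* Consumer: a header plus n elements of elem bytes. The size_mul() result is
 * "used" by being passed to size_add(), so no warn_unused_result warning. */
static void *alloc_array_with_header(size_t header, size_t n, size_t elem)
{
    size_t total = size_add(header, size_mul(n, elem));
    if (total == SIZE_MAX)
        return NULL;
    return malloc(total);
}

/* Allocate and free, reporting whether the allocation was accepted. */
static bool alloc_roundtrip(size_t header, size_t n, size_t elem)
{
    void *p = alloc_array_with_header(header, n, elem);
    if (!p)
        return false;
    free(p);
    return true;
}

/* The pattern the thread warns about: the "did it overflow" flag is thrown
 * away and the wrapped product in d is used anyway. Returns d to show it. */
static size_t unchecked_product(size_t a, size_t b)
{
    size_t d;
    (void)check_mul_overflow(a, b, &d);   /* flag discarded on purpose */
    return d;
}

/* "Does this int fit in a size_t?" A negative value does not. */
static bool int_fits_size_t(int v)
{
    size_t out;
    return !check_store(v, &out);
}

/* Same check into a narrower destination, where truncation is detectable. */
static bool fits_u32(unsigned long long v)
{
    uint32_t out;
    return !check_store(v, &out);
}

int main(void)
{
    printf("size_mul(6, 7)             = %zu\n", size_mul(6, 7));
    printf("size_mul(SIZE_MAX/2+1, 2)  = %zu (saturated)\n",
           size_mul(SIZE_MAX / 2 + 1, 2));
    printf("unchecked_product(same)    = %zu (wrapped)\n",
           unchecked_product(SIZE_MAX / 2 + 1, 2));
    printf("int_fits_size_t(-1)        = %d\n", int_fits_size_t(-1));
    printf("alloc 16 + SIZE_MAX*2      = %s\n",
           alloc_roundtrip(16, SIZE_MAX, 2) ? "ok" : "rejected");
    return 0;
}
```

The saturating form keeps the failure inside the value (SIZE_MAX), so the only decision point is the allocator's NULL return; the output-pointer form is only safe when the returned flag is consulted, which is exactly what warn_unused_result enforces.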