lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 26 Oct 2022 11:26:27 -0700
From:   Nick Desaulniers <ndesaulniers@...gle.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     linux-hardening@...r.kernel.org,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] fortify: Do not cast to "unsigned char"

On Tue, Oct 25, 2022 at 4:17 PM Kees Cook <keescook@...omium.org> wrote:
>
> Do not cast to "unsigned char", as this needlessly creates type problems
> when attempting builds without -Wno-pointer-sign[1]. The intent of the
> cast is to drop possible "const" types.
>
> [1] https://lore.kernel.org/lkml/CAHk-=wgz3Uba8w7kdXhsqR1qvfemYL+OFQdefJnkeqXG8qZ_pA@mail.gmail.com/
>
> Suggested-by: Linus Torvalds <torvalds@...ux-foundation.org>
> Fixes: 3009f891bb9f ("fortify: Allow strlen() and strnlen() to pass compile-time known lengths")
> Cc: Nick Desaulniers <ndesaulniers@...gle.com>
> Cc: linux-hardening@...r.kernel.org
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
>  include/linux/fortify-string.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
> index f3dd5d1a6a25..09a032f6ce6b 100644
> --- a/include/linux/fortify-string.h
> +++ b/include/linux/fortify-string.h
> @@ -18,7 +18,7 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("
>
>  #define __compiletime_strlen(p)                                        \
>  ({                                                             \
> -       unsigned char *__p = (unsigned char *)(p);              \
> +       char *__p = (char *)(p);                                \

If the intent of __p is to avoid repeated application of side effects
from the evaluation of the macro parameter p, this could also be:

__auto_type __p = (p);

I think this is nice because it doesn't strip potential const
qualifiers from the macro parameter.

>         size_t __ret = SIZE_MAX;                                \
>         size_t __p_size = __member_size(p);                     \
>         if (__p_size != SIZE_MAX &&                             \
> --
> 2.34.1
>


-- 
Thanks,
~Nick Desaulniers

Powered by blists - more mailing lists