| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240509140854.GF3620298@mit.edu>
Date: Thu, 9 May 2024 10:08:54 -0400
From: "Theodore Ts'o" <tytso@....edu>
To: Kees Cook <keescook@...omium.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Justin Stitt <justinstitt@...gle.com>,
Peter Zijlstra <peterz@...radead.org>,
Mark Rutland <mark.rutland@....com>, linux-hardening@...r.kernel.org,
linux-kernel@...r.kernel.org, llvm@...ts.linux.dev
Subject: Re: [RFC] Mitigating unexpected arithmetic overflow
On Wed, May 08, 2024 at 11:11:35PM -0700, Kees Cook wrote:
> > I think it would be interesting in general to have some kind of
> > warning for "implicit cast drops bits".
> >
> > I fear that we'd have an enormous about of them, and maybe they'd be
> > unsolvable without making the code *much* uglier (and sometimes the
> > fix might be to add an explicit cast to document intentionally dropped
> > bits, but explicit casts have their own issues).
Seapking of which, I recently had to work around an overactive
compiler UBSAN which complained about this:
struct ext2_super {
...
__u32 time_lo;
__u32 time_high;
...
}
time_t now;
sb->time_low = now;
sb->time_high = now >> 32;
This is obviously (to a human) correct, but because of stupid compiler
tricks, in order to silence compiler-level and ubsan complaints, this
got turned into:
sb->time_low = now & 0xffffffff;
#if (SIZEOF_TIME_T > 4)
sb->time_high = (now >> 32) & EXT4_EPOCH_MASK;
#else
sb->time_high = 0;
#endif
and in the opposite case, I was forced to write:
#if (SIZEOF_TIME_T == 4)
return *lo;
#else
return ((time_t)(*hi) << 32) | *lo;
#endif
... and this made me very sad. Grumble....
- Ted
Powered by blists - more mailing lists