| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 9 Feb 2007 15:29:01 -0500
From: "linux-os \(Dick Johnson\)" <linux-os@...logic.com>
To: "Jan Engelhardt" <jengelh@...ux01.gwdg.de>
Cc: "Linus Torvalds" <torvalds@...ux-foundation.org>,
"David Rientjes" <rientjes@...gle.com>,
"Jeff Garzik" <jeff@...zik.org>,
"Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>,
"Andrew Morton" <akpm@...ux-foundation.org>
Subject: Re: somebody dropped a (warning) bomb
On Fri, 9 Feb 2007, Jan Engelhardt wrote:
>
> On Feb 9 2007 08:16, linux-os (Dick Johnson) wrote:
>> On Fri, 9 Feb 2007, Jan Engelhardt wrote:
>>> On Feb 8 2007 16:42, Linus Torvalds wrote:
>>>>
>>> Further, giving again answer to the question whether they generate
>>> signed or unsigned comparisons: Have you ever seen a computer which
>>> addresses memory with negative numbers? Since the answer is most likely
>>> no, signed comparisons would
>>
>> Yes, most all do. Indexed memory operands are signed displacements. See
>> page 2-16, Intel486 Microprocessor Programmer's Reference Manual. This
>
> I was referring to "absolute memory", not the offset magic that assembler
> allows. After all, (reg+relativeOffset) will yield an absolute address.
> What I was out at: for machines that have more than 2 GB of memory, you
> don't call the address that is given by 0x80000000U actually "byte
> -2147483648", but "byte 2147483648".
Don't make any large bets on that!
char foo()
{
volatile char *p = (char *)0x80000000;
return *p;
}
Optimized....
.file "zzz.c"
.text
.p2align 2,,3
.globl foo
.type foo, @function
foo:
pushl %ebp
movb -2147483648, %al
movl %esp, %ebp
movsbl %al,%eax
leave
ret
.size foo, .-foo
.section .note.GNU-stack,"",@progbits
.ident "GCC: (GNU) 3.3.3 20040412 (Red Hat Linux 3.3.3-7)"
Not optimized...
.file "zzz.c"
.text
.globl foo
.type foo, @function
foo:
pushl %ebp
movl %esp, %ebp
subl $4, %esp
movl $-2147483648, -4(%ebp)
movl -4(%ebp), %eax
movb (%eax), %al
movsbl %al,%eax
leave
ret
.size foo, .-foo
.section .note.GNU-stack,"",@progbits
.ident "GCC: (GNU) 3.3.3 20040412 (Red Hat Linux 3.3.3-7)"
... Still negative numbers!
>
>> gets hidden by higher-level languages such as 'C'. It is also non-obvious
>> when using the AT&T (GNU) assembly language. However, the Intel documentation
>> shows it clearly:
>> MOV AL, [EBX+0xFFFFFFFF] ; -1
>
> It can be debated what exactly this is... negative offset or "using
> overflow to get where we want".
>
No debate at all, and no overflow. The construction is even used in
'C' to optimize memory access while unrolling loops:
/*-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
/*
* This converts an array of integers to an array of double floats.
*/
void int2float(double *fp, int *ip, size_t len)
{
while(len >= 0x10)
{
fp += 0x10;
ip += 0x10;
len -= 0x10;
fp[-0x10] = (double) ip[-0x10];
fp[-0x0f] = (double) ip[-0x0f];
fp[-0x0e] = (double) ip[-0x0e];
fp[-0x0d] = (double) ip[-0x0d];
fp[-0x0c] = (double) ip[-0x0c];
fp[-0x0b] = (double) ip[-0x0b];
fp[-0x0a] = (double) ip[-0x0a];
fp[-0x09] = (double) ip[-0x09];
fp[-0x08] = (double) ip[-0x08];
fp[-0x07] = (double) ip[-0x07];
fp[-0x06] = (double) ip[-0x06];
fp[-0x05] = (double) ip[-0x05];
fp[-0x04] = (double) ip[-0x04];
fp[-0x03] = (double) ip[-0x03];
fp[-0x02] = (double) ip[-0x02];
fp[-0x01] = (double) ip[-0x01];
}
while(len--)
*fp++ = (double) *ip++;
}
This makes certain that each memory access uses the same type
and the address-calculation for the next memory access can be done
in parallel with the current fetch. This is one of the methods
used to save a few machine cycles. Doesn't mean much until you
end up with large arrays such as used in image processing. Then,
it may be the difference that makes or breaks the project!
>
> Jan
> --
> ft: http://freshmeat.net/p/chaostables/
>
Cheers,
Dick Johnson
Penguin : Linux version 2.6.16.24 on an i686 machine (5592.61 BogoMips).
New book: http://www.AbominableFirebug.com/
_
..
****************************************************************
The information transmitted in this message is confidential and may be privileged. Any review, retransmission, dissemination, or other use of this information by persons or entities other than the intended recipient is prohibited. If you are not the intended recipient, please notify Analogic Corporation immediately - by replying to this message or by sending an email to DeliveryErrors@...logic.com - and destroy all copies of this information, including any attachments, without reading or disclosing them.
Thank you.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists