lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 18 Jan 2008 13:45:21 +0100 (CET)
From:	ecolbus@...la.fr
To:	linux-kernel@...r.kernel.org
Subject: Re: Why is the kfree() argument const?

Giacomo Catenazzi wrote:

> const No writes through this lvalue. In the absence of this qualifier, writes may occur
> through this lvalue.
> 
> volatile No cacheing through this lvalue: each operation in the abstract semantics must
> be performed (that is, no cacheing assumptions may be made, since the location
> is not guaranteed to contain any previous value). In the absence of this qualifier,
> the contents of the designated location may be assumed to be unchanged except
> for possible aliasing.

Well, I'm still wondering if there is not something dangerous or weird about
declaring the argument of kfree() to be const... 

Since the content of the referenced object is unlikely to be declared volatile, the
compiler should be allowed to assume that its content was not changed, except
for possible aliasing. But what happens if the compiler can also prove there is 
no aliasing? In that case, he should be allowed to assume that the content
pointed to was not modified at all, right?

Consider the following code : 

struct something {
        int i;
};

...

struct something *s1, *s2;
extern int val;

s1 = kmalloc(sizeof(*s1), SOME_FLAGS);
if (s1 == NULL)
        return -ENOMEM;

s1->i = do_something();
do_some_other_thing();

s2 = kmalloc(sizeof(*s2), SOME_FLAGS);
if (s2 == NULL){
        val = s1->i; /* XXX */
        kfree(s1);
        return -ENOMEM;
}

Fortunately, kmalloc is not declared with attribute malloc in the kernel,
so there should be no problem, but if it were (and, actually, I've not found
why it wasn't), the compiler would be able to tell that *s1 *cannot* 
be aliased, and therefore decide to move val = s1->i *after* having
called kfree(). In that case, we would clearly have a bug...

So, although this should currently work, code which breaks if you do
a legitimate modification somewere else looks quite dangerous to me.

Or maybe there is a rationale for never declaring kmalloc to have the
attribute malloc in the first place...

Or is there simply something that I still don't understand, Giacomo?

Cheers,

Emmanuel Colbus


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ