lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130729025523.GJ26694@linux.vnet.ibm.com>
Date:	Sun, 28 Jul 2013 19:55:23 -0700
From:	"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
Cc:	linux-kernel@...r.kernel.org, john.stultz@...aro.org,
	davem@...emloft.net, arnd@...db.de, mingo@...nel.org,
	torvalds@...ux-foundation.org
Subject: Re: [PATCH jiffies] Avoid undefined behavior from signed overflow

On Sun, Jul 28, 2013 at 11:46:59AM -0700, Eric Dumazet wrote:
> On Sat, 2013-07-27 at 15:58 -0700, Paul E. McKenney wrote:
> > According to the C standard 3.4.3p3, overflow of a signed integer results
> > in undefined behavior.  This commit therefore changes the definitions
> > of time_after() and time_after_eq() to avoid this undefined behavior.
> > The trick is that the subtraction is done using unsigned arithmetic,
> > which according to 6.2.5p9 cannot overflow because it is defined as
> > modulo arithmetic.  This has the added (though admittedly quite small)
> > benefit of shortening two lines of code by four characters each.
> > 
> > Note that the C standard considers the cast from signed to
> > unsigned to be implementation-defined, see 6.3.1.3p3.  However, on a
> > two-complement system, an implementation that defines anything other
> > than a reinterpretation of the bits is free come to me, and I will be
> > happy to act as a witness for its being committed to an insane asylum.
> > (Although I have nothing against saturating arithmetic or signals in
> > some cases, these things really should not be the default.)
> > 
> > Signed-off-by: Paul E. McKenney <paulmck@...ux.vnet.ibm.com>
> > Cc: John Stultz <john.stultz@...aro.org>
> > Cc: "David S. Miller" <davem@...emloft.net>
> > Cc: Arnd Bergmann <arnd@...db.de>
> > Cc: Ingo Molnar <mingo@...nel.org>
> > Cc: Linus Torvalds <torvalds@...ux-foundation.org>
> > 
> > diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h
> > index 97ba4e7..97967ba 100644
> > --- a/include/linux/jiffies.h
> > +++ b/include/linux/jiffies.h
> > @@ -101,13 +101,13 @@ static inline u64 get_jiffies_64(void)
> >  #define time_after(a,b)		\
> >  	(typecheck(unsigned long, a) && \
> >  	 typecheck(unsigned long, b) && \
> > -	 ((long)(b) - (long)(a) < 0))
> > +	 ((long)((b) - (a)) < 0))
> >  #define time_before(a,b)	time_after(b,a)
> >  
> >  #define time_after_eq(a,b)	\
> >  	(typecheck(unsigned long, a) && \
> >  	 typecheck(unsigned long, b) && \
> > -	 ((long)(a) - (long)(b) >= 0))
> > +	 ((long)((a) - (b)) >= 0))
> >  #define time_before_eq(a,b)	time_after_eq(b,a)
> 
> time_after64() & time_after_eq64() probably need the same.

It looks that way to me, too, good catch!  Updated patch below.

							Thanx, Paul

------------------------------------------------------------------------

jiffies: Avoid undefined behavior from signed overflow

According to the C standard 3.4.3p3, overflow of a signed integer results
in undefined behavior.  This commit therefore changes the definitions
of time_after(), time_after_eq(), time_after64(), and time_after_eq64()
to avoid this undefined behavior.  The trick is that the subtraction
is done using unsigned arithmetic, which according to 6.2.5p9 cannot
overflow because it is defined as modulo arithmetic.  This has the added
(though admittedly quite small) benefit of shortening two lines of code
by four characters each.

Note that the C standard considers the cast from signed to
unsigned to be implementation-defined, see 6.3.1.3p3.  However, on a
two-complement system, an implementation that defines anything other
than a reinterpretation of the bits is free come to me, and I will be
happy to act as a witness for its being committed to an insane asylum.
(Although I have nothing against saturating arithmetic or signals in
some cases, these things really should not be the default.)

Signed-off-by: Paul E. McKenney <paulmck@...ux.vnet.ibm.com>
Cc: John Stultz <john.stultz@...aro.org>
Cc: "David S. Miller" <davem@...emloft.net>
Cc: Arnd Bergmann <arnd@...db.de>
Cc: Ingo Molnar <mingo@...nel.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Eric Dumazet <eric.dumazet@...il.com>
[ paulmck: Included time_after64() and time_after_eq64(), as suggested
  by Eric Dumazet.]

diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h
index 97ba4e7..d235e88 100644
--- a/include/linux/jiffies.h
+++ b/include/linux/jiffies.h
@@ -101,13 +101,13 @@ static inline u64 get_jiffies_64(void)
 #define time_after(a,b)		\
 	(typecheck(unsigned long, a) && \
 	 typecheck(unsigned long, b) && \
-	 ((long)(b) - (long)(a) < 0))
+	 ((long)((b) - (a)) < 0))
 #define time_before(a,b)	time_after(b,a)
 
 #define time_after_eq(a,b)	\
 	(typecheck(unsigned long, a) && \
 	 typecheck(unsigned long, b) && \
-	 ((long)(a) - (long)(b) >= 0))
+	 ((long)((a) - (b)) >= 0))
 #define time_before_eq(a,b)	time_after_eq(b,a)
 
 /*
@@ -130,13 +130,13 @@ static inline u64 get_jiffies_64(void)
 #define time_after64(a,b)	\
 	(typecheck(__u64, a) &&	\
 	 typecheck(__u64, b) && \
-	 ((__s64)(b) - (__s64)(a) < 0))
+	 ((__s64)((b) - (a)) < 0))
 #define time_before64(a,b)	time_after64(b,a)
 
 #define time_after_eq64(a,b)	\
 	(typecheck(__u64, a) && \
 	 typecheck(__u64, b) && \
-	 ((__s64)(a) - (__s64)(b) >= 0))
+	 ((__s64)((a) - (b)) >= 0))
 #define time_before_eq64(a,b)	time_after_eq64(b,a)
 
 #define time_in_range64(a, b, c) \

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ