lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 18 May 2014 13:46:15 +0000
From:	"Joseph S. Myers" <joseph@...esourcery.com>
To:	"H. Peter Anvin" <hpa@...or.com>
CC:	Arnd Bergmann <arnd@...db.de>,
	Chung-Lin Tang <cltang@...esourcery.com>,
	John Stultz <john.stultz@...aro.org>,
	Geert Uytterhoeven <geert@...ux-m68k.org>,
	Christoph Hellwig <hch@...radead.org>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ley Foon Tan <lftan@...era.com>,
	Linux-Arch <linux-arch@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	LeyFoon Tan <lftan.linux@...il.com>
Subject: Re: [PATCH 00/25] Change time_t and clock_t to 64 bit

On Sat, 17 May 2014, H. Peter Anvin wrote:

> > Adding snseconds_t to POSIX seems pointless when there is no need for this 
> > field to store values that can't fit in "long".  Even if it were added, 
> > good practice would say that implementations should keep using "long" 
> > whenever possible for compatibility with existing applications (just like 
> > the ISO C recommendation "The types used for size_t and ptrdiff_t should 
> > not have an integer conversion rank greater than that of signed long int 
> > unless the implementation supports objects large enough to make this 
> > necessary.").
> 
> That is a very different thing, though.

It's advising against breaking compatibility with existing applications 
(in that case, C90 applications that assume sizes can be cast to unsigned 
long for printing, etc.) unless necessary.

Rich Felker suggests 
<https://sourceware.org/bugzilla/show_bug.cgi?id=16438> there are similar 
security risks from various types in the x32 ABI being wider than size_t.  
That seems entirely plausible, if unconfirmed; I don't think there's been 
much effort to look for such issues where applications expect types to be 
no wider than size_t when there's no use to them being wider than size_t.  
Most of those choices are valid but may be risky to existing software much 
as IL32LLP64 can be risky to existing software.

> > If you were designing from scratch, no doubt a typedef such as snseconds_t 
> > would be there, but with real-world APIs that have accumulated over time, 
> > deviating from "long" now is a bad idea.
> 
> Given that you already have a long long member of the same structure, it
> seems unlikely that adding another long long to this is a problem.
> 
> Anyway, this was discussed back in 2011:
> 
> https://lkml.org/lkml/2011/8/31/244

Just because one buggy port (I consider this quite clearly a bug at the 
glibc level, whatever the kernel does, agreeing with Rich Felker in 
<https://sourceware.org/bugzilla/show_bug.cgi?id=16437>) managed to get 
into glibc does not mean any more should be added.  glibc's function is to 
provide POSIX (and other) interfaces on top of the underlying kernel, 
which includes fixing any mismatch between the kernel and POSIX interfaces 
(such as converting from userspace POSIX struct timespec to the form in 
which times are passed to the kernel, by copying and zeroing padding, if 
necessary).  That's just like implementing POSIX threads on top of clone - 
or, if future POSIX disallows newlines in filenames (something that's been 
discussed for some time but doesn't seem to have seen much action lately) 
but the Linux kernel doesn't follow, making such checks on filenames 
before passing them to the kernel.  Of course, one would hope that the 
underlying kernel interfaces are designed to make it straightforward to 
implement POSIX on top of them (as well as other things not envisaged by 
POSIX).

The userspace ABI for struct timespec with 64-bit time_t and 32-bit long 
should use long tv_nsec in any future ports, with appropriate conversion 
code in glibc if the kernel interface is different (for ports that started 
out with 32-bit time_t, conversion code will be needed anyway to convert 
to the 32-bit structure if the new syscalls are unavailable at runtime and 
so the old syscalls need to be used, but if the kernel's structure with 
64-bit time_t is different from that in userspace then both old and new 
kernels need conversion code).  Given Rich Felker's bug reports, it seems 
reasonable to suppose that musl will wish to do this as well as glibc.

-- 
Joseph S. Myers
joseph@...esourcery.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ