lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGXu5j+pO-LY0gnoVZCu6JWy2SCa5mz0JRxKN2xXrVeKu0+fPQ@mail.gmail.com>
Date:   Tue, 7 Feb 2017 12:57:33 -0800
From:   Kees Cook <keescook@...omium.org>
To:     "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>
Cc:     Arnd Bergmann <arnd@...db.de>, LKML <linux-kernel@...r.kernel.org>,
        Ingo Molnar <mingo@...nel.org>,
        Lai Jiangshan <jiangshanlai@...il.com>, dipankar@...ibm.com,
        Andrew Morton <akpm@...ux-foundation.org>,
        Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
        Josh Triplett <josh@...htriplett.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Peter Zijlstra <peterz@...radead.org>,
        Steven Rostedt <rostedt@...dmis.org>,
        David Howells <dhowells@...hat.com>,
        Eric Dumazet <edumazet@...gle.com>,
        Darren Hart <dvhart@...ux.intel.com>,
        Frederic Weisbecker <fweisbec@...il.com>,
        Oleg Nesterov <oleg@...hat.com>,
        pranith kumar <bobby.prani@...il.com>
Subject: Re: [PATCH] bug: Switch data corruption check to __must_check

On Tue, Feb 7, 2017 at 12:39 PM, Paul E. McKenney
<paulmck@...ux.vnet.ibm.com> wrote:
> On Mon, Feb 06, 2017 at 12:45:47PM -0800, Kees Cook wrote:
>> The CHECK_DATA_CORRUPTION() macro was designed to have callers do
>> something meaningful/protective on failure. However, using "return false"
>> in the macro too strictly limits the design patterns of callers. Instead,
>> let callers handle the logic test directly, but make sure that the result
>> IS checked by forcing __must_check (which appears to not be able to be
>> used directly on macro expressions).
>>
>> Suggested-by: Arnd Bergmann <arnd@...db.de>
>> Signed-off-by: Kees Cook <keescook@...omium.org>
>> ---
>>  include/linux/bug.h | 12 +++++++-----
>>  lib/list_debug.c    | 45 ++++++++++++++++++++++++---------------------
>>  2 files changed, 31 insertions(+), 26 deletions(-)
>>
>> diff --git a/include/linux/bug.h b/include/linux/bug.h
>> index baff2e8fc8a8..5828489309bb 100644
>> --- a/include/linux/bug.h
>> +++ b/include/linux/bug.h
>> @@ -124,18 +124,20 @@ static inline enum bug_trap_type report_bug(unsigned long bug_addr,
>>
>>  /*
>>   * Since detected data corruption should stop operation on the affected
>> - * structures, this returns false if the corruption condition is found.
>> + * structures. Return value must be checked and sanely acted on by caller.
>>   */
>> +static inline __must_check bool check_data_corruption(bool v) { return v; }
>>  #define CHECK_DATA_CORRUPTION(condition, fmt, ...)                    \
>> -     do {                                                             \
>> -             if (unlikely(condition)) {                               \
>> +     check_data_corruption(({                                         \
>
> The definition of check_data_corruption() is in some other patch?  I don't
> see it in current mainline.  I am not seeing what it might be doing.

It's immediately before the #define line above. It's nothing more than
an inline argument pass-through, but since it's a _function_ I can
attach __must_check to it, which I can't do for a conditional
expression macro. And I gave it the meaningful name so when someone
fails to check CHECK_DATA_CORRUPTION, they'll get a gcc warning about
"check_data_corruption" which will lead them here.

>> +             bool corruption = unlikely(condition);                   \
>
> So corruption = unlikely(condition)?  Sounds a bit optimistic to me!  ;-)

It's true though! :) Nearly all calls to CHECK_DATA_CORRUPTION()
should end up with a false condition.

>
>> +             if (corruption) {                                        \
>>                       if (IS_ENABLED(CONFIG_BUG_ON_DATA_CORRUPTION)) { \
>>                               pr_err(fmt, ##__VA_ARGS__);              \
>>                               BUG();                                   \
>>                       } else                                           \
>>                               WARN(1, fmt, ##__VA_ARGS__);             \
>> -                     return false;                                    \
>>               }                                                        \
>> -     } while (0)
>> +             corruption;                                              \
>> +     }))
>>
>>  #endif       /* _LINUX_BUG_H */
>> diff --git a/lib/list_debug.c b/lib/list_debug.c
>> index 7f7bfa55eb6d..a34db8d27667 100644
>> --- a/lib/list_debug.c
>> +++ b/lib/list_debug.c
>> @@ -20,15 +20,16 @@
>>  bool __list_add_valid(struct list_head *new, struct list_head *prev,
>>                     struct list_head *next)
>>  {
>> -     CHECK_DATA_CORRUPTION(next->prev != prev,
>> -             "list_add corruption. next->prev should be prev (%p), but was %p. (next=%p).\n",
>> -             prev, next->prev, next);
>> -     CHECK_DATA_CORRUPTION(prev->next != next,
>> -             "list_add corruption. prev->next should be next (%p), but was %p. (prev=%p).\n",
>> -             next, prev->next, prev);
>> -     CHECK_DATA_CORRUPTION(new == prev || new == next,
>> -             "list_add double add: new=%p, prev=%p, next=%p.\n",
>> -             new, prev, next);
>> +     if (CHECK_DATA_CORRUPTION(next->prev != prev,
>> +                     "list_add corruption. next->prev should be prev (%p), but was %p. (next=%p).\n",
>> +                     prev, next->prev, next) ||
>> +         CHECK_DATA_CORRUPTION(prev->next != next,
>> +                     "list_add corruption. prev->next should be next (%p), but was %p. (prev=%p).\n",
>> +                     next, prev->next, prev) ||
>> +         CHECK_DATA_CORRUPTION(new == prev || new == next,
>> +                     "list_add double add: new=%p, prev=%p, next=%p.\n",
>> +                     new, prev, next))
>> +             return false;
>
> That -is- one ornate "if" condition, isn't it?

It is, yes. :)

> Still it is nice to avoid the magic return from out of the middle of the
> C-preprocessor macro.

Agreed. I had fun with indenting to make it passably readable. :P

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ