Date:   Tue, 28 Nov 2017 12:34:51 -0800
From:   Kees Cook <keescook@...omium.org>
To:     Thomas Gleixner <tglx@...utronix.de>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Alan Cox <gnomes@...rguk.ukuu.org.uk>,
        "Gustavo A. R. Silva" <garsilva@...eddedor.com>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        "the arch/x86 maintainers" <x86@...nel.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] x86/syscalls: Mark expected switch fall-throughs

On Tue, Nov 28, 2017 at 12:08 PM, Thomas Gleixner <tglx@...utronix.de> wrote:
> On Tue, 28 Nov 2017, Linus Torvalds wrote:
>
>> On Tue, Nov 28, 2017 at 11:00 AM, Alan Cox <gnomes@...rguk.ukuu.org.uk> wrote:
>> >
>> > The notation in question has been standard in tools like lint since the
>> > end of the 1970s
>>
>> Yes.
>>
>> That said, maybe one option would be to annotate the "case:" and
>> "default:" statements if that makes people happier.
>>
>> IOW, we could do something like
>>
>>     #define fallthrough __attribute__((fallthrough))
>>
>> and then write
>>
>>     fallthrough case 1:
>>         ...
>>
>> which while absolutely not traditional, might look and read a bit more
>> logical to people. I mean, it literally _is_ a "fallthrough case", so
>> it makes semantic sense.
>>
>> Or maybe people hate that kind of "making up new syntax" too?
>
> Fine with me. Better than any comment.

One of the strong reasons to do this with comments is because it lets
us leverage existing static analyzers. The long-standard method of
marking fall-through has been with comments, and that's what the
kernel should be (and has been) doing. If we invent another method,
we'll be shooting ourselves in the foot by making it harder to spot
these cases using existing tools. Fall-through is uncommon, and it's
not a big price to carry these comments when the gain is so clear.

The most "ugly" cases of these are when the switch statement is
_entirely_ fall-through (usually for bit-width processing of some
kind), but again, they're rare in the grand scheme of things.

-Kees

-- 
Kees Cook
Pixel Security
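
An added example, not part of the message above and not kernel code: a switch that is entirely fall-through for bit-width processing, marked with the comment convention the message argues for. The helper name `load_tail_le` and the sample bytes are constructed for illustration; GCC's `-Wimplicit-fallthrough` (enabled by `-Wextra`) accepts these comments and warns if one is removed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample input. */
static const uint8_t sample[7] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };

/* Hypothetical helper: pack n (1..7) trailing bytes into a little-endian
 * word. Every case continues into the next one on purpose. */
uint64_t load_tail_le(const uint8_t *p, size_t n)
{
    uint64_t v = 0;

    switch (n) {
    case 7:
        v |= (uint64_t)p[6] << 48;
        /* fall through */
    case 6:
        v |= (uint64_t)p[5] << 40;
        /* fall through */
    case 5:
        v |= (uint64_t)p[4] << 32;
        /* fall through */
    case 4:
        v |= (uint64_t)p[3] << 24;
        /* fall through */
    case 3:
        v |= (uint64_t)p[2] << 16;
        /* fall through */
    case 2:
        v |= (uint64_t)p[1] << 8;
        /* fall through */
    case 1:
        v |= (uint64_t)p[0];
        break;
    default:        /* n == 0 or n > 7: nothing to load */
        break;
    }
    return v;
}

int main(void)
{
    printf("%#llx\n", (unsigned long long)load_tail_le(sample, 3));
    return 0;
}
```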
