lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <202109211204.75043CDF@keescook>
Date:   Tue, 21 Sep 2021 12:07:35 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Rasmus Villemoes <linux@...musvillemoes.dk>
Cc:     "Gustavo A . R . Silva" <gustavoars@...nel.org>,
        Nathan Chancellor <nathan@...nel.org>,
        Jason Gunthorpe <jgg@...pe.ca>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Leon Romanovsky <leon@...nel.org>,
        Keith Busch <kbusch@...nel.org>, Len Baker <len.baker@....com>,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH 1/2] overflow: Implement size_t saturating arithmetic
 helpers

On Tue, Sep 21, 2021 at 08:51:53AM +0200, Rasmus Villemoes wrote:
> On 20/09/2021 20.08, Kees Cook wrote:
> 
> > + * Internal logic for size_mul(). Takes variable names from UNIQUE_ID
> > + * so that the local variables here will never collide with other local
> > + * variables (for example, with itself).
> > + */
> > +#define __size_mul(factor1, factor2, __factor1, __factor2, __product)	\
> > +({									\
> > +	size_t __product;						\
> > +	size_t __factor1 = (factor1);					\
> > +	size_t __factor2 = (factor2);					\
> > +	if (check_mul_overflow(__factor1, __factor2, &__product))	\
> > +		__product = SIZE_MAX;					\
> > +	__product;							\
> > +})
> > +
> 
> Why can't this just be a static inline taking and returning size_ts,
> avoiding all the unique_id ritual and triple layers of macros?

*hold face* Yeah. I've been doing so much type-agnostic macro work
lately that I completely looked past the characteristics I was
describing for this macro are ... in fact ... how functions actually
work. *sigh* Yes, I'll change all of these to just be static inlines.
If we ever need them as constant expressions, we can fix them then.

> Not that I can see that the __must_check matters much for these anyway;
> if anybody does
> 
>   size_mul(foo, bar);
> 
> that's just a statement with no side effects, so probably the compiler
> would warn anyway, or at least nobody can then go on to do anything
> "wrong". Unlike the check_*_overflow(), which have the (possibly
> wrapped) result in a output-pointer and the "did it overflow" as the
> return value, so you can do
> 
>   check_mul_overflow(a, b, &d);
>   do_stuff_with(d);
> 
> were it not for the __must_check wrapper.
> 
> [Reminder: __must_check is a bit of a misnomer, the attribute is really
> warn_unused_result, and there's no requirement that the result is part
> of the controlling expression of an if() or while() - just passing the
> result on directly to some other function counts as a "use", which is
> indeed what we do with the size wrappers.]

Yeah, all a good point. My knee-jerk reaction is to include __must_check
just because it's "free" here.

Thanks!

-Kees

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ