lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAKwvOdnSSY0jexXioDTZOWSTi0fkaudZbgSjigPr5uzTRmA_Rg@mail.gmail.com>
Date:   Wed, 8 Jun 2022 12:35:27 -0700
From:   Nick Desaulniers <ndesaulniers@...gle.com>
To:     Al Viro <viro@...iv.linux.org.uk>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Justin Stitt <jstitt007@...il.com>,
        Nathan Chancellor <nathan@...nel.org>,
        Tom Rix <trix@...hat.com>, linux-kernel@...r.kernel.org,
        llvm@...ts.linux.dev, Richard Smith <richardsmith@...gle.com>
Subject: Re: [PATCH] include/uapi/linux/swab.h: add __u16 cast to __swab16 conditional

On Tue, Jun 7, 2022 at 9:54 PM Al Viro <viro@...iv.linux.org.uk> wrote:
>
> On Tue, Jun 07, 2022 at 04:21:28PM -0700, Andrew Morton wrote:
>
> > > 6.5.15/5
> > > >> If both the second and third operands have arithmetic type, the result type that would be determined by the usual arithmetic conversions, were they applied to those two operands, is the type of the result.
> > > 6.3.1.8/1
> > > >> Otherwise, the integer promotions are performed on both operands.
> > > 6.3.1.1/2
> > > >> If an int can represent all values of the original type (as restricted by the width, for a bit-field), the value is converted to an int; otherwise, it is converted to an unsigned int. These are called the integer promotions.
> >
> > Geeze.  Can we please turn this into English and add it to the changelog?
> >
> > Is it saying that an expression
> >
> >       int ? u16 : u16
> >
> > has type int?  Or something else?  What did we do wrong here and is it
> > possible to correct our types rather than adding a cast?
>
> Not quite.  Same rules as u16 + u16 - on architectures where int is wider
> than 16 bits it's (int)u16 + (int)u16 and yields int, on 16bit ones it's
> (unsigned int)u16 + (unsigned int)u16 and yields unsigned int.
>
> You *can't* get smaller-than-int out of ? :, same as you can't get it
> out of addition, etc.

Exactly, and well put. More concise than I was able to express.  I
think that description will satisfy Andrew's request for additional
context, so I'll recommend Justin add a blurb derived from what you
said when sending a v3.

>
> __builtin_choose_expr() would do it, but I would take a cast over that
> ugliness.
>
> FWIW, it might make sense for clang to keep track of the following
> property: expression has the same value as it would if integer promotions
> in it had been replaced with integer promotion of result.

I'm not sure that's precisely the same issue here.

The issue we're facing is more so that `ntohs` is being used in
printf-like expressions; clang's -Wformat warns about default argument
promotion so we need to clean up cases where smaller-than-int format
flags are being used for promoted-to-int params.  While looking at
that, Nathan noticed that __swab16 will return either a __u16 or an
int based on whether __HAVE_BUILTIN_BSWAP16__ is defined, which
depends on BOTH the compiler being used and target architecture.  This
patch from Justin just cleans that up.

>
> Example: with
>         unsigned short x, y, mask;
>
> expresion "x & y" is interpreted as and_int((int)x, (int)y), which is equal
> to (int)and_u16(x, y), so that expression has the property in question.
> "x != 12 ? x : y" has the same property.  "x + y", OTOH, doesn't - if x and y
> are both 32768, x + y is add_int((int)x, (int)y), i.e. 65536, while
> (int)add_u16(x, y) would be 0.
>
> For a somewhat more subtle example,
>         (x & ~mask) | (y & mask)
> is interpreted as
>         or_int(and_int((int)x, not_int((int)mask)), and_int((int)y, (int)mask))
> which is equal to
>         (int)or_u16(and_u16(x,not_u16(mask)), and_u16(y, mask))
> IOW, the property in question holds for that one, despite having a subexpression
> (~mask) that does *NOT* have that property.  (int)not_u16(0) is 0xffff and
> not_int((int)0) is (assuming 32bit int) 0xffffffff.  Upper 16 bits get fouled;
> applying & with known-16bit launders them off...
>
> That predicate is behind the handling of small bitwise types in sparse;
> otherwise all operations on __be16 would trigger warnings due to promotions
> from __be16 to int.  And aforementioned subtle example is common enough, so we
> had to deal with it.  See commit d24967cb847b "[PATCH] handle fouled-bitwise"
> in sparse git...

https://git.kernel.org/pub/scm/devel/sparse/sparse.git/commit/?id=d24967cb847b7a04920698a9053ea8195046a831
(For others' reference)
-- 
Thanks,
~Nick Desaulniers

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ