lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 23 Sep 2022 12:48:48 +0200
From:   "Jason A. Donenfeld" <Jason@...c4.com>
To:     Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
Cc:     linux-kernel@...r.kernel.org,
        Andrew Morton <akpm@...ux-foundation.org>,
        Kees Cook <keescook@...omium.org>
Subject: Re: [PATCH] minmax: clamp more efficiently by avoiding extra comparison

Hey again,

On Fri, Sep 23, 2022 at 12:40 PM Jason A. Donenfeld <Jason@...c4.com> wrote:
>
> Hi Andy,
>
> On Fri, Sep 23, 2022 at 12:36 PM Andy Shevchenko
> <andriy.shevchenko@...ux.intel.com> wrote:
> >
> > On Fri, Sep 23, 2022 at 12:06:21PM +0200, Jason A. Donenfeld wrote:
> > > Currently the clamp algorithm does:
> > >
> > >       if (val > hi)
> > >               val = hi;
> > >       if (val < lo)
> > >               val = lo;
> > >
> > > But since hi > lo by definition, this can be made more efficient with:
> >
> > It's strongly speaking, but we have to proof that, right?
> > So, while I haven't checked the code, this change should also
> > include (does it?) the corresponding compile-time checks (for
> > constant arguments) in similar way how it's done for GENMASK().
> >
> > Otherwise I have no objections.
>
> I think most cases are with compile time constants, but some cases are
> with variables. What should we do in that case? Checking variables at
> runtime incurs the same cost as the old code. I guess we could do this
> fast thing for constants and the slower old thing for non-constants?
> Or not do either, keep this commit as is, and just accept that if you
> pass bogus bounds to clamp, you're going to end up with something
> weird, which is already the case now so not a big deal?

Actually, yea, I think we should keep this commit as-is and not add
additional checking becauseeeee not only is hi>lo by definition, but
both for the old code and for the new code, the result of lo>hi is
total nonsense:

Assuming hi > lo, these snippets all yield the same result:

        if (val > hi)
                val = hi;
        if (val < lo)
                val = lo;

        if (val > hi)
                val = hi;
        else if (val < lo)
                val = lo;

        if (val < lo)
                val = lo;
        if (val > hi)
                val = hi;

        if (val < lo)
                val = lo;
        else if (val > hi)
                val = hi;

Assuming lo > hi, and the first condition triggers, these snippets all
yield different results, all of which are undefined nonsense:

        if (val > hi)
                val = hi;
        if (val < lo)
                val = lo;
--> val is lo

        if (val > hi)
                val = hi;
        else if (val < lo)
                val = lo;
--> val is hi

        if (val < lo)
                val = lo;
        if (val > hi)
                val = hi;
--> val is hi

        if (val < lo)
                val = lo;
        else if (val > hi)
                val = hi;
--> val is lo

Jason

Powered by blists - more mailing lists