lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <b97faef60ad24922b530241c5d7c933c@AcuMS.aculab.com>
Date:   Mon, 18 Sep 2023 08:14:40 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC:     Linus Torvalds <torvalds@...ux-foundation.org>,
        'Andy Shevchenko' <andriy.shevchenko@...ux.intel.com>,
        'Andrew Morton' <akpm@...ux-foundation.org>,
        "'Matthew Wilcox (Oracle)'" <willy@...radead.org>,
        'Christoph Hellwig' <hch@...radead.org>,
        "'Jason A. Donenfeld'" <Jason@...c4.com>
Subject: [PATCH next v4 0/5] minmax: Relax type checks in min() and max().

The min() (etc) functions in minmax.h require that the arguments have
exactly the same types.

However when the type check fails, rather than look at the types and
fix the type of a variable/constant, everyone seems to jump on min_t().
In reality min_t() ought to be rare - when something unusual is being
done, not normality.

The orginal min() (added in 2.4.9) replaced several inline functions and
included the type - so matched the implicit casting of the function call.
This was renamed min_t() in 2.4.10 and the current min() added.
There is no actual indication that the conversion of negatve values
to large unsigned values has ever been an actual problem.

A quick grep shows 5734 min() and 4597 min_t().
Having the casts on almost half of the calls shows that something
is clearly wrong.

If the wrong type is picked (and it is far too easy to pick the type
of the result instead of the larger input) then significant bits can
get discarded.
Pretty much the worst example is in the derived clamp_val(), consider:
        unsigned char x = 200u;
        y = clamp_val(x, 10u, 300u);

I also suspect that many of the min_t(u16, ...) are actually wrong.
For example copy_data() in printk_ringbuffer.c contains:
        data_size = min_t(u16, buf_size, len);
Here buf_size is 'unsigned int' and len 'u16', pass a 64k buffer
(can you prove that doesn't happen?) and no data is returned.
Apparantly it did - and has since been fixed.

The only reason that most of the min_t() are 'fine' is that pretty
much all the values in the kernel are between 0 and INT_MAX.

Patch 1 adds umin(), this uses integer promotions to convert
both arguments to 'unsigned long long'. It can be used to compare a
signed type that is known to contain a non-negative value with an
unsigned type. The compiler typically optimises it all away.
Added first so that it can be referred to in patch 2.

Patch 2 replaces the 'same type' check with a 'same signedness' one.
This makes min(unsigned_int_var, sizeof()) be ok.
The error message is also improved and will contain the expanded
form of both arguments (useful for seeing how constants are defined).

Patch 3 just fixes some whitespace.

Patch 4 allows comparisons of 'unsigned char' and 'unsigned short'
to signed types. The integer promotion rules convert them both
to 'signed int' prior to the comparison so they can never cause
a negative value be converted to a large positive one.

Patch 5 (rewritted for v4) allows comparisons of unsigned values
against non-negative constant integer expressions.
This makes min(unsigned_int_var, 4) be ok.

The only common case that is still errored is the comparison of
signed values against unsigned constant integer expressions
below __INT_MAX__.
Typcally min(int_val, sizeof (foo)), the real fix for this is casting
the constant: min(int_var, (int)sizeof (foo)).

With all the patches applied pretty much all the min_t() could be
replaced by min(), and most of the rest by umin().
However they all need careful inspection due to code like:
        sz = min_t(unsigned char, sz - 1, LIM - 1) + 1;
which converts 0 to LIM.

v4: Patch 5 no longer allows min(int_var, 4u), only min(uint_var, 4).
    min_unsigned() rename umin().
    Rebased on 6.6-rc1.
v3: Fix more issues found by the build robot
v2: Fixes some issues found by the kernel build robot.

David Laight (5):
  minmax: Add umin(a, b) and umax(a, b)
  minmax: Allow min()/max()/clamp() if the arguments have the same
    signedness.
  minmax: Fix indentation of __cmp_once() and __clamp_once()
  minmax: Allow comparisons of 'int' against 'unsigned char/short'.
  minmax: Relax check to allow comparison between unsigned arguments and
    signed constants.

 include/linux/minmax.h | 103 +++++++++++++++++++++++++++--------------
 1 file changed, 68 insertions(+), 35 deletions(-)

-- 
2.17.1

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ