| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Apr 2024 07:28:45 -0700 From: Boqun Feng <boqun.feng@...il.com> To: Andreas Hindborg <nmi@...aspace.dk> Cc: Alice Ryhl <aliceryhl@...gle.com>, Thomas Gleixner <tglx@...utronix.de>, Miguel Ojeda <ojeda@...nel.org>, John Stultz <jstultz@...gle.com>, Stephen Boyd <sboyd@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>, Wedson Almeida Filho <wedsonaf@...il.com>, Gary Guo <gary@...yguo.net>, bjorn3_gh@...tonmail.com, Benno Lossin <benno.lossin@...ton.me>, Andreas Hindborg <a.hindborg@...sung.com>, rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 2/2] rust: time: Use wrapping_sub() for Ktime::sub() On Thu, Apr 25, 2024 at 11:00:31AM +0200, Andreas Hindborg wrote: > Alice Ryhl <aliceryhl@...gle.com> writes: > > > On Fri, Apr 12, 2024 at 3:18 PM Boqun Feng <boqun.feng@...il.com> wrote: > >> > >> On Fri, Apr 12, 2024 at 10:36:05AM +0200, Alice Ryhl wrote: > >> > On Fri, Apr 12, 2024 at 1:08 AM Boqun Feng <boqun.feng@...il.com> wrote: > >> > > > >> > > Currently since Rust code is compiled with "-Coverflow-checks=y", so a > >> > > normal substraction may be compiled as an overflow checking and panic > >> > > if overflow happens: > >> > > > >> > > subq %rsi, %rdi > >> > > jo .LBB0_2 > >> > > movq %rdi, %rax > >> > > retq > >> > > .LBB0_2: > >> > > pushq %rax > >> > > leaq str.0(%rip), %rdi > >> > > leaq .L__unnamed_1(%rip), %rdx > >> > > movl $33, %esi > >> > > callq *core::panicking::panic::h59297120e85ea178@...PCREL(%rip) > >> > > > >> > > although overflow detection is nice to have, however this makes > >> > > `Ktime::sub()` behave differently than `ktime_sub()`, moreover it's not > >> > > clear that the overflow checking is helpful, since for example, the > >> > > current binder usage[1] doesn't have the checking. > >> > > >> > I don't think this is a good idea at all. Any code that triggers an > >> > overflow in Ktime::sub is wrong, and anyone who enables > >> > CONFIG_RUST_OVERFLOW_CHECKS does so because they want such bugs to be > >> > caught. You may have been able to find one example of a subtraction > >> > that doesn't have a risk of overflow, but overflow bugs really do > >> > >> The point is you won't panic the kernel because of an overflow. I > >> agree that overflow is something we want to catch, but currently > >> ktime_t doesn't panic if overflow happens. > > > > What the CONFIG_RUST_OVERFLOW_CHECKS option does is enable panics on > > overflow. So I don't understand how "it panics on overflow" is an > > argument for removing the overflow check. That's what you asked for! > > One could perhaps argue about whether CONFIG_RUST_OVERFLOW_CHECKS is a > > good idea (I think it is), but that is orthogonal. When > > CONFIG_RUST_OVERFLOW_CHECKS is enabled, you should respect the flag. > > I would agree. If users do not want panics on overflow, they disable > RUST_OVERFLOW_CHECKS. If the config is enabled, overflows in ktime sub > should panic, even if it does not do so in equivalent C code. > What's reason then? If we think a piece of API should have a different semantics than its C counterpart, that suggests we also need to change the C side for the same reason. Don't keep good stuffs only to ourselves ;-) Plus, what if users don't want to panic on ktime API but still want overflow checks for other parts? Using RUST_OVERFLOW_CHECKS to determine whether ktime should perform overflow checkings seems a bad to me regardless of what semantics we end up with. For reference, the Rust std `Duration` performs always overflow checking: https://doc.rust-lang.org/src/std/time.rs.html#429-435 We shouldn't define that overflow checking of ktime follows the general rule of overflow checking of any i64, instead, we should have a clear rule for it. Regards, Boqun > BR Andreas
Powered by blists - more mailing lists