Message-ID: <kfkku4rjsktgkufkuehliojv3izxdutc55inmv3yvenu33zr7e@lluedzjnqnki>
Date: Sat, 8 Feb 2025 20:19:22 +0100
From: Alejandro Colomar <alx@...nel.org>
To: Miguel Ojeda <miguel.ojeda.sandonis@...il.com>
Cc: DJ Delorie <dj@...hat.com>, Eric Blake <eblake@...hat.com>, 
	Will Newton <will.newton@...aro.org>, Paul Eggert <eggert@...ucla.edu>, linux-man@...r.kernel.org, 
	Danilo Krummrich <dakr@...nel.org>, Tamir Duberstein <tamird@...il.com>, 
	Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>, 
	Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>, 
	Björn Roy Baron <bjorn3_gh@...tonmail.com>, Benno Lossin <benno.lossin@...ton.me>, 
	Andreas Hindborg <a.hindborg@...nel.org>, Alice Ryhl <aliceryhl@...gle.com>, 
	Trevor Gross <tmgross@...ch.edu>, rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] rust: alloc: satisfy `aligned_alloc` requirements

[CC += DJ, Eric, Will, Paul, linux-man@]

Hi Miguel,

On Thu, Feb 06, 2025 at 08:37:07PM +0100, Miguel Ojeda wrote:
> On Thu, Feb 6, 2025 at 7:58 PM Danilo Krummrich <dakr@...nel.org> wrote:
> >
> > What makes you think so?
> >
> > AFAICS, the man page applies for posix_memalign, aligned_alloc, memalign,
> > valloc and pvalloc.
> >
> > In case behavior differs between the functions, this is stated explicitly, e.g.
> > in the "RETURN VALUE" section.
> >
> > The "ERRORS" section does not differentiate, hence it should apply to all the
> > functions above, including aligned_alloc.
> >
> > Do I miss anything?
> 
> The explanation of the requirements (in the Linux man page) mentions
> different requirements for each function.
> 
> Moreover, in practice, glibc seemed to allow almost any alignment up
> to 2023, and since then they have this:
> 
>     +/* Similar to memalign, but starting with ISO C17 the standard
>     +   requires an error for alignments that are not supported by the
>     +   implementation.  Valid alignments for the current implementation
>     +   are non-negative powers of two.  */
>     +  if (!powerof2 (alignment) || alignment == 0)
>     +    {
>     +      __set_errno (EINVAL);
>     +      return 0;
>     +    }
> 
> Including a test that does not fail for a degenerate alignment (1).
> Thus I don't think the "multiple of sizeof" part applies today or in
> the past for that implementation (again, in practice).
> 
> But I don't know how those sections are formally supposed to work or
> what requirements (and/or behavior) the man pages are supposed to be
> documenting -- Cc'ing Alejandro. It seems clarifying the page would
> help.

Here's my understanding after reading these pages in the Linux man-pages
project, the POSIX description, and doing some experiments:

-  memalign()

	It doesn't validate the input.  It over-aligns the pointer
	silently if necessary.  The text doesn't seem to match reality;
	I think the following diff would fix the description to match
	reality:

	diff --git i/man/man3/posix_memalign.3 w/man/man3/posix_memalign.3
	index b760cf271..a4da60eb3 100644
	--- i/man/man3/posix_memalign.3
	+++ w/man/man3/posix_memalign.3
	@@ -77,14 +77,13 @@ .SH DESCRIPTION
	 The obsolete function
	 .BR memalign ()
	 allocates
	 .I size
	 bytes and returns a pointer to the allocated memory.
	 The memory address will be a multiple of
	-.IR alignment ,
	-which must be a power of two.
	+.IR alignment .
	 .\" The behavior of memalign() for size==0 is as for posix_memalign()
	 .\" but no standards govern this.
	 .P
	 .BR aligned_alloc ()
	 is the same as
	 .BR memalign (),
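Review bot: dropping "which must be a power of two" leaves the memalign() paragraph saying nothing at all about alignments that are not powers of two, whereas the experiment later in this message shows memalign(3, 3) succeeding, i.e. the pointer being silently over-aligned. Rather than only deleting the clause, consider replacing it with that observed behaviour so the page documents what happens, e.g. `.IR alignment ,` followed by `over-aligned silently if necessary.`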

	That text might have been true in some ancient C library.  I
	don't know.  It just doesn't seem true now.

-  aligned_alloc()

	It seems to be like memalign(), with *some* input validation.
	It makes sure that the input is a power of two, or it fails.
	However, it doesn't check that the input is a multiple of
	_Alignof(void*).  That requirement is implementation-defined;
	neither POSIX nor ISO C imposes any specific requirement, so the
	requirement that the input be a power of two is imposed by
	glibc.  The documentation matches the experimental behavior.

-  posix_memalign()

	This function is similar to aligned_alloc(), with an unfortunate
	prototype (it returns the new memory via an output parameter,
	which makes it a bit less safe in C: you can't apply the
	[[gnu::malloc()]] attribute, for example, and static analyzers
	might be confused if the pointer is uninitialized), but with
	stricter requirements.  It requires that the input be a power of
	two and a multiple of _Alignof(void*), and those requirements are
	mandated by POSIX.
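Since the three allocators validate different things, a caller that wants predictable behaviour can check the request itself before calling into libc. The following is an added example written for this page, not code from the message, from the man-pages project or from glibc; the names `alignment_error`, `checked_aligned_alloc`, `is_aligned` and `alloc_and_check` are invented. It enforces the strictest rules identified above (non-zero power of two, multiple of `sizeof(void *)`, and the ISO C11 wording that `size` be a multiple of `alignment`), reports `EINVAL` exactly as `posix_memalign()` does, and then delegates to `posix_memalign()`, the one whose requirements are standard-mandated:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Example code added for this page (not from the message or from glibc);
 * every function name below is invented.  alignment_error() applies the
 * strictest rules the discussion identifies, so that a caller never depends
 * on which checks a particular C library happens to perform:
 *   - alignment must be non-zero and a power of two      (glibc, POSIX)
 *   - alignment must be a multiple of sizeof(void *)     (POSIX)
 *   - size must be a multiple of alignment               (ISO C11 aligned_alloc
 *     wording, kept here as the most conservative rule)
 * Returns 0 when all rules hold, EINVAL otherwise. */
int
alignment_error(size_t alignment, size_t size)
{
	if (alignment == 0)
		return EINVAL;			/* the "Zero" case */
	if ((alignment & (alignment - 1)) != 0)
		return EINVAL;			/* not a power of two: 3, 24 */
	if (alignment % sizeof(void *) != 0)
		return EINVAL;			/* power of two but too small: 2 */
	if (size % alignment != 0)
		return EINVAL;			/* e.g. (16, 24) */
	return 0;
}

/* Like aligned_alloc(3), but validates first and then delegates to
 * posix_memalign(), whose requirements are the POSIX-mandated ones.
 * On failure returns NULL with errno set (EINVAL from the checks above,
 * or whatever posix_memalign() reported, e.g. ENOMEM). */
void *
checked_aligned_alloc(size_t alignment, size_t size)
{
	void  *p = NULL;	/* initialised so the output parameter never holds garbage */
	int   err;

	err = alignment_error(alignment, size);
	if (err == 0)
		err = posix_memalign(&p, alignment, size);
	if (err != 0) {
		errno = err;
		return NULL;
	}
	return p;
}

/* True if p is aligned to 'alignment' bytes (alignment must be non-zero). */
bool
is_aligned(const void *p, size_t alignment)
{
	return ((uintptr_t) p % alignment) == 0;
}

/* Allocate, verify the contract on the returned pointer, release.
 * Returns true only if the allocation succeeded and was aligned as asked. */
bool
alloc_and_check(size_t alignment, size_t size)
{
	void  *p = checked_aligned_alloc(alignment, size);
	bool  ok = (p != NULL) && is_aligned(p, alignment);

	free(p);			/* free(NULL) is a no-op */
	return ok;
}

int
main(void)
{
	/* The five (alignment, size) pairs from the message's test program,
	 * plus one valid larger request; constructed sample input. */
	static const size_t cases[][2] = {
		{3, 3}, {2, 2}, {24, 24}, {8, 8}, {0, 0}, {64, 128},
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		size_t  a = cases[i][0], n = cases[i][1];
		void    *p;

		errno = 0;
		p = checked_aligned_alloc(a, n);
		if (p == NULL)
			printf("checked_aligned_alloc(%zu, %zu): NULL; errno=%d\n",
			       a, n, errno);
		else
			printf("checked_aligned_alloc(%zu, %zu): %p; aligned=%s\n",
			       a, n, p, is_aligned(p, a) ? "yes" : "no");
		free(p);
	}
	return 0;
}
```

With this wrapper the cases that glibc treats inconsistently (3 rejected, 2 silently over-aligned) are all rejected up front, and `is_aligned()` lets the caller verify the contract on the returned pointer instead of trusting the allocator.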

Below is a test program that shows all of this.

I wonder why glibc silently over-aligns aligned_alloc() without reporting
an error for an alignment of 2, while it reports an error for an
alignment of 3.  It doesn't make much sense at first glance.  No
standard seems to require that, so it looks like an arbitrary choice.


alx@...uan:~/tmp/gcc$ cat m.c 
#define _GNU_SOURCE
#include <errno.h>
#include <malloc.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Probe each aligned allocator with the same (alignment, size) pair and
   print the returned pointer (or error code) together with the errno name
   (%#m is a glibc printf extension).  errno is reset before every call. */
int
main(void)
{
	int   i;
	void  *p;

	puts("prime number");

	errno = 0;
	i = posix_memalign(&p, 3, 3);
	printf("posix_memalign(, 3, 3): %s; %#m\n", strerrorname_np(i));

	errno = 0;
	p = aligned_alloc(3, 3);
	printf("aligned_alloc(3, 3): %p; %#m\n", p);

	errno = 0;
	p = valloc(3);
	printf("valloc(3): %p; %#m\n", p);

	errno = 0;
	p = memalign(3, 3);
	printf("memalign(3, 3): %p; %#m\n", p);

	errno = 0;
	p = pvalloc(3);
	printf("pvalloc(3): %p; %#m\n", p);

	puts("");
	puts("Power of two, but not alignof(void*)");

	errno = 0;
	i = posix_memalign(&p, 2, 2);
	printf("posix_memalign(, 2, 2): %s; %#m\n", strerrorname_np(i));

	errno = 0;
	p = aligned_alloc(2, 2);
	printf("aligned_alloc(2, 2): %p; %#m\n", p);

	errno = 0;
	p = valloc(2);
	printf("valloc(2): %p; %#m\n", p);

	errno = 0;
	p = memalign(2, 2);
	printf("memalign(2, 2): %p; %#m\n", p);

	errno = 0;
	p = pvalloc(2);
	printf("pvalloc(2): %p; %#m\n", p);

	puts("");
	puts("non-power of two, alignof(void*)");

	errno = 0;
	i = posix_memalign(&p, 24, 24);
	printf("posix_memalign(, 24, 24): %s; %#m\n", strerrorname_np(i));

	errno = 0;
	p = aligned_alloc(24, 24);
	printf("aligned_alloc(24, 24): %p; %#m\n", p);

	errno = 0;
	p = valloc(24);
	printf("valloc(24): %p; %#m\n", p);

	errno = 0;
	p = memalign(24, 24);
	printf("memalign(24, 24): %p; %#m\n", p);

	errno = 0;
	p = pvalloc(24);
	printf("pvalloc(24): %p; %#m\n", p);

	puts("");
	puts("Power of two, alignof(void*)");

	errno = 0;
	i = posix_memalign(&p, 8, 8);
	printf("posix_memalign(, 8, 8): %s; %#m\n", strerrorname_np(i));

	errno = 0;
	p = aligned_alloc(8, 8);
	printf("aligned_alloc(8, 8): %p; %#m\n", p);

	errno = 0;
	p = valloc(8);
	printf("valloc(8): %p; %#m\n", p);

	errno = 0;
	p = memalign(8, 8);
	printf("memalign(8, 8): %p; %#m\n", p);

	errno = 0;
	p = pvalloc(8);
	printf("pvalloc(8): %p; %#m\n", p);

	puts("");
	puts("Zero");

	errno = 0;
	i = posix_memalign(&p, 0, 0);
	printf("posix_memalign(, 0, 0): %s; %#m\n", strerrorname_np(i));

	errno = 0;
	p = aligned_alloc(0, 0);
	printf("aligned_alloc(0, 0): %p; %#m\n", p);

	errno = 0;
	p = valloc(0);
	printf("valloc(0): %p; %#m\n", p);

	errno = 0;
	p = memalign(0, 0);
	printf("memalign(0, 0): %p; %#m\n", p);

	errno = 0;
	p = pvalloc(0);
	printf("pvalloc(0): %p; %#m\n", p);
}
alx@...uan:~/tmp/gcc$ cc m.c 
alx@...uan:~/tmp/gcc$ ./a.out 
prime number
posix_memalign(, 3, 3): EINVAL; 0
aligned_alloc(3, 3): (nil); EINVAL
valloc(3): 0x55c7f4d9a000; 0
memalign(3, 3): 0x55c7f4d996b0; 0
pvalloc(3): 0x55c7f4d9b000; 0

Power of two, but not alignof(void*)
posix_memalign(, 2, 2): EINVAL; 0
aligned_alloc(2, 2): 0x55c7f4d996d0; 0
valloc(2): 0x55c7f4d9d000; 0
memalign(2, 2): 0x55c7f4d996f0; 0
pvalloc(2): 0x55c7f4d9e000; 0

non-power of two, alignof(void*)
posix_memalign(, 24, 24): EINVAL; 0
aligned_alloc(24, 24): (nil); EINVAL
valloc(24): 0x55c7f4da0000; 0
memalign(24, 24): 0x55c7f4d99740; 0
pvalloc(24): 0x55c7f4da1000; 0

Power of two, alignof(void*)
posix_memalign(, 8, 8): 0; 0
aligned_alloc(8, 8): 0x55c7f4d99760; 0
valloc(8): 0x55c7f4da3000; 0
memalign(8, 8): 0x55c7f4d99780; 0
pvalloc(8): 0x55c7f4da4000; 0

Zero
posix_memalign(, 0, 0): EINVAL; 0
aligned_alloc(0, 0): (nil); EINVAL
valloc(0): 0x55c7f4da6000; 0
memalign(0, 0): 0x55c7f4d997a0; 0
pvalloc(0): 0x55c7f4da7000; 0



Have a lovely night!
Alex

-- 
<https://www.alejandro-colomar.es/>

