lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250220135149.GB31486@1wt.eu>
Date: Thu, 20 Feb 2025 14:51:49 +0100
From: Willy Tarreau <w@....eu>
To: "H. Peter Anvin" <hpa@...or.com>
Cc: Greg KH <gregkh@...uxfoundation.org>, Jan Engelhardt <ej@...i.de>,
        Boqun Feng <boqun.feng@...il.com>,
        Miguel Ojeda <miguel.ojeda.sandonis@...il.com>,
        Christoph Hellwig <hch@...radead.org>,
        rust-for-linux <rust-for-linux@...r.kernel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        David Airlie <airlied@...il.com>, linux-kernel@...r.kernel.org,
        ksummit@...ts.linux.dev
Subject: Re: Rust kernel policy

On Thu, Feb 20, 2025 at 05:23:54AM -0800, H. Peter Anvin wrote:
> In the NASM codebase I long ago started using nasm_new() and nasm_zero()
> macros for this purpose, and structure copies really can just be aasignment
> statements. People writing C seem to have a real aversion for using
> structures as values (arguments, return values or assignments) even though
> that has been valid since at least C90 and can genuinely produce better code
> in some cases.

I do use them in some of my code, particularly dual-value return types.
They have the benefit of often working with a register pair and coming
at zero cost, while allowing to support both a status and a value. I've
even made a strings library ("ist") that uses (ptr,len) and passes that
as arguments and returns that. That's super convenient because you can
chain your operations on a single line (e.g. to concat elements) and
the resulting code remains efficient and compact.

The real issue with structure assignment (in the kernel) is that the
compiler knows what to copy and will usually not do anything of holes
so that's how we can easily leak uninitialized data to userland. But
outsize of this specific case that could be instrumented, I like and
encourage this practice!

Willy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ