| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1BF6F8B6-BD06-4300-8BD6-6827DCE24A5C@collabora.com>
Date: Tue, 26 Aug 2025 11:11:06 -0300
From: Daniel Almeida <daniel.almeida@...labora.com>
To: Lyude Paul <lyude@...hat.com>
Cc: rust-for-linux@...r.kernel.org,
linux-kernel@...r.kernel.org,
Thomas Gleixner <tglx@...utronix.de>,
Andreas Hindborg <a.hindborg@...nel.org>,
FUJITA Tomonori <fujita.tomonori@...il.com>,
Boqun Feng <boqun.feng@...il.com>,
Frederic Weisbecker <frederic@...nel.org>,
Anna-Maria Behnsen <anna-maria@...utronix.de>,
John Stultz <jstultz@...gle.com>,
Stephen Boyd <sboyd@...nel.org>,
Miguel Ojeda <ojeda@...nel.org>,
Alex Gaynor <alex.gaynor@...il.com>,
Gary Guo <gary@...yguo.net>,
Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Benno Lossin <lossin@...nel.org>,
Alice Ryhl <aliceryhl@...gle.com>,
Trevor Gross <tmgross@...ch.edu>,
Danilo Krummrich <dakr@...nel.org>
Subject: Re: [PATCH v3 1/2] rust: time: Implement Add<Delta>/Sub<Delta> for
Instant
Hi Lyude,
> On 20 Aug 2025, at 17:26, Lyude Paul <lyude@...hat.com> wrote:
>
> In order to copy the behavior rust currently follows for basic arithmetic
> operations and panic if the result of an addition or subtraction results in
> a value that would violate the invariants of Instant, but only if the
> kernel has overflow checking for rust enabled.
>
> Signed-off-by: Lyude Paul <lyude@...hat.com>
>
> ---
>
> V2:
> * Change behavior in ops::{Add,Sub}<Delta> so that we panic on overflows
> under the same conditions that arithmetic operations in rust would panic
> by default.
> V3:
> * Don't forget to update the commit message this time!
>
> rust/kernel/time.rs | 43 ++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 42 insertions(+), 1 deletion(-)
>
> diff --git a/rust/kernel/time.rs b/rust/kernel/time.rs
> index 64c8dcf548d63..4bd7a8a009f3e 100644
> --- a/rust/kernel/time.rs
> +++ b/rust/kernel/time.rs
> @@ -25,6 +25,7 @@
> //! C header: [`include/linux/ktime.h`](srctree/include/linux/ktime.h).
>
> use core::marker::PhantomData;
> +use core::ops;
>
> pub mod delay;
> pub mod hrtimer;
> @@ -202,7 +203,7 @@ pub(crate) fn as_nanos(&self) -> i64 {
> }
> }
>
> -impl<C: ClockSource> core::ops::Sub for Instant<C> {
> +impl<C: ClockSource> ops::Sub for Instant<C> {
> type Output = Delta;
>
> // By the type invariant, it never overflows.
> @@ -214,6 +215,46 @@ fn sub(self, other: Instant<C>) -> Delta {
> }
> }
>
> +impl<T: ClockSource> ops::Add<Delta> for Instant<T> {
> + type Output = Self;
> +
> + #[inline]
> + fn add(self, rhs: Delta) -> Self::Output {
> + // INVARIANT: With arithmetic over/underflow checks enabled, this will panic if we overflow
> + // (e.g. go above `KTIME_MAX`)
> + let res = self.inner + rhs.nanos;
Shouldn’t we clamp here instead of..
> +
> + // INVARIANT: With overflow checks enabled, we verify here that the value is >= 0
> + #[cfg(CONFIG_RUST_OVERFLOW_CHECKS)]
> + assert!(res >= 0);
..relying on this?
> +
> + Self {
> + inner: res,
> + _c: PhantomData,
> + }
> + }
> +}
> +
> +impl<T: ClockSource> ops::Sub<Delta> for Instant<T> {
> + type Output = Self;
> +
> + #[inline]
> + fn sub(self, rhs: Delta) -> Self::Output {
> + // INVARIANT: With arithmetic over/underflow checks enabled, this will panic if we overflow
> + // (e.g. go above `KTIME_MAX`)
> + let res = self.inner - rhs.nanos;
> +
> + // INVARIANT: With overflow checks enabled, we verify here that the value is >= 0
> + #[cfg(CONFIG_RUST_OVERFLOW_CHECKS)]
> + assert!(res >= 0);
Same here?
> +
> + Self {
> + inner: res,
> + _c: PhantomData,
> + }
> + }
> +}
> +
> /// A span of time.
> ///
> /// This struct represents a span of time, with its value stored as nanoseconds.
> --
> 2.50.0
>
>
Powered by blists - more mailing lists