lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20131031151551.675ab908@redhat.com>
Date:	Thu, 31 Oct 2013 15:15:51 +0100
From:	Jesper Dangaard Brouer <jbrouer@...hat.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
Cc:	Jesper Dangaard Brouer <brouer@...hat.com>, netdev@...r.kernel.org,
	"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
	Dave Taht <dave.taht@...il.com>
Subject: Re: [net-next PATCH] net: codel: Avoid undefined behavior from
 signed overflow

On Wed, 30 Oct 2013 11:01:44 -0700
Eric Dumazet <eric.dumazet@...il.com> wrote:

> On Wed, 2013-10-30 at 18:23 +0100, Jesper Dangaard Brouer wrote:
> > From: Jesper Dangaard Brouer <netoptimizer@...uer.com>
> > 
> > As described in commit 5a581b367 (jiffies: Avoid undefined
> > behavior from signed overflow), according to the C standard
> > 3.4.3p3, overflow of a signed integer results in undefined
> > behavior.
> > 
> > To fix this, do as the above commit, and do an unsigned
> > subtraction, and interpreting the result as a signed
> > two's-complement number.  This is based on the theory from
> > RFC 1982 and is nicely described in wikipedia here:
> >  https://en.wikipedia.org/wiki/Serial_number_arithmetic#General_Solution
> > 
> > A side-note, I have seen practical issues with the previous logic
> > when dealing with 16-bit, on a 64-bit machine (gcc version
> > 4.4.5). This were 32-bit, which I have not observed issues with.
> > 
> > Cc: Paul E. McKenney <paulmck@...ux.vnet.ibm.com>
> > Signed-off-by: Jesper Dangaard Brouer <netoptimizer@...uer.com>
> > ---
> > 
> >  include/net/codel.h |    8 ++++----
> >  1 files changed, 4 insertions(+), 4 deletions(-)
> > 
> > diff --git a/include/net/codel.h b/include/net/codel.h
> > index 389cf62..700fcdf 100644
> > --- a/include/net/codel.h
> > +++ b/include/net/codel.h
> > @@ -72,10 +72,10 @@ static inline codel_time_t codel_get_time(void)
> >  	return ns >> CODEL_SHIFT;
> >  }
> >  
> > -#define codel_time_after(a, b)		((s32)(a) - (s32)(b) > 0)
> > -#define codel_time_after_eq(a, b)	((s32)(a) - (s32)(b) >= 0)
> > -#define codel_time_before(a, b)		((s32)(a) - (s32)(b) < 0)
> > -#define codel_time_before_eq(a, b)	((s32)(a) - (s32)(b) <= 0)
> > +#define codel_time_after(a, b)		((s32)((a) - (b)) > 0)
> > +#define codel_time_after_eq(a, b)	((s32)((a) - (b)) >= 0)
> > +#define codel_time_before(a, b) 	((s32)((a) - (b)) < 0)
> > +#define codel_time_before_eq(a, b)	((s32)((a) - (b)) <= 0)
> >  
> 
> I see nothing enforcing an unsigned subtraction as claimed in your
> changelog.
> 
> a / b could be signed.
> 
> Paul commit 5a581b367b5 was OK because of existing typecheck(unsigned
> long, ....)

Okay, I'll cook up another patch, after work.

Adding all the typecheck() stuff, just bloats the code.

Would it be better/okay just to do?:
 (s32)((u32)(a) - (u32)(b)) > 0)


-- 
Best regards,
  Jesper Dangaard Brouer
  MSc.CS, Sr. Network Kernel Developer at Red Hat
  Author of http://www.iptv-analyzer.org
  LinkedIn: http://www.linkedin.com/in/brouer
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ