lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 27 May 2016 14:46:05 -0700
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	Arnd Bergmann <arnd@...db.de>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org,
	Andrzej Hajda <a.hajda@...sung.com>,
	"Rafael J. Wysocki" <rjw@...ysocki.net>,
	Maxime Ripard <maxime.ripard@...e-electrons.com>,
	David Airlie <airlied@...ux.ie>,
	Robin Murphy <robin.murphy@....com>,
	Thomas Gleixner <tglx@...utronix.de>,
	Adrian Hunter <adrian.hunter@...el.com>,
	Srinivas Kandagatla <srinivas.kandagatla@...aro.org>,
	Russell King <linux@...linux.org.uk>,
	Bob Peterson <rpeterso@...hat.com>, linux-acpi@...r.kernel.org,
	iommu@...ts.linux-foundation.org, linux-media@...r.kernel.org,
	netdev@...r.kernel.org, linux-wireless@...r.kernel.org,
	v9fs-developer@...ts.sourceforge.net
Subject: Re: [PATCH] remove lots of IS_ERR_VALUE abuses

On Fri, 27 May 2016 23:23:25 +0200 Arnd Bergmann <arnd@...db.de> wrote:

> Most users of IS_ERR_VALUE() in the kernel are wrong, as they
> pass an 'int' into a function that takes an 'unsigned long'
> argument. This happens to work because the type is sign-extended
> on 64-bit architectures before it gets converted into an
> unsigned type.
> 
> However, anything that passes an 'unsigned short' or 'unsigned int'
> argument into IS_ERR_VALUE() is guaranteed to be broken, as are
> 8-bit integers and types that are wider than 'unsigned long'.
> 
> Andrzej Hajda has already fixed a lot of the worst abusers that
> were causing actual bugs, but it would be nice to prevent any
> users that are not passing 'unsigned long' arguments.
> 
> This patch changes all users of IS_ERR_VALUE() that I could find
> on 32-bit ARM randconfig builds and x86 allmodconfig. For the
> moment, this doesn't change the definition of IS_ERR_VALUE()
> because there are probably still architecture specific users
> elsewhere.

So you do plan to add some sort of typechecking into IS_ERR_VALUE()?

> Almost all the warnings I got are for files that are better off
> using 'if (err)' or 'if (err < 0)'.
> The only legitimate user I could find that we get a warning for
> is the (32-bit only) freescale fman driver, so I did not remove
> the IS_ERR_VALUE() there but changed the type to 'unsigned long'.
> For 9pfs, I just worked around one user whose calling conventions
> are so obscure that I did not dare change the behavior.
> 
> I was using this definition for testing:
> 
>  #define IS_ERR_VALUE(x) ((unsigned long*)NULL == (typeof (x)*)NULL && \
>        unlikely((unsigned long long)(x) >= (unsigned long long)(typeof(x))-MAX_ERRNO))
> 
> which ends up making all 16-bit or wider types work correctly with
> the most plausible interpretation of what IS_ERR_VALUE() was supposed
> to return according to its users, but also causes a compile-time
> warning for any users that do not pass an 'unsigned long' argument.
> 
> I suggested this approach earlier this year, but back then we ended
> up deciding to just fix the users that are obviously broken. After
> the initial warning that caused me to get involved in the discussion
> (fs/gfs2/dir.c) showed up again in the mainline kernel, Linus
> asked me to send the whole thing again.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ