| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGXu5jKgDOezBGrYXCcy_UwM88rnT6pEpt9F062Q2qjf63KXBA@mail.gmail.com>
Date: Thu, 8 Mar 2018 12:39:58 -0800
From: Kees Cook <keescook@...omium.org>
To: Rasmus Villemoes <linux@...musvillemoes.dk>
Cc: Josh Poimboeuf <jpoimboe@...hat.com>,
Andrew Morton <akpm@...ux-foundation.org>,
LKML <linux-kernel@...r.kernel.org>,
Jonathan Corbet <corbet@....net>,
"Gustavo A. R. Silva" <gustavo@...eddedor.com>,
Steven Rostedt <rostedt@...dmis.org>, Chris Mason <clm@...com>,
Josef Bacik <jbacik@...com>, David Sterba <dsterba@...e.com>,
"David S. Miller" <davem@...emloft.net>,
Alexey Kuznetsov <kuznet@....inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
Ingo Molnar <mingo@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Thomas Gleixner <tglx@...utronix.de>,
Masahiro Yamada <yamada.masahiro@...ionext.com>,
Borislav Petkov <bp@...e.de>,
Randy Dunlap <rdunlap@...radead.org>,
Ian Abbott <abbotti@....co.uk>,
"Tobin C. Harding" <me@...in.cc>,
Sergey Senozhatsky <sergey.senozhatsky.work@...il.com>,
Petr Mladek <pmladek@...e.com>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
Pantelis Antoniou <pantelis.antoniou@...sulko.com>,
Linux Btrfs <linux-btrfs@...r.kernel.org>,
Network Development <netdev@...r.kernel.org>,
Kernel Hardening <kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH 0/3] Remove accidental VLA usage
On Thu, Mar 8, 2018 at 11:57 AM, Rasmus Villemoes
<linux@...musvillemoes.dk> wrote:
> On 2018-03-08 16:02, Josh Poimboeuf wrote:
>> On Wed, Mar 07, 2018 at 07:30:44PM -0800, Kees Cook wrote:
>>> This series adds SIMPLE_MAX() to be used in places where a stack array
>>> is actually fixed, but the compiler still warns about VLA usage due to
>>> confusion caused by the safety checks in the max() macro.
>>>
>>> I'm sending these via -mm since that's where I've introduced SIMPLE_MAX(),
>>> and they should all have no operational differences.
>>
>> What if we instead simplify the max() macro's type checking so that GCC
>> can more easily fold the array size constants? The below patch seems to
>> work:
>>
>
>> +extern long __error_incompatible_types_in_min_macro;
>> +extern long __error_incompatible_types_in_max_macro;
>> +
>> +#define __min(t1, t2, x, y) \
>> + __builtin_choose_expr(__builtin_types_compatible_p(t1, t2), \
>> + (t1)(x) < (t2)(y) ? (t1)(x) : (t2)(y), \
>> + (t1)__error_incompatible_types_in_min_macro)
>>
>> /**
>> * min - return minimum of two values of the same or compatible types
>> * @x: first value
>> * @y: second value
>> */
>> -#define min(x, y) \
>> - __min(typeof(x), typeof(y), \
>> - __UNIQUE_ID(min1_), __UNIQUE_ID(min2_), \
>> - x, y)
>> +#define min(x, y) __min(typeof(x), typeof(y), x, y) \
>>
>
> But this introduces the the-chosen-one-of-x-and-y-gets-evaluated-twice
> problem. Maybe we don't care? But until we get a
> __builtin_assert_this_has_no_side_effects() I think that's a little
> dangerous.
Eek, yes, we can't do the double-eval. The proposed change breaks
things badly. :)
a: 20
b: 40
max(a++, b++): 40
a: 21
b: 41
a: 20
b: 40
new_max(a++, b++): 41
a: 21
b: 42
However, this works for me:
#define __new_max(t1, t2, max1, max2, x, y) \
__builtin_choose_expr(__builtin_constant_p(x) && \
__builtin_constant_p(y) && \
__builtin_types_compatible_p(t1, t2), \
(t1)(x) > (t2)(y) ? (t1)(x) : (t2)(y), \
__max(t1, t2, max1, max2, x, y))
#define new_max(x, y) \
__new_max(typeof(x), typeof(y), \
__UNIQUE_ID(max1_), __UNIQUE_ID(max2_), \
x, y)
(pardon the whitespace damage...)
Let me spin a sane patch and test it...
-Kees
--
Kees Cook
Pixel Security
Powered by blists - more mailing lists