From: Hannes Frederic Sowa <hannes@stressinduktion.org>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: linux-kernel@vger.kernel.org, davej@redhat.com, price@mit.edu
Subject: Re: [PATCH] random: check for increase of entropy_count because of signed conversion
Date: Sat, 19 Jul 2014 08:20:11 +0200 [thread overview]
Message-ID: <1405750811.5052.2.camel@localhost> (raw)
In-Reply-To: <20140719054258.GH18775@thunk.org>
On Sa, 2014-07-19 at 01:42 -0400, Theodore Ts'o wrote:
> On Sat, Jul 19, 2014 at 01:35:48AM +0200, Hannes Frederic Sowa wrote:
> > > + nfrac = ibytes << (ENTROPY_SHIFT + 3);
> > > + if (entropy_count < 0) {
> >
> > Minor nit: maybe also add an unlikely() here?
>
> Yep, done.
>
> > > + if ((unsigned) entropy_count > nfrac)
> >
> > (unsigned) -> (size_t)
> >
> > size_t could also be (unsigned long) so the plain (unsigned) is
> > misleading.
>
> Good point, done.
>
> > (Maybe I wouldn't have done the cast at all, as we compile the kernel
> > with -Wno-sign-compare and we have the < 0 check right above, but I
> > don't have a strong opinion on that.)
>
> I also wanted to shut up other static code checkers like Coverity. :-)
>
> > > + nbytes = min_t(size_t, nbytes, INT_MAX >> ENTROPY_SHIFT);
> >
> > Hmm, not sure, nfracs unit is 1/8 bits, so don't we have to limit nbytes
> > to INT_MAX >> (ENTROPY_SHIFT + 3) here?
>
> Good catch, done.
>
> > And if we want to be even more correct here, we could switch from
> > INT_MAX to SIZE_MAX, as we do all nfrac calculations in the size_t
> > domain.
>
> The main reason why I used INT_MAX was as a further safety check to
> protect the:
>
> entropy_count -= nfrac;
>
> calculation, since nfrac is size_t and entropy_count is int.
>
> In fact I think this online change ("nbytes = min_t(size_t, nbytes,
> INT_MAX >> (ENTROPY_SHIFT + 3));") would have been enough to fix the
> problem all by itself, but the other changes results in code which is
> cleaner and easier to understand, and I'm a firm believer in multiple
> layers of protection. :-)
I see and can agree here. :)
I think the patch is good to go.
Thanks you,
Hannes
prev parent reply other threads:[~2014-07-19 6:20 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-12 15:42 perf: use after free in perf_remove_from_context Sasha Levin
2014-05-14 16:29 ` Peter Zijlstra
2014-05-14 16:32 ` Sasha Levin
2014-05-14 16:35 ` Peter Zijlstra
2014-05-14 16:38 ` Sasha Levin
2014-05-14 16:52 ` Peter Zijlstra
2014-05-14 17:09 ` Sasha Levin
2014-05-14 17:20 ` Dave Jones
2014-05-14 18:37 ` Peter Zijlstra
2014-05-28 23:52 ` Sasha Levin
2014-05-29 2:31 ` Sasha Levin
2014-05-29 7:59 ` Peter Zijlstra
2014-05-29 7:57 ` Peter Zijlstra
2014-05-29 14:47 ` Sasha Levin
2014-05-29 15:07 ` Peter Zijlstra
2014-05-29 16:44 ` Sasha Levin
2014-05-29 16:50 ` Peter Zijlstra
2014-05-29 16:52 ` Sasha Levin
2014-05-29 17:00 ` Peter Zijlstra
2014-05-29 22:37 ` Sasha Levin
2014-06-05 14:38 ` [tip:perf/core] perf: Fix use after free in perf_remove_from_context() tip-bot for Peter Zijlstra
2014-05-15 18:11 ` eventpoll __list_del_entry corruption (was: perf: use after free in perf_remove_from_context) Peter Zijlstra
2014-05-15 18:16 ` eventpoll __list_del_entry corruption Sasha Levin
2014-06-16 9:44 ` Eric Wong
2014-05-21 8:25 ` BUG at /usr/src/linux-2.6/mm/filemap.c:202 (was: perf: use after free in perf_remove_from_context) Peter Zijlstra
2014-05-21 13:02 ` BUG at /usr/src/linux-2.6/mm/filemap.c:202 Sasha Levin
2014-06-03 15:07 ` eventpoll __list_del_entry corruption Jason Baron
2014-06-03 15:11 ` Peter Zijlstra
2014-05-16 15:34 ` BUG_ON drivers/char/random.c:986 (Was: perf: use after free in perf_remove_from_context) Peter Zijlstra
2014-05-16 16:06 ` H. Peter Anvin
2014-05-16 16:21 ` Peter Zijlstra
2014-05-17 0:46 ` Hannes Frederic Sowa
2014-05-17 2:18 ` Theodore Ts'o
2014-05-17 16:24 ` Sasha Levin
2014-05-17 17:00 ` Peter Zijlstra
2014-07-15 4:36 ` BUG_ON drivers/char/random.c:986 Dave Jones
2014-07-15 20:29 ` Hannes Frederic Sowa
2014-07-16 8:33 ` Theodore Ts'o
2014-07-16 19:18 ` [PATCH] random: check for increase of entropy_count because of signed conversion Hannes Frederic Sowa
2014-07-18 21:25 ` Theodore Ts'o
2014-07-18 21:43 ` Hannes Frederic Sowa
2014-07-18 21:50 ` Theodore Ts'o
2014-07-18 22:07 ` Theodore Ts'o
2014-07-18 23:35 ` Hannes Frederic Sowa
2014-07-19 5:42 ` Theodore Ts'o
2014-07-19 6:20 ` Hannes Frederic Sowa [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1405750811.5052.2.camel@localhost \
--to=hannes@stressinduktion.org \
--cc=davej@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=price@mit.edu \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.