From: Kees Cook <keescook@chromium.org>
To: Yury Norov <yury.norov@gmail.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Wolfram Sang <wsa+renesas@sang-engineering.com>,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
Steven Rostedt <rostedt@goodmis.org>
Subject: Re: [PATCH] find: Do not read beyond variable boundaries on small sizes
Date: Wed, 8 Dec 2021 11:19:52 -0800 [thread overview]
Message-ID: <202112081104.958EC2E6@keescook> (raw)
In-Reply-To: <20211207233930.GA3955@lapt>
On Tue, Dec 07, 2021 at 03:39:30PM -0800, Yury Norov wrote:
> Bitmap functions work identically for all sizes from 0 to INT_MAX - 1.
> Users don't 'choose between functions based on the size of their target'.
> [...]
> for_each_*_bit() requires a pointer to an array of unsigned longs. If
> it's provided with something else, this is an error on a caller side.
I have a sense we're both talking past each other. Let me try to show
what I'm seeing: the code in the bitmap API chooses one of two paths:
- if "size" is a constant expression and is sizeof(unsigned long) or
smaller, mask to "size" and call into ff*() built-ins.
- else, use a dynamic sized loop against a series of unsigned longs.
For the dynamic size case, yes, absolutely, things must stay unsigned
long aligned, etc, that makes sense. I don't want to change anything
there.
For the constant-expression size, this requirement does not hold. Every
helper performs a constant expression sized mask of the argument before
using ff*(), for example:
unsigned long val;
if (unlikely(offset >= size))
return size;
val = *addr & GENMASK(size - 1, offset);
return val ? __ffs(val) : size;
In this case, the argument does _not_ need to be a pointer to native
unsigned long. And this is seen in the many many places in the kernel
using non-unsigned-long arguments with a constant-expression size. (e.g.
an int with size 32).
--
Kees Cook
next prev parent reply other threads:[~2021-12-08 19:19 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-03 10:08 [PATCH] find: Do not read beyond variable boundaries on small sizes Kees Cook
2021-12-03 12:30 ` Andy Shevchenko
2021-12-03 16:37 ` Kees Cook
2021-12-03 19:16 ` Yury Norov
2021-12-03 22:43 ` Kees Cook
2021-12-03 18:26 ` Yury Norov
2021-12-03 20:48 ` Steven Rostedt
2021-12-03 23:01 ` Kees Cook
2021-12-07 23:39 ` Yury Norov
2021-12-08 5:25 ` Yury Norov
2021-12-08 10:22 ` Andy Shevchenko
2021-12-08 13:07 ` David Laight
2021-12-08 19:19 ` Kees Cook [this message]
2021-12-08 19:34 ` Kees Cook
2021-12-08 23:23 ` Rasmus Villemoes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202112081104.958EC2E6@keescook \
--to=keescook@chromium.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=rostedt@goodmis.org \
--cc=wsa+renesas@sang-engineering.com \
--cc=yury.norov@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.