From: Rainer Weikusat <rainer.weikusat@sncag.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Rainer Weikusat <rweikusat@sncag.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
torvalds@osdl.org, akpm@osdl.org
Subject: Re: Implementation defined behaviour in read_write.c
Date: Wed, 22 Sep 2004 13:58:06 +0800 [thread overview]
Message-ID: <87k6umetg1.fsf@farside.sncag.com> (raw)
In-Reply-To: <1095764243.30748.55.camel@localhost.localdomain> (Alan Cox's message of "Tue, 21 Sep 2004 11:57:48 +0100")
Alan Cox <alan@lxorguk.ukuu.org.uk> writes:
> On Llu, 2004-09-20 at 16:54, Rainer Weikusat wrote:
>> The following code is in the function do_readv_writev in the file
>> fs/read_write.c (2.6.8.1):
>
> The 2.4.x kernel has part of this fixed. In particular it does the
> overflow check differently because gcc 3.x in some forms did appear to
> be making use of the undefined nature of the test and that was a
> potential security hole. ("its undefined lets say its always
> false.."). The initial cast and test should be fine.
I assume you mean the cast at the beginning of the loop. According to
the C-standard, both cases are exactly the same (they are both
conversions of potentially nonrepresentable values).
6.3.1.3 Signed and unsigned integers
When a value with integer type is converted to another integer
type other than _Bool, if the value can be represented by the
new type, it is unchanged.
[...]
Otherwise, the new type is signed and the value cannot be
represented in it; either the result is implementation-defined
or an implementation-defined signal is raised.
The requirement for implementation defined is that the implementation
documents the behaviour (which gcc at least up to 3.4.4 doesn't). This
not a problem with the current compiler, but I happen to know by
coincedence that some people of unknown relations to the gcc team
(like the person who wrote this advisory:
<URL:http://cert.uni-stuttgart.de/advisories/c-integer-overflow.php>)
would like to turn it into a problem, because they strongly believe it
is "the right thing to do", so it may be unwise to rely on gcc for
treating this sanely, ie so that it doesn't break idioms which are in
rather common use.
next prev parent reply other threads:[~2004-09-22 5:58 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-20 15:54 Implementation defined behaviour in read_write.c Rainer Weikusat
2004-09-21 5:43 ` Rainer Weikusat
2004-09-21 10:57 ` Alan Cox
2004-09-22 5:58 ` Rainer Weikusat [this message]
2004-09-22 14:41 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87k6umetg1.fsf@farside.sncag.com \
--to=rainer.weikusat@sncag.com \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=rweikusat@sncag.com \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.