* question about potential integer truncation in default_erasesize
@ 2015-09-26 13:18 PaX Team
2015-09-29 2:02 ` Brian Norris
0 siblings, 1 reply; 5+ messages in thread
From: PaX Team @ 2015-09-26 13:18 UTC (permalink / raw)
To: linux-mtd; +Cc: Brian Norris, David Woodhouse, re.emese, spender
hi all,
drivers/mtd/chips/map_rom.c:default_erasesize can truncate map_info.size
from unsigned long to unsigned int on 64 bit archs and i'm wondering if
this is intentional or should/could map_info.size be turned into an unsigned
int field? FTR, this issue was detected with the upcoming version of the
size overflow plugin we have in PaX/grsecurity and there're a handful of
similar cases in the tree where potentially unwanted or unnecessary integer
truncations occur, this being one of these. any opinion/help is welcome!
cheers,
PaX Team
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: question about potential integer truncation in default_erasesize
2015-09-26 13:18 question about potential integer truncation in default_erasesize PaX Team
@ 2015-09-29 2:02 ` Brian Norris
2015-09-29 20:56 ` PaX Team
0 siblings, 1 reply; 5+ messages in thread
From: Brian Norris @ 2015-09-29 2:02 UTC (permalink / raw)
To: PaX Team; +Cc: linux-mtd, David Woodhouse, re.emese, spender
On Sat, Sep 26, 2015 at 03:18:08PM +0200, PaX Team wrote:
> hi all,
>
> drivers/mtd/chips/map_rom.c:default_erasesize can truncate map_info.size
> from unsigned long to unsigned int on 64 bit archs and i'm wondering if
> this is intentional or should/could map_info.size be turned into an unsigned
> int field? FTR, this issue was detected with the upcoming version of the
> size overflow plugin we have in PaX/grsecurity and there're a handful of
> similar cases in the tree where potentially unwanted or unnecessary integer
> truncations occur, this being one of these. any opinion/help is welcome!
This is being assigned to the erasesize, which is 32-bit already, and
all of MTD expects a 32-bit erasesize, so it'd be a pretty big job to
"fix" the truncation. But really, we can't handle (and shouldn't;
there's really no need) >32-bit eraseblocks. That would be an
un-manageable flash geometry.
Regards,
Brian
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: question about potential integer truncation in default_erasesize
2015-09-29 2:02 ` Brian Norris
@ 2015-09-29 20:56 ` PaX Team
2015-09-29 21:02 ` Brian Norris
0 siblings, 1 reply; 5+ messages in thread
From: PaX Team @ 2015-09-29 20:56 UTC (permalink / raw)
To: Brian Norris; +Cc: linux-mtd, David Woodhouse, re.emese, spender
On 28 Sep 2015 at 19:02, Brian Norris wrote:
> On Sat, Sep 26, 2015 at 03:18:08PM +0200, PaX Team wrote:
> > hi all,
> >
> > drivers/mtd/chips/map_rom.c:default_erasesize can truncate map_info.size
> > from unsigned long to unsigned int on 64 bit archs and i'm wondering if
> > this is intentional or should/could map_info.size be turned into an unsigned
> > int field? FTR, this issue was detected with the upcoming version of the
> > size overflow plugin we have in PaX/grsecurity and there're a handful of
> > similar cases in the tree where potentially unwanted or unnecessary integer
> > truncations occur, this being one of these. any opinion/help is welcome!
>
> This is being assigned to the erasesize, which is 32-bit already, and
> all of MTD expects a 32-bit erasesize, so it'd be a pretty big job to
> "fix" the truncation.
to make sure i got this right, map_info.size in other uses can hold a
value larger than 4GB (so it has to stay 64 bit, at least on 64 bit
archs) but for erasesize it should never have such a big value? that'd
actually be fine for us since it means when the overflow plugin instruments
this code any runtime trigger means a real problem, not a false positive.
cheers,
PaX Team
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: question about potential integer truncation in default_erasesize
2015-09-29 20:56 ` PaX Team
@ 2015-09-29 21:02 ` Brian Norris
2015-09-29 21:37 ` PaX Team
0 siblings, 1 reply; 5+ messages in thread
From: Brian Norris @ 2015-09-29 21:02 UTC (permalink / raw)
To: PaX Team; +Cc: linux-mtd, David Woodhouse, re.emese, spender
On Tue, Sep 29, 2015 at 10:56:25PM +0200, PaX Team wrote:
> On 28 Sep 2015 at 19:02, Brian Norris wrote:
>
> > On Sat, Sep 26, 2015 at 03:18:08PM +0200, PaX Team wrote:
> > > hi all,
> > >
> > > drivers/mtd/chips/map_rom.c:default_erasesize can truncate map_info.size
> > > from unsigned long to unsigned int on 64 bit archs and i'm wondering if
> > > this is intentional or should/could map_info.size be turned into an unsigned
> > > int field? FTR, this issue was detected with the upcoming version of the
> > > size overflow plugin we have in PaX/grsecurity and there're a handful of
> > > similar cases in the tree where potentially unwanted or unnecessary integer
> > > truncations occur, this being one of these. any opinion/help is welcome!
> >
> > This is being assigned to the erasesize, which is 32-bit already, and
> > all of MTD expects a 32-bit erasesize, so it'd be a pretty big job to
> > "fix" the truncation.
>
> to make sure i got this right, map_info.size in other uses can hold a
> value larger than 4GB (so it has to stay 64 bit, at least on 64 bit
> archs) but for erasesize it should never have such a big value?
Correct.
> that'd
> actually be fine for us since it means when the overflow plugin instruments
> this code any runtime trigger means a real problem, not a false positive.
OK, good. As long as you aren't going to start complaining about
theoretical concerns we're OK, but a dynamic check is cool.
Brian
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: question about potential integer truncation in default_erasesize
2015-09-29 21:02 ` Brian Norris
@ 2015-09-29 21:37 ` PaX Team
0 siblings, 0 replies; 5+ messages in thread
From: PaX Team @ 2015-09-29 21:37 UTC (permalink / raw)
To: Brian Norris; +Cc: linux-mtd, David Woodhouse, re.emese, spender
On 29 Sep 2015 at 14:02, Brian Norris wrote:
> > that'd
> > actually be fine for us since it means when the overflow plugin instruments
> > this code any runtime trigger means a real problem, not a false positive.
>
> OK, good. As long as you aren't going to start complaining about
> theoretical concerns we're OK, but a dynamic check is cool.
we don't care about theoretical bugs but real ones too. the reason for asking
about this code is that while investigating a false positive report in some
other code (that turned out to be due to a limitation in how gcc represents
certain constructs at its gimple layer) we decided to check the underlying
cause in the whole tree so that we could decide how to fix the FP. the choice
is usually either changing the source code (so that gcc produces a different
representation) or disabling instrumentation for either the particular
expression or all similar constructs. the decision comes down to how many
potentially useful checks we'd omit vs. how many more false positives we'd
risk having. in this case the code construct was copying between structure
fields of different sizes and linux has fortunately a few of these only that
can be manually verified, save for a few cases i could not decide myself, hence
this email and few others elsewhere (some turned out to be real bugs or just
inefficient code in fact).
in short, if you ever hear from us again it'll be because there was a real
integer truncation/overflow/etc event (and we'll have precise source location
for it ;).
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2015-09-29 21:40 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-09-26 13:18 question about potential integer truncation in default_erasesize PaX Team
2015-09-29 2:02 ` Brian Norris
2015-09-29 20:56 ` PaX Team
2015-09-29 21:02 ` Brian Norris
2015-09-29 21:37 ` PaX Team
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).