From: Jakub Jelinek <jakub@redhat.com>
To: Dave Paris <dparis@w3works.com>
Cc: linux-kernel@vger.kernel.org, rspchan@starhub.net.sg
Subject: Re: [CRYPTO]: Miscompiling sha256.c by gcc 3.2.3 and arch pentium3,4
Date: Fri, 30 Jan 2004 10:28:35 -0500 [thread overview]
Message-ID: <20040130152835.GN31589@devserv.devel.redhat.com> (raw)
In-Reply-To: <PLEIIGNDLGEDDKABPLHBAECPCHAA.dparis@w3works.com>
On Fri, Jan 30, 2004 at 10:04:00AM -0500, Dave Paris wrote:
> Has this been demonstrated on *any* system/arch using GCC 3.2.3 (or other
> 3.2 series) or is it limited in scope to the description below? Does it
> seem to do this with other implementations (other than sha256.c) or other
> kernels? Just trying to get an idea if this is a complier optimization bug
> or something much more limited in scope.
>
> My personal lab is currently being unboxed and I won't be able to run my own
> tests for another week or so. (apologies in advance)
>
> In any case, this is *extremely* serious from a number of angles.
GCC handling of automatic const variables with initializers is very fragile.
There have been numerous bugs in it in the past and last one has been fixed
just yesterday (on GCC trunk only for the time being). It will be
eventually backported once it gets some more testing on GCC mainline.
The problematic line in sha256.c is:
static void sha256_final(void* ctx, u8 *out)
{
...
const u8 padding[64] = { 0x80, };
where if you are unlucky, scheduler will with various different GCC versions
on various architectures reorder instructions so that store of 0x80 into the
struct is before clearing of the 64 bytes.
On the other side, doing this in sha256.c seems quite inefficient, IMHO much
better would be to have there static u8 padding[64] = { 0x80 };
because that will not mean clearing 64 bytes and writing another one on top
of it every time the routine is executed.
Jakub
next prev parent reply other threads:[~2004-01-30 15:29 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-01-30 3:21 [CRYPTO]: Miscompiling sha256.c by gcc 3.2.3 and arch pentium3,4 R CHAN
2004-01-30 14:39 ` James Morris
2004-01-30 15:04 ` Dave Paris
2004-01-30 15:24 ` R Chan
2004-01-30 15:28 ` Jakub Jelinek [this message]
2004-01-30 16:35 ` James Morris
2004-01-30 17:14 ` Andy Isaacson
2004-01-30 19:49 ` Jakub Jelinek
2004-02-01 21:17 ` Bill Davidsen
2004-01-30 21:14 ` David S. Miller
2004-02-01 21:18 ` Bill Davidsen
2004-02-01 23:22 ` David S. Miller
2004-02-02 1:00 ` Linus Torvalds
2004-02-02 18:55 ` Bill Davidsen
2004-01-30 17:26 ` Jean-Luc Cooke
-- strict thread matches above, loose matches on Subject: below --
2004-01-30 15:43 Arnd Bergmann
2004-01-30 16:57 ` James Morris
2004-01-30 18:02 ` Randy.Dunlap
2004-01-30 18:35 ` James Morris
2004-01-30 18:53 ` James Morris
2004-02-02 4:08 linux
2004-02-05 19:40 ` Jean-Luc Cooke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040130152835.GN31589@devserv.devel.redhat.com \
--to=jakub@redhat.com \
--cc=dparis@w3works.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rspchan@starhub.net.sg \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox