
List:       linux-kernel
Subject:    Re: [RFC] Mitigating unexpected arithmetic overflow
From:       "Theodore Ts'o" <tytso () mit ! edu>
Date:       2024-05-09 14:08:54
Message-ID: 20240509140854.GF3620298 () mit ! edu

On Wed, May 08, 2024 at 11:11:35PM -0700, Kees Cook wrote:
> > I think it would be interesting in general to have some kind of
> > warning for "implicit cast drops bits".
> > 
> > I fear that we'd have an enormous amount of them, and maybe they'd be
> > unsolvable without making the code *much* uglier (and sometimes the
> > fix might be to add an explicit cast to document intentionally dropped
> > bits, but explicit casts have their own issues).

Speaking of which, I recently had to work around an overactive
compiler UBSAN which complained about this:

struct ext2_super {
       ...
       __u32	time_low;
       __u32	time_high;
       ...
};

	time_t	now;
	
	sb->time_low = now;
	sb->time_high = now >> 32;

This is obviously (to a human) correct, but because of stupid compiler
tricks, in order to silence compiler-level and ubsan complaints, this
got turned into:


	sb->time_low = now & 0xffffffff;
#if (SIZEOF_TIME_T > 4)
	sb->time_high = (now >> 32) & EXT4_EPOCH_MASK;
#else
	sb->time_high = 0;
#endif

and in the opposite case, I was forced to write:

#if (SIZEOF_TIME_T == 4)
	return *lo;
#else
	return ((time_t)(*hi) << 32) | *lo;
#endif

.. and this made me very sad.  Grumble....

				- Ted
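As an added example (not code from the message, the kernel, or e2fsprogs), here is one way to do the same split and join without the #if blocks: widen to a fixed 64-bit type before shifting, so the shift is well-defined even when time_t is 32 bits wide, and make every narrowing conversion explicit so neither the compiler nor UBSAN sees an implicit drop of bits. The struct and field names, the helper names and the mask value are assumptions.

```c
#include <stdint.h>
#include <time.h>

/* Hypothetical stand-in for the two superblock fields in the message. */
struct ext2_time_fields {
    uint32_t time_low;
    uint32_t time_high;
};

/* Stand-in for EXT4_EPOCH_MASK; the real value is not given in the
 * message, so the full 32-bit mask is assumed here. */
#define TIME_HIGH_MASK 0xffffffffu

void split_time(struct ext2_time_fields *f, time_t now)
{
    /* Widen first: the shift happens on a 64-bit value, so ">> 32" is
     * defined behaviour regardless of sizeof(time_t). Negative times
     * sign-extend, so the high word becomes 0xffffffff for them. */
    uint64_t t = (uint64_t)(int64_t)now;
    f->time_low  = (uint32_t)(t & 0xffffffffu);         /* explicit drop */
    f->time_high = (uint32_t)((t >> 32) & TIME_HIGH_MASK);
}

time_t join_time(const struct ext2_time_fields *f)
{
    uint64_t t = ((uint64_t)f->time_high << 32) | f->time_low;
    /* Narrowing back to time_t is explicit; with a 32-bit time_t the high
     * word is lost, which is the same loss the #if branch above accepts. */
    return (time_t)t;
}

/* Small wrappers so each half can be inspected directly. */
uint32_t low_half(time_t now)
{
    struct ext2_time_fields f;
    split_time(&f, now);
    return f.time_low;
}

uint32_t high_half(time_t now)
{
    struct ext2_time_fields f;
    split_time(&f, now);
    return f.time_high;
}

int time_roundtrips(time_t now)
{
    struct ext2_time_fields f;
    split_time(&f, now);
    return join_time(&f) == now;
}
```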

