RE: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-14 Thread David Laight
From: Kees Cook > Sent: 13 March 2018 22:15 ... > I'll send a "const_max()" which will refuse to work on > non-constant-values (so it doesn't get accidentally used on variables > that could be exposed to double-evaluation), and will work for stack > array declarations (to avoid the

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-13 Thread Kees Cook
On Tue, Mar 13, 2018 at 2:02 PM, Andrew Morton wrote: > On Mon, 12 Mar 2018 21:28:57 -0700 Kees Cook wrote: > >> On Mon, Mar 12, 2018 at 4:57 PM, Linus Torvalds >> wrote: >> > On Mon, Mar 12, 2018 at 3:55 PM,

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-13 Thread Andrew Morton
On Mon, 12 Mar 2018 21:28:57 -0700 Kees Cook wrote: > On Mon, Mar 12, 2018 at 4:57 PM, Linus Torvalds > wrote: > > On Mon, Mar 12, 2018 at 3:55 PM, Andrew Morton > > wrote: > >> > >> Replacing the

RE: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-13 Thread David Laight
The amount of replicated defined could also be reduced by passing > or < to a min_max() macro. So you start off with something like:
#define min(x, y) __min_max(x, <, y)
#define max(x, y) __min_max(x, >, y)
then have:
#define __min_max(x, cond, y) ((x) cond (y) ? (x) : (y))
in all its associated

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-12 Thread Kees Cook
On Mon, Mar 12, 2018 at 4:57 PM, Linus Torvalds wrote: > On Mon, Mar 12, 2018 at 3:55 PM, Andrew Morton > wrote: >> >> Replacing the __builtin_choose_expr() with ?: works of course. > > Hmm. That sounds like the right thing to do. We were

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-12 Thread Linus Torvalds
On Mon, Mar 12, 2018 at 3:55 PM, Andrew Morton wrote: > > Replacing the __builtin_choose_expr() with ?: works of course. Hmm. That sounds like the right thing to do. We were so myopically staring at the __builtin_choose_expr() problem that we overlooked the obvious

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-12 Thread Andrew Morton
On Fri, 9 Mar 2018 17:30:15 -0800 Kees Cook wrote: > > It's one reason why I wondered if simplifying the expression to have > > just that single __builtin_constant_p() might not end up working.. > > Yeah, it seems like it doesn't bail out as "false" for complex >

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-11 Thread Tobin C. Harding
On Fri, Mar 09, 2018 at 01:10:30PM -0800, Linus Torvalds wrote: > On Fri, Mar 9, 2018 at 12:05 PM, Kees Cook wrote: > > When max() is used in stack array size calculations from literal values > > (e.g. "char foo[max(sizeof(struct1), sizeof(struct2))]", the compiler > >

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-11 Thread Linus Torvalds
On Sun, Mar 11, 2018 at 4:05 AM, Ingo Molnar wrote: > > BTW., while I fully agree with everything you said, it's not entirely correct > to > claim that if a C compiler can generate VLA code it is necessarily able to > parse > and evaluate constant array sizes "just fine". > >

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-11 Thread Ingo Molnar
* Linus Torvalds wrote: > So an error message like > >warning: ISO C90 requires array sizes to be constant-expressions > > would be technically correct and useful from a portability angle. It > tells you when you're doing something non-portable, and should

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-10 Thread Miguel Ojeda
On Sat, Mar 10, 2018 at 6:51 PM, Linus Torvalds wrote: > > So in *historical* context - when a compiler didn't do variable length > arrays at all - the original semantics of C "constant expressions" > actually make a ton of sense. > > You can basically think of a

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-10 Thread Linus Torvalds
On Sat, Mar 10, 2018 at 9:34 AM, Miguel Ojeda wrote: > > So the warning is probably implemented to just trigger whenever VLAs > are used but the given standard does not allow them, for all > languages. The problem is why the ISO C90 frontend is not giving an >

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-10 Thread Miguel Ojeda
On Sat, Mar 10, 2018 at 5:30 PM, Linus Torvalds wrote: > On Sat, Mar 10, 2018 at 7:33 AM, Kees Cook wrote: >> >> Alright, I'm giving up on fixing max(). I'll go back to STACK_MAX() or >> some other name for the simple macro. Bleh. > > Oh, and

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-10 Thread Linus Torvalds
On Sat, Mar 10, 2018 at 7:33 AM, Kees Cook wrote: > > Alright, I'm giving up on fixing max(). I'll go back to STACK_MAX() or > some other name for the simple macro. Bleh. Oh, and I'm starting to see the real problem. It's not that our current "min/max()" are broken. It's

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-10 Thread Linus Torvalds
On Sat, Mar 10, 2018 at 7:33 AM, Kees Cook wrote: > > And sparse freaks out too: > >drivers/net/ethernet/via/via-velocity.c:97:26: sparse: incorrect > type in initializer (different address spaces) @@expected void > *addr @@got struct mac_regs [noderef]

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-10 Thread Linus Torvalds
On Fri, Mar 9, 2018 at 11:03 PM, Miguel Ojeda wrote: > > Just compiled 4.9.0 and it seems to work -- so that would be the > minimum required. > > Sigh... > > Some enterprise distros are either already shipping gcc >= 5 or will > probably be shipping it soon (e.g.

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-10 Thread Kees Cook
On Fri, Mar 9, 2018 at 10:10 PM, Miguel Ojeda wrote: > On Sat, Mar 10, 2018 at 4:11 AM, Randy Dunlap wrote: >> On 03/09/2018 04:07 PM, Andrew Morton wrote: >>> On Fri, 9 Mar 2018 12:05:36 -0800 Kees Cook wrote: >>>

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-09 Thread Miguel Ojeda
On Sat, Mar 10, 2018 at 7:10 AM, Miguel Ojeda wrote: > On Sat, Mar 10, 2018 at 4:11 AM, Randy Dunlap wrote: >> On 03/09/2018 04:07 PM, Andrew Morton wrote: >>> On Fri, 9 Mar 2018 12:05:36 -0800 Kees Cook wrote: >>>

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-09 Thread Miguel Ojeda
On Sat, Mar 10, 2018 at 4:11 AM, Randy Dunlap wrote: > On 03/09/2018 04:07 PM, Andrew Morton wrote: >> On Fri, 9 Mar 2018 12:05:36 -0800 Kees Cook wrote: >> >>> When max() is used in stack array size calculations from literal values >>> (e.g. "char

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-09 Thread Randy Dunlap
On 03/09/2018 04:07 PM, Andrew Morton wrote: > On Fri, 9 Mar 2018 12:05:36 -0800 Kees Cook wrote: > >> When max() is used in stack array size calculations from literal values >> (e.g. "char foo[max(sizeof(struct1), sizeof(struct2))]", the compiler >> thinks this is a

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-09 Thread Linus Torvalds
On Fri, Mar 9, 2018 at 5:31 PM, Kees Cook wrote: > > WTF, gmail just blasted HTML into my explicitly plain-text email?! > Apologies... There's more now in your email, I think maybe it's triggered by your signature file and some gmail web interface bug. Or it just tries to

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-09 Thread Kees Cook
On Fri, Mar 9, 2018 at 5:30 PM, Kees Cook wrote: > -- > Kees Cook > Pixel SecurityOn > [...] WTF, gmail just blasted HTML into my explicitly plain-text email?! Apologies... -- Kees Cook Pixel SecurityOn Fri, Mar 9, 2018 at 5:30 PM, Kees Cook mailto:keesc...@chromium.org;

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-09 Thread Kees Cook
On Fri, Mar 9, 2018 at 4:38 PM, Linus Torvalds wrote: > On Fri, Mar 9, 2018 at 4:32 PM, Andrew Morton > wrote: >> >> I wonder which gcc versions actually accept Kees's addition. Ah, my old nemesis, gcc 4.4.4. *sob* > Note that we

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-09 Thread Linus Torvalds
On Fri, Mar 9, 2018 at 4:32 PM, Andrew Morton wrote: > > I wonder which gcc versions actually accept Kees's addition. Note that we already do have this pattern, as seen by:
  git grep -2 __builtin_choose_expr | grep -2 __builtin_constant_p
which show

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-09 Thread Andrew Morton
On Fri, 9 Mar 2018 16:28:51 -0800 Linus Torvalds wrote: > On Fri, Mar 9, 2018 at 4:07 PM, Andrew Morton > wrote: > > > > A brief poke failed to reveal a workaround - gcc-4.4.4 doesn't appear > > to know that __builtin_constant_p(x) is

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-09 Thread Linus Torvalds
On Fri, Mar 9, 2018 at 4:07 PM, Andrew Morton wrote: > > A brief poke failed to reveal a workaround - gcc-4.4.4 doesn't appear > to know that __builtin_constant_p(x) is a constant. Or something. LOL. I suspect it might be that it wants to evaluate

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-09 Thread Andrew Morton
On Fri, 9 Mar 2018 12:05:36 -0800 Kees Cook wrote: > When max() is used in stack array size calculations from literal values > (e.g. "char foo[max(sizeof(struct1), sizeof(struct2))]", the compiler > thinks this is a dynamic calculation due to the single-eval logic, which >

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-09 Thread Kees Cook
On Fri, Mar 9, 2018 at 1:10 PM, Linus Torvalds wrote: > On Fri, Mar 9, 2018 at 12:05 PM, Kees Cook wrote: >> When max() is used in stack array size calculations from literal values >> (e.g. "char foo[max(sizeof(struct1), sizeof(struct2))]",

Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()

2018-03-09 Thread Linus Torvalds
On Fri, Mar 9, 2018 at 12:05 PM, Kees Cook wrote: > When max() is used in stack array size calculations from literal values > (e.g. "char foo[max(sizeof(struct1), sizeof(struct2))]", the compiler > thinks this is a dynamic calculation due to the single-eval logic, which >