RE: [PATCH 00/13] [RFC] Rust support

From: David Laight
Date: Thu Apr 15 2021 - 04:26:30 EST

Next message: Ikjoon Jang: "Re: [PATCH] mtd: spi-nor: macronix: Add block protection support to mx25u6435f"
Previous message: Paolo Bonzini: "Re: [PATCH 2/2] tools: do not include scripts/Kbuild.include"
In reply to: Kees Cook: "Re: [PATCH 00/13] [RFC] Rust support"
Next in thread: Kees Cook: "Re: [PATCH 00/13] [RFC] Rust support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

...
> Besides just FP, 128-bit, etc, I remain concerned about just basic
> math operations. C has no way to describe the intent of integer
> overflow, so the kernel was left with the only "predictable" result:
> wrap around. Unfortunately, this is wrong in most cases, and we're left
> with entire classes of vulnerability related to such overflows.

I'm not sure any of the alternatives (except perhaps panic)
are much better.
Many years ago I used a COBOL system that skipped the assignment
if ADD X to Y (y += x) would overflow.
That gave a very hard to spot error when the sump of a long list
way a little too large.
If it had wrapped the error would be obvious.

There are certainly places where saturate is good.
Mostly when dealing with analogue samples.

I guess the problematic code is stuff that checks:
if (foo->size + constant > limit) goto error;
instead of:
if (foo->size > limit - constant) goto error;

David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Next message: Ikjoon Jang: "Re: [PATCH] mtd: spi-nor: macronix: Add block protection support to mx25u6435f"
Previous message: Paolo Bonzini: "Re: [PATCH 2/2] tools: do not include scripts/Kbuild.include"
In reply to: Kees Cook: "Re: [PATCH 00/13] [RFC] Rust support"
Next in thread: Kees Cook: "Re: [PATCH 00/13] [RFC] Rust support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]