Linus is not very good at conversational skills.
Announcement
Collapse
No announcement yet.
Torvalds Voices Thoughts On Linux Mitigating Unexpected Arithmetic Overflows/Underflows
Collapse
X
-
IOW, exactly the same as "a+b < a". Yes, "a+b" might wrap around, but if the use is to then compare it with one of the addends, then clearly such a wrap-around is fine.
- Likes 4
Comment
-
Wrap-around arithmetic has been a standard behaviour for at least 40+ years, likely a lot longer. It is not the problem. The problem is with ignorant people who are incompetent at programming, but want to write kernel code. When they cannot write secure code, but need help from sanitisers not to overrun a buffer or to catch overflows, then they have no business writing kernel code. We did not need these tools 40 years ago, and we now only use them as a quality-of-life feature. What we do not need are people who insist on needing protection from their own mistakes. Incompetent people are the security risk, always have been and always will be, no matter the hardware, software, or methodology.
- Likes 16
Comment
-
Just my own hot take, without having extensively studied the issue or worked inside the kernel:- Define a function or special operator which indicates that overflow is expected/acceptable. I believe these cases are far more the exception than the norm.
- For everything else, if the compiler can't ensure, via static analysis, that overflow is impossible, emit a sanitizer to check for it. Someone not wanting the runtime overhead of these sanitizers can either promise the compiler it won't overflow (i.e. via some builtin or attribute) or simply compile without them.
- Likes 6
Comment
-
Originally posted by sdack View PostThe problem is with ignorant people who are incompetent at programming, but want to write kernel code. When they cannot write secure code, but need help from sanitisers not to overrun a buffer or to catch overflows, then they have no business writing kernel code.
Originally posted by sdack View PostWe did not need these tools 40 years ago,
Originally posted by sdack View PostWhat we do not need are people who insist on needing protection from their own mistakes.
Originally posted by sdack View PostIncompetent people are the security risk, always have been and always will be, no matter the hardware, software, or methodology.
- Likes 11
Comment
-
Unsigned wrap around is part of the language definition, and often taken advantage of when optimizing code. You may have a different opinion about whether that is a good idea, but it may be that you just have little experience with situations where it is used (intentionally).
Maybe it is just me, but lately I see a lot of disregard for false positives in compiler warnings. False positives are a big problem, especially for those who do like to use strict compiler warnings (and maybe also make warnings be errors).
- Likes 15
Comment
-
Originally posted by AdelKS View Postunsigned arithmetic being well defined is a no brainer for most devs I hope.
Originally posted by indepe View PostUnsigned wrap around is part of the language definition, and often taken advantage of when optimizing code.
Even in your code, I'm sure it's much more the exception than the rule that you actually expect arithmetic overflows/underflows. When you write such code, you know in your head when you expect that possibility, so why not just be explicit about it?
Originally posted by indepe View PostMaybe it is just me, but lately I see a lot of disregard for false positives in compiler warnings. False positives are a big problem, especially for those who do like to use strict compiler warnings (and maybe also make warnings be errors).Last edited by coder; 12 May 2024, 04:00 AM.
- Likes 5
Comment
-
The practical solution, I think, is not in compilers but in code. It would be very useful to have a library of "safe math" functions that report errors for overflows and wraparounds. Use this library when you're doing arbitrary math with arbitrary values. Linus is right that sometimes overflows are a feature. But ... in many cases they are a bug and even a security risk. A bug that is very common, even for experienced programmers, and one that's hard to test against unless you're specifically testing for it.
I imagine that there are many places in the kernel where arbitrary math happens and that safe math functions would be a boon.
- Likes 5
Comment
-
Originally posted by ssokolow View Post
I disagree. Without additional context on what a and b are, we can't say whether it's fine.
And so it wouldn't be just "fine", but in the absence of more context, most likely a fully correct and intentional use of the feature guaranteed by the language definition?
- Likes 9
Comment
Comment