On Thu, Oct 22, 2020 at 12:25 PM Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote: > > On Thu, Oct 22, 2020 at 12:04:52PM -0700, Nick Desaulniers wrote: > > > Passing an `unsigned long` as an `unsigned int` does no such > > narrowing: https://godbolt.org/z/TvfMxe (same vice-versa, just tail > > calls, no masking instructions). > > So if rw_copy_check_uvector() is inlined into import_iovec() (looking > > at the mainline@1028ae406999), then children calls of > > `rw_copy_check_uvector()` will be interpreting the `nr_segs` register > > unmodified, ie. garbage in the upper 32b. > > FWIW, > > void f(unsinged long v) > { > if (v != 1) > printf("failed\n"); > } > > void g(unsigned int v) > { > f(v); > } > > void h(unsigned long v) > { > g(v); > } > > main() > { > h(0x100000001); > } A good/analogous example, but things get weird when the leaf node in the call chain is inline asm: https://godbolt.org/z/s19TY5 (I'm not sure that's precisely what's going on here; I'll need to dive more into the calls rw_copy_check_uvector() makes to see if there's inline asm somewhere, pretty sure calls to get_user with `nr_regs` exist). > > must not produce any output on a host with 32bit int and 64bit long, regardless of > the inlining, having functions live in different compilation units, etc. > > Depending upon the calling conventions, compiler might do truncation in caller or > in a callee, but it must be done _somewhere_. -- Thanks, ~Nick Desaulniers
