On Thu, Apr 15, 2021 at 08:26:21AM +0000, David Laight wrote:
> ...
> > Besides just FP, 128-bit, etc, I remain concerned about just basic
> > math operations. C has no way to describe the intent of integer
> > overflow, so the kernel was left with the only "predictable" result:
> > wrap around. Unfortunately, this is wrong in most cases, and we're left
> > with entire classes of vulnerability related to such overflows.
>
> I'm not sure any of the alternatives (except perhaps panic)
> are much better.
> Many years ago I used a COBOL system that skipped the assignment
> if ADD X to Y (y += x) would overflow.
> That gave a very hard to spot error when the sum of a long list
> was a little too large.
> If it had wrapped the error would be obvious.
>
> There are certainly places where saturate is good.
> Mostly when dealing with analogue samples.
>
> I guess the problematic code is stuff that checks:
> if (foo->size + constant > limit) goto error;
> instead of:
> if (foo->size > limit - constant) goto error;

Right. This and alloc(size * count) are the primary offenders. :)

-- 
Kees Cook
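The two check shapes quoted above, plus the `alloc(size * count)` case, side by side in an added C example (not code from the thread or from the kernel). The `struct foo`, `HDR`, `LIMIT` and the helper names are assumptions for illustration; `__builtin_mul_overflow` is the GCC/Clang builtin that the kernel's `check_mul_overflow()` in `include/linux/overflow.h` is built on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical struct standing in for the "foo" in the thread. */
struct foo { size_t size; };

#define HDR   16U     /* the "constant" added to foo->size (assumed value) */
#define LIMIT 4096U   /* the "limit" it is compared against (assumed value) */

/* Naive form from the thread: the addition itself can wrap around, so an
 * attacker-controlled size near SIZE_MAX passes the check. Returns -1 to
 * reject, 0 to accept. */
int check_naive(size_t size)
{
    return (size + HDR > LIMIT) ? -1 : 0;
}

/* Rearranged form: no arithmetic is performed on the untrusted value, and
 * LIMIT - HDR is a compile-time constant that cannot wrap. */
int check_rearranged(size_t size)
{
    return (size > LIMIT - HDR) ? -1 : 0;
}

/* Returns 1 if a * b would overflow size_t, 0 otherwise. */
int mul_overflows(size_t a, size_t b)
{
    size_t unused;
    return __builtin_mul_overflow(a, b, &unused) ? 1 : 0;
}

/* Array allocation that refuses rather than letting size * count wrap to a
 * small number (the alloc(size * count) offender). NULL on overflow. */
void *alloc_array(size_t size, size_t count)
{
    size_t bytes;
    if (__builtin_mul_overflow(size, count, &bytes))
        return NULL;
    return malloc(bytes);
}

/* Test-friendly wrapper: 1 if alloc_array succeeded (and frees it), else 0. */
int alloc_array_ok(size_t size, size_t count)
{
    void *p = alloc_array(size, count);
    if (!p)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    struct foo f = { .size = SIZE_MAX - 4 };  /* constructed: wraps when HDR is added */

    printf("naive check on wrapping size:      %d (0 = wrongly accepted)\n",
           check_naive(f.size));
    printf("rearranged check on wrapping size: %d (-1 = rejected)\n",
           check_rearranged(f.size));
    printf("SIZE_MAX * 2 overflows: %d\n", mul_overflows(SIZE_MAX, 2));
    printf("alloc_array(SIZE_MAX, 2) ok: %d\n", alloc_array_ok(SIZE_MAX, 2));
    return 0;
}
```

With `HDR` = 16 and `LIMIT` = 4096, a size of `SIZE_MAX - 4` wraps to 11 in the naive check and is accepted, while the rearranged check rejects it; both agree on in-range values, which is why the bug is easy to miss in review.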