Hi,
On Wed, May 8, 2024 at 11:31 PM Jiri Slaby <jirislaby@xxxxxxxxxx> wrote:
>
>
> And what is actually broken, given signed overflow is well defined under
> the -fwrapv wings?
>
well-defined code can still be broken.
We want to better safeguard against accidental overflow as this is the
root cause of many bugs/vulnerabilities. So, in this spirit, we
recently enhanced the signed-integer-overflow sanitizer and its
ability to function with -fwrapv enabled [1]. On the Kernel side of
things, Kees' tree [2] has done a lot of the groundwork to get this
sanitizer enabled and less noisy.
WIth all that being said, my solution to this problem in this
particular instance is not the most elegant, as you rightly pointed
out.
> > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> > index 9b5b98dfc8b4..b4768336868e 100644
> > --- a/drivers/tty/vt/vt.c
> > +++ b/drivers/tty/vt/vt.c
> > @@ -308,7 +308,14 @@ static inline void scrolldelta(int lines)
> > /* FIXME */
> > /* scrolldelta needs some kind of consistency lock, but the BKL was
> > and still is not protecting versus the scheduled back end */
> > - scrollback_delta += lines;
> > +
> > + /* saturate scrollback_delta so that it never wraps around */
> > + if (lines > 0 && unlikely(INT_MAX - lines < scrollback_delta))
> > + scrollback_delta = INT_MAX;
> > + else if (lines < 0 && unlikely(INT_MIN - lines > scrollback_delta))
> > + scrollback_delta = INT_MIN;
> > + else
> > + scrollback_delta += lines;
>
> NACK, this is horrid.
Agreed.
Does an implementation like this look any better?
static inline void scrolldelta(int lines)
{
...
/* saturate scrollback_delta so that it never wraps around */
if (lines > 0)
scrollback_delta = min(scrollback_delta, INT_MAX -
lines) + lines;
else
scrollback_delta = max(scrollback_delta, INT_MIN -
lines) + lines;
schedule_console_callback();
}
Accounting for the possibility of both underflow and overflow is what
is making this code a bit bloated but if this new approach looks good
enough I can send a v2.
>
> Introduce a helper for this in overflow.h if we have none yet.
We have these but for unsigned (size_t) types. I'm open to adding
signed_saturating_add(addend1, addend2, ceiling, floor) or something
similar.
>
> thanks,
> --
> js
> suse labs
>
[1]: https://github.com/llvm/llvm-project/pull/82432
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=dev/v6.8-rc2/signed-overflow-sanitizer
Thanks
Justin
