From: Szabolcs Nagy <nsz@port70.net>
To: musl@lists.openwall.com
Subject: Re: Possible infinite loop in qsort()
Date: Tue, 12 Jan 2016 17:22:44 +0100 [thread overview]
Message-ID: <20160112162243.GC13558@port70.net> (raw)
In-Reply-To: <56950E43.60508@openwall.com>
* Alexander Cherepanov <ch3root@openwall.com> [2016-01-12 17:31:31 +0300]:
> On 2016-01-12 15:48, Szabolcs Nagy wrote:
> >in musl things are documented in the git log for now, e.g.:
> >http://git.musl-libc.org/cgit/musl/commit/?id=3cd6f5229f079f892411e82fce3fe15c78eef4d8
>
> IMHO such things should be documented in user-facing documentation, not in
> source code comments, git log or email posts.
>
yes, that would be a useful project
> >i think if an implementation does not give this guarantee
> >that should be considered a bug.
>
> Some consider it a bug, others -- a feature.
>
> But if you want to provide this guarantee it's not that easy. Compilers are
> not under your control. Even with gcc (which tries to provide this
> guarantee) you can create VLA 2.5GB in size and run it with `ulimit -s
> unlimited` (at least as a 32-bit binary on a 64-bit host).
>
large vla sounds like a problem, the libc can guard against that
by placing a guard page in the way on the main thread.
but stack allocations are kind of outside the c language:
stack limits are not admitted in the standard causing technical
issues around correctness proofs.
> Then, a user can create an object of any size via mmap with MAP_FIXED flag,
> right?
creating a single object by two mmaps that happen to be
adjacent sounds like a grey area (not sure if that's strictly
conforming in posix/c).
the user can get a large object behind the libc (e.g. by using
raw syscalls) but the portable ways are controlled by the libc.
> >(glibc does not guarantee this and indeed it is full of invalid
> >pointer arithmetics,
>
> Care to provide examples?
>
this is what i did: went to the glibc string directory
looked for pointer - operations, there are already several
in various argz_* functions so i didnt have to go further
than the letter 'a' to find
char *match = strstr (arg, str);
...
size_t to_len = match - arg;
in argz_replace, if arg is a large object and str only
matches near the end, then match - arg is ub.
i think the argz buffer is internally allocated by
the libc so it could protect against large objects but
i don't see such protection.
the first obvious example i see is in memccpy
void *p = memchr (src, c, n);
...
return __mempcpy (dest, src, p - src + 1);
again p - src can be ub.
> >but more importantly a huge number of
> >existing libraries depend on this)
> >
> >>BTW the support in compilers for working with objects larger than half the
> >>address space is buggy -- see
> >>https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67999 . The same situation --
> >>it neither works nor documented. Somewhat puzzling...
> >
> >yes, but it's not possible to support reasonably
>
> Why is that?
i guess it can be supported but you lose some useful
transformations
e.g. p < q can be transformed to p-q < 0
in the compiler if the diff cannot overflow
i don't know how much this matters for optimization
and how much harder it is to implement, but i do
think there are easy mistakes to be made if p-q can
overflow.
next prev parent reply other threads:[~2016-01-12 16:22 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-09 8:21 Markus Wichmann
2016-01-09 9:07 ` Felix Janda
2016-01-10 4:05 ` Rich Felker
2016-01-10 10:33 ` Szabolcs Nagy
2016-01-10 11:38 ` Alexander Monakov
2016-01-10 11:38 ` Markus Wichmann
2016-01-10 12:15 ` Szabolcs Nagy
2016-01-12 12:25 ` Alexander Cherepanov
2016-01-12 12:48 ` Szabolcs Nagy
2016-01-12 14:31 ` Alexander Cherepanov
2016-01-12 16:22 ` Szabolcs Nagy [this message]
2016-01-14 22:21 ` Rich Felker
2016-01-14 22:17 ` Rich Felker
2016-01-10 16:35 ` Morten Welinder
2016-01-10 16:45 ` Jens Gustedt
2016-01-12 10:30 ` Alexander Cherepanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160112162243.GC13558@port70.net \
--to=nsz@port70.net \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).