mailing list of musl libc
 help / color / mirror / code / Atom feed
* [musl] Re: [BUG] ioctl: overflow in implicit constant conversion
@ 2023-02-21  5:26 Ralph Little
  2023-02-21 16:04 ` Markus Wichmann
  0 siblings, 1 reply; 11+ messages in thread
From: Ralph Little @ 2023-02-21  5:26 UTC (permalink / raw)
  To: musl

Hi,
I have been picking up some old pending issues related to the SANE project.
One of our CI builds is on Alpine and it is generating warnings for 
ioctl() calls from the musl library:

|error: overflow in conversion from 'long unsigned int' to 'int' changes 
value from '2147577985' to '-2147389311' [-Werror=overflow]
|
||ioctl (fd, PPRSTATUS, &status);

||I see that Olaf Meeuwissen raised this issue a couple of years ago and 
the discussion petered out somewhat and I don't believe that the issue 
was ever really resolved:

https://www.openwall.com/lists/musl/2020/01/20/2

Is there any possibility that this could be addressed in the near future?
I see that Alpine have closed their issue and are not interested in 
patching their downstream musl:

https://gitlab.alpinelinux.org/alpine/aports/-/issues/7580#note_287168

Cheers,
Ralph Little






^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [musl] Re: [BUG] ioctl: overflow in implicit constant conversion
  2023-02-21  5:26 [musl] Re: [BUG] ioctl: overflow in implicit constant conversion Ralph Little
@ 2023-02-21 16:04 ` Markus Wichmann
  2023-02-21 16:42   ` Florian Weimer
                     ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Markus Wichmann @ 2023-02-21 16:04 UTC (permalink / raw)
  To: musl

On Mon, Feb 20, 2023 at 09:26:05PM -0800, Ralph Little wrote:
> Hi,
> I have been picking up some old pending issues related to the SANE project.
> One of our CI builds is on Alpine and it is generating warnings for ioctl()
> calls from the musl library:
>
> |error: overflow in conversion from 'long unsigned int' to 'int' changes
> value from '2147577985' to '-2147389311' [-Werror=overflow]
> |
> ||ioctl (fd, PPRSTATUS, &status);
>
> ||I see that Olaf Meeuwissen raised this issue a couple of years ago and the
> discussion petered out somewhat and I don't believe that the issue was ever
> really resolved:
>
> https://www.openwall.com/lists/musl/2020/01/20/2
>
> Is there any possibility that this could be addressed in the near future?
> I see that Alpine have closed their issue and are not interested in patching
> their downstream musl:
>
> https://gitlab.alpinelinux.org/alpine/aports/-/issues/7580#note_287168
>
> Cheers,
> Ralph Little
>
>
>
>
>

So, I had a look at it. As far as I can tell, the issue is that musl
declares ioctl()'s second argument to be an int. Together with the other
defintions, this means that any _IOC_READ constant will overflow and
generate those warnings. Also, this is technically undefined behavior,
as value bits are shifted into the sign bit of a signed integer.

Linux itself defines the ioctl syscall to have a second argument of type
unsigned int.

So this issue could be resolved by simply making the second argument of
the ioctl() function unsigned. Does that create ABI issues? To my
knowledge, all ABIs pass ints and unsigned ints the same way. Even if on
some 64-bit arch there was a sign extension at the top, only the low
32 bits are defined.

Ciao,
Markus

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [musl] Re: [BUG] ioctl: overflow in implicit constant conversion
  2023-02-21 16:04 ` Markus Wichmann
@ 2023-02-21 16:42   ` Florian Weimer
  2023-02-21 16:53     ` alice
  2023-02-21 16:57   ` Jeffrey Walton
  2023-02-22  3:17   ` Rich Felker
  2 siblings, 1 reply; 11+ messages in thread
From: Florian Weimer @ 2023-02-21 16:42 UTC (permalink / raw)
  To: Markus Wichmann; +Cc: musl

* Markus Wichmann:

> So this issue could be resolved by simply making the second argument of
> the ioctl() function unsigned. Does that create ABI issues?

POSIX mandates the int type.

Thanks,
Florian


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [musl] Re: [BUG] ioctl: overflow in implicit constant conversion
  2023-02-21 16:42   ` Florian Weimer
@ 2023-02-21 16:53     ` alice
  0 siblings, 0 replies; 11+ messages in thread
From: alice @ 2023-02-21 16:53 UTC (permalink / raw)
  To: musl, Markus Wichmann

On Tue Feb 21, 2023 at 5:42 PM CET, Florian Weimer wrote:
> * Markus Wichmann:
>
> > So this issue could be resolved by simply making the second argument of
> > the ioctl() function unsigned. Does that create ABI issues?
>
> POSIX mandates the int type.

it does, but as it has been mentioned, how is one meant to use the _IOC*
thingies then without leading to UB?

at the end of the day, the libc is on linux only, and so if linux does not
use "int" itself for the api, ...

>
> Thanks,
> Florian


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [musl] Re: [BUG] ioctl: overflow in implicit constant conversion
  2023-02-21 16:04 ` Markus Wichmann
  2023-02-21 16:42   ` Florian Weimer
@ 2023-02-21 16:57   ` Jeffrey Walton
  2023-02-21 18:25     ` Ralph Little
  2023-02-21 21:28     ` Markus Wichmann
  2023-02-22  3:17   ` Rich Felker
  2 siblings, 2 replies; 11+ messages in thread
From: Jeffrey Walton @ 2023-02-21 16:57 UTC (permalink / raw)
  To: musl

On Tue, Feb 21, 2023 at 11:05 AM Markus Wichmann <nullplan@gmx.net> wrote:
> On Mon, Feb 20, 2023 at 09:26:05PM -0800, Ralph Little wrote:
> > I have been picking up some old pending issues related to the SANE project.
> > One of our CI builds is on Alpine and it is generating warnings for ioctl()
> > calls from the musl library:
> >
> > |error: overflow in conversion from 'long unsigned int' to 'int' changes
> > value from '2147577985' to '-2147389311' [-Werror=overflow]
> > |
> > ||ioctl (fd, PPRSTATUS, &status);
> >
> > ||I see that Olaf Meeuwissen raised this issue a couple of years ago and the
> > discussion petered out somewhat and I don't believe that the issue was ever
> > really resolved:
> >
> > https://www.openwall.com/lists/musl/2020/01/20/2
> >
> > Is there any possibility that this could be addressed in the near future?
> > I see that Alpine have closed their issue and are not interested in patching
> > their downstream musl:
> >
> > https://gitlab.alpinelinux.org/alpine/aports/-/issues/7580#note_287168
> [...]
> So, I had a look at it. As far as I can tell, the issue is that musl
> declares ioctl()'s second argument to be an int. Together with the other
> defintions, this means that any _IOC_READ constant will overflow and
> generate those warnings. Also, this is technically undefined behavior,
> as value bits are shifted into the sign bit of a signed integer.
>
> Linux itself defines the ioctl syscall to have a second argument of type
> unsigned int.
>
> So this issue could be resolved by simply making the second argument of
> the ioctl() function unsigned. Does that create ABI issues? To my
> knowledge, all ABIs pass ints and unsigned ints the same way. Even if on
> some 64-bit arch there was a sign extension at the top, only the low
> 32 bits are defined.

In this case, I think the best course of action is to cast a,b,c to
unsigned, then perform the shifts, and finally cast back to int. That
is what the C standard requires. And it should not mess with the ABI.

If the code remains undefined, then it is subject to removal by the
compiler. The casts, while ugly, keep the code in well defined
territory. Also, if anyone ever performs testing with
-fsantize=undefined, then the code will trigger real findings that
could keep the code from passing through a security gate (for those
folks who have to work in that kind of environment).

I've had to work bug reports that were a result of the missing casts
during shifts and rotates. It is not fun. I was able to track all of
them down with -fsantize=undefined .

Jeff

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [musl] Re: [BUG] ioctl: overflow in implicit constant conversion
  2023-02-21 16:57   ` Jeffrey Walton
@ 2023-02-21 18:25     ` Ralph Little
  2023-02-21 21:28     ` Markus Wichmann
  1 sibling, 0 replies; 11+ messages in thread
From: Ralph Little @ 2023-02-21 18:25 UTC (permalink / raw)
  To: musl

[-- Attachment #1: Type: text/plain, Size: 3089 bytes --]

Hi,

On Tue, Feb 21, 2023 at 8:58 AM Jeffrey Walton <noloader@gmail.com> wrote:

> On Tue, Feb 21, 2023 at 11:05 AM Markus Wichmann <nullplan@gmx.net> wrote:
> > On Mon, Feb 20, 2023 at 09:26:05PM -0800, Ralph Little wrote:
> > > I have been picking up some old pending issues related to the SANE
> project.
> > > One of our CI builds is on Alpine and it is generating warnings for
> ioctl()
> > > calls from the musl library:
> > >
> > > |error: overflow in conversion from 'long unsigned int' to 'int'
> changes
> > > value from '2147577985' to '-2147389311' [-Werror=overflow]
> > > |
> > > ||ioctl (fd, PPRSTATUS, &status);
> > >
> > > ||I see that Olaf Meeuwissen raised this issue a couple of years ago
> and the
> > > discussion petered out somewhat and I don't believe that the issue was
> ever
> > > really resolved:
> > >
> > > https://www.openwall.com/lists/musl/2020/01/20/2
> > >
> > > Is there any possibility that this could be addressed in the near
> future?
> > > I see that Alpine have closed their issue and are not interested in
> patching
> > > their downstream musl:
> > >
> > > https://gitlab.alpinelinux.org/alpine/aports/-/issues/7580#note_287168
> > [...]
> > So, I had a look at it. As far as I can tell, the issue is that musl
> > declares ioctl()'s second argument to be an int. Together with the other
> > defintions, this means that any _IOC_READ constant will overflow and
> > generate those warnings. Also, this is technically undefined behavior,
> > as value bits are shifted into the sign bit of a signed integer.
> >
> > Linux itself defines the ioctl syscall to have a second argument of type
> > unsigned int.
> >
> > So this issue could be resolved by simply making the second argument of
> > the ioctl() function unsigned. Does that create ABI issues? To my
> > knowledge, all ABIs pass ints and unsigned ints the same way. Even if on
> > some 64-bit arch there was a sign extension at the top, only the low
> > 32 bits are defined.
>
> In this case, I think the best course of action is to cast a,b,c to
> unsigned, then perform the shifts, and finally cast back to int. That
> is what the C standard requires. And it should not mess with the ABI.
>
> If the code remains undefined, then it is subject to removal by the
> compiler. The casts, while ugly, keep the code in well defined
> territory. Also, if anyone ever performs testing with
> -fsantize=undefined, then the code will trigger real findings that
> could keep the code from passing through a security gate (for those
> folks who have to work in that kind of environment).
>
> I've had to work bug reports that were a result of the missing casts
> during shifts and rotates. It is not fun. I was able to track all of
> them down with -fsantize=undefined .
>
> Jeff
>

That would be cool by me. I hate making macros complicated but I also
understand the POSIX issue.
Seems a shame that POSIX is so out of step these days with actual
implementations. Perhaps that will change in the future....

Cool to be reminded of the GCC santize settings. I had forgotten about
those.

Cheers,
Ralph

[-- Attachment #2: Type: text/html, Size: 4131 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [musl] Re: [BUG] ioctl: overflow in implicit constant conversion
  2023-02-21 16:57   ` Jeffrey Walton
  2023-02-21 18:25     ` Ralph Little
@ 2023-02-21 21:28     ` Markus Wichmann
  2023-02-22  6:33       ` NRK
  1 sibling, 1 reply; 11+ messages in thread
From: Markus Wichmann @ 2023-02-21 21:28 UTC (permalink / raw)
  To: musl

On Tue, Feb 21, 2023 at 11:57:50AM -0500, Jeffrey Walton wrote:
> In this case, I think the best course of action is to cast a,b,c to
> unsigned, then perform the shifts, and finally cast back to int. That
> is what the C standard requires. And it should not mess with the ABI.
>

Actually I messed up. That mostly happens already. The directions are
defined as unsigned, and the conversion to int happens implicitly. So
there is no undefined behavior. The compiler is merely warning about
nothing. That also means the only thing missing to silence the warning
would be a cast back to int. However, we have in the past never added
code just to shut up overeager warnings. Should the compiler not
suppress warnings that come from system headers?

Ciao,
Markus


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [musl] Re: [BUG] ioctl: overflow in implicit constant conversion
  2023-02-21 16:04 ` Markus Wichmann
  2023-02-21 16:42   ` Florian Weimer
  2023-02-21 16:57   ` Jeffrey Walton
@ 2023-02-22  3:17   ` Rich Felker
  2023-02-22  4:23     ` Markus Wichmann
  2 siblings, 1 reply; 11+ messages in thread
From: Rich Felker @ 2023-02-22  3:17 UTC (permalink / raw)
  To: Markus Wichmann; +Cc: musl

On Tue, Feb 21, 2023 at 05:04:55PM +0100, Markus Wichmann wrote:
> On Mon, Feb 20, 2023 at 09:26:05PM -0800, Ralph Little wrote:
> > Hi,
> > I have been picking up some old pending issues related to the SANE project.
> > One of our CI builds is on Alpine and it is generating warnings for ioctl()
> > calls from the musl library:
> >
> > |error: overflow in conversion from 'long unsigned int' to 'int' changes
> > value from '2147577985' to '-2147389311' [-Werror=overflow]
> > |
> > ||ioctl (fd, PPRSTATUS, &status);
> >
> > ||I see that Olaf Meeuwissen raised this issue a couple of years ago and the
> > discussion petered out somewhat and I don't believe that the issue was ever
> > really resolved:
> >
> > https://www.openwall.com/lists/musl/2020/01/20/2
> >
> > Is there any possibility that this could be addressed in the near future?
> > I see that Alpine have closed their issue and are not interested in patching
> > their downstream musl:
> >
> > https://gitlab.alpinelinux.org/alpine/aports/-/issues/7580#note_287168
> >
> > Cheers,
> > Ralph Little
> >
> >
> >
> >
> >
> 
> So, I had a look at it. As far as I can tell, the issue is that musl
> declares ioctl()'s second argument to be an int. Together with the other
> defintions, this means that any _IOC_READ constant will overflow and
> generate those warnings. Also, this is technically undefined behavior,
> as value bits are shifted into the sign bit of a signed integer.

Unless you're seeing something I'm not, there's no UB. The shifts take
place on the unsigned type, and the conversion from unsigned to signed
is implementation-defined, not undefined. The implementation-defined
definition relevant to us is modular reduction.

I'm not sure if there's anything reasonable that can be done here on
our side to be more friendly while still conformant, but getting rid
of -Werror=overflow (which is treating well-defined code as an error)
will solve the problem.

Rich

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [musl] Re: [BUG] ioctl: overflow in implicit constant conversion
  2023-02-22  3:17   ` Rich Felker
@ 2023-02-22  4:23     ` Markus Wichmann
  2023-02-22 15:53       ` Rich Felker
  0 siblings, 1 reply; 11+ messages in thread
From: Markus Wichmann @ 2023-02-22  4:23 UTC (permalink / raw)
  To: musl

On Tue, Feb 21, 2023 at 10:17:31PM -0500, Rich Felker wrote:
> Unless you're seeing something I'm not, there's no UB. The shifts take
> place on the unsigned type, and the conversion from unsigned to signed
> is implementation-defined, not undefined. The implementation-defined
> definition relevant to us is modular reduction.
>

Yeah, sorry, I had missed that the directions are defined as unsigned
constants. That turns any shift that might have been undefined into an
unsigned shift, where it is defined. As I said in the other mail, the
compiler is just warning about nothing here, and it should probably not
warn for system header files, anyway.

We may be able to silence the compiler by adding an explicit int
conversion to the _IOC macro. But I'm not sure if we want to set a
precedent that we will add code just to shut up overeager warnings.

Ciao,
Markus

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [musl] Re: [BUG] ioctl: overflow in implicit constant conversion
  2023-02-21 21:28     ` Markus Wichmann
@ 2023-02-22  6:33       ` NRK
  0 siblings, 0 replies; 11+ messages in thread
From: NRK @ 2023-02-22  6:33 UTC (permalink / raw)
  To: musl

On Tue, Feb 21, 2023 at 10:28:42PM +0100, Markus Wichmann wrote:
> Should the compiler not suppress warnings that come from system
> headers?

As far as I see, the warning isn't coming "from system headers". The
header is only defining those constants, the user is the one who's
using that constant in an `int` context.

This isn't much different than the user trying to put `ULONG_MAX` into
an `char` for example. And I don't see how the compiler can "fix" it
unless you introduce some sort of "this constant is OK to be converted
to an int" attribute (which would still require musl having to put the
attribute in from their side).

> Linux itself defines the ioctl syscall to have a second argument of
> type unsigned int.

My local ioctl(2) manpage says it's unsigned _long_ (not `int`).

- NRK

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [musl] Re: [BUG] ioctl: overflow in implicit constant conversion
  2023-02-22  4:23     ` Markus Wichmann
@ 2023-02-22 15:53       ` Rich Felker
  0 siblings, 0 replies; 11+ messages in thread
From: Rich Felker @ 2023-02-22 15:53 UTC (permalink / raw)
  To: Markus Wichmann; +Cc: musl

On Wed, Feb 22, 2023 at 05:23:12AM +0100, Markus Wichmann wrote:
> On Tue, Feb 21, 2023 at 10:17:31PM -0500, Rich Felker wrote:
> > Unless you're seeing something I'm not, there's no UB. The shifts take
> > place on the unsigned type, and the conversion from unsigned to signed
> > is implementation-defined, not undefined. The implementation-defined
> > definition relevant to us is modular reduction.
> >
> 
> Yeah, sorry, I had missed that the directions are defined as unsigned
> constants. That turns any shift that might have been undefined into an
> unsigned shift, where it is defined. As I said in the other mail, the
> compiler is just warning about nothing here, and it should probably not
> warn for system header files, anyway.
> 
> We may be able to silence the compiler by adding an explicit int
> conversion to the _IOC macro. But I'm not sure if we want to set a
> precedent that we will add code just to shut up overeager warnings.

I think it's reasonably arguable that the ioctl command macros should
have the right type matching the type the ioctl function takes. But
it's possible there could be places where sign extension bites you
then. As a stupid example, if someone bypassed the libc function and
tried to make the ioctl syscall directly, having the macros be of
signed type would cause the kernel to receive them with a bunch of
ones in the high bits, and possibly reject them as a result. I'm not
sure if there's any reasonable usage that would be impacted, though.

Rich

^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2023-02-22 15:54 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-02-21  5:26 [musl] Re: [BUG] ioctl: overflow in implicit constant conversion Ralph Little
2023-02-21 16:04 ` Markus Wichmann
2023-02-21 16:42   ` Florian Weimer
2023-02-21 16:53     ` alice
2023-02-21 16:57   ` Jeffrey Walton
2023-02-21 18:25     ` Ralph Little
2023-02-21 21:28     ` Markus Wichmann
2023-02-22  6:33       ` NRK
2023-02-22  3:17   ` Rich Felker
2023-02-22  4:23     ` Markus Wichmann
2023-02-22 15:53       ` Rich Felker

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/musl/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).