Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20170916171154.GC15263@port70.net>
Date: Sat, 16 Sep 2017 19:11:54 +0200
From: Szabolcs Nagy <nsz@...t70.net>
To: musl@...ts.openwall.com
Subject: Re: Wrong info in libc comparison

* Markus Wichmann <nullplan@....net> [2017-09-16 16:01:10 +0200]:
> On Sat, Sep 16, 2017 at 11:37:53AM +0200, Szabolcs Nagy wrote:
> > * Markus Wichmann <nullplan@....net> [2017-09-15 21:18:46 +0200]:
> > > On Wed, Sep 13, 2017 at 03:53:06PM -0400, Rich Felker wrote:
> > > > If you're considering big-O, where n->infinity (or at least to the
> > > > largest value that can fit in memory), malloc most certainly has
> > > > failed (because the array to be sorted already filled memory) and
> > > > you're looking at the "fallback" case.
> > > > 
> > > 
> > > I think we're getting sidetracked here. Every libc worth its salt uses a
                                              ^^^^^^^^^^
> > > loglinear sorting algorithm. Thus they are all equal in that regard.
      ^^^^^^^^^                         ^^^^^^^^^^^^^^^^^^
> > 
> > that is not true at all.
> > embedded libcs are often optimized for size, not worst case behaviour.
> > note that worst-case behaviour is not just big-O..
> > (e.g. glibc uses mergesort which uses malloc which means it's not as-safe,
> > may introduce arbitrary latency since malloc can be interposed, concurrent
> > mallocs can delay forward progress, large allocation may cause swapping,
> > cancellation or longjmp out of the cmp callback can leak memory etc.)
> > 
> 
> Did you even read what I wrote? Rich talked about big-O, i.e. complexity
> theory, to which I remarked that most algorithms in use are loglinear
> and thus equal _in_that_regard_.
> 

glibc, uclibc, dietlibc, newlib, netbsd, openbsd, freebsd
qsort are all O(n^2) worst-case, musl qsort is O(n log(n)).

i think this is not a sidetrack, but relevant detail
for a libc comparision page.
(the openbsd proof of concept stack clash exploit
relied on the unbounded stack use in qsort, that
would not work against musl, but all the other libcs
are affected.)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.