Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAFdMc-3BM=i8F+4pCDc6dGLeajzpmSBnc9YH8durpp2O0jezPQ@mail.gmail.com>
Date: Thu, 15 Mar 2018 16:42:41 -0300
From: "dgutson ." <danielgutson@...il.com>
To: musl@...ts.openwall.com
Subject: Re: Re: #define __MUSL__ in features.h

On Thu, Mar 15, 2018 at 4:37 PM, Rich Felker <dalias@...c.org> wrote:

> On Thu, Mar 15, 2018 at 04:00:37PM -0300, dgutson . wrote:
> > On Thu, Mar 15, 2018 at 3:53 PM, Rich Felker <dalias@...c.org> wrote:
> >
> > > On Thu, Mar 15, 2018 at 03:48:32PM -0300, Martin Galvan wrote:
> > > > 2018-03-15 15:39 GMT-03:00 Rich Felker <dalias@...c.org>:
> > > > >> (e.g. the FD* issue reported by Martin Galvan).
> > > > >
> > > > > That's not a bug. It's compiler warnings being wrongly produced
> for a
> > > > > system header, probably because someone added -I/usr/include or
> > > > > similar (normally GCC suppresses these).
> > > >
> > > > I'm certain we didn't add -I/usr/include or something similar. Could
> > > > you test this yourself to confirm it's not a bug?
> > >
> > > In any case it's not a bug in musl. The code is perfectly valid C. If
> > > the compiler is producing a warning for it, either ignore it or ask
> > > the compiler to stop.
> > >
> > > > The compiler warnings aren't being wrongly produced. musl will indeed
> > > > perform a signed-to-unsigned conversion here.
> > >
> > > Because that's how the C language works.
> > >
> >
> > it is a potential vulnerability:
> > https://cwe.mitre.org/data/definitions/195.html
> > https://wiki.sei.cmu.edu/confluence/display/c/INT31-C.+
> Ensure+that+integer+conversions+do+not+result+in+
> lost+or+misinterpreted+data
> > https://wiki.sei.cmu.edu/confluence/display/c/INT30-C.+
> Ensure+that+unsigned+integer+operations+do+not+wrap
> >
> > Can you ensure it is rocksolid and the signed integer will NEVER be a
> > negative value?
>
> FD_* have undefined behavior if the argument is outside the range of
> FD_SETSIZE. We could trap this (and if you use fortify headers, they
> do) but doing so breaks applications that wrongly allocate larger
> space for fd_set buffers for the sake of intentionally using larger fd
> values than are possible with the select API.
>
> The behavior of the code with or without the cast to unsigned added is
> _exactly the same_. There is no bug here that is fixed by the proposed
> patch. The warning is telling you that, if you don't understand how
>

You are talking to the wrong guy. I did not propose the patch and I did not
propose the cast.


> integer promotions work in C, the code might not do what you expected
> it to do. The fact that you seem to think adding a cast "fixes a bug"



> is demonstrating how harmful the whole cult around compiler warnings
> is: it's not about using them as hints to check your code and make
> sure it's doing what you want, but instead about making the warning go
> away without actually changing anything.
>
> Rich
>



-- 
Who’s got the sweetest disposition?
One guess, that’s who?
Who’d never, ever start an argument?
Who never shows a bit of temperament?
Who's never wrong but always right?
Who'd never dream of starting a fight?
Who get stuck with all the bad luck?

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.