Message-ID: <20240718173129.GP10433@brightrain.aerifal.cx>
Date: Thu, 18 Jul 2024 13:31:30 -0400
From: Rich Felker <dalias@...c.org>
To: Thorsten Glaser <tg@...bsd.de>
Cc: musl@...ts.openwall.com
Subject: Re: [PATCH 1/1] FD_SET() and FD_ISSET() warn on -Wsign-conversion

On Thu, Jul 18, 2024 at 04:54:23PM +0000, Thorsten Glaser wrote:
> Rich Felker dixit:
>
> >What's really frustrating about these kinds of garbage warnings is
> >that they encourage (as in the proposed patch) writing casts that
> >*remove type-safety* and make very-wrong code silently compile "fine",
> >for the purpose of suppressing a warning that's supposedly about a
> >type-safety issue.
>
> The warning *can* be useful, though.

Yes, it can, but empirically this kind of warning leads to people
writing wrong casts that either suppress other useful diagnostics or
outright introduce bugs.

> You could always hide a cast-y version behind __extension__({…})
> if GCC or compatible is detected (ugh).

How about nope. :-)

> For *this* specific case, it might be sufficient to instead cast
> the constant term to signed (I can’t believe I found a case where
> using signed ints, despite the UB danger, is the possible fix):
>
> #define FD_SET(d,s) ((s)->fds_bits[(d) / (int)(8 * sizeof(long))] |= \
> (1UL << ((d) % (int)(8 * sizeof(long)))))

Use of signed ints generates worse code (not just bitshift/mask, needs
fixup for C's wrong definition of signed integer division) and has
more-dangerous behavior in the event of a negative input (small
negative offset likely to clobber data in an exploitable way rather
than giant positive offset likely to crash).

Rich
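The negative-fd behaviour Rich describes can be made concrete. The following is an added example written for this page, not musl code and not part of the thread: `struct demo_fd_set`, `DEMO_FD_SETSIZE` and the helper functions are hypothetical stand-ins that reproduce only the index arithmetic of the two macro variants (the existing unsigned form, `(d) / (8 * sizeof(long))`, and the proposed signed form, `(d) / (int)(8 * sizeof(long))`) without dereferencing anything. The checked setter at the end is the one addition a practitioner would actually want: reject the out-of-range fd instead of relying on either overflow behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the fd_set layout discussed in the thread:
 * a flat array of longs covering an assumed DEMO_FD_SETSIZE of 1024. */
#define DEMO_FD_SETSIZE 1024
#define LONG_BITS (8 * sizeof(long))

struct demo_fd_set {
    unsigned long fds_bits[DEMO_FD_SETSIZE / LONG_BITS];
};

/* Word index as the existing macro computes it. 8 * sizeof(long) is a
 * size_t, so the usual arithmetic conversions turn a negative d into a
 * huge unsigned value: the resulting index is far past the array. */
static size_t unsigned_word_index(int d)
{
    return (d) / (8 * sizeof(long));
}

/* Word index and bit offset as the proposed signed variant computes them.
 * Both operands stay int; C truncates toward zero, so -65 / 64 == -1 and
 * -1 % 64 == -1. A small negative index points at whatever sits just
 * before fds_bits, and a negative shift count is undefined behaviour. */
static int signed_word_index(int d)
{
    return (d) / (int)(8 * sizeof(long));
}

static int signed_bit_offset(int d)
{
    return (d) % (int)(8 * sizeof(long));
}

/* Range-checked setter: the only safe way to take an fd that may be
 * negative or oversized. Returns 0 on success, -1 if d is out of range. */
static int checked_fd_set(int d, struct demo_fd_set *s)
{
    if (d < 0 || d >= DEMO_FD_SETSIZE)
        return -1;
    s->fds_bits[(size_t)d / LONG_BITS] |= 1UL << ((size_t)d % LONG_BITS);
    return 0;
}

/* Range-checked query: out-of-range fds are simply "not set". */
static int checked_fd_isset(int d, const struct demo_fd_set *s)
{
    if (d < 0 || d >= DEMO_FD_SETSIZE)
        return 0;
    return (int)((s->fds_bits[(size_t)d / LONG_BITS] >> ((size_t)d % LONG_BITS)) & 1UL);
}

int main(void)
{
    struct demo_fd_set s = {0};
    int bad = -65;   /* constructed input: an fd a caller should never pass */
    size_t words = sizeof s.fds_bits / sizeof s.fds_bits[0];

    printf("unsigned variant, fd %d: word index %zu (array has %zu words)\n",
           bad, unsigned_word_index(bad), words);
    printf("signed variant,   fd %d: word index %d, bit offset %d\n",
           bad, signed_word_index(bad), signed_bit_offset(bad));
    printf("checked: set fd 5 -> %d, isset(5) -> %d, set fd -1 -> %d\n",
           checked_fd_set(5, &s), checked_fd_isset(5, &s), checked_fd_set(-1, &s));
    return 0;
}
```

The code-generation half of the argument is not something a unit test can assert, but it is easy to check by hand: compile the two index functions with `gcc -O2 -S` and compare. The unsigned division by a power of two becomes a single shift, while the signed one needs extra instructions to correct for truncation toward zero on negative inputs.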