Re: drivers: random: Shift out-of-bounds in _mix_pool_bytes

From: One Thousand Gnomes
Date: Fri Oct 24 2014 - 17:06:42 EST


On Fri, 24 Oct 2014 19:10:49 +0400
Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:

> On Fri, Oct 24, 2014 at 7:04 PM, Sasha Levin <sasha.levin@xxxxxxxxxx> wrote:
> > On 10/24/2014 09:42 AM, Peter Zijlstra wrote:
> >> On Fri, Oct 24, 2014 at 09:23:35AM -0400, Sasha Levin wrote:
> >>>
> >>> i >> 32 may happen to be "i", but is there anything that prevents the compiler
> >>> from returning, let's say, 42?
> >>
> >> Not really, although gcc seems to opt for the 'sane' option and emit the
> >> instruction and let the arch figure out how to deal with it. Hence the
> >> 'fun' difference between x86 and ARM.
> >
> > It's interesting how many different views on undefined behaviour there are between
> > kernel folks.
> >
> > Everything between Ted Ts'o saying that GCC can launch nethack on oversized shifts,
> > to DaveM saying he will file a GCC bug if the behaviour isn't sane w.r.t to memcpy().
>
> One of the benefits of fixing such issues (or not letting them into
> code in the first place) is just saving numerous hours of top-notch
> engineers spent on disputes like this.

Also it means when someone quietly changes the default behaviour next
year in the compiler they won't spend months trying to work out why it
broke.

gcc has one behaviour but people also try and build the kernel with icc
and with llvm. In addition in some cases you risk the compiler simply
generating an undefined in hardware operation and the hardware behaviour
changing. If x >> 32 is undefined then generating "load Y with the
shift, shift X left by Y" is fine. What happens in future silicon - who
knows.

Most of the kernel is already very careful about the >> 32 problem.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/