From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: AG47ELsZaabGGy+SwGxcqil8ve8f0FQlZ7ap6YfDB8nlQijicIGago0RrdXzf6QbZeVhBaEfgBcu ARC-Seal: i=1; a=rsa-sha256; t=1521312749; cv=none; d=google.com; s=arc-20160816; b=Qs80MwQjzIgsXiijJMIjwwbDs6/cSek+RLrjqeynwO76EooY4uFRl4s21ZXtH3hZzm UcqyVWlsCKqqLOIKUaNyKjIykG+MD4jLlTsQlPygHY+JleAGwOhIQjMd2YCvBr1uuaBC Mmz+QMC4lKhn6W2kTWQEOsagS+rS5hwjboszIzlBZ1cG4UwTr+Yb0eBr/7sR/bGgWmFY ry7xTM6N51hRq20YaSjGHhUastRa313pzpFuuWWR7FqwBAjxLKrxaOt3KtiRSEhIGD5X 4RgNGck7z793bdttCvGkMezxpUAhTZlKevhs0xvvYCzjhZp0WehNwwPyoTbdbdGTiXWj kAzg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :references:in-reply-to:sender:mime-version:dkim-signature :dkim-signature:delivered-to:list-id:list-subscribe:list-unsubscribe :list-help:list-post:precedence:mailing-list :arc-authentication-results; bh=+VUZe5SRHX0nX0XLfC1IVdj9HVpNUAxJVe8p0zHzO+4=; b=Wv5CmNxLYrUQHaMMHJt9AmwctCwyWIj6cDa+O0upmx8faO3dtayR5aj07YGdZIbQkt YbtQFf1MYES23NgL1v7BtgVaK6W3KVs0zNwEKMCAy366Q6KeAwme9yIDJZgZDO7eTGDE C3r6g2plLKolKqC73D6U++sNGm5BUIKxu6E33QEqfRtPDdJCjZ5ydRMNKU23+/NNKwRt iPXVFcyN/9v8WWpR8J11efS2/roqrVRvHX4+M04eBb4mYEbENZWlZ4GzSPH6Xg10+qfg CCseTIaec/ASsWRNDlFMgzHJAe9s22+3S6/M1Se7aBh0dbzBG7Rgxu2Smgg75eaUX+M7 Oj/A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=iVrNjtI5; dkim=pass header.i=@linux-foundation.org header.s=google header.b=AZAWb12O; spf=pass (google.com: domain of kernel-hardening-return-12686-gregkh=linuxfoundation.org@lists.openwall.com designates 195.42.179.200 as permitted sender) smtp.mailfrom=kernel-hardening-return-12686-gregkh=linuxfoundation.org@lists.openwall.com Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=iVrNjtI5; dkim=pass header.i=@linux-foundation.org header.s=google header.b=AZAWb12O; spf=pass (google.com: domain of kernel-hardening-return-12686-gregkh=linuxfoundation.org@lists.openwall.com designates 195.42.179.200 as permitted sender) smtp.mailfrom=kernel-hardening-return-12686-gregkh=linuxfoundation.org@lists.openwall.com Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm List-Post: List-Help: List-Unsubscribe: List-Subscribe: MIME-Version: 1.0 Sender: linus971@gmail.com In-Reply-To: References: <1521174359-46392-1-git-send-email-keescook@chromium.org> <20180316175502.GE30522@ZenIV.linux.org.uk> From: Linus Torvalds Date: Sat, 17 Mar 2018 11:52:09 -0700 X-Google-Sender-Auth: dn6k--1NHbCqY0P87KYODVgZrmk Message-ID: Subject: Re: [PATCH v5 0/2] Remove false-positive VLAs when using max() To: Kees Cook Cc: Al Viro , Florian Weimer , Andrew Morton , Josh Poimboeuf , Rasmus Villemoes , Randy Dunlap , Miguel Ojeda , Ingo Molnar , David Laight , Ian Abbott , linux-input , linux-btrfs , Network Development , Linux Kernel Mailing List , Kernel Hardening Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: =?utf-8?q?1595034368078500739?= X-GMAIL-MSGID: =?utf-8?q?1595212037299976036?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: On Sat, Mar 17, 2018 at 12:27 AM, Kees Cook wrote: > > Unfortunately my 4.4 test fails quickly: > > ./include/linux/jiffies.h: In function =E2=80=98jiffies_delta_to_clock_t= =E2=80=99: > ./include/linux/jiffies.h:444: error: first argument to > =E2=80=98__builtin_choose_expr=E2=80=99 not a constant Ok, so it really looks like that same "__builtin_constant_p() doesn't return a constant". Which is really odd, but there you have it. I wonder if you can use that "sizeof()" to force evaluation of it, because sizeof() really does end up being magical when it comes to "integer constant expression". So instead of this: #define __no_side_effects(a,b) \ (__builtin_constant_p(a)&&__builtin_constant_p(b)) that just assumes that __builtin_constant_p() itself always counts as a constant expression, what happens if you do #define __is_constant(a) \ (sizeof(char[__builtin_constant_p(a)])) #define __no_side_effects(a,b) \ (__is_constant(a) && __is_constant(b)) I realize that the above looks completely insane: the whole point is to *not* have VLA's, and we know that __builtin_constant_p() isn't always evaliated as a constant. But hear me out: if the issue is that there's some evaluation ordering between the two builtins, and the problem is that the __builtin_choose_expr() part of the expression is expanded *before* the __builtin_constant_p() has been expanded, then just hiding it inside that bat-shit-crazy sizeof() will force that to be evaluated first (because a sizeof() is defined to be a integer constant expression. So the above is completely insane, bit there is actually a chance that using that completely crazy "x -> sizeof(char[x])" conversion actually helps, because it really does have a (very odd) evaluation-time change. sizeof() has to be evaluated as part of the constant expression evaluation, in ways that "__builtin_constant_p()" isn't specified to be done. But it is also definitely me grasping at straws. If that doesn't work for 4.4, there's nothing else I can possibly see. Linus