Tone and correctness
Posted Jan 8, 2005 0:24 UTC (Sat) by BruceRamsay
Parent article: grsecurity 2.1.0 and kernel vulnerabilities
I'm sure there are valuable fixes in these patches. I look forward to their inclusion in a future kernel. However, it is good to keep things in perspective. The world did not collapse without these patches.
After a quick look at the bugs listed I have a few questions about some of the analysis. For example:
>> if(len > sizeof(moxaBuff))
> ^ signed int has only upper-bound checked
>> return -EINVAL;
On all systems I know of, sizeof() produces an unsigned number. In C, comparisons between unsigned numbers and signed numbers are done as unsigned comparisons. In fact, -1 > sizeof(moxaBuff) is true. Therefore the comment "signed int has only upper-bound checked" is incorrect. After the test we are guaranteed that 0 <= len <= sizeof(moxaBuff). (I am speaking about real world C implementations and not theoretically possible C compilers.)
A quick look at Linux source code shows me that, at least on some architectures, PAGE_SIZE is an unsigned number. So tests like "len < PAGE_SIZE" also check for negative values of len.
It is hard to put a high priority on something which also includes incorrect analysis.
Still, I applaud the use of automatic code analysis for producing clean and correct code. The more bugs removed the better.
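The conversion rule discussed in the comment above, as an added example that is not part of the original post or of the grsecurity patch: a bound check written against `sizeof()` rejects a negative signed `len` because the usual arithmetic conversions turn the comparison into an unsigned one, while the same check against a signed bound lets the negative value through. The buffer, return code and function names are constructed for this example, and it assumes `size_t` is at least as wide as `int`.

```c
/* Added example modelling `if (len > sizeof(moxaBuff)) return -EINVAL;`.
 * moxa_buff, EINVAL_RC and the function names are stand-ins constructed for
 * this example. Assumes size_t is at least as wide as int, so that in a
 * comparison between int and size_t the int operand is converted to size_t. */
#include <stddef.h>
#include <stdio.h>

#define EINVAL_RC (-22)          /* stand-in for -EINVAL */

static char moxa_buff[256];      /* stand-in for the driver's moxaBuff */

/* Check as written in the quoted hunk. The size_t operand forces `len` to be
 * converted to size_t, so a negative len becomes a very large unsigned value
 * and is rejected along with oversized lengths. Returns 0 when accepted. */
int check_against_sizeof(int len)
{
    if (len > sizeof(moxa_buff))
        return EINVAL_RC;
    return 0;
}

/* The same check with the bound cast to int: the comparison is now signed,
 * a negative len is accepted, and only the upper bound is really checked.
 * This is the weakness the analysis comment describes. */
int check_against_signed_bound(int len)
{
    if (len > (int)sizeof(moxa_buff))
        return EINVAL_RC;
    return 0;
}

/* Spelled-out form of what check_against_sizeof() guarantees on success:
 * 0 <= len <= sizeof(moxa_buff). Returns 1 when len is in range. */
int in_bounds(int len)
{
    return len >= 0 && (size_t)len <= sizeof(moxa_buff);
}

int main(void)
{
    int probes[] = { -1, 0, 256, 300 };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("len=%4d  vs sizeof: %3d  vs (int)sizeof: %3d  in_bounds: %d\n",
               probes[i], check_against_sizeof(probes[i]),
               check_against_signed_bound(probes[i]), in_bounds(probes[i]));
    return 0;
}
```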