LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

A zero pointer is not a null pointer

A zero pointer is not a null pointer

Posted Jul 21, 2009 10:57 UTC (Tue) by epa (subscriber, #39769)
Parent article: Fun with NULL pointers, part 1

Since the zero page can be mapped and therefore 0x0 is a valid address, the zero bit pattern should not be used for the null pointer. The null pointer is supposed to be an invalid pointer that never points to any addressable memory. From the C99 standard:

If a null pointer constant is converted to a pointer type, the resulting pointer, called a null pointer, is guaranteed to compare unequal to a pointer to any object or function.
The C runtime should use some other magic value to represent the null pointer - and the kernel should promise never to map any addressable memory there.

(Log in to post comments)

A zero pointer is not a null pointer

Posted Jul 21, 2009 11:07 UTC (Tue) by tialaramex (subscriber, #21167) [Link]

Now why would you want people to spill coffee all over their keyboards?

A zero pointer is not a null pointer

Posted Jul 22, 2009 9:02 UTC (Wed) by epa (subscriber, #39769) [Link]

It would be possible to keep 0x0 for the null pointer while respecting the C99 standard: the compiler would need to put in a couple of extra instructions for every pointer comparison making sure that 0x0 != P for any value of P. Optionally, it could also put in a check before every pointer dereference making sure the pointer is not 0x0 and causing a SIGSEGV if it is (since the memory layout can no longer be relied on to guarantee that).

A zero pointer is not a null pointer

Posted Jul 24, 2009 20:38 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

It would be possible to keep 0x0 for the null pointer while respecting the C99 standard: the compiler would need to put in a couple of extra instructions for every pointer comparison making sure that 0x0 != P for any value of P.

Do we know Gcc doesn't do this? Seems like it would have to, to be C99 compliant.

Optionally, it could also put in a check before every pointer dereference making sure the pointer is not 0x0 and causing a SIGSEGV if it is (since the memory layout can no longer be relied on to guarantee that).

But then how would you represent a pointer to a data structure that resides at address 0? A pointer should be able to do that.

It would of course be unrealistically expensive on typical machines to represent a pointer with anything but a simple address, but pointer comparisons are rare enough that a few extra instructions for them seems worthwhile to maintain the null pointer concept.

Regardless of how the compiler chooses to represent pointers (null or otherwise), the optimization in question is logically sound. C99 says a dereference of a null pointer causes undefined behavior, so either a) tun is non-null and !tun must be false or b) tun is null and !tun can be anything, including false.

A zero pointer is not a null pointer

Posted Jul 24, 2009 22:06 UTC (Fri) by nix (subscriber, #2304) [Link]

GCC certainly doesn't insert code checking if a pointer is NULL before
every pointer dereference. Considering how common pointer dereferencing is
in C and related languages, this would be a substantial slowdown for no
real gain, given that multiuser OSes invariably trap such things, and
non-multiuser OSes are specialist environments in which attacks by hostile
local users are not so common (yet).

That kernel space has to work when the lower part of its address space is
effectively under the control of a hostile attacker is a unique problem
which it is really not worth changing the C standard for, nor imposing
vast overheads on all userspace code. -fno-delete-null-pointer-checks does
the job.

A zero pointer is not a null pointer

Posted Jul 25, 2009 2:51 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

GCC certainly doesn't insert code checking if a pointer is NULL before every pointer dereference.

Sure, but that wouldn't improve standards compliance anyway. I asked if GCC generates extra code to comply with the C99 requirement that a null pointer not be equal to any non-null one (while still allowing the existence of pointers to a data structure that resides at address 0). Thinking about it now, though, I don't see how any such code is possible since a null pointer still has to compare equal to another null pointer.

That kernel space has to work when the lower part of its address space is effectively under the control of a hostile attacker is a unique problem which it is really not worth changing the C standard for,

There has been no proposal to deal with this by changing the standard, which GCC apparently ignores anyhow. And objection to GCC's conflation of null pointers and zero-address pointers wasn't that it's a security problem but that it's a basic correctness problem. Even without a hostile page 0, unless you proclaim data structures at address 0 don't exist, this optimization breaks code.

A zero pointer is not a null pointer

Posted Jul 25, 2009 12:49 UTC (Sat) by nix (subscriber, #2304) [Link]

GCC doesn't ignore the standard: you simply can't have data structures
that reside at address zero. Shaving off 1/2^32 or less of the address
space, and disabling an optimization in the one place that cares about
this (the kernel) does not seem like a terrible cost to me.

Data structures at address zero do not exist on any sane C platform.

A zero pointer is not a null pointer

Posted Jul 25, 2009 23:18 UTC (Sat) by PaXTeam (subscriber, #24616) [Link]

> Data structures at address zero do not exist on any sane C platform.

so platforms without an MMU are not sane?

A zero pointer is not a null pointer

Posted Jul 26, 2009 18:27 UTC (Sun) by nix (subscriber, #2304) [Link]

Well, you can't access a structure at address zero on such a platform
without either disabling all optimizations that involve knowing which
pointers are null (as the kernel now is) and taking great care to ensure
that you never need anything that can point to said structure to be NULL
at any time, or defining the null pointer to be other than all-bits-zero
(allowed, but weird, about as rare as platforms with strange word sizes).

I'd say that trying to access structures at address zero, MMU or no MMU,
is extremely unusual and not really sane to handle in a general-purpose
compiler. (GCC goes further than I would expect in actually having a
switch that makes it possible to use such a barmy thing.)

A zero pointer is not a null pointer

Posted Jul 25, 2009 9:37 UTC (Sat) by spitzak (guest, #4593) [Link]

That won't work, plenty of code assumes that comparing two NULL pointers for equality will return
true.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds