
A zero pointer is not a null pointer

Posted Jul 24, 2009 22:06 UTC (Fri) by nix (subscriber, #2304)
In reply to: A zero pointer is not a null pointer by giraffedata
Parent article: Fun with NULL pointers, part 1

GCC certainly doesn't insert code checking if a pointer is NULL before
every pointer dereference. Considering how common pointer dereferencing is
in C and related languages, this would be a substantial slowdown for no
real gain, given that multiuser OSes invariably trap such things, and
non-multiuser OSes are specialist environments in which attacks by hostile
local users are not so common (yet).

That kernel space has to work when the lower part of its address space is
effectively under the control of a hostile attacker is a unique problem
which it is really not worth changing the C standard for, nor imposing
vast overheads on all userspace code. -fno-delete-null-pointer-checks does
the job.
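
As an added illustration (not part of the comment above or of the article), the pattern that -fno-delete-null-pointer-checks exists to preserve: a pointer is dereferenced before it is tested, so at -O2 GCC may treat the later test as dead code. The struct and function names are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed type for the example; not from the article or the thread. */
struct conn {
    int fd;
    int flags;
};

/*
 * Dereference-before-check. Because `c->fd` is read first, the compiler
 * is entitled to assume `c` is non-null from that point on and may
 * delete the `if (!c)` test entirely at -O2. In userspace a NULL `c`
 * traps on the load; in a kernel whose page 0 is mapped and attacker
 * controlled, the load succeeds and the missing check is the bug.
 * -fno-delete-null-pointer-checks keeps the test in the emitted code.
 */
int conn_fd_unsafe(struct conn *c)
{
    int fd = c->fd;   /* dereference: c is now assumed non-null */
    if (!c)           /* may be optimized away as unreachable */
        return -1;
    return fd;
}

/* Check-before-dereference: correct under any optimization level. */
int conn_fd_safe(struct conn *c)
{
    if (!c)
        return -1;
    return c->fd;
}

/* Returns 1 when the safe variant behaves as intended for both inputs. */
int run_demo(void)
{
    struct conn c = { .fd = 7, .flags = 0 };
    return conn_fd_safe(&c) == 7 && conn_fd_safe(NULL) == -1;
}

int main(void)
{
    struct conn c = { .fd = 7, .flags = 0 };
    printf("safe(&c)=%d safe(NULL)=%d unsafe(&c)=%d\n",
           conn_fd_safe(&c), conn_fd_safe(NULL), conn_fd_unsafe(&c));
    /* conn_fd_unsafe(NULL) is undefined behaviour and is not called. */
    return 0;
}
```

Compiling conn_fd_unsafe with `gcc -O2 -S` and then with `-O2 -fno-delete-null-pointer-checks -S` shows the difference: the comparison survives only in the second listing.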


A zero pointer is not a null pointer

Posted Jul 25, 2009 2:51 UTC (Sat) by giraffedata (subscriber, #1954)

> GCC certainly doesn't insert code checking if a pointer is NULL before every pointer dereference.

Sure, but that wouldn't improve standards compliance anyway. I asked if GCC generates extra code to comply with the C99 requirement that a null pointer not be equal to any non-null one (while still allowing the existence of pointers to a data structure that resides at address 0). Thinking about it now, though, I don't see how any such code is possible since a null pointer still has to compare equal to another null pointer.

> That kernel space has to work when the lower part of its address space is effectively under the control of a hostile attacker is a unique problem which it is really not worth changing the C standard for,

There has been no proposal to deal with this by changing the standard, which GCC apparently ignores anyhow. And the objection to GCC's conflation of null pointers and zero-address pointers wasn't that it's a security problem but that it's a basic correctness problem. Even without a hostile page 0, unless you proclaim data structures at address 0 don't exist, this optimization breaks code.

A zero pointer is not a null pointer

Posted Jul 25, 2009 12:49 UTC (Sat) by nix (subscriber, #2304)

GCC doesn't ignore the standard: you simply can't have data structures
that reside at address zero. Shaving off 1/2^32 or less of the address
space, and disabling an optimization in the one place that cares about
this (the kernel) does not seem like a terrible cost to me.

Data structures at address zero do not exist on any sane C platform.

A zero pointer is not a null pointer

Posted Jul 25, 2009 23:18 UTC (Sat) by PaXTeam (guest, #24616)

> Data structures at address zero do not exist on any sane C platform.

so platforms without an MMU are not sane?

A zero pointer is not a null pointer

Posted Jul 26, 2009 18:27 UTC (Sun) by nix (subscriber, #2304)

Well, you can't access a structure at address zero on such a platform
without either disabling all optimizations that involve knowing which
pointers are null (as the kernel now is) and taking great care to ensure
that you never need anything that can point to said structure to be NULL
at any time, or defining the null pointer to be other than all-bits-zero
(allowed, but weird, about as rare as platforms with strange word sizes).

I'd say that trying to access structures at address zero, MMU or no MMU,
is extremely unusual and not really sane to handle in a general-purpose
compiler. (GCC goes further than I would expect in actually having a
switch that makes it possible to use such a barmy thing.)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds