Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 16 Mar 2018 04:05:55 +0100
From: Miguel Ojeda <>
To: Kees Cook <>
Cc: Linus Torvalds <>, 
	Andrew Morton <>, Josh Poimboeuf <>, 
	Rasmus Villemoes <>, Randy Dunlap <>, 
	Ingo Molnar <>, David Laight <>, 
	Ian Abbott <>, linux-input <>, 
	linux-btrfs <>, Network Development <>, 
	Linux Kernel Mailing List <>, 
	Kernel Hardening <>
Subject: Re: [PATCH v4 1/2] kernel.h: Introduce const_max() for VLA removal

On Fri, Mar 16, 2018 at 12:49 AM, Kees Cook <> wrote:
> On Thu, Mar 15, 2018 at 4:46 PM, Linus Torvalds
> <> wrote:
>> What I'm *not* so much ok with is "const_max(5,sizeof(x))" erroring
>> out, or silently causing insane behavior due to hidden subtle type
>> casts..
> Yup! I like it as an explicit argument. Thanks!

What about something like this?

typedef int64_t intmax_t;

#define const_max(x, y)                                               \
        __builtin_choose_expr(                                        \
                !__builtin_constant_p(x) || !__builtin_constant_p(y), \
                __error_not_const_arg(),                              \
                __builtin_choose_expr(                                \
                        (x) > INTMAXT_MAX || (y) > INTMAXT_MAX,       \
                        __error_too_big(),                            \
                        __builtin_choose_expr(                        \
                                (intmax_t)(x) >= (intmax_t)(y),       \
                                (x),                                  \
                                (y)                                   \
                        )                                             \
                )                                                     \

Works for different types, allows to mix negatives and positives and
returns the original type, e.g.:

  const_max(-1, sizeof(char));

is of type 'long unsigned int', but:

  const_max(2, sizeof(char));

is of type 'int'. While I am not a fan that the return type depends on
the arguments, it is useful if you are going to use the expression in
something that needs expects a precise (a printk() for instance?).

The check against the INTMAXT_MAX is there to avoid complexity (if we
do not handle those cases, it is safe to use intmax_t for the
comparison; otherwise you have to have another compile time branch for
the case positive-positive using uintmax_t) and also avoids odd
warnings for some cases above LLONG_MAX about comparisons with 0 for
unsigned expressions being always true. On the positive side, it
prevents using the macro for thing like "(size_t)-1".


Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.