Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20250627193712.GS1827@brightrain.aerifal.cx>
Date: Fri, 27 Jun 2025 15:37:12 -0400
From: Rich Felker <dalias@...c.org>
To: Alejandro Colomar <alx@...nel.org>
Cc: Florian Weimer <fweimer@...hat.com>, libc-alpha@...rceware.org,
	bug-gnulib@....org, musl@...ts.openwall.com,
	наб <nabijaczleweli@...ijaczleweli.xyz>,
	Douglas McIlroy <douglas.mcilroy@...tmouth.edu>,
	Paul Eggert <eggert@...ucla.edu>,
	Robert Seacord <rcseacord@...il.com>,
	Elliott Hughes <enh@...gle.com>, Bruno Haible <bruno@...sp.org>,
	JeanHeyd Meneide <phdofthehouse@...il.com>,
	Adhemerval Zanella Netto <adhemerval.zanella@...aro.org>,
	Joseph Myers <josmyers@...hat.com>,
	Laurent Bercot <ska-dietlibc@...rnet.org>,
	Andreas Schwab <schwab@...e.de>, Thorsten Glaser <tg@...bsd.de>,
	Eric Blake <eblake@...hat.com>,
	Vincent Lefevre <vincent@...c17.net>,
	Mark Harris <mark.hsj@...il.com>,
	Collin Funk <collin.funk1@...il.com>,
	Wilco Dijkstra <Wilco.Dijkstra@....com>, DJ Delorie <dj@...hat.com>,
	Cristian Rodríguez <cristian@...riguez.im>,
	Siddhesh Poyarekar <siddhesh@...plt.org>,
	Sam James <sam@...too.org>, Mark Wielaard <mark@...mp.org>,
	"Maciej W. Rozycki" <macro@...hat.com>,
	Martin Uecker <ma.uecker@...il.com>,
	Christopher Bazley <chris.bazley.wg14@...il.com>,
	eskil@...ession.se,
	Daniel Krügler <daniel.kruegler@...glemail.com>,
	Kees Cook <keescook@...omium.org>,
	Valdis Klētnieks <valdis.kletnieks@...edu>
Subject: Re: Re: alx-0029r5 - Restore the traditional realloc(3)
 specification

On Fri, Jun 27, 2025 at 07:38:44PM +0200, Alejandro Colomar wrote:
> Hi Rich,
> 
> On Fri, Jun 27, 2025 at 01:22:17PM -0400, Rich Felker wrote:
> > On Fri, Jun 27, 2025 at 06:17:14PM +0200, Florian Weimer wrote:
> > > I think the wording still allows calloc (42, 0) to fail with EINVAL (or
> > > some other error code) because 0 is not a valid object size.
> > 
> > Since this is also a matter of confusion, I'd like to see it improved.
> > In addition to zero being unclear to some readers,
> 
> I've slightly tweaked the wording in alx-0029r6.  Please check.  I've
> asked Joseph to review that too.
> 
> The rules that prevent 0-sized objects don't trigger, because we never
> attempt to create a 0-sized object.  It works *as-if* the size was
> non-zero, except that the user is not allowed to access the object.

Yes, that's not what I'm talking about. That's all fine.

> > it's not clear to
> > some users (and even implementors) that it must fail if the
> > multiplication overflows.
> 
> This is off-topic for my proposal.

I actually largely agree, but at the same time, folks are wrongly
raising this matter as if it were on-topic for your proposal, because
the poor wording of the way calloc is specified seems to generate
confusion that semantics about zero-sized objects are involved when
they're not.

I don't necessarily think fixing this needs to or should be part of
your proposal.

> However, if that would be unclear, I'm willing to improve the wording in
> a separate paper.  However, I don't find the confusion.  The current
> wording for calloc(3), as of n3550, is:
> 
> <https://www.open-std.org/jtc1/sc22/wg14/www/docs/n3550.pdf#subsubsection.0.7.25.4.3>
> 7.25.4.3p3 (Returns):
> 
> 	The calloc function returns
> 	either a pointer to the allocated space
> 	or a null pointer
> 	if the space cannot be allocated
> 	or if the product nmemb * size would wraparound size_t.
> 
> So, if n*size would wrap around, it must return a null pointer.  How is
> it unclear?

OK, I wasn't aware that it was finally clearly spelled out for the
folks who keep finding it surprising. But I was not so much proposing
adding a clarification as just making sure it would still be addressed
if calloc were just specified with malloc+memset(size*nmemb) without
talking about array-like usage.

Sorry if this has been a distraction. I know we have way too many of
those already...

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.