From: Xi Ruoyao <xry111@xry111.site>
To: Vincent Lefevre <vincent@vinc17.net>
Cc: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>,
Turritopsis Dohrnii Teo En Ming <teo.en.ming@protonmail.com>,
"libc-alpha@sourceware.org" <libc-alpha@sourceware.org>,
"ceo@teo-en-ming-corp.com" <ceo@teo-en-ming-corp.com>
Subject: Re: New GNU C Library (glibc) security flaw reported on 30 Jan 2024
Date: Thu, 01 Feb 2024 14:41:04 +0800 [thread overview]
Message-ID: <c3bb6b7ce260b36d3db627b3063e061369780264.camel@xry111.site> (raw)
In-Reply-To: <20240201005155.GF3044@qaa.vinc17.org>
On Thu, 2024-02-01 at 01:51 +0100, Vincent Lefevre wrote:
> On 2024-02-01 02:47:18 +0800, Xi Ruoyao wrote:
> > On Wed, 2024-01-31 at 12:52 -0300, Adhemerval Zanella Netto wrote:
> >
> > /* snip */
> >
> > >
> > > I see this is an manual issue rather than a GNU 'extension' to qsort semantic.
> > > And I think we should fix BZ#31322 by using a transitive comparison instead of
> > > trying to support such cases.
> >
> > To me the documentation is correct (though arguably in a very subtle
> > way):
> >
> > Here is an example of a comparison function which works with an array
> > of numbers of type ‘double’:
> >
> > int
> > compare_doubles (const void *a, const void *b)
> > {
> > const double *da = (const double *) a;
> > const double *db = (const double *) b;
> >
> > return (*da > *db) - (*da < *db);
> > }
> >
> > It says "numbers." But NaN literally means, "Not a Number."
>
> Yes, the point is to sort numbers. But since NaN may occur, the code
> must not yield undefined behavior in such a case. This is the goal
> of NaN: avoid undefined behavior for operations that do not make any
> sense, and be able to detect errors at the end.
When we sort *numbers* NaN cannot be passed to the comparator. The
standard disallows qsort to randomly construct a value not in the array
and compare it with the provided comparator:
The implementation shall ensure that the second argument of the
comparison function (when called from bsearch), or both arguments
(when called from qsort), are pointers to elements of the array. The
first argument when called from bsearch shall equal key.
If the Glibc qsort implementation really construct an NaN and then compare
it with something using the comparator, then this qsort implementation
would be completely wrong and we should assign a CVE number for Glibc. But
if I read the advisory correct this has not happened, at all.
So if the programmer knows for sure he's sorting an array of numbers,
this comparator is perfectly correct. It's only wrong when there is one
or multiple NaN in the array.
And I doubt if silently producing a NaN is really good for error
detection. Simply crashing when an invalid operation happens is easier
for debugging, IMO. And it's possible with "feenableexcept
(FE_INVALID)" (where FP exceptions are supported).
--
Xi Ruoyao <xry111@xry111.site>
School of Aerospace Science and Technology, Xidian University
next prev parent reply other threads:[~2024-02-01 6:41 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-31 14:08 Turritopsis Dohrnii Teo En Ming
2024-01-31 14:23 ` Xi Ruoyao
2024-01-31 14:55 ` Vincent Lefevre
2024-01-31 15:52 ` Adhemerval Zanella Netto
2024-01-31 16:23 ` Vincent Lefevre
2024-01-31 16:44 ` Siddhesh Poyarekar
2024-01-31 18:47 ` Xi Ruoyao
2024-02-01 0:51 ` Vincent Lefevre
2024-02-01 1:03 ` Vincent Lefevre
2024-02-01 6:41 ` Xi Ruoyao [this message]
2024-02-01 9:07 ` Vincent Lefevre
2024-02-01 19:55 ` Paul Eggert
2024-02-01 21:11 ` Siddhesh Poyarekar
2024-02-05 0:58 ` Paul Eggert
2024-02-06 15:00 ` Zack Weinberg
2024-02-06 21:30 ` Paul Eggert
2024-02-06 22:04 ` Xi Ruoyao
2024-02-07 17:07 ` Zack Weinberg
2024-02-07 19:55 ` Alexander Monakov
2024-02-07 20:45 ` Zack Weinberg
2024-02-07 21:53 ` Alexander Monakov
2024-02-07 22:56 ` Paul Eggert
2024-04-06 17:17 ` Paul Eggert
2024-04-08 8:28 ` Florian Weimer
2024-04-22 14:39 ` Zack Weinberg
2024-04-23 18:09 ` Paul Eggert
2024-04-23 18:26 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c3bb6b7ce260b36d3db627b3063e061369780264.camel@xry111.site \
--to=xry111@xry111.site \
--cc=adhemerval.zanella@linaro.org \
--cc=ceo@teo-en-ming-corp.com \
--cc=libc-alpha@sourceware.org \
--cc=teo.en.ming@protonmail.com \
--cc=vincent@vinc17.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).