From: DJ Delorie
To: Florian Weimer
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH] malloc: Switch global_max_fast to uint8_t
In-Reply-To: <87bkqhywbg.fsf@oldenburg.str.redhat.com>
Date: Wed, 12 Oct 2022 13:07:28 -0400

set_max_fast() doesn't itself check the value passed to it, but it's only ever called twice: once at startup with a constant, and once from tunables where the value is checked. So we're only concerned with malicious overwriting, ok.

The wiki agrees that the maximum value on current targets is 160.

0..255 still allows corruption, but limits the corruption. I suppose with a 32 bit or 64 bit value we could corrupt things to the point where we could generate arbitrary addresses. So I see how this limits the attack surface.

I suspect with today's processors, reading an 8-bit value into a 32-bit register adds no overhead.

Both INTERNAL_SIZE_T and uint8_t are unsigned, so there are no logic changes there.

LGTM
Reviewed-by: DJ Delorie
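
Added example (not part of the original message and not glibc code): a simplified C model of the 64-bit fastbin index arithmetic, quantifying how far past the bin array an index can land when the stored limit is capped at 255 versus a 32-bit value. The constant and function names are this example's own; the index formula is modelled on glibc's fastbin_index for SIZE_SZ == 8 with 16-byte alignment.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, 64-bit target assumed (SIZE_SZ == 8, 16-byte alignment).
   All names below belong to this example, not to glibc. */
#define ALIGN_MASK 15u
#define MIN_CHUNK  32u
#define NFASTBINS  10u   /* bin slots 0..9, i.e. chunk sizes 32..176 */

/* Same shape as the 64-bit fastbin index computation: size / 16 - 2,
   evaluated on the size truncated to unsigned int. */
static unsigned fastbin_index(uint64_t chunk_size)
{
    return ((unsigned)chunk_size >> 4) - 2;
}

/* Highest bin index the free path could compute if the stored limit held
   `limit`: the index of the largest aligned chunk size that is <= limit. */
static unsigned highest_index(uint64_t limit)
{
    uint64_t largest = limit & ~(uint64_t)ALIGN_MASK;
    if (largest < MIN_CHUNK)
        return 0;
    return fastbin_index(largest);
}

/* Number of slots beyond the end of the bin array that become reachable. */
static unsigned slots_past_end(uint64_t limit)
{
    unsigned top = highest_index(limit);
    return top >= NFASTBINS ? top - NFASTBINS + 1 : 0;
}

int main(void)
{
    /* Constructed inputs: the legitimate maximum from the review (160),
       the worst value a uint8_t can hold, and the worst 32-bit value. */
    const uint64_t limits[] = { 160, UINT8_MAX, UINT32_MAX };
    for (size_t i = 0; i < sizeof limits / sizeof limits[0]; i++)
        printf("limit=%llu highest_index=%u slots_past_end=%u\n",
               (unsigned long long)limits[i],
               highest_index(limits[i]), slots_past_end(limits[i]));
    return 0;
}
```

With an 8-bit limit the worst case is 4 pointer-sized slots past the array; with a 32-bit limit it is hundreds of millions of slots, which is the difference the review describes as limiting the corruption.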