From nobody Fri May 3 12:32:38 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1518719807856813.9893246066088; Thu, 15 Feb 2018 10:36:47 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 2A50F21E0B9FA; Thu, 15 Feb 2018 10:30:53 -0800 (PST) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 4F4F4220F33C2 for ; Thu, 15 Feb 2018 10:30:51 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id B63444023141; Thu, 15 Feb 2018 18:36:43 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-84.rdu2.redhat.com [10.10.120.84]) by smtp.corp.redhat.com (Postfix) with ESMTP id A4DB02017DE3; Thu, 15 Feb 2018 18:36:42 +0000 (UTC) X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org 
From: Laszlo Ersek
To: edk2-devel-01
Date: Thu, 15 Feb 2018 19:36:35 +0100
Message-Id: <20180215183638.18578-2-lersek@redhat.com>
In-Reply-To: <20180215183638.18578-1-lersek@redhat.com>
References: <20180215183638.18578-1-lersek@redhat.com>
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Thu, 15 Feb 2018 18:36:43 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Thu, 15 Feb 2018 18:36:43 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:''
Subject: [edk2] [PATCH 1/4] MdePkg/BaseSafeIntLib: fix undefined behavior in SafeInt64Sub()
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: EDK II Development
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Cc: Michael D Kinney , Liming Gao
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Errors-To: edk2-devel-bounces@lists.01.org
Sender: "edk2-devel"
X-ZohoMail: RSF_4 Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

The subtraction in the assignment

  SignedResult = Minuend - Subtrahend;

is performed with unchecked INT64 operands. According to ISO C, if the mathematical result of signed integer subtraction cannot be represented in the result type, the behavior is undefined. (Refer to ISO C99 6.5p5. 6.2.5p9 only exempts unsigned integers, and 6.3.1.3p3 does not apply because it treats the conversion of integers that have been successfully evaluated first.)

Replace the after-the-fact result checking with checks on the operands, and only perform the subtraction if it is safe.

Cc: Bret Barkelew
Cc: Liming Gao
Cc: Michael D Kinney
Cc: Sean Brogan
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek Reviewed-by: Ard Biesheuvel Tested-by: Michael D Kinney --- MdePkg/Library/BaseSafeIntLib/SafeIntLib.c | 50 +++++++++++++++----- 1 file changed, 39 insertions(+), 11 deletions(-) diff --git a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c b/MdePkg/Library/Ba= seSafeIntLib/SafeIntLib.c index d846160ba0d1..8e857927b067 100644 --- a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c +++ b/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c 
@@ -3837,27 +3837,55 @@ SafeInt64Sub ( ) { RETURN_STATUS Status; - INT64 SignedResult; =20 if (Result =3D=3D NULL) { return RETURN_INVALID_PARAMETER; } =20 - SignedResult =3D Minuend - Subtrahend; - // - // Subtracting a positive number from a positive number never overflows. - // Subtracting a negative number from a negative number never overflows. - // If you subtract a negative number from a positive number, you expect = a positive result. - // If you subtract a positive number from a negative number, you expect = a negative result. - // Overflow if inputs vary in sign and the output does not have the same= sign as the first input. + // * A Subtrahend of zero can never cause underflow or overflow. // - if (((Minuend < 0) !=3D (Subtrahend < 0)) && - ((Minuend < 0) !=3D (SignedResult < 0))) { + // * A positive Subtrahend can only cause underflow. The underflow condi= tion + // is: + // + // (Minuend - Subtrahend) < MIN_INT64 + // + // Adding Subtrahend to both sides yields + // + // Minuend < (MIN_INT64 + Subtrahend) + // + // This condition can be coded directly in C because the RHS will neit= her + // underflow nor overflow. That is due to the starting condition: + // + // 0 < Subtrahend <=3D MAX_INT64 + // + // Adding MIN_INT64 to all three sides yields + // + // MIN_INT64 < (MIN_INT64 + Subtrahend) <=3D (MIN_INT64 + MAX_INT64)= =3D -1 + // + // * A negative Subtrahend can only cause overflow. The overflow conditi= on is + // + // (Minuend - Subtrahend) > MAX_INT64 + // + // Adding Subtrahend to both sides yields + // + // Minuend > (MAX_INT64 + Subtrahend) + // + // This condition can be coded directly in C because the RHS will neit= her + // underflow nor overflow. 
That is due to the starting condition: + // + // MIN_INT64 <=3D Subtrahend < 0 + // + // Adding MAX_INT64 to all three sides yields + // + // -1 =3D (MAX_INT64 + MIN_INT64) <=3D (MAX_INT64 + Subtrahend) < MA= X_INT64 + // + if (((Subtrahend > 0) && (Minuend < (MIN_INT64 + Subtrahend))) || + ((Subtrahend < 0) && (Minuend > (MAX_INT64 + Subtrahend)))) { *Result =3D INT64_ERROR; Status =3D RETURN_BUFFER_TOO_SMALL; } else { - *Result =3D SignedResult; + *Result =3D Minuend - Subtrahend; Status =3D RETURN_SUCCESS; } =20 --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Fri May 3 12:32:38 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1518719810100271.2305641380643; Thu, 15 Feb 2018 10:36:50 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id A203F21F0DA4A; Thu, 15 Feb 2018 10:30:55 -0800 (PST) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id A71F921CF1D09 for ; Thu, 15 Feb 2018 10:30:52 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 24DF08182D27; Thu, 15 Feb 2018 18:36:45 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-84.rdu2.redhat.com [10.10.120.84]) by smtp.corp.redhat.com (Postfix) with 
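Review bot: the rewritten condition `if (((Subtrahend > 0) && (Minuend < (MIN_INT64 + Subtrahend))) || ((Subtrahend < 0) && (Minuend > (MAX_INT64 + Subtrahend))))` is correct, and the comment's bound `MIN_INT64 + MAX_INT64 = -1` is exactly the hinge, so the boundary cases deserve a regression test alongside this change: Minuend = MIN_INT64 with Subtrahend = 1, and Minuend = 0 with Subtrahend = MIN_INT64, must both return RETURN_BUFFER_TOO_SMALL, while Minuend = -1 with Subtrahend = MAX_INT64 must succeed and store MIN_INT64. One sentence in the new comment could also say why the derivation is not shared with SafeInt64Add() by negating Subtrahend: negating MIN_INT64 is itself undefined, so the two functions need separate operand checks.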
ESMTP id 07060200BC16; Thu, 15 Feb 2018 18:36:43 +0000 (UTC) X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org 
From: Laszlo Ersek
To: edk2-devel-01
Date: Thu, 15 Feb 2018 19:36:36 +0100
Message-Id: <20180215183638.18578-3-lersek@redhat.com>
In-Reply-To: <20180215183638.18578-1-lersek@redhat.com>
References: <20180215183638.18578-1-lersek@redhat.com>
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Thu, 15 Feb 2018 18:36:45 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Thu, 15 Feb 2018 18:36:45 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:''
Subject: [edk2] [PATCH 2/4] MdePkg/BaseSafeIntLib: fix undefined behavior in SafeInt64Add()
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: EDK II Development
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Cc: Michael D Kinney , Liming Gao
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Errors-To: edk2-devel-bounces@lists.01.org
Sender: "edk2-devel"
X-ZohoMail: RSF_4 Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

The addition in the assignment

  SignedResult = Augend + Addend;

is performed with unchecked INT64 operands. According to ISO C, if the mathematical result of signed integer addition cannot be represented in the result type, the behavior is undefined. (Refer to ISO C99 6.5p5. 6.2.5p9 only exempts unsigned integers, and 6.3.1.3p3 does not apply because it treats the conversion of integers that have been successfully evaluated first.)

Replace the after-the-fact result checking with checks on the operands, and only perform the addition if it is safe.

Cc: Bret Barkelew
Cc: Liming Gao
Cc: Michael D Kinney
Cc: Sean Brogan
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek Reviewed-by: Ard Biesheuvel Tested-by: Michael D Kinney --- MdePkg/Library/BaseSafeIntLib/SafeIntLib.c | 56 ++++++++++++++++---- 1 file changed, 46 insertions(+), 10 deletions(-) diff --git a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c b/MdePkg/Library/Ba= seSafeIntLib/SafeIntLib.c index 8e857927b067..56d97cf65601 100644 --- a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c +++ b/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c 
@@ -3631,26 +3631,62 @@ SafeInt64Add ( ) { RETURN_STATUS Status; - INT64 SignedResult; =20 if (Result =3D=3D NULL) { return RETURN_INVALID_PARAMETER; } =20 - SignedResult =3D Augend + Addend; - // - // Adding positive to negative never overflows. - // If you add two positive numbers, you expect a positive result. - // If you add two negative numbers, you expect a negative result. - // Overflow if inputs are the same sign and output is not that sign. + // * An Addend of zero can never cause underflow or overflow. // - if (((Augend < 0) =3D=3D (Addend < 0)) && - ((Augend < 0) !=3D (SignedResult < 0))) { + // * A positive Addend can only cause overflow. The overflow condition is + // + // (Augend + Addend) > MAX_INT64 + // + // Subtracting Addend from both sides yields + // + // Augend > (MAX_INT64 - Addend) + // + // This condition can be coded directly in C because the RHS will neit= her + // underflow nor overflow. That is due to the starting condition: + // + // 0 < Addend <=3D MAX_INT64 + // + // Multiplying all three sides by (-1) yields + // + // 0 > (-Addend) >=3D (-MAX_INT64) + // + // Adding MAX_INT64 to all three sides yields + // + // MAX_INT64 > (MAX_INT64 - Addend) >=3D 0 + // + // * A negative Addend can only cause underflow. The underflow condition= is + // + // (Augend + Addend) < MIN_INT64 + // + // Subtracting Addend from both sides yields + // + // Augend < (MIN_INT64 - Addend) + // + // This condition can be coded directly in C because the RHS will neit= her + // underflow nor overflow. 
That is due to the starting condition: + // + // MIN_INT64 <=3D Addend < 0 + // + // Multiplying all three sides by (-1) yields + // + // (-MIN_INT64) >=3D (-Addend) > 0 + // + // Adding MIN_INT64 to all three sides yields + // + // 0 >=3D (MIN_INT64 - Addend) > MIN_INT64 + // + if (((Addend > 0) && (Augend > (MAX_INT64 - Addend))) || + ((Addend < 0) && (Augend < (MIN_INT64 - Addend)))) { *Result =3D INT64_ERROR; Status =3D RETURN_BUFFER_TOO_SMALL; } else { - *Result =3D SignedResult; + *Result =3D Augend + Addend; Status =3D RETURN_SUCCESS; } =20 --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Fri May 3 12:32:38 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1518719812864810.077679460497; Thu, 15 Feb 2018 10:36:52 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 11BC021F0DA6F; Thu, 15 Feb 2018 10:30:56 -0800 (PST) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 63E40220F33F9 for ; Thu, 15 Feb 2018 10:30:54 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DAB2A4023141; Thu, 15 Feb 2018 18:36:46 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-84.rdu2.redhat.com [10.10.120.84]) by 
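Review bot: the condition `((Addend > 0) && (Augend > (MAX_INT64 - Addend))) || ((Addend < 0) && (Augend < (MIN_INT64 - Addend)))` holds at the extreme too: for Addend = MIN_INT64 the RHS is 0 and the test reduces to Augend < 0, which is precisely when the true sum drops below MIN_INT64. Suggest covering Augend = MAX_INT64, Addend = 1 and Augend = -1, Addend = MIN_INT64 (both RETURN_BUFFER_TOO_SMALL) and Augend = MAX_INT64, Addend = MIN_INT64 (success, result -1) in a test. Style: this comment derives the RHS range by multiplying by -1 and then adding, while the SafeInt64Sub() comment in 1/4 adds the constant to all three sides directly; the two blocks would read more consistently with a single approach.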
smtp.corp.redhat.com (Postfix) with ESMTP id 703192024CB0; Thu, 15 Feb 2018 18:36:45 +0000 (UTC) X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org 
From: Laszlo Ersek
To: edk2-devel-01
Date: Thu, 15 Feb 2018 19:36:37 +0100
Message-Id: <20180215183638.18578-4-lersek@redhat.com>
In-Reply-To: <20180215183638.18578-1-lersek@redhat.com>
References: <20180215183638.18578-1-lersek@redhat.com>
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Thu, 15 Feb 2018 18:36:46 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Thu, 15 Feb 2018 18:36:46 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:''
Subject: [edk2] [PATCH 3/4] MdePkg/BaseSafeIntLib: clean up parentheses in MIN_INT64_MAGNITUDE
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: EDK II Development
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Cc: Michael D Kinney , Liming Gao
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Errors-To: edk2-devel-bounces@lists.01.org
Sender: "edk2-devel"
X-ZohoMail: RSF_4 Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

The definition of the MIN_INT64_MAGNITUDE macro is correct, but it's harder to read than necessary: the sub-expression

  (( (UINT64) - (MIN_INT64 + 1) ))

is doubly parenthesized. Reusing one pair of the outer parens, rewrite the sub-expression (without change in meaning) so that the minus sign cannot be mistaken for subtraction:

  ( (UINT64)(- (MIN_INT64 + 1)) )

The resultant macro definition matches the following expressions in SafeInt64Mult():

> //
> // Avoid negating the most negative number.
> //
> UnsignedMultiplicand = ((UINT64)(- (Multiplicand + 1))) + 1;

and

> //
> // Avoid negating the most negative number.
> // > UnsignedMultiplier =3D ((UINT64)(- (Multiplier + 1))) + 1; Cc: Bret Barkelew Cc: Liming Gao Cc: Michael D Kinney Cc: Sean Brogan Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek Reviewed-by: Ard Biesheuvel Tested-by: Michael D Kinney --- MdePkg/Library/BaseSafeIntLib/SafeIntLib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c b/MdePkg/Library/Ba= seSafeIntLib/SafeIntLib.c index 56d97cf65601..de91ffeca2a5 100644 --- a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c +++ b/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c 
@@ -33,7 +33,7 @@ // // Magnitude of MIN_INT64 as expressed by a UINT64 number. // -#define MIN_INT64_MAGNITUDE ((((UINT64) - (MIN_INT64 + 1))) + 1) +#define MIN_INT64_MAGNITUDE (((UINT64)(- (MIN_INT64 + 1))) + 1) =20 // // Conversion functions --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Fri May 3 12:32:38 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 151871981545917.479441912574657; Thu, 15 Feb 2018 10:36:55 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 7D4F922161169; Thu, 15 Feb 2018 10:30:57 -0800 (PST) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 3373B22161150 for ; Thu, 15 Feb 2018 10:30:56 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 99E9D4072467; Thu, 15 Feb 2018 18:36:48 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-84.rdu2.redhat.com [10.10.120.84]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2B4AE200BC16; Thu, 15 Feb 2018 18:36:47 +0000 (UTC) X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; 
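Review bot: the new definition `(((UINT64)(- (MIN_INT64 + 1))) + 1)` is well-defined at every step, which is worth recording in the comment above the #define, since the commit message's rationale will not be visible in the source: MIN_INT64 + 1 is -MAX_INT64, its negation MAX_INT64 is representable, the cast gives 2^63 - 1, and the final + 1 happens in UINT64, so the result is 2^63 without MIN_INT64 ever being negated. Suggest extending the comment to "Magnitude of MIN_INT64 as expressed by a UINT64 number, computed without negating MIN_INT64 itself."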
helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org 
From: Laszlo Ersek
To: edk2-devel-01
Date: Thu, 15 Feb 2018 19:36:38 +0100
Message-Id: <20180215183638.18578-5-lersek@redhat.com>
In-Reply-To: <20180215183638.18578-1-lersek@redhat.com>
References: <20180215183638.18578-1-lersek@redhat.com>
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 15 Feb 2018 18:36:48 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Thu, 15 Feb 2018 18:36:48 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:''
Subject: [edk2] [PATCH 4/4] MdePkg/BaseSafeIntLib: fix undefined behavior in SafeInt64Mult()
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: EDK II Development
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Cc: Michael D Kinney , Liming Gao
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Errors-To: edk2-devel-bounces@lists.01.org
Sender: "edk2-devel"
X-ZohoMail: RSF_4 Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

If we have to negate UnsignedResult (due to exactly one of Multiplicand and Multiplier being negative), and UnsignedResult is exactly MIN_INT64_MAGNITUDE (value 2^63), then the statement

  *Result = - ((INT64)UnsignedResult);

invokes both implementation-defined behavior and undefined behavior.

First, MIN_INT64_MAGNITUDE is not representable as INT64, therefore the result of the (inner) conversion (INT64)MIN_INT64_MAGNITUDE is implementation-defined, or an implementation-defined signal is raised, according to ISO C99 6.3.1.3p3.
Second, if we assume that the C language implementation defines the conversion to INT64 simply as reinterpreting the bit pattern 0x8000_0000_0000_0000 as a signed integer in two's complement representation, then the conversion immediately produces the negative value MIN_INT64 (value -(2^63)). In turn, the (outer) negation -(MIN_INT64) invokes undefined behavior, because the mathematical result of the negation, namely 2^63, cannot be represented in an INT64 object. (Not even mentioning the fact that the mathematical result would be incorrect.) In practice, the undefined negation of MIN_INT64 happens to produce an unchanged, valid-looking result on x86, i.e. (-(MIN_INT64)) =3D=3D MIN_INT6= 4. We can summarize this as the undefined -- effectless -- negation canceling out the botched -- auto-negating -- implementation-defined conversion. Instead of relying on such behavior, dedicate a branch to this situation: assign MIN_INT64 directly. The branch can be triggered e.g. by multiplying (2^62) by (-2). Cc: Bret Barkelew Cc: Liming Gao Cc: Michael D Kinney Cc: Sean Brogan Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek Reviewed-by: Ard Biesheuvel Tested-by: Michael D Kinney --- MdePkg/Library/BaseSafeIntLib/SafeIntLib.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c b/MdePkg/Library/Ba= seSafeIntLib/SafeIntLib.c index de91ffeca2a5..c5f13d7e0828 100644 --- a/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c +++ b/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c @@ -4143,6 +4143,8 @@ SafeInt64Mult ( if (UnsignedResult > MIN_INT64_MAGNITUDE) { *Result =3D INT64_ERROR; Status =3D RETURN_BUFFER_TOO_SMALL; + } else if (UnsignedResult =3D=3D MIN_INT64_MAGNITUDE) { + *Result =3D MIN_INT64; } else { *Result =3D - ((INT64)UnsignedResult); } --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
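Review bot: the added `} else if (UnsignedResult == MIN_INT64_MAGNITUDE) { *Result = MIN_INT64; }` branch is correct, and it establishes that the remaining `*Result = - ((INT64)UnsignedResult);` is reached only for UnsignedResult < MIN_INT64_MAGNITUDE, where the conversion is representable and the negation is defined; a one-line comment on that else branch stating this invariant would keep the next reader from re-deriving it. Besides the (2^62) * (-2) trigger named in the message, MIN_INT64 * 1 reaches the same branch, because the `((UINT64)(- (Multiplicand + 1))) + 1` expression quoted in 3/4 maps MIN_INT64 to exactly MIN_INT64_MAGNITUDE; both inputs belong in a regression test, expecting RETURN_SUCCESS with *Result == MIN_INT64.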
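Added example, not edk2 code and not from the author of this series: a stand-alone C reimplementation of the operand-check approach the four patches describe, covering the SafeInt64Add()/SafeInt64Sub()-style checks from 1/4 and 2/4, the MIN_INT64 magnitude macro from 3/4 and the dedicated MIN_INT64_MAGNITUDE branch from 4/4, with a boundary-value self-test that exercises the extremes named above. All names (checked_add, checked_sub, checked_mult, magnitude, safe_status, SAFE_*, INT64_MIN_MAGNITUDE, self_test) are this example's own assumptions, and it uses the <stdint.h> types and limits in place of edk2's INT64/UINT64 and MIN_INT64/MAX_INT64.

```c
/* Example code (not edk2's BaseSafeIntLib): every arithmetic step below is
 * decided from the operands before it is performed, so no signed operation
 * can overflow, and MIN_INT64 is never negated. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes assumed by this example, standing in for RETURN_STATUS. */
typedef enum { SAFE_OK = 0, SAFE_RANGE_ERROR = 1, SAFE_BAD_PARAM = 2 } safe_status;

/* Value stored on range errors; mirrors the library's INT64_ERROR convention. */
#define SAFE_INT64_ERROR INT64_MIN

/* 2^63 as a uint64_t, built the way patch 3/4 does it: INT64_MIN + 1 is
 * -INT64_MAX, negating that is defined, and the final + 1 is unsigned. */
#define INT64_MIN_MAGNITUDE (((uint64_t)(-(INT64_MIN + 1))) + 1)

/* |v| as uint64_t. For v < 0, -(v + 1) is representable because v + 1 >= -INT64_MAX. */
static uint64_t magnitude(int64_t v) {
  return v >= 0 ? (uint64_t)v : (uint64_t)(-(v + 1)) + 1;
}

/* Patch 2/4 style: decide from the operands whether augend + addend fits. */
safe_status checked_add(int64_t augend, int64_t addend, int64_t *result) {
  if (result == NULL) return SAFE_BAD_PARAM;
  if ((addend > 0 && augend > INT64_MAX - addend) ||   /* RHS lies in [0, INT64_MAX) */
      (addend < 0 && augend < INT64_MIN - addend)) {   /* RHS lies in (INT64_MIN, 0] */
    *result = SAFE_INT64_ERROR;
    return SAFE_RANGE_ERROR;
  }
  *result = augend + addend;
  return SAFE_OK;
}

/* Patch 1/4 style: the same idea for minuend - subtrahend. Subtrahend is not
 * negated and passed to checked_add, because negating INT64_MIN is undefined. */
safe_status checked_sub(int64_t minuend, int64_t subtrahend, int64_t *result) {
  if (result == NULL) return SAFE_BAD_PARAM;
  if ((subtrahend > 0 && minuend < INT64_MIN + subtrahend) ||  /* RHS in (INT64_MIN, -1] */
      (subtrahend < 0 && minuend > INT64_MAX + subtrahend)) {  /* RHS in [-1, INT64_MAX) */
    *result = SAFE_INT64_ERROR;
    return SAFE_RANGE_ERROR;
  }
  *result = minuend - subtrahend;
  return SAFE_OK;
}

/* Patch 4/4 style: multiply magnitudes as uint64_t, then apply the sign, with
 * a dedicated branch for a magnitude of exactly 2^63. */
safe_status checked_mult(int64_t multiplicand, int64_t multiplier, int64_t *result) {
  if (result == NULL) return SAFE_BAD_PARAM;
  uint64_t ma = magnitude(multiplicand);
  uint64_t mb = magnitude(multiplier);
  bool negative = (multiplicand < 0) != (multiplier < 0);

  /* Unsigned overflow is defined but would wrap silently; test before multiplying. */
  if (ma != 0 && mb > UINT64_MAX / ma) {
    *result = SAFE_INT64_ERROR;
    return SAFE_RANGE_ERROR;
  }
  uint64_t mag = ma * mb;

  if (!negative) {
    if (mag > (uint64_t)INT64_MAX) { *result = SAFE_INT64_ERROR; return SAFE_RANGE_ERROR; }
    *result = (int64_t)mag;
  } else if (mag > INT64_MIN_MAGNITUDE) {
    *result = SAFE_INT64_ERROR;
    return SAFE_RANGE_ERROR;
  } else if (mag == INT64_MIN_MAGNITUDE) {
    *result = INT64_MIN;        /* (int64_t)2^63 then negation would be undefined */
  } else {
    *result = -(int64_t)mag;    /* mag < 2^63, so the cast and the negation are defined */
  }
  return SAFE_OK;
}

/* Constructed boundary cases; returns the number of mismatches (0 = all pass). */
int self_test(void) {
  struct { char op; int64_t a, b; safe_status status; int64_t value; } cases[] = {
    {'+', INT64_MAX, 1, SAFE_RANGE_ERROR, SAFE_INT64_ERROR},
    {'+', INT64_MIN, -1, SAFE_RANGE_ERROR, SAFE_INT64_ERROR},
    {'+', -1, INT64_MIN, SAFE_RANGE_ERROR, SAFE_INT64_ERROR},
    {'+', 0, INT64_MIN, SAFE_OK, INT64_MIN},
    {'+', INT64_MAX, INT64_MIN, SAFE_OK, -1},
    {'-', INT64_MIN, 1, SAFE_RANGE_ERROR, SAFE_INT64_ERROR},
    {'-', 0, INT64_MIN, SAFE_RANGE_ERROR, SAFE_INT64_ERROR},
    {'-', -1, INT64_MAX, SAFE_OK, INT64_MIN},
    {'-', INT64_MAX, -1, SAFE_RANGE_ERROR, SAFE_INT64_ERROR},
    {'*', INT64_C(1) << 62, -2, SAFE_OK, INT64_MIN},   /* the trigger named in 4/4 */
    {'*', INT64_MIN, 1, SAFE_OK, INT64_MIN},
    {'*', INT64_MIN, -1, SAFE_RANGE_ERROR, SAFE_INT64_ERROR},
    {'*', INT64_C(1) << 62, 2, SAFE_RANGE_ERROR, SAFE_INT64_ERROR},
    {'*', -3, 0, SAFE_OK, 0},
  };
  int failures = 0;
  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
    int64_t r = 0;
    safe_status s = cases[i].op == '+' ? checked_add(cases[i].a, cases[i].b, &r)
                  : cases[i].op == '-' ? checked_sub(cases[i].a, cases[i].b, &r)
                                       : checked_mult(cases[i].a, cases[i].b, &r);
    if (s != cases[i].status || r != cases[i].value) failures++;
  }
  return failures;
}

int main(void) {
  int failures = self_test();
  printf("boundary mismatches: %d\n", failures);
  return failures == 0 ? 0 : 1;
}
```

Building with -fsanitize=undefined (or with the library's own compiler flags) and running the self-test is a cheap way to confirm that none of the three operations trips the sanitizer at the extremes; the pre-patch formulation in the hunks above would, because the checks came after the signed operation had already been evaluated.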