This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Security vulernarability or security feature? VU#162289

From: "Robert C. Seacord" <rcs at cert dot org>
To: Ralph Loader <suckfish at ihug dot co dot nz>
Cc: cert at cert dot org, crd at cert dot org, gcc at gnu dot org
Date: Thu, 24 Apr 2008 20:37:43 -0400
Subject: Re: Security vulernarability or security feature? VU#162289
References: <20080425085640.707e9a56@ihug.co.nz> <4810F65C.3090705@cert.org> <20080425092059.5442435c@ihug.co.nz> <4811020A.1010505@cert.org> <20080425101227.5fed749a@ihug.co.nz> <481118FF.1020901@cert.org> <20080425121500.2efa8515@ihug.co.nz>

Ralph,

Comments below.

Length-checks are directly related to security, because they protect
against buffer-overruns which are often directly exploited by attackers.
It is much harder to see how reliance on wrap-around could contribute to the security of an application.

The original impetus for this came from a check in a sprint() function from Plan 9. Because of the API, there was no way to test if the len was out of bounds, but the developers wanted to make sure they weren't wrapping the stack on some architectures that have their stacks in high memory.

It seems like a reasonable test to make, the code used to work, and they got burned on the silent change in behavior.

But it is hard to see what reason you have for picking on this particular feature of this particular compiler.

This may not have been the poster child issue to go after, but we were responding to the report.

What features of which compilers do you think we should be reporting on?

Yes, you have dramatically improved the wording from previous
versions.  However, you still say:
"avoid using compiler implementations that perform the offending optimization"

I agree this is worded badly, we'll correct this.

I must admit, given the problems that have been identified with the advisory (how many versions has it been through?),

we've only revised it once so far, but we'll change it as many times as we need to.

I would be far happier if you subjected it to independent third-party expert review,

we are an independent third party. who else would we ask?

and withdrew the advisory until that is completed in a satisfactory manner (rather than repeatedly incrementally tweaks).

withdrawing vulnerability notes (this is not an advisory that is emailed out) is not as good a solution as you might think, as this usually draws more attention to the vulnerability note than just about anything else you can do.

rCs

Follow-Ups:
- Re: Security vulernarability or security feature? VU#162289
  - From: Joe Buck
- Re: Security vulernarability or security feature? VU#162289
  - From: Ian Lance Taylor

References:
- Security vulernarability or security feature?
  - From: Ralph Loader
- Re: Security vulernarability or security feature?
  - From: Robert C. Seacord
- Re: Security vulernarability or security feature?
  - From: Ralph Loader
- Re: Security vulernarability or security feature?
  - From: Ralph Loader
- Re: Security vulernarability or security feature? VU#162289
  - From: Robert C. Seacord
- Re: Security vulernarability or security feature? VU#162289
  - From: Ralph Loader

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]