This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: Security patch for printf - please no! (Was: Re: Patch to add __builtin_printf)


On Thu, 21 Sep 2000, Horst von Brand wrote:

> > Implementing this idea will result in:
> > 
> > 1. HUGE amounts of false positives for most code.
> What "false positives"? printf(3) with a variable format is fishy.

Sure, but so is the C language in general. It has lots of features that can
easily be abused. If we start warning about printf, we could just as well
put an unconditional warning at the beginning of the compilation:
"warning: fishy programming language (C) encountered" :-).

> > 2. false sense of security, because in fact only one category of format
> >    string problems will be patched.
> Better catching one than none, IMVHO...

I would agree, if it wasn't for the false positives.

> > Basically, you can't fix such format string problems this way. Given the
> > large noise ratio which must result from such a patch, and the minimal
> > improvements it results in, I strongly suggest that the GCC maintainers
> > reject it. It just isn't worth the trouble it causes.
> Code which uses the above is broken in my book.

By your book, then, just about every piece of code on this planet is
broken. Take all the language-localised software: it is full of variable
printf formats. Sure, provisions are made to make suid-root software less
vulnerable, but that's essentially a crutch.

Don't get me wrong, I'm all for a compiler that gives me useful warnings
when I do something stupid (I don't agree with Linus' "The programmer
knows better"). I just don't believe that this particular case qualifies
as such.

Even then, I do understand that there are people who would like to be
warned, particularly when performing a source code audit. I just don't think
that a general-purpose compiler is the right tool to warn about such
issues, and certainly not at the default warning level. A warning that is
wrong most of the time and can't easily be avoided mostly irritates
people rather than helping them.

I think that is essentially what Mark Mitchell says, if I understood him
correctly, and I agree with him.

-- 
/ Kamil Iskra  kamil@wins.uva.nl                                          \
| Section Computational Science, Faculty FNWI, Universiteit van Amsterdam |
| tel. +31 20 525 75 35  fax. +31 20 525 74 90                            |
\ Kruislaan 403  room F.202  1098 SJ Amsterdam (NL)                       /
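The two things the message argues about, the "fishy" variable-format call and the provision that lets localised software use variable formats without being exploitable, side by side. This is an added example written for this archive page; it is not code from the thread, from the patch under discussion, or from GCC. The function names (render_unsafe, render_safe, format_directives, format_compatible), the "user" string and the sample translations are all constructed for the example. GCC's -Wformat-security warns on the snprintf call in render_unsafe; the directive check at the bottom is the kind of load-time validation a message catalogue or config loader can apply instead of, or in addition to, a compiler warning.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Scratch buffer shared by main() and the checks below. */
static char demo_buf[64];

/* The fishy pattern from the thread: the caller's string IS the format.
 * No variadic arguments are supplied, so any directive that consumes one
 * ("%x", "%s", "%n") reads or writes memory it has no right to (undefined
 * behaviour). "%%" consumes nothing, which is why it is the probe in main();
 * a user typing "100% done" would hand snprintf the "% d" directive instead.
 * GCC's -Wformat-security warns on exactly this call. */
const char *render_unsafe(char *out, size_t n, const char *msg)
{
    snprintf(out, n, msg);
    return out;
}

/* Hardened form: the format is a literal, the untrusted text is data. */
const char *render_safe(char *out, size_t n, const char *msg)
{
    snprintf(out, n, "%s", msg);
    return out;
}

/* Record one argument-consuming item of a format, if there is room. */
static void record(char *convs, size_t max, int *count, char c)
{
    if ((size_t)*count < max)
        convs[*count] = c;
    (*count)++;
}

/* Walk a printf-style format and list, in order, what it will pull off the
 * argument list: one conversion character per directive, plus '*' for each
 * run-time width or precision. "%%" is skipped. Returns the item count, or
 * -1 for a malformed directive, for "%n" (a write to memory, never a
 * legitimate translation), and for positional "%1$s" forms, which this
 * example rejects conservatively. */
int format_directives(const char *fmt, char *convs, size_t max)
{
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;
        while (*p && strchr("-+ #0", *p))                 /* flags */
            p++;
        while (*p == '*' || (*p >= '0' && *p <= '9')) {   /* width */
            if (*p == '*')
                record(convs, max, &count, '*');
            p++;
        }
        if (*p == '.') {                                  /* precision */
            p++;
            while (*p == '*' || (*p >= '0' && *p <= '9')) {
                if (*p == '*')
                    record(convs, max, &count, '*');
                p++;
            }
        }
        while (*p && strchr("hlLqjzt", *p))               /* length modifiers */
            p++;
        /* *p == '\0' must be tested first: strchr() matches the terminator. */
        if (!*p || !strchr("diouxXeEfFgGaAcsp", *p))
            return -1;
        record(convs, max, &count, *p);
    }
    return count;
}

/* The provision for localised software the mail alludes to, made concrete:
 * accept a candidate (a translated message, a string from a config file)
 * only if it consumes exactly the same arguments, in the same order, as the
 * developer's original format. Run it when the catalogue is loaded, before
 * the string ever reaches printf. */
bool format_compatible(const char *original, const char *candidate)
{
    char a[32], b[32];
    int na = format_directives(original, a, sizeof a);
    int nb = format_directives(candidate, b, sizeof b);
    if (na < 0 || nb < 0 || na != nb || (size_t)na > sizeof a)
        return false;
    return memcmp(a, b, (size_t)na) == 0;
}

int main(void)
{
    const char *user = "100%% done";   /* constructed user input */
    printf("unsafe: %s\n", render_unsafe(demo_buf, sizeof demo_buf, user));
    printf("safe:   %s\n", render_safe(demo_buf, sizeof demo_buf, user));
    /* Constructed translations: a faithful one and a hostile one. */
    printf("ok:  %d\n", format_compatible("%s has %d items", "%s hat %d Elemente"));
    printf("bad: %d\n", format_compatible("%s has %d items", "%s hat %x %x %n"));
    return 0;
}
```

render_unsafe turns the user's "100%% done" into "100% done" because the string was interpreted as a format; render_safe reproduces it verbatim. format_compatible rejects a translation that swaps "%s" and "%d" (type confusion) as well as one that smuggles in "%n", which is the check that makes a variable format acceptable at a call site the compiler would otherwise flag.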

