This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [PATCH] Make strlen range computations more conservative


On 07/27/2018 12:48 AM, Bernd Edlinger wrote:
> I have one more example similar to PR86259, that resembles IMHO real world code:
> 
> Consider the following:
> 
> 
> #include <assert.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> 
> int fun (char *p)
> {
>   char buf[16];
> 
>   assert(strlen(p) < 4); //here: security relevant check
> 
>   sprintf(buf, "echo %s - %s", p, p); //here: security relevant code
>   return system(buf);
> }
> 
> 
> What is wrong with the assertion?
> 
> Nothing, except it is removed when this function is called from untrusted code:
> 
> void untrusted_fun (void)
> {
>    char b[2] = "ab"; // no room for the terminating NUL: strlen(b) reads past the array
>    fun(b);
> }
> 
> !!!! don't try to execute that: after "ab" there can be "; rm -rF / ;" on your stack!!!!
But this code is fundamentally broken and catering to this kind of crap
is, well, dumb.  At the point where we call strlen we've invoked
undefined behavior.

These aren't security checks in my mind, they're band-aids for idiot code
and are not suitable justification for making any changes for how we
generate code in GCC.

You could use them as an argument for improving warnings though.

Jeff
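For contrast, here is a bounded rewrite of fun() from the quoted message. This is an added example, not code from the thread, from the patch under discussion, or from GCC; the names fun_bounded and CMD_MAX are my own, and the command is only formatted, not handed to system(), so the caller decides whether it runs. The point it makes is the one in the reply: an assert() on strlen() of a buffer that may not be NUL-terminated is evaluated after the undefined behaviour has already occurred, so it cannot serve as a bounds check. Passing the buffer size explicitly and scanning with memchr() keeps every read inside the caller's memory, and the length limit becomes an ordinary run-time branch that returns an error instead of an assertion the optimiser is entitled to treat as always true.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the command buffer, matching buf[16] in the quoted example. */
#define CMD_MAX 16

/*
 * Bounded rewrite of fun() from the message above (added example, not from
 * the thread or from GCC).  The caller passes the size of the memory behind
 * p, so this function never calls strlen() on a buffer that may lack a
 * terminating NUL: that call is the undefined behaviour the reply refers to.
 *
 * Returns  0 if cmd holds the complete NUL-terminated command,
 *         -1 if p has no NUL within plen bytes, or is 4 bytes or longer
 *            (the limit the original assert() was meant to enforce),
 *         -2 if the formatted command would not fit in cmdlen bytes.
 */
int fun_bounded(const char *p, size_t plen, char *cmd, size_t cmdlen)
{
    /* memchr() reads at most plen bytes, unlike strlen(). */
    const char *nul = memchr(p, '\0', plen);
    if (nul == NULL)
        return -1;              /* not a string: refuse rather than guess */

    size_t n = (size_t)(nul - p);
    if (n >= 4)
        return -1;              /* ordinary run-time check, not an assert() */

    /* snprintf() returns the length the full output would have had; a value
       of cmdlen or more means the result was truncated.  The original used
       sprintf(), which has no bound at all. */
    int r = snprintf(cmd, cmdlen, "echo %s - %s", p, p);
    if (r < 0 || (size_t)r >= cmdlen)
        return -2;
    return 0;
}

int main(void)
{
    char cmd[CMD_MAX];

    char ok[] = "ab";           /* constructed input: 'a' 'b' NUL */
    printf("%d: %s\n", fun_bounded(ok, sizeof ok, cmd, sizeof cmd), cmd);

    char b[2] = "ab";           /* the caller from the message: no NUL */
    printf("%d\n", fun_bounded(b, sizeof b, cmd, sizeof cmd));

    char four[] = "abcd";       /* terminated, but over the limit */
    printf("%d\n", fun_bounded(four, sizeof four, cmd, sizeof cmd));
    return 0;
}
```

The caller that in the original silently passed an unterminated two-byte array now gets -1 back instead of a shell command assembled from whatever followed it on the stack; the check survives at any optimisation level because nothing undefined happens before it.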

