[PATCH] Make strlen range computations more conservative

Jeff Law law@redhat.com
Mon Aug 6 15:34:00 GMT 2018


On 07/27/2018 12:48 AM, Bernd Edlinger wrote:
> I have one more example similar to PR86259, that resembles IMHO real world code:
> 
> Consider the following:
> 
> 
> #include <assert.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> 
> int fun (char *p)
> {
>   char buf[16];
> 
>   assert(strlen(p) < 4); //here: security relevant check
> 
>   sprintf(buf, "echo %s - %s", p, p); //here: security relevant code
>   return system(buf);
> }
> 
> 
> What is wrong with the assertion?
> 
> Nothing, except it is removed, when this function is called from untrusted code:
> 
> void untrusted_fun (void)
> {
>    char b[2] = "ab";
>    fun(b);
> }
> 
> !!!! don't try to execute that: after "ab" there can be "; rm -rF / ;" on your stack!!!!
But this code is fundamentally broken and catering to this kind of crap
is well, dumb.  At the point where we call strlen we've invoked
undefined behavior.

These aren't security checks in my mind, they're bandaids for idiot code
and are not suitable justification for making any changes for how we
generate code in GCC.

You could use them as an argument for improving warnings though.

Jeff
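A hardened counterpart to the quoted fun(), added here as an example and not code from the thread or from GCC: the caller passes the buffer capacity explicitly (an assumed interface), the terminator is found with a bounded memchr() rather than strlen(), and the result is a status code instead of a system() call, so the unterminated "ab" caller from the thread is rejected rather than read past.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status codes returned to the caller in place of system(). */
enum fun_status { FUN_OK = 0, FUN_UNTERMINATED = -1, FUN_TOO_LONG = -2, FUN_TRUNCATED = -3 };

/* Hypothetical hardened fun(): cap is the number of bytes p may legally
   address, so the length check is a bounded search the compiler cannot
   fold away from a declared array size the way strlen(p) < 4 was folded. */
enum fun_status fun_checked(const char *p, size_t cap, char *out, size_t outsz)
{
    /* Never reads past cap bytes; NULL means no terminator within reach. */
    const char *nul = memchr(p, '\0', cap);
    if (nul == NULL)
        return FUN_UNTERMINATED;       /* "ab" in char[2]: no terminator */

    size_t len = (size_t)(nul - p);
    if (len >= 4)                      /* same policy as assert(strlen(p) < 4) */
        return FUN_TOO_LONG;

    /* snprintf bounds the write and reports the length it wanted. */
    int n = snprintf(out, outsz, "echo %s - %s", p, p);
    if (n < 0 || (size_t)n >= outsz)
        return FUN_TRUNCATED;
    return FUN_OK;
}

/* Constructed inputs mirroring the thread: the unterminated 2-byte array,
   a properly terminated short string, and one that is too long.
   Returns the number of cases that behaved as intended (3). */
int demo(void)
{
    char buf[16];
    char unterminated[2] = "ab";       /* exactly the caller from the thread */
    char ok[4] = "ab";
    char longstr[] = "abcdef";
    int as_intended = 0;
    if (fun_checked(unterminated, sizeof unterminated, buf, sizeof buf) == FUN_UNTERMINATED) as_intended++;
    if (fun_checked(longstr, sizeof longstr, buf, sizeof buf) == FUN_TOO_LONG) as_intended++;
    if (fun_checked(ok, sizeof ok, buf, sizeof buf) == FUN_OK) as_intended++;
    return as_intended;
}
```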