[CC -= Jens] Hi Chris,
On Tue, Oct 08, 2024 at 03:13:11PM GMT, Chris Bazley wrote:
> > Because I don't like the paper that has been voted into the standard.
> > I kind of presented that paper against my will.  I wish GCC merged the
> > feature with a different name, and forced the standard to reconsider
> > what they merged, which I consider to be a security problem.
> >
> > Alternatively, I wish GCC decided to do nothing, wait for Graz, where
> > I'll try to convince WG14 to change what was voted.
> >
> > But merging what was voted into the standard would be nefarious, IMO.
>
> I don't understand this security problem that you are referring to.
>
> The vast majority of strings use 'char' as the element type.
>
> Existing code might look something like this:
>
>     #define A "foo"
>     #define B "bar"
>     #define STRING_LEN(s) (sizeof(s) - 1)
>
>     char *c = malloc(STRING_LEN(A) + STRING_LEN(B) + 1);
>     if (c) {
>         strcpy(c, A);
>         strcat(c, B);
>     }
>
> Supposing that _Lengthof gets support in GCC, the equivalent source code
> would be almost identical and the compiled code would be identical:
>
>     #define A "foo"
>     #define B "bar"
>     #define STRING_LEN(s) (_Lengthof(s) - 1)
>
>     char *c = malloc(STRING_LEN(A) + STRING_LEN(B) + 1);
>     if (c) {
>         strcpy(c, A);
>         strcat(c, B);
>     }
>
> Are you concerned that people will start writing new code that does
> something like the following?
>
>     #define A "foo"
>     #define B "bar"
>
>     char *c = malloc(_Lengthof(A) + _Lengthof(B));
>     if (c) {
>         strcpy(c, A);
>         strcat(c, B);
>     }
>
> If they do, the only consequence will be that the string buffer is longer
> than it needs to be; not shorter.

Yes, off-by-one bugs on the safe side are more frequent than on the unsafe
side in this case.  However, I expect unsafe off-by-ones too.

And even on the safe side, there's the chance of secondary problems like
the following:

Let's say the maximum supported size is limited by a system limit.  For
example, sysconf(_SC_LOGIN_NAME_MAX) or LOGIN_NAME_MAX.

If you try to allocate one extra byte, so sysconf(_SC_LOGIN_NAME_MAX)+1,
you may overflow something somewhere, or cause some other important issues
in your system if you manage to create a user with such a long username.
Or your program will just crash and cause a DoS.  Or another combination
of events that may cause another class of bugs.  In all cases, there's an
off-by-one somewhere, but it will result in a different bug type.

I'm not fabricating, BTW.  Here's a list of off-by-one bugs in login code,
precisely due to this size-length naming issue:

<https://github.com/shadow-maint/shadow/commit/6551709e96b2bc6f084fdf170ad5bcc11f0038ab>
<https://github.com/shadow-maint/shadow/commit/15882a5f904b3c277d73254a6953c1051db55df4>

Have a lovely day!
Alex

> Best regards,
> --
> Christopher Bazley
> Staff Software Engineer, GPU team, Central Engineering Group
> ARM Ltd, 110 Fulbourn Road, Cambridge, CB1 9NJ, UK.
> Web: http://www.arm.com/

--
<https://www.alejandro-colomar.es/>
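A constructed C illustration of the size-versus-length distinction the thread argues about (added here; not code from either correspondent). ARRAY_LEN is a portable stand-in for what the proposed _Lengthof would evaluate to on a string literal, STRING_LEN is the strlen-style count, and concat_into guards the buffer size so that a length-style off-by-one on the unsafe side is refused instead of overrunning the allocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Element count of an array object, including the terminating NUL of a
   string literal.  Stand-in for the proposed _Lengthof (assumption: the
   argument is a real array, never a pointer). */
#define ARRAY_LEN(a)   (sizeof(a) / sizeof((a)[0]))
/* Character count of a string literal, excluding the NUL (what strlen gives). */
#define STRING_LEN(s)  (ARRAY_LEN(s) - 1)

#define A "foo"
#define B "bar"

/* "Safe side" confusion: treating the array length as the string length
   requests one byte more than the concatenation needs (8 for "foobar"). */
size_t buffer_size_overshoot(void) { return ARRAY_LEN(A) + ARRAY_LEN(B); }

/* "Unsafe side" confusion: treating the string length as a buffer size
   requests one byte too few (6 for "foobar", no room for the NUL). */
size_t buffer_size_undershoot(void) { return STRING_LEN(A) + STRING_LEN(B); }

/* Correct: characters of both strings plus exactly one NUL (7). */
size_t buffer_size_exact(void) { return STRING_LEN(A) + STRING_LEN(B) + 1; }

/* Concatenate A and B into a new buffer of n bytes.  Returns NULL if n is
   too small for the result or if allocation fails; never writes past n. */
char *concat_into(size_t n)
{
	if (n < buffer_size_exact())
		return NULL;
	char *c = malloc(n);
	if (c) {
		memcpy(c, A, STRING_LEN(A));
		memcpy(c + STRING_LEN(A), B, STRING_LEN(B) + 1); /* copies NUL too */
	}
	return c;
}

/* Helper for checking results without leaking: 1 if concat_into(n) yields
   expected, 0 if it was refused or differs. */
int concat_equals(size_t n, const char *expected)
{
	char *c = concat_into(n);
	if (c == NULL)
		return 0;
	int eq = strcmp(c, expected) == 0;
	free(c);
	return eq;
}
```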