[CC -= Jens]

Hi Chris,

On Tue, Oct 08, 2024 at 03:13:11PM GMT, Chris Bazley wrote:
> > Because I don't like the paper that has been voted into the standard.
> > I kind of presented that paper against my will.  I wish GCC merged the
> > feature with a different name, and forced the standard to reconsider
> > what they merged, which I consider to be a security problem.
> >
> > Alternatively, I wish GCC decided to do nothing, wait for Graz, where
> > I'll try to convince WG14 to change what was voted.
> >
> > But merging what was voted into the standard would be nefarious, IMO.
> 
> I don't understand this security problem that you are referring to.
> 
> The vast majority of strings use 'char' as the element type.
> 
> Existing code might look something like this:
> 
> #define A "foo"
> #define B "bar"
> #define STRING_LEN(s) (sizeof(s) - 1)
> 
> char *c = malloc(STRING_LEN(A) + STRING_LEN(B) + 1);
> if (c) {
>   strcpy(c, A);
>   strcat(c, B);
> }
> 
> Supposing that _Length gets support in GCC, the equivalent source code
> would be almost identical and the compiled code would be identical:
> 
> #define A "foo"
> #define B "bar"
> #define STRING_LEN(s) (_Lengthof(s) - 1)
> 
> char *c = malloc(STRING_LEN(A) + STRING_LEN(B) + 1);
> if (c) {
>   strcpy(c, A);
>   strcat(c, B);
> }
> 
> Are you concerned that people will start writing new code that does
> something like the following?
> 
> #define A "foo"
> #define B "bar"
> 
> char *c = malloc(_Lengthof(A) + _Lengthof(B));
> if (c) {
>   strcpy(c, A);
>   strcat(c, B);
> }
> 
> If they do, the only consequence will be that the string buffer is
> longer than it needs to be; not shorter.

Yes, off-by-one bugs on the safe side are more frequent than on the
unsafe side in this case.  However, I expect unsafe off-by-ones too.
And even in the safe side, there's the chance of secondary problems like
the following:

Let's say the maximum supported size is limited by a system limit.
For example, sysconf(_SC_LOGIN_NAME_MAX) or LOGIN_NAME_MAX.  If you try
to allocate one extra byte, so sysconf(_SC_LOGIN_NAME_MAX)+1, you may
overflow something somewhere, or cause some other important issues in
your system if you manage to create a user with such a long username.
Or your program will just crash and cause a DoS.

Or another combination of events that may cause another class of bugs.
In all cases, there's an off-by-one somewhere, but it will result in a
different bug type.


I'm not fabricating, BTW.  Here's a list of off-by-one bugs in login
code, precisely due to this size-length naming issue:
<https://github.com/shadow-maint/shadow/commit/6551709e96b2bc6f084fdf170ad5bcc11f0038ab>
<https://github.com/shadow-maint/shadow/commit/15882a5f904b3c277d73254a6953c1051db55df4>


Have a lovely day!
Alex

> 
> Best regards,
> --
> Christopher Bazley
> Staff Software Engineer, GPU team, Central Engineering Group
> ARM Ltd, 110 Fulbourn Road, Cambridge, CB1 9NJ, UK.
> Web:   http://www.arm.com/

-- 
<https://www.alejandro-colomar.es/>
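To make the size/length distinction argued over above concrete, here is an added C example that is not from the thread or from shadow: ARRAY_LENGTH stands in for the proposed _Lengthof (an assumption, since GCC has no such operator at this point), and LOGIN_NAME_MAX_SIZE is a constructed limit modelled on LOGIN_NAME_MAX. It shows the over-allocating "safe side" off-by-one, the "unsafe side" one where a size is read as a length, and a bounded copy that rejects names that do not fit.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the proposed _Lengthof (assumption: GCC has no such
   operator yet).  Counts array elements, terminating NUL included. */
#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))

/* For a string literal the C-string *length* is one less than the array
   length, because the array also holds the terminating NUL. */
#define STRLIT_LEN(s)  (ARRAY_LENGTH(s) - 1)  /* STRLIT_LEN("foo") == 3 */
#define STRLIT_SIZE(s) (ARRAY_LENGTH(s))      /* STRLIT_SIZE("foo") == 4 */

#define A "foo"
#define B "bar"

/* Correct allocation for A followed by B: both lengths plus one NUL. */
size_t concat_alloc_size(void) { return STRLIT_LEN(A) + STRLIT_LEN(B) + 1; }

/* "Safe side" off-by-one from the thread: using the array length as the
   string length over-allocates by one byte (8 instead of 7). */
size_t concat_alloc_size_sloppy(void) { return ARRAY_LENGTH(A) + ARRAY_LENGTH(B); }

/* Constructed limit modelled on LOGIN_NAME_MAX: it is a *size*, so it
   already counts the NUL; the longest valid name has 8 characters. */
#define LOGIN_NAME_MAX_SIZE 9

/* Correct: a name fits when its length is strictly below the size. */
int login_name_fits(const char *name) { return strlen(name) < LOGIN_NAME_MAX_SIZE; }

/* "Unsafe side" off-by-one: reading the size as a length admits a
   9-character name whose NUL would land at index 9 of a 9-byte buffer. */
int login_name_fits_buggy(const char *name) { return strlen(name) <= LOGIN_NAME_MAX_SIZE; }

/* Bounded copy.  Returns 0 on success, -1 if src plus its NUL does not fit
   in dstsize bytes; dst is left untouched on failure. */
int copy_login_name(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    if (dstsize == 0 || len >= dstsize)
        return -1;
    memcpy(dst, src, len + 1);   /* len + 1 copies the NUL as well */
    return 0;
}

/* Copies src into a LOGIN_NAME_MAX_SIZE buffer; 0 if it fit, -1 otherwise. */
int try_login_name(const char *src)
{
    char buf[LOGIN_NAME_MAX_SIZE];
    return copy_login_name(buf, sizeof buf, src);
}
```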
