[CC -= Jens] Hi Chris,
On Tue, Oct 08, 2024 at 03:13:11PM GMT, Chris Bazley wrote:
> > Because I don't like the paper that has been voted into the standard.
> > I kind of presented that paper against my will. I wish GCC merged the
> > feature with a different name, and forced the standard to reconsider
> > what they merged, which I consider to be a security problem.
> >
> > Alternatively, I wish GCC decided to do nothing, wait for Graz, where
> > I'll try to convince WG14 to change what was voted.
> >
> > But merging what was voted into the standard would be nefarious, IMO.
>
> I don't understand this security problem that you are referring to.
>
> The vast majority of strings use 'char' as the element type.
>
> Existing code might look something like this:
>
> #define A "foo"
> #define B "bar"
> #define STRING_LEN(s) (sizeof(s) - 1)
>
> char *c = malloc(STRING_LEN(A) + STRING_LEN(B) + 1);
> if (c) {
> strcpy(c, A);
> strcat(c, B);
> }
>
> Supposing that _Length gets support in GCC, the equivalent source code would
> be almost identical and the compiled code would be identical:
>
> #define A "foo"
> #define B "bar"
> #define STRING_LEN(s) (_Lengthof(s) - 1)
>
> char *c = malloc(STRING_LEN(A) + STRING_LEN(B) + 1);
> if (c) {
> strcpy(c, A);
> strcat(c, B);
> }
>
> Are you concerned that people will start writing new code that does something
> like the following?
>
> #define A "foo"
> #define B "bar"
>
> char *c = malloc(_Lengthof(A) + _Lengthof(B));
> if (c) {
> strcpy(c, A);
> strcat(c, B);
> }
>
> If they do, the only consequence will be that the string buffer is longer
> than it needs to be; not shorter.
Yes, off-by-one bugs on the safe side are more frequent than on the
unsafe side in this case. However, I expect unsafe off-by-ones too.
And even in the safe side, there's the chance of secondary problems like
the following:
Let's say the maximum supported size is limited by a system limit.
For example, sysconf(_SC_LOGIN_NAME_MAX) or LOGIN_NAME_MAX. If you try
to allocate one extra byte, so sysconf(_SC_LOGIN_NAME_MAX)+1, you may
overflow something somewhere, or cause some other important issues in
your system if you manage to create a user with such a long username.
Or your program will just crash and cause a DoS.
Or another combination of events that may cause another class of bugs.
In all cases, there's an off-by-one somewhere, but it will result in a
different bug type.
I'm not fabricating, BTW. Here's a list of off-by-one bugs in login
code, precisely due to this size-length naming issue:
<https://github.com/shadow-maint/shadow/commit/6551709e96b2bc6f084fdf170ad5bcc11f0038ab>
<https://github.com/shadow-maint/shadow/commit/15882a5f904b3c277d73254a6953c1051db55df4>
Have a lovely day!
Alex
>
> Best regards,
> --
> Christopher Bazley
> Staff Software Engineer, GPU team, Central Engineering Group
> ARM Ltd, 110 Fulbourn Road, Cambridge, CB1 9NJ, UK.
> Web: http://www.arm.com/
--
<https://www.alejandro-colomar.es/>
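Added example, not part of this thread or of the shadow code it links: the two sizing conventions the reply contrasts, in C. ARRAY_LENGTH stands in for the proposed _Lengthof, the constructed NAME_MAX_SIZE stands in for LOGIN_NAME_MAX, and the function names and sample login names are assumptions.

```c
#include <stddef.h>
#include <string.h>
/* Stand-in for the proposed _Lengthof: the element count of an array,
 * which for a string literal includes the terminating NUL. */
#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed stand-in for LOGIN_NAME_MAX, a buffer *size* (NUL included,
 * as sysconf(_SC_LOGIN_NAME_MAX) is documented) rather than a string length. */
#define NAME_MAX_SIZE 9

/* Bytes requested when the element count of each literal is summed, as in
 * the third snippet of the quoted mail: 4 + 4 = 8, one more than needed. */
size_t alloc_by_array_length(void) {
	return ARRAY_LENGTH("foo") + ARRAY_LENGTH("bar");
}

/* Bytes actually needed for "foobar" and its terminator: 3 + 3 + 1 = 7. */
size_t alloc_by_strlen(void) {
	return strlen("foo") + strlen("bar") + 1;
}

/* Validation that reads the size limit as a length limit: it admits a name
 * of NAME_MAX_SIZE characters, which no buffer sized by the same constant
 * can hold together with its NUL. Returns 1 if the name is accepted. */
int validate_name_as_length(const char *name) {
	return strlen(name) <= NAME_MAX_SIZE;
}

/* Correct validation: a size limit must leave room for the terminator. */
int validate_name_as_size(const char *name) {
	return strlen(name) + 1 <= NAME_MAX_SIZE;
}

/* Bounded store: refuses (-1) instead of overflowing when the name plus
 * its NUL does not fit in dst_size bytes; 0 on success. */
int store_name(char *dst, size_t dst_size, const char *name) {
	size_t len = strlen(name);
	if (len + 1 > dst_size)
		return -1;
	memcpy(dst, name, len + 1);
	return 0;
}

/* Consumer with a fixed buffer sized by the same constant: 0 if stored,
 * -1 if store_name had to refuse a name that validation let through. */
int consume_name(const char *name) {
	char buf[NAME_MAX_SIZE];
	return store_name(buf, sizeof(buf), name);
}
```

A nine-character name passes validate_name_as_length but is refused by consume_name, which is the "safe side" failure the reply describes; with a plain strcpy in place of store_name it would be the unsafe one.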