On Mon, 1 Apr 2024 17:06:17 +0200
Mark Wielaard wrote:
> We should discuss what we have been doing and should do more to
> mitigate and prevent the next xz-backdoor.
Since we're working on a compiler, "On Trusting Trust" comes to mind.
Russ Cox posted some thoughts last year that might be appli
Hi -
>This is very true, however a few words of caution: IME this is a
>maintainability nightmare. Fixing patches that forgot to regenerate,
>regenerating on rebase, confirming everything is up-to-date before
>merge, etc etc. It can be handled, I have, but it was painful and
>t
Hi Joel,
On Wed, Apr 03, 2024 at 08:53:21AM -0500, Joel Sherrill wrote:
> On Wed, Apr 3, 2024, 3:09 AM Florian Weimer via Gdb
> wrote:
>
> > * Guinevere Larsen via Overseers:
> >
> > > Beyond that, we (GDB) are already experimenting with approved-by, and
> > > I think glibc was doing the same.
>
> Yes, for regular function calls,
> but at least in the case of NetBSD,
> not for syscalls.
Those are the registers Linux uses for system calls on MIPS.
They are documented as such here:
https://www.man7.org/linux/man-pages/man2/syscall.2.html
> The second table shows the registers used
> to pa
Hi -
> In Autotools, `make dist` produces a tarball that contains many
> files not present in the source respoitory, it includes build system
> core files and this fact was used for the xz attack. In contrast,
> for newer build systems the "release tarball" is purely a snapshot
> of the source rep
> because the portable c api layer and syscall abi layer
> has a large enough gap that applications can break
> libc internals by doing raw syscalls.
I think that problem cannot really be fixed.
System call users just have to be aware of it.
It's true that using certain system calls can clobber l
> On Apr 9, 2024, at 9:48 PM, Matheus Afonso Martins Moreira via Gcc
> wrote:
>
> ...
> MIPS calling conventions work like this:
>
>> mips/n32,64 a0 a1 a2 a3 a4 a5
>> mips/o32a0 a1 a2 a3 ...
>> mips/o32args5-8 are passed on the stack
Yes, for regular function calls, but at least in
The 04/09/2024 23:59, Matheus Afonso Martins Moreira via Gcc wrote:
> > and using raw syscalls outside of the single runtime the
> > application is using is problematic (at least on linux).
>
> Why do you say they are problematic on Linux though? Please elaborate.
because the portable c api layer
On 09/04/2024 18:57, Andreas Schwab wrote:
> On Apr 09 2024, anderson.jonath...@gmail.com wrote:
>
>> - This xz backdoor injection unpacked attacker-controlled files and ran them
>> during `configure`. Newer build systems implement a build abstraction (aka
>> DSL) that acts similar to a sandbo
