Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 3 Jul 2013 21:28:00 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: Use of size_t and ssize_t in mseek

On Sat, Jun 29, 2013 at 06:39:27PM +0200, Jens Gustedt wrote:
> Am Samstag, den 29.06.2013, 12:13 -0400 schrieb Rich Felker:
> > With that said, I'm not opposed to adding Annex K, but I think we
> > should look into how invasive it would be, i.e. whether most/all
> > interfaces can just be wrappers for the non-bounds-checking versions
> > or whether major internal changes would be required to some existing
> > interfaces.
> 
> I implemented quite a lot of them for P99, so I don't think that there
> would be major problems. Many of them are just some if/else clauses
> that check the run time constraints.
> 
> There are some additional functionalities, though, so these would
> demand extra coding and objects, especially the run time constraint
> handling, but I think these are quite limited and wouldn't require
> much effort.

The requirements for printf_s, scanf_s, and related functions look
quite invasive and would affect programs not using these interfaces.
Otherwise, the Annex K interfaces look like a considerable amount of
bloat with highly questionable usefulness, but mostly non-invasive. My
feeling is that we should hold off on a decision about them to see if
any applications actually start using them.

Personally, I'd much rather see a libc-agnostic implementation of
_FORTIFY_SOURCE as a set of include files installed in their own
special directory which use #include_next to get the libc versions,
then #undef all the functions and #define them to "fortify" versions,
using purely GCC features rather than any hooks into libc. This would
actually aid in security for real-world applications.

> Then some interfaces are clearly different such that they can't simply
> be copied over, notably bsearch and qsort functions, since they
> receive additional arguments to provide context to the object
> comparison.

These are much easier; the extra argument can be passed via TLS. It's
printf_s and scanf_s that are hard.

> IIRC, what I couldn't handle within P99 was checking of printf
> arguments, but from within musl this should be relatively straight
> forward.

Not really. There would need to be a way to convey to the printf core
that it's supposed to do this extra checking, and a way to make it
call the constraint handlers.

Rich


P.S. One other reason I hate Annex K is that the constraint handler
design is non-thread-safe and non-library-safe. There's only one
global constraint handler, shared by all threads and by all
libraries/modules that might be using Annex K functions. That means
there's really no valid way to write code that depends on a particular
constraint handler being installed. And the default handler is
implementation-defined, so it wouldn't even be reasonable to say
"leave the default handler there". The only thing reasonable code
using these interfaces can expect when a constraint is violated is
implementation-defined behavior, which is only a tiny step up from
undefined behavior...

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.