From: Jan Beulich
To: Andrew Burgess
Cc: binutils@sourceware.org
Subject: Re: [PATCH] bfd: make _bfd_section_size_insane part of the public API
Date: Wed, 10 Jan 2024 13:47:57 +0100
References: <0c54069e-d907-4f03-8d7f-15374d4bfd6a@suse.com> <87frz58n7j.fsf@redhat.com>
In-Reply-To: <87frz58n7j.fsf@redhat.com>

On 10.01.2024 12:03, Andrew Burgess wrote:
> Jan Beulich writes:
>> On 06.12.2023 17:15, Andrew Burgess wrote:
>>> If a BFD user is making use of a function like
>>> bfd_get_section_contents to read a section into a pre-allocated
>>> buffer, then that BFD user might also want to make use of
>>> _bfd_section_size_insane prior to allocating the buffer they intend to
>>> use in order to validate that the buffer size they plan to allocate is
>>> sane.
>>>
>>> This commit makes _bfd_section_size_insane public, by renaming it to
>>> bfd_section_size_insane.
>>>
>>> I've updated the existing uses within bfd/, I don't believe this
>>> function is used outside of bfd/ currently.
>>>
>>> One place that I plan to make use of this function is in
>>> gdb/gdb_bfd.c, in the function gdb_bfd_get_full_section_contents.
>>> This change isn't included in this commit, but will come later if/when
>>> this has been merged into bfd.
>>
>> Having seen your ping (and no other response), let me share my view:
>> This function implements a certain policy, internal to the library.
>> By exposing it, you would make external users dependent upon this
>> specific policy. What if later we change our view on what's "insane"?
>
> I would expect and want external users to get the updated definition.
And then break if we decide to lower the limit of "insane"?

> The function name of "insane" is a little unfortunate. I think if the
> function had a better name then this change would seem far less
> contentious. Consider a name of:
>
> validate_section_size_against_other_bfd_infernal_properties_of_the_elf_to_ensure_that_the_requested_size_is_likely_valid()
>
>> IOW external consumers want to implement their own, independent policy
>> (if so desired).
>
> Sure, consumers _could_ implement their own policy, but IMHO, this would
> be far worse than exposing the *_insane() function.
>
> What I (as a consumer) want is to check if the size that the BFD library
> is reporting is valid or not. To do that I need to check details of the
> ELF that I, as a BFD user, shouldn't have to bother with. (I thought)
> the point of BFD was to abstract details of the file format.

Well, your wording (correctly) makes an important distinction: "valid"
!= "sane". If this was a validity check, no question would arise about
it being okay to expose.

>> Taking your intended usage example, things would be different if e.g.
>> bfd_get_full_section_contents() itself used this check unconditionally.
>> Then I could see a desire to have a way of checking up front whether
>> allocating a buffer makes sense at all. And really I consider it
>> questionable for bfd_get_full_section_contents(), when asked to
>> allocate a buffer, to actually enforce such a library-internal policy.
>> Like with exposing bfd_section_size_insane(), any change to the policy
>> may affect external users in unexpected ways.
>
> I don't understand this paragraph at all. I'm sure I must be reading it
> wrong, but it feels like you're saying we shouldn't use
> bfd_section_size_insane(), which would mean we don't check for this one
> particular error case, but I'm not sure why you'd feel that way. Like I
> said, I'm sure that's _not_ what you're suggesting, I just don't see
> what it is you are trying to say.
>
> You start this paragraph by saying "Taking your intended usage example,
> ..." but don't really offer an alternative solution. I'd be interested
> if you did have some thoughts.

The only alternative I can think about is for every component to enforce
its own view of "sane".

> Maybe a better solution is to change bfd_get_section_size() so that this
> function doesn't always just return the recorded section size, but
> instead returns 0 (or maybe -1 to indicate an error?) based on calling
> bfd_section_size_insane()? This feels far more risky as there's likely
> many calls to bfd_section_size() in the wild that don't expect to get
> back a size of 0.... but maybe that's a cleaner solution?

Indeed, this risk makes such a change undesirable. Plus when merely
dumping headers, for example, the true value will want returning (and
displaying) anyway.

I was rather thinking the other way around, to perhaps drop the "insane"
checking, for being purely heuristic and prone to break at some
(hopefully distant) future point. A reasonably well implemented
allocation function ought to be able to fail without first trying hard
to free up memory, when enough cannot be made available anyway.

Jan
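The thread argues about a heuristic that compares a section size taken from an untrusted object file against the size of the file before a buffer of that size is allocated. The stand-alone program below is an added example written for this page; it is not BFD's code and does not reproduce bfd/section.c. The flag names, the struct layouts, the 10x allowance for compressed sections and the sample object are assumptions made for the illustration. It places the heuristic ("sane") next to the exact bounds check ("valid") that Jan's "valid != sane" remark distinguishes, so that a section which passes one and fails the other can be seen.

```c
/* Added example, not code from binutils/BFD: a file-size based sanity
   heuristic for an untrusted section size, consulted before allocating a
   buffer for the section's contents, beside the exact validity check.
   Flag names, struct layouts, the 10x compressed allowance and the sample
   object are assumptions for this illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SEC_HAS_CONTENTS 0x1u  /* section occupies bytes in the file */
#define SEC_IN_MEMORY    0x2u  /* contents already live in a caller buffer */
#define SEC_COMPRESSED   0x4u  /* recorded size is the decompressed size */

struct section {
  const char *name;
  uint64_t file_offset; /* where the contents start in the file (untrusted) */
  uint64_t size;        /* size recorded in the headers (untrusted) */
  unsigned flags;
};

struct object {
  uint64_t file_size;          /* size of the file on disk (trusted) */
  const unsigned char *image;  /* the whole file as read into memory */
};

/* True when SEC's recorded size cannot be backed by the file, so that
   allocating SEC->size bytes for it is pointless.  This is the policy the
   thread argues about: a heuristic that rejects absurd sizes early.  It
   does not prove that a size it accepts is correct. */
bool section_size_insane(const struct object *obj, const struct section *sec)
{
  if (sec->size == 0)
    return false;
  /* Nothing is read from the file for these, so size bounds no read. */
  if ((sec->flags & SEC_IN_MEMORY) != 0 || (sec->flags & SEC_HAS_CONTENTS) == 0)
    return false;
  if (obj->file_size == 0)
    return false; /* file size unknown (e.g. a pipe): cannot judge */
  if (sec->flags & SEC_COMPRESSED) {
    /* Decompressed data may exceed the file size; allow a bounded ratio
       (assumed factor), guarding the multiplication against overflow. */
    if (obj->file_size > UINT64_MAX / 10)
      return false;
    return sec->size > obj->file_size * 10;
  }
  return sec->size > obj->file_size;
}

/* Allocates and fills a buffer with SEC's bytes, or returns NULL with *ERR
   set.  The offset/size bounds check is an exact validity test, unlike the
   heuristic above: the bytes are either inside the file or they are not. */
unsigned char *read_section_contents(const struct object *obj,
                                     const struct section *sec,
                                     const char **err)
{
  *err = NULL;
  if (section_size_insane(obj, sec)) {
    *err = "section size insane";
    return NULL;
  }
  if ((sec->flags & SEC_HAS_CONTENTS) == 0) {
    *err = "section has no contents";
    return NULL;
  }
  /* Written as a subtraction so offset + size cannot overflow. */
  if (sec->file_offset > obj->file_size ||
      sec->size > obj->file_size - sec->file_offset) {
    *err = "section extends past end of file";
    return NULL;
  }
  unsigned char *buf = malloc(sec->size ? sec->size : 1);
  if (buf == NULL) {
    *err = "out of memory";
    return NULL;
  }
  memcpy(buf, obj->image + sec->file_offset, sec->size);
  return buf;
}

/* Constructed sample: a 4096-byte file whose headers claim these sections.
   The sizes are made up to exercise each branch. */
static unsigned char sample_image[4096];
const struct object sample_object = { sizeof sample_image, sample_image };

const struct section sec_text   = { ".text",       0x100, 0x200,      SEC_HAS_CONTENTS };
const struct section sec_forged = { ".debug_info", 0x300, 1ull << 40, SEC_HAS_CONTENTS };
const struct section sec_bss    = { ".bss",        0,     1ull << 30, 0 };
const struct section sec_zdbg   = { ".zdebug_str", 0x400, 40000,      SEC_HAS_CONTENTS | SEC_COMPRESSED };
const struct section sec_zbig   = { ".zdebug_big", 0x400, 50000,      SEC_HAS_CONTENTS | SEC_COMPRESSED };
/* Sane by the heuristic (0x900 < 4096) yet not inside the file. */
const struct section sec_tail   = { ".past_eof",   0xF00, 0x900,      SEC_HAS_CONTENTS };

int main(void)
{
  const struct section *all[] = { &sec_text, &sec_forged, &sec_bss, &sec_zdbg, &sec_zbig, &sec_tail };
  for (size_t i = 0; i < sizeof all / sizeof all[0]; i++) {
    const char *err;
    unsigned char *p = read_section_contents(&sample_object, all[i], &err);
    printf("%-12s insane=%d read=%s\n", all[i]->name,
           section_size_insane(&sample_object, all[i]), p ? "ok" : err);
    free(p);
  }
  return 0;
}
```

`.debug_info` with a claimed 1 TiB is caught by the heuristic, which matters because on a system that overcommits memory a `malloc` of that size can succeed and the failure only surfaces after the allocation, when the read runs off the end of the file. `.past_eof` shows the other side of the distinction: its size is smaller than the file, so the heuristic passes it, and only the exact offset-plus-size check rejects it. That exact check is the one no policy change can invalidate, which is why exposing it raises none of the concerns voiced in the thread.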