From: Evgeny Vereshchagin
Date: Sat, 22 Oct 2022 13:21:39 +0300
Subject: Re: Fuzzing elfutils
To: Philippe Antoine
Cc: "Frank Ch. Eigler", elfutils-devel@sourceware.org, david korczynski, izzeem@google.com
In-Reply-To: <5321B467-3B16-4E7F-A854-98EC8AD6B2C1@catenacyber.fr>

> Could you explain to me why you think it is a false positive?

As far as I can tell the idea behind that sanitizer is to mostly flag suspicious attempts to pass file names that haven't been sanitized in any way and I agree that in some cases depending on what happens after those files are opened it can lead to various issues (and for that reason there are a lot of static analyzers for example complaining about "tainted" strings, uncontrolled spheres and stuff like that).

In this particular case files go through __libdw_open_file and their build ids are checked (which makes it kind of hard to read passwords, tokens and so on and then expose them).

Thanks,
Evgeny Vereshchagin