public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "aaron at aaronballman dot com" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c++/110848] Consider enabling -Wvla by default in non-GNU C++ modes
Date: Sun, 22 Oct 2023 16:56:08 +0000 [thread overview]
Message-ID: <bug-110848-4-ecsdYD4gyy@http.gcc.gnu.org/bugzilla/> (raw)
In-Reply-To: <bug-110848-4@http.gcc.gnu.org/bugzilla/>
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110848
--- Comment #19 from Aaron Ballman <aaron at aaronballman dot com> ---
(In reply to Andrew Pinski from comment #18)
> (In reply to Aaron Ballman from comment #17)
> > In the time I opened this request, a new CVE related to VLAs came out:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-4039
>
> Everything is a security risk. Seriously it is. Everything can and will be
> abused; does not mean it is always right to warn about it. Also
> -fstack-protector should never be a CVE. CVEs will get to the point where
> they will be ignored because how they are now pointing out non-security
> issues.
My point is that this was a case where the developer used the language feature
and tried to do what they could to protect against security issues and still
ran into the security issue which resulted in a CVE. That's pretty different
from "everything can be abused". (I wasn't suggesting there's an issue with
using -fstack-protector or that it's a security issue itself)
next prev parent reply other threads:[~2023-10-22 16:56 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-28 20:02 [Bug c++/110848] New: Consider enabling -Wvla by default in " aaron at aaronballman dot com
2023-07-28 20:10 ` [Bug c++/110848] " pinskia at gcc dot gnu.org
2023-07-28 20:18 ` pinskia at gcc dot gnu.org
2023-07-28 20:25 ` aaron at aaronballman dot com
2023-07-28 20:35 ` pinskia at gcc dot gnu.org
2023-07-28 22:34 ` muecker at gwdg dot de
2023-07-29 11:19 ` aaron at aaronballman dot com
2023-07-31 8:18 ` [Bug c++/110848] Consider enabling -Wvla by default in non-GNU " rguenth at gcc dot gnu.org
2023-07-31 12:40 ` aaron at aaronballman dot com
2023-08-01 12:33 ` redi at gcc dot gnu.org
2023-08-01 13:01 ` aaron at aaronballman dot com
2023-08-04 5:49 ` egallager at gcc dot gnu.org
2023-08-04 12:22 ` aaron at aaronballman dot com
2023-10-21 14:45 ` aaron at aaronballman dot com
2023-10-22 4:45 ` egallager at gcc dot gnu.org
2023-10-22 4:57 ` egallager at gcc dot gnu.org
2023-10-22 9:03 ` muecker at gwdg dot de
2023-10-22 13:20 ` aaron at aaronballman dot com
2023-10-22 16:14 ` pinskia at gcc dot gnu.org
2023-10-22 16:56 ` aaron at aaronballman dot com [this message]
2023-10-22 17:45 ` muecker at gwdg dot de
2023-10-23 8:23 ` redi at gcc dot gnu.org
2023-10-23 10:30 ` muecker at gwdg dot de
2023-10-23 10:46 ` redi at gcc dot gnu.org
2023-10-23 10:50 ` redi at gcc dot gnu.org
2023-10-23 11:58 ` muecker at gwdg dot de
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-110848-4-ecsdYD4gyy@http.gcc.gnu.org/bugzilla/ \
--to=gcc-bugzilla@gcc.gnu.org \
--cc=gcc-bugs@gcc.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).