From: Aaron Ballman <aaron@aaronballman.com>
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: Jonathan Wakely <jwakely.gcc@gmail.com>,
Zack Weinberg <zack@owlfolio.org>,
c-std-porting@lists.linux.dev, autoconf@gnu.org,
gcc@gcc.gnu.org, cfe-commits@lists.llvm.org,
Gnulib bugs <bug-gnulib@gnu.org>
Subject: Re: How can Autoconf help with the transition to stricter compilation defaults?
Date: Tue, 15 Nov 2022 15:57:49 -0500 [thread overview]
Message-ID: <CAAt6xTtfqGfw7YO2c5130acpnz6dZSfP+J5EzS-523KSQGJCMA@mail.gmail.com> (raw)
In-Reply-To: <06a5d2cd-44eb-7404-17f3-ff64dd505427@cs.ucla.edu>
On Tue, Nov 15, 2022 at 3:27 PM Paul Eggert <eggert@cs.ucla.edu> wrote:
>
> On 2022-11-15 11:27, Jonathan Wakely wrote:
> > Another perspective is that autoconf shouldn't get in the way of
> > making the C and C++ toolchain more secure by default.
>
> Can you cite any examples of a real-world security flaw what would be
> found by Clang erroring out because 'char foo(void);' is the wrong
> prototype? Is it plausible that any such security flaw exists?
CVE-2006-1174 is a possibly reasonable example. That one is
specifically about the K&R C open() interface, but the reason the CVE
happened was because a required argument was not passed which is
exactly the kind of problem you'd get from a prototype mismatch.
I think autoconf's usage pattern is well outside of common C coding
practices. Most folks who call a function expect the call to plausibly
happen at runtime (rather than do so just to see if the linker will
complain or not), and I don't know of another context in which anyone
expects calling a function with an incorrect signature will lead to
good outcomes.
> On the contrary, it's more likely that Clang's erroring out here would
> *introduce* a security flaw, because it would cause 'configure' to
> incorrectly infer that an important security-relevant function is
> missing and that a flawed substitute needs to be used.
>
> Let's focus on real problems rather than worrying about imaginary ones.
If the symbol exists and `configure` says it does not, that's the bug
and it's not with the host compiler. You can run into that same bug
with use of `-Werror`, as others have pointed out. So strengthening
warnings doesn't introduce any NEW problems into autoconf, it
exacerbates existing ones.
~Aaron
next prev parent reply other threads:[~2022-11-15 20:58 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-10 17:16 Zack Weinberg
2022-11-10 17:52 ` Nick Bowler
2022-11-10 17:58 ` Jonathan Wakely
2022-11-10 18:12 ` Jonathan Wakely
2022-11-10 18:44 ` Aaron Ballman
2022-11-12 2:56 ` Zack Weinberg
2022-11-10 18:05 ` Rich Felker
2022-11-10 21:44 ` Florian Weimer
2022-11-12 3:22 ` Zack Weinberg
2022-11-10 18:08 ` Florian Weimer
2022-11-12 3:40 ` Zack Weinberg
2022-11-12 3:43 ` Sam James
2022-11-12 14:27 ` Zack Weinberg
2022-11-12 3:45 ` Joseph Myers
2022-11-12 15:59 ` Wookey
2022-11-12 16:12 ` Zack Weinberg
2022-11-10 18:19 ` Aaron Ballman
2022-11-10 21:05 ` Paul Eggert
2022-11-11 15:11 ` Aaron Ballman
2022-11-13 0:43 ` Paul Eggert
2022-11-14 12:41 ` Aaron Ballman
2022-11-14 18:14 ` Paul Eggert
2022-11-14 18:30 ` Florian Weimer
2022-11-14 18:35 ` Aaron Ballman
2022-11-15 14:50 ` Jonathan Wakely
2022-11-15 19:08 ` Paul Eggert
2022-11-15 19:27 ` Jonathan Wakely
2022-11-15 20:27 ` Paul Eggert
2022-11-15 20:57 ` Aaron Ballman [this message]
2022-11-15 23:09 ` Paul Eggert
2022-11-15 23:43 ` Ben Boeckel
2022-11-16 14:26 ` Michael Matz
2022-11-16 14:40 ` Alexander Monakov
2022-11-16 15:01 ` Michael Matz
2022-11-16 15:27 ` Richard Biener
2022-11-16 15:35 ` Sam James
2022-11-16 15:59 ` Michael Matz
2022-11-16 16:20 ` Jonathan Wakely
2022-11-16 16:34 ` Michael Matz
2022-11-16 16:46 ` Jonathan Wakely
2022-11-16 18:17 ` Paul Eggert
2022-11-16 18:40 ` Jeffrey Walton
2022-11-17 18:45 ` Paul Eggert
2022-11-16 18:59 ` Zack Weinberg
2022-11-17 18:58 ` Paul Eggert
2022-11-17 21:35 ` Bruno Haible
2022-11-17 22:27 ` Paul Eggert
2022-11-17 13:30 ` Michael Matz
2022-11-15 20:36 ` Aaron Ballman
2022-11-15 5:03 ` Sam James
2022-11-15 13:30 ` Zack Weinberg
2022-11-15 13:34 ` Sam James
2022-11-16 0:08 ` Bob Friesenhahn
2022-11-13 0:43 ` Paul Eggert
2022-11-17 13:57 ` Jason Merrill
2022-11-10 20:19 ` Paul Eggert
[not found] ` <d785b19371e8419f5a5817d7cdb429db91614a3a.camel@orlitzky.com>
2022-11-11 3:08 ` Sam James
2022-11-11 3:33 ` Zack Weinberg
2022-11-11 8:40 ` Sam James
2022-11-11 9:02 ` Paul Eggert
2022-11-12 14:09 ` Zack Weinberg
2022-11-11 23:25 ` Sam James
2022-11-12 0:53 ` Paul Eggert
2022-11-12 4:00 ` Sam James
2022-11-11 9:15 ` Sam James
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAAt6xTtfqGfw7YO2c5130acpnz6dZSfP+J5EzS-523KSQGJCMA@mail.gmail.com \
--to=aaron@aaronballman.com \
--cc=autoconf@gnu.org \
--cc=bug-gnulib@gnu.org \
--cc=c-std-porting@lists.linux.dev \
--cc=cfe-commits@lists.llvm.org \
--cc=eggert@cs.ucla.edu \
--cc=gcc@gcc.gnu.org \
--cc=jwakely.gcc@gmail.com \
--cc=zack@owlfolio.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).