From: Aaron Ballman
Date: Tue, 15 Nov 2022 15:57:49 -0500
Subject: Re: How can Autoconf help with the transition to stricter compilation defaults?
To: Paul Eggert
Cc: Jonathan Wakely, Zack Weinberg, c-std-porting@lists.linux.dev, autoconf@gnu.org, gcc@gcc.gnu.org, cfe-commits@lists.llvm.org, Gnulib bugs

On Tue, Nov 15, 2022 at 3:27 PM Paul Eggert wrote:
>
> On 2022-11-15 11:27, Jonathan Wakely wrote:
> > Another perspective is that autoconf shouldn't get in the way of
> > making the C and C++ toolchain more secure by default.
>
> Can you cite any examples of a real-world security flaw that would be
> found by Clang erroring out because 'char foo(void);' is the wrong
> prototype? Is it plausible that any such security flaw exists?

CVE-2006-1174 is a possibly reasonable example. That one is specifically about the K&R C open() interface, but the reason the CVE happened was because a required argument was not passed, which is exactly the kind of problem you'd get from a prototype mismatch.

I think autoconf's usage pattern is well outside of common C coding practices. Most folks who call a function expect the call to plausibly happen at runtime (rather than do so just to see if the linker will complain or not), and I don't know of another context in which anyone expects calling a function with an incorrect signature will lead to good outcomes.

> On the contrary, it's more likely that Clang's erroring out here would
> *introduce* a security flaw, because it would cause 'configure' to
> incorrectly infer that an important security-relevant function is
> missing and that a flawed substitute needs to be used.
>
> Let's focus on real problems rather than worrying about imaginary ones.
If the symbol exists and `configure` says it does not, that's the bug, and it's not with the host compiler. You can run into that same bug with use of `-Werror`, as others have pointed out. So strengthening warnings doesn't introduce any NEW problems into autoconf; it exacerbates existing ones.

~Aaron
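As an added example (not code from this thread, from Autoconf, or from any of its participants), a small POSIX shell probe that places the legacy `char foo(void);` trick beside a header-based probe and, more importantly, refuses to read a compile failure of the probe itself as "function missing", which is the failure mode the thread is arguing about. The function names, the `${CC:-cc}` convention and the error-message patterns matched are assumptions.

```sh
# Added example (not from the thread or from Autoconf): a configure-style
# function probe that separates "symbol missing at link time" from "the probe
# itself failed to compile". A script that treats every failure as "missing"
# will, under a stricter compiler, silently pick a fallback implementation.

# classify_probe EXIT_STATUS LOGFILE -> prints present | missing | probe-broken
# Anything that is not clearly an undefined symbol is reported as probe-broken,
# never as missing: that is the safe direction for a configure check.
classify_probe() {
    status="$1"; log="$2"
    if [ "$status" -eq 0 ]; then
        echo present
    elif grep -q -i -e 'conflicting types' -e 'implicit declaration' \
                   -e 'incompatible' "$log"; then
        echo probe-broken
    elif grep -q -i -e 'undefined reference' -e 'undefined symbol' "$log"; then
        echo missing
    else
        echo probe-broken
    fi
}

# run_probe FUNC STYLE   (STYLE is "legacy" or "header:<file.h>")
#   legacy  - the old `char FUNC(void);` trick: a deliberately wrong prototype,
#             used only to see whether the linker finds the symbol.
#   header  - include the real header and take the function's address, so the
#             declaration comes from the system and cannot conflict with it.
# Compiler name and flags are assumptions (CC defaults to cc).
run_probe() {
    func="$1"; style="$2"
    tmp=$(mktemp -d) || return 2
    case "$style" in
        legacy)
            printf 'char %s(void);\nint main(void) { return %s(); }\n' \
                "$func" "$func" > "$tmp/conftest.c" ;;
        header:*)
            printf '#include <%s>\nint main(void) { void (*p)(void) = (void (*)(void))%s; (void)p; return 0; }\n' \
                "${style#header:}" "$func" > "$tmp/conftest.c" ;;
        *) rm -rf "$tmp"; return 2 ;;
    esac
    "${CC:-cc}" -Werror=implicit-function-declaration \
        -o "$tmp/conftest" "$tmp/conftest.c" > "$tmp/log" 2>&1
    classify_probe "$?" "$tmp/log"
    rm -rf "$tmp"
}

# Example calls (need a C compiler): run_probe open header:fcntl.h
#                                    run_probe open legacy
```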