From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 14 Apr 2023 17:25:38 +0200
From: Petr Tesařík
To: gdb@sourceware.org
Cc: Richard Earnshaw
Subject: Re: Threat model for GNU Binutils
Message-ID: <20230414172538.1ddee8d5@meshulam.tesarici.cz>
In-Reply-To: <5947697c-274f-58a7-af02-00618691021d@foss.arm.com>
References: <032c1307-c143-3f2c-0502-683d966f0257@foss.arm.com> <78f3e6a6-dec2-3aa2-d1b6-935d842add1e@gotplt.org> <5947697c-274f-58a7-af02-00618691021d@foss.arm.com>
X-Mailer: Claws Mail 4.1.1 (GTK 3.24.37; x86_64-suse-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

On Fri, 14 Apr 2023 15:41:38 +0100
Richard Earnshaw via Gdb wrote:

> On 14/04/2023 15:08, Siddhesh Poyarekar wrote:
> > On 2023-04-14 09:12, Richard Earnshaw wrote:
>[...]
> >> 2) Code directly generated by the tools contains a vulnerability
> >>
> >>   Nature:
> >>   The vast majority of code output from the tools comes from the input
> >>   files supplied, but a small amount of 'glue' code might be needed in
> >>   some cases, for example to enable jumping to another function in
> >>   another part of the address space.  Linkers are also sometimes asked
> >>   to inject mitigations for known CPU errata when this cannot be done
> >>   during the compilation phase.
> >
> > Since you've split this one out from machine instructions, there's a
> > third category too; where binutils tools generate incorrect code for
> > alignment of sections, sizes of sections, etc.  There's also a (rare)
> > possibility of an infrequently used instruction having incorrect opcode
> > mapping, resulting in a bug being masked when dumped with objdump or
> > resulting code having undefined behaviour.
> >

I must be dumb, but isn't the biggest risk that GNU Binutils produce an
exploitable bug in the target binary?

Let me give a silly hypothetical example. If the linker places the Global
Offset Table incorrectly, so that it overlaps the stack, then I would
definitely consider it a security bug in GNU Binutils, because all input
object files were OK, but the result is not.
Just my two cents, Petr T
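Siddhesh's "third category" (wrong alignment or sizes of what the linker emits) and Petr's overlap hypothetical both describe linker output whose memory layout is internally inconsistent. As an added example that is not part of this thread and not binutils code, the script below reads the PT_LOAD program headers of a little-endian ELF64 image and flags overlapping segments, segments whose p_vaddr and p_offset are not congruent modulo p_align, p_filesz larger than p_memsz, file bytes running past the end of the image, and writable-plus-executable mappings. The two images it audits are constructed inline: a clean layout, and a hypothetical broken one in which the writable data segment has been placed inside the text segment. It works only at the segment level; section headers (and therefore the GOT as a named section) are not parsed.

```python
"""Sanity-check the PT_LOAD layout of a linked ELF64 image.

Added illustration, not binutils code: catches linker output whose load
segments overlap, are misaligned, or have inconsistent sizes.
"""
import struct
from dataclasses import dataclass

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4


@dataclass
class Segment:
    p_type: int
    p_flags: int
    p_offset: int
    p_vaddr: int
    p_filesz: int
    p_memsz: int
    p_align: int

    def end(self) -> int:
        return self.p_vaddr + self.p_memsz


def parse_elf64_segments(image: bytes) -> list:
    """Return the program headers of a little-endian ELF64 image."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_phoff = struct.unpack_from("<Q", image, 32)[0]          # e_phoff
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 54)
    segments = []
    for i in range(e_phnum):
        fields = struct.unpack_from("<IIQQQQQQ", image, e_phoff + i * e_phentsize)
        p_type, p_flags, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, p_align = fields
        segments.append(Segment(p_type, p_flags, p_offset, p_vaddr,
                                p_filesz, p_memsz, p_align))
    return segments


def check_load_segments(segments: list, file_size: int) -> list:
    """Return human-readable layout problems; an empty list means clean."""
    problems = []
    loads = sorted((s for s in segments if s.p_type == PT_LOAD), key=lambda s: s.p_vaddr)
    for s in loads:
        tag = f"PT_LOAD @ {s.p_vaddr:#x}"
        if s.p_filesz > s.p_memsz:
            problems.append(f"{tag}: p_filesz {s.p_filesz:#x} exceeds p_memsz {s.p_memsz:#x}")
        if s.p_offset + s.p_filesz > file_size:
            problems.append(f"{tag}: file bytes run past the end of the image")
        # The loader maps whole pages, so p_vaddr and p_offset must agree modulo p_align.
        if s.p_align > 1 and (s.p_vaddr - s.p_offset) % s.p_align != 0:
            problems.append(f"{tag}: p_vaddr/p_offset not congruent modulo p_align {s.p_align:#x}")
        if (s.p_flags & PF_W) and (s.p_flags & PF_X):
            problems.append(f"{tag}: segment is both writable and executable")
    for a, b in zip(loads, loads[1:]):
        if a.end() > b.p_vaddr:
            problems.append(f"PT_LOAD @ {a.p_vaddr:#x} (ends {a.end():#x}) "
                            f"overlaps PT_LOAD @ {b.p_vaddr:#x}")
    return problems


def build_elf64(segments: list) -> bytes:
    """Assemble a minimal ELF64 image: header, program headers, zero padding.

    Constructed test input only; nothing in it is ever executed."""
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", s.p_type, s.p_flags, s.p_offset, s.p_vaddr,
                    s.p_vaddr, s.p_filesz, s.p_memsz, s.p_align)
        for s in segments)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0x401000,        # ET_EXEC, EM_X86_64, EV_CURRENT, e_entry
                                 64, 0, 0,                  # e_phoff, e_shoff, e_flags
                                 64, 56, len(segments),     # e_ehsize, e_phentsize, e_phnum
                                 64, 0, 0)                  # e_shentsize, e_shnum, e_shstrndx
    image = ehdr + phdrs
    size = max(s.p_offset + s.p_filesz for s in segments)
    return image + bytes(max(0, size - len(image)))


# Constructed sample: a conventional text segment followed by a writable data segment.
GOOD_IMAGE = build_elf64([
    Segment(PT_LOAD, PF_R | PF_X, 0x0000, 0x400000, 0x1000, 0x1000, 0x1000),
    Segment(PT_LOAD, PF_R | PF_W, 0x2000, 0x402000, 0x0100, 0x2000, 0x1000),
])
# Hypothetical broken linker output: the data segment was placed inside the text segment.
BAD_IMAGE = build_elf64([
    Segment(PT_LOAD, PF_R | PF_X, 0x0000, 0x400000, 0x1000, 0x1000, 0x1000),
    Segment(PT_LOAD, PF_R | PF_W, 0x2000, 0x400800, 0x0100, 0x2000, 0x1000),
])


def audit(image: bytes) -> list:
    return check_load_segments(parse_elf64_segments(image), len(image))


if __name__ == "__main__":
    for name, image in (("good", GOOD_IMAGE), ("bad", BAD_IMAGE)):
        print(name, audit(image) or "clean")
```

To run it against real linker output, pass `open(path, "rb").read()` to `audit()`; the findings can be cross-checked by eye against `readelf -lW`. The congruence check is the one that most often exposes a wrong-alignment bug, because a segment that fails it cannot be mapped with the file page-aligned and will either be refused by the loader or mapped at a shifted address.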