From: "Petr Tesařík" <petr@tesarici.cz>
To: Richard Earnshaw <Richard.Earnshaw@foss.arm.com>
Cc: gdb@sourceware.org
Subject: Re: Threat model for GNU Binutils
Date: Fri, 14 Apr 2023 18:45:13 +0200 [thread overview]
Message-ID: <20230414184513.5c82bc4a@meshulam.tesarici.cz> (raw)
In-Reply-To: <539b2e82-b084-784b-673b-b175638454f8@foss.arm.com>
On Fri, 14 Apr 2023 16:31:58 +0100
Richard Earnshaw <Richard.Earnshaw@foss.arm.com> wrote:
> On 14/04/2023 16:25, Petr Tesařík wrote:
> > On Fri, 14 Apr 2023 15:41:38 +0100
> > Richard Earnshaw via Gdb <gdb@sourceware.org> wrote:
> >
> >> On 14/04/2023 15:08, Siddhesh Poyarekar wrote:
> >>> On 2023-04-14 09:12, Richard Earnshaw wrote:
> >> [...]
> >>>> 2) Code directly generated by the tools contains a vulnerability
> >>>>
> >>>> Nature:
> >>>> The vast majority of code output from the tools comes from the input
> >>>> files supplied, but a small amount of 'glue' code might be needed in
> >>>> some cases, for example to enable jumping to another function in
> >>>> another part of the address space. Linkers are also sometimes asked
> >>>> to inject mitigations for known CPU errata when this cannot be done
> >>>> during the compilation phase.
> >>>
> >>> Since you've split this one out from machine instructions, there's a
> >>> third category too; where binutils tools generate incorrect code for
> >>> alignment of sections, sizes of sections, etc. There's also a (rare)
> >>> possibility of an infrequently used instruction having incorrect opcode
> >>> mapping, resulting in a bug being masked when dumped with objdump or
> >>> resulting code having undefined behaviour.
> >>>
> >
> > I must be dumb, but isn't the biggest risk is that GNU Binutils produce
> > an exploitable bug in the target binary?
> >
> > Let me give a silly hypothetical example. If the linker places Global
> > Offset Table incorrectly, so that it overlaps stack, then I would
> > definitely consider it a security bug in GNU Binutils, because all
> > input object files were OK, but the result is not.
> >
> > Just my two cents,
> > Petr T
>
> This probably comes under the 2) of generated output, but it could be
> more explicit. Layout bugs is also something Sid alluded to with his
> comments about alignment.
Ah. Since you wrote "code", I had the impression you considered only
machine code. I wanted to make it clear that *anything* in the output
can be potentially security-relevant.
Petr T
next prev parent reply other threads:[~2023-04-14 16:45 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-14 13:12 Richard Earnshaw
2023-04-14 14:08 ` Siddhesh Poyarekar
2023-04-14 14:41 ` Richard Earnshaw
2023-04-14 15:25 ` Petr Tesařík
2023-04-14 15:31 ` Richard Earnshaw
2023-04-14 15:50 ` Phi Debian
2023-04-14 16:45 ` Petr Tesařík [this message]
2023-04-17 16:17 ` Siddhesh Poyarekar
2023-04-17 16:22 ` Siddhesh Poyarekar
2023-04-14 15:07 ` Richard Earnshaw
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230414184513.5c82bc4a@meshulam.tesarici.cz \
--to=petr@tesarici.cz \
--cc=Richard.Earnshaw@foss.arm.com \
--cc=gdb@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).