Date: Fri, 14 Apr 2023 18:45:13 +0200
From: Petr Tesařík
To: Richard Earnshaw
Cc: gdb@sourceware.org
Subject: Re: Threat model for GNU Binutils
Message-ID: <20230414184513.5c82bc4a@meshulam.tesarici.cz>
In-Reply-To: <539b2e82-b084-784b-673b-b175638454f8@foss.arm.com>
References: <032c1307-c143-3f2c-0502-683d966f0257@foss.arm.com> <78f3e6a6-dec2-3aa2-d1b6-935d842add1e@gotplt.org> <5947697c-274f-58a7-af02-00618691021d@foss.arm.com> <20230414172538.1ddee8d5@meshulam.tesarici.cz> <539b2e82-b084-784b-673b-b175638454f8@foss.arm.com>

On Fri, 14 Apr 2023 16:31:58 +0100
Richard Earnshaw wrote:

> On 14/04/2023 16:25, Petr Tesařík wrote:
> > On Fri, 14 Apr 2023 15:41:38 +0100
> > Richard Earnshaw via Gdb wrote:
> >
> >> On 14/04/2023 15:08, Siddhesh Poyarekar wrote:
> >>> On 2023-04-14 09:12, Richard Earnshaw wrote:
> >> [...]
> >>>> 2) Code directly generated by the tools contains a vulnerability
> >>>>
> >>>>   Nature:
> >>>>   The vast majority of code output from the tools comes from the input
> >>>>   files supplied, but a small amount of 'glue' code might be needed in
> >>>>   some cases, for example to enable jumping to another function in
> >>>>   another part of the address space.  Linkers are also sometimes asked
> >>>>   to inject mitigations for known CPU errata when this cannot be done
> >>>>   during the compilation phase.
> >>>
> >>> Since you've split this one out from machine instructions, there's a
> >>> third category too; where binutils tools generate incorrect code for
> >>> alignment of sections, sizes of sections, etc.  There's also a (rare)
> >>> possibility of an infrequently used instruction having incorrect opcode
> >>> mapping, resulting in a bug being masked when dumped with objdump or
> >>> resulting code having undefined behaviour.
> >>>
> >
> > I must be dumb, but isn't the biggest risk that GNU Binutils produce
> > an exploitable bug in the target binary?
> >
> > Let me give a silly hypothetical example. If the linker places the Global
> > Offset Table incorrectly, so that it overlaps the stack, then I would
> > definitely consider it a security bug in GNU Binutils, because all
> > input object files were OK, but the result is not.
> >
> > Just my two cents,
> > Petr T
>
> This probably comes under the 2) of generated output, but it could be
> more explicit. Layout bugs are also something Sid alluded to with his
> comments about alignment.

Ah. Since you wrote "code", I had the impression you considered only
machine code. I wanted to make it clear that *anything* in the output
can be potentially security-relevant.

Petr T
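The layout category the thread settles on (segments placed on top of each other, wrong alignment, wrong sizes) is something a build pipeline can check for after linking. The following is an added example, not code from the thread or from binutils: it parses the program headers of an ELF64 little-endian image and reports PT_LOAD segments that overlap in memory, violate the vaddr/offset alignment congruence, or claim more file bytes than memory. The stack is not a file segment, so the constructed "bad" image uses the closest file-level analogue, a data segment placed inside the text segment; both sample images are constructed inline, not real binaries.

```python
import struct

# ELF64 little-endian header and program header layouts, per the ELF spec.
ELF64_EHDR = "<16sHHIQQQIHHHHHH"
ELF64_PHDR = "<IIQQQQQQ"
PT_LOAD = 1
PH_FIELDS = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")

def parse_phdrs(image):
    """Return the program headers of an ELF64 image as dicts."""
    eh = struct.unpack_from(ELF64_EHDR, image, 0)
    phoff, phentsize, phnum = eh[5], eh[9], eh[10]
    return [dict(zip(PH_FIELDS, struct.unpack_from(ELF64_PHDR, image, phoff + i * phentsize)))
            for i in range(phnum)]

def check_layout(image):
    """Return layout findings for the PT_LOAD segments; an empty list means all checks passed."""
    findings = []
    loads = sorted((p for p in parse_phdrs(image) if p["type"] == PT_LOAD), key=lambda p: p["vaddr"])
    for p in loads:
        if p["filesz"] > p["memsz"]:
            findings.append(f"segment {p['vaddr']:#x}: filesz larger than memsz")
        # The ELF spec requires p_vaddr and p_offset to be congruent modulo p_align.
        if p["align"] > 1 and p["vaddr"] % p["align"] != p["offset"] % p["align"]:
            findings.append(f"segment {p['vaddr']:#x}: vaddr and offset not congruent mod align")
    # Segments adjacent by address must not overlap in memory.
    for a, b in zip(loads, loads[1:]):
        if a["vaddr"] + a["memsz"] > b["vaddr"]:
            findings.append(f"segments {a['vaddr']:#x} and {b['vaddr']:#x} overlap")
    return findings

def build_image(phdrs):
    """Constructed ELF64 image (not a real binary): header followed directly by program headers."""
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = struct.pack(ELF64_EHDR, ident, 2, 62, 1, 0x401000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(ELF64_PHDR, *p) for p in phdrs)

# Constructed sample layouts; tuples are (type, flags, offset, vaddr, paddr, filesz, memsz, align).
TEXT = (PT_LOAD, 5, 0x1000, 0x401000, 0x401000, 0x500, 0x500, 0x1000)
GOOD_IMAGE = build_image([TEXT, (PT_LOAD, 6, 0x2000, 0x403000, 0x403000, 0x100, 0x200, 0x1000)])
# Data segment dropped inside the text segment: the kind of layout bug the thread describes.
BAD_IMAGE = build_image([TEXT, (PT_LOAD, 6, 0x2000, 0x401400, 0x401400, 0x100, 0x200, 0x1000)])

if __name__ == "__main__":
    for name, img in (("good", GOOD_IMAGE), ("bad", BAD_IMAGE)):
        print(name, check_layout(img) or "layout OK")
```

Pointed at a real linker output (read the file as bytes and call check_layout), the same checks apply unchanged; big-endian or ELF32 objects would need the corresponding struct formats.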