Message-ID: <213b617b-5fd7-93a8-51fd-cdbfdb9564c2@gotplt.org>
Date: Fri, 8 Apr 2022 08:54:32 +0530
Subject: Re: [RFC] _FORTIFY_SOURCE strictness
From: Siddhesh Poyarekar
To: Andreas Schwab
Cc: libc-alpha@sourceware.org, Adhemerval Zanella, Carlos O'Donell, Florian Weimer, Jakub Jelinek, Martin Liška
In-Reply-To: <87ilrlryfp.fsf@igel.home>
References: <87ilrlryfp.fsf@igel.home>

On 07/04/2022 15:46, Andreas Schwab wrote:
> On Apr 07 2022, Siddhesh Poyarekar wrote:
>
>> The downside of this approach is the possibility that some applications
>> don't fortify beyond level 2, insisting that their usage is safe enough.
>
> The problem with this argument is that what is safe enough now, may be
> unsafe later due to an unrelated change elsewhere, or an attacker
> injecting some unforeseen data. It is generally better to be safer in
> the first place, because aborting deep inside the call chain is a risk
> in itself, even if it prevented an acute undefined behaviour from doing
> bad side effects. By checking bounds early better error recovery is
> possible in general.
>

That's a fair point.

Thanks,
Siddhesh
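The trade-off Andreas describes, as an added example that is not part of the thread and not glibc code: a copy deep in the call chain that, under `-O2 -D_FORTIFY_SOURCE=2`, would be rewritten into `__strcpy_chk` and abort the process on an oversized input, beside a length check at the API boundary that refuses the same input with an error code the caller can act on. The struct, function names and sample inputs are constructed for illustration.

```c
/* Added example; not code from the libc-alpha thread. It illustrates the
 * point Andreas makes: a length check at the API boundary lets the caller
 * recover, whereas a _FORTIFY_SOURCE abort fires deep inside strcpy with no
 * recovery path. All names here (struct record, handle_request, ...) are
 * constructed for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 15             /* sizeof name is 16: 15 chars + NUL */

struct record {
    char name[NAME_MAX_LEN + 1];
    unsigned rejected;              /* inputs refused by the early check */
};

/* Deep in the call chain. Compiled with -O2 -D_FORTIFY_SOURCE=2 the compiler
 * knows sizeof r->name and rewrites this strcpy into __strcpy_chk, which
 * aborts the process if src does not fit. Without fortification the same
 * input would overflow. Either way the caller never gets a chance to react. */
static void store_name(struct record *r, const char *src)
{
    strcpy(r->name, src);
}

/* Early check at the boundary: refuse the input with an error code before
 * anything is copied. memchr is bounded, so the scan never runs past the
 * limit even if the input has no NUL within it. */
int handle_request(struct record *r, const char *input)
{
    if (memchr(input, '\0', NAME_MAX_LEN + 1) == NULL) {
        r->rejected++;
        return -ENAMETOOLONG;       /* caller decides: log, drop, ask again */
    }
    store_name(r, input);           /* precondition established: it fits */
    return 0;
}

/* One possible recovery policy: on rejection keep the record usable by
 * storing a fixed placeholder instead of terminating. */
int handle_request_with_fallback(struct record *r, const char *input)
{
    int rc = handle_request(r, input);
    if (rc == -ENAMETOOLONG)
        strcpy(r->name, "<rejected>");  /* 10 chars, fits in the buffer */
    return rc;
}

int main(void)
{
    struct record r = { "", 0 };
    /* Constructed sample inputs: two that fit, one that does not. */
    const char *inputs[] = { "alice", "exactly15chars!",
                             "this-name-is-far-too-long" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = handle_request_with_fallback(&r, inputs[i]);
        printf("%-26s -> rc=%d name=\"%s\" rejected=%u\n",
               inputs[i], rc, r.name, r.rejected);
    }
    return 0;
}
```

The oversized input never reaches `strcpy`, so the fortified check in `store_name` becomes a backstop for an invariant the boundary already enforces rather than the only line of defence; the caller sees `-ENAMETOOLONG` and chooses the recovery, which is the "better error recovery" the reply argues for.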