From: Siddhesh Poyarekar <siddhesh@gotplt.org>
To: "Adhemerval Zanella Netto" <adhemerval.zanella@linaro.org>,
"Volker Weißmann" <volker.weissmann@gmx.de>,
libc-alpha@sourceware.org
Subject: Re: [PATCH v3] Fix FORTIFY_SOURCE false positive
Date: Wed, 4 Oct 2023 13:08:57 -0400 [thread overview]
Message-ID: <598cb79e-c23b-1c13-5896-3cf46f9adf64@gotplt.org> (raw)
In-Reply-To: <3484e51b-af95-4f11-8d15-5ec21c0827c0@linaro.org>
On 2023-10-04 12:57, Adhemerval Zanella Netto wrote:
>
>
> On 04/10/23 11:43, Volker Weißmann wrote:
>> I thought about my patch again...
>>
>> If an attacker can make the victim-program leak file descriptors, this
>> can be used to defeat string fortification.
>>
>> Since leaking file-descriptors is normally not that bad (normally, it
>> cannot lead to anything worse than a DOS), programmers/security auditors
>> might be less careful in ensuring that no fd leaks.
>>
>> It doesn't even have to be a true leak, image if e.g. the attacker
>> controls python code that runs inside an interpreter that does some
>> sandboxing. Then the attacker could do something like:
>>
>> with open("/dev/zero") as file1:
>> with open("/dev/zero") as file2:
>> ...
>> with open("/dev/zero") as file1023:
>> trigger_formatstring_bug_in_the_python_interpreter()
>>
>> to break out of the sandbox.
>>
>> I know I'm being a bit paranoid, but glibc is used *everywhere*.
>>
>> I think instead of "return 1;" we should do
>>
>> __libc_fatal ("*** too many open file descriptors ***\n");
>>
>> instead.
>
> The same if also check for procfs support, meaning that if it is not accessible
> the process will start to abort execution. Not sure about what kind of breakage
> it would incur, but it should reasonable to abort on both cases since this is
> done iff fortify is enabled.
I'm worried that this would result in spurious reports and may
discourage usage of fortification, something that we do
distribution-wide right now.
Sid
next prev parent reply other threads:[~2023-10-04 17:09 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-03 17:18 Volker Weißmann
2023-10-03 17:25 ` Siddhesh Poyarekar
2023-10-03 18:13 ` [PATCH] debug: Add regression tests for BZ 30932 Adhemerval Zanella
2023-10-03 18:48 ` Siddhesh Poyarekar
2023-10-04 14:43 ` [PATCH v3] Fix FORTIFY_SOURCE false positive Volker Weißmann
2023-10-04 16:57 ` Adhemerval Zanella Netto
2023-10-04 17:08 ` Siddhesh Poyarekar [this message]
2023-10-04 14:51 ` Andreas Schwab
2023-10-04 15:44 ` Volker Weißmann
2023-10-04 17:36 ` Florian Weimer
2023-10-04 17:45 ` Siddhesh Poyarekar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=598cb79e-c23b-1c13-5896-3cf46f9adf64@gotplt.org \
--to=siddhesh@gotplt.org \
--cc=adhemerval.zanella@linaro.org \
--cc=libc-alpha@sourceware.org \
--cc=volker.weissmann@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).