From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from shrimp.cherry.relay.mailchannels.net (shrimp.cherry.relay.mailchannels.net [23.83.223.164]) by sourceware.org (Postfix) with ESMTPS id B62183887F7E for ; Wed, 4 Oct 2023 17:09:00 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org B62183887F7E Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=gotplt.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gotplt.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 9A38A1415A0; Wed, 4 Oct 2023 17:08:59 +0000 (UTC) Received: from pdx1-sub0-mail-a214.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 2B6391411E8; Wed, 4 Oct 2023 17:08:59 +0000 (UTC) ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1696439339; a=rsa-sha256; cv=none; b=C/znJ3dpF1YzypOPzY237T74VgIruOXDMk7bXYpAmVwraoOQL85HX7fZ2RMRm/NxxSjxZV 0t+Bk55G3GdQC6NncB4YceYoCzmdUihTs7r8Iob6Dn+ehCQpw/dhiG0UBmd0LA//iaOM/g 0KM3ja9VRrdgThCqR4XY5ULJy91tVulov2RZFmrksLr9I9YrdOl+50SI1I7XUzc0M5W5Nb 9SlIJFaFZ8RdyDbbpyWkEkX9G6sQMU10qQebOfakTjI60BEmumhc8JtxrOnus78oMcHYcJ gRp19UslQLobUwQW9anLjFiWFc/r/wVW2InlgCgq7Gl8wxZ9YIzTwnhlr9knhw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1696439339; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=jURnbuY56+9KqNf+2c1eJem+uFqlnywcriU+MZKBQnA=; b=EkP6Ovp+FMPoRvTaCEwFunMaLql5AGEPUmiSQ31bWMFvsXbgwhF0wDaaOb37b3tN1s/ojN a8ZY2Rnd1UPvYyH688A/jDouSpGu6cLYM1EN5oeYy9Imu/Y0bxQUaaxlxvfqnNSfrOwO1U 0/W87UFxLDfYnNtPTNHrzu9J9wKg7A09SgFzDtpup6JN2ep0z96/WsccV+i2TWsEEg2tN4 M+CZYO0nndMBR7tMHUAB+pB48VE6RsRGNuFT7EgHNUi4Fm9ex/r0TcS2MawfBsvIpjkDnj RYTOULCEvkpVPgmK5ZFGlC3SYx7HQ+4lPqdimH8soRLePrufu9p2UCO37RBvpA== ARC-Authentication-Results: i=1; rspamd-7c449d4847-l4ft5; auth=pass smtp.auth=dreamhost smtp.mailfrom=siddhesh@gotplt.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org X-MC-Relay: Neutral X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Plucky-Interest: 3238164130f0e438_1696439339416_548417938 X-MC-Loop-Signature: 1696439339416:1480203878 X-MC-Ingress-Time: 1696439339416 Received: from pdx1-sub0-mail-a214.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.104.112.136 (trex/6.9.1); Wed, 04 Oct 2023 17:08:59 +0000 Received: from [192.168.2.12] (bras-vprn-toroon4834w-lp130-02-142-113-138-41.dsl.bell.ca [142.113.138.41]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a214.dreamhost.com (Postfix) with ESMTPSA id 4S11PQ5H5Bz7w; Wed, 4 Oct 2023 10:08:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gotplt.org; s=dreamhost; t=1696439339; bh=jURnbuY56+9KqNf+2c1eJem+uFqlnywcriU+MZKBQnA=; h=Date:Subject:To:From:Content-Type:Content-Transfer-Encoding; b=qAj1mcdox7EwfTfwwRlC7U809FtenDVYp6mAXqtxUIejfto5M2Js871LajuaXtUhh BBLSRWcZxBDsBw3lpi+wzNvHCL9bTYUrABtf2edkB8Njhrkj1cBhfpPmyPj3mc9sxl rkuIWc1wkSYIpeGkrc/EGpevbWdzYk1oFv0aXf8ml7uOrbbqg6W6Dx/YzaVP4VHaQA gt8SDf7RMtEaPV0Hepub+Jd7/X2aolNsNDLAoRW+SOGR632C6rNsMUeiSwOKb9RjBT Zz+VNB7oNYdGR+I1H2LgXPDrjCcnbMY7dRaCuvezmwdfnzfH+hqGfkx0HOch8OdajN pav9ZLfps+wIg== Message-ID: <598cb79e-c23b-1c13-5896-3cf46f9adf64@gotplt.org> Date: Wed, 4 Oct 2023 13:08:57 -0400 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0 Subject: Re: [PATCH v3] Fix FORTIFY_SOURCE false positive Content-Language: en-US To: Adhemerval Zanella Netto , =?UTF-8?Q?Volker_Wei=c3=9fmann?= , libc-alpha@sourceware.org References: <20231003171844.9586-1-volker.weissmann@gmx.de> <74fc573f-e83e-4383-af94-95f49d9ea1b2@gmx.de> <3484e51b-af95-4f11-8d15-5ec21c0827c0@linaro.org> From: Siddhesh Poyarekar In-Reply-To: <3484e51b-af95-4f11-8d15-5ec21c0827c0@linaro.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-3031.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: On 2023-10-04 12:57, Adhemerval Zanella Netto wrote: > > > On 04/10/23 11:43, Volker Weißmann wrote: >> I thought about my patch again... >> >> If an attacker can make the victim-program leak file descriptors, this >> can be used to defeat string fortification. >> >> Since leaking file-descriptors is normally not that bad (normally, it >> cannot lead to anything worse than a DOS), programmers/security auditors >> might be less careful in ensuring that no fd leaks. >> >> It doesn't even have to be a true leak, image if e.g. the attacker >> controls python code that runs inside an interpreter that does some >> sandboxing. Then the attacker could do something like: >> >> with open("/dev/zero") as file1: >>     with open("/dev/zero") as file2: >>     ... >>         with open("/dev/zero") as file1023: >>             trigger_formatstring_bug_in_the_python_interpreter() >> >> to break out of the sandbox. >> >> I know I'm being a bit paranoid, but glibc is used *everywhere*. >> >> I think instead of "return 1;" we should do >> >> __libc_fatal ("*** too many open file descriptors ***\n"); >> >> instead. > > The same if also check for procfs support, meaning that if it is not accessible > the process will start to abort execution. Not sure about what kind of breakage > it would incur, but it should reasonable to abort on both cases since this is > done iff fortify is enabled. I'm worried that this would result in spurious reports and may discourage usage of fortification, something that we do distribution-wide right now. Sid