From: Andreas Schwab
To: Siddhesh Poyarekar
Cc: libc-alpha@sourceware.org, Adhemerval Zanella, Carlos O'Donell, Florian Weimer, Jakub Jelinek, Martin Liška
Subject: Re: [RFC] _FORTIFY_SOURCE strictness
Date: Thu, 07 Apr 2022 12:16:10 +0200
Message-ID: <87ilrlryfp.fsf@igel.home>

On Apr 07 2022, Siddhesh Poyarekar wrote:

> The downside of this approach is the possibility that some applications
> don't fortify beyond level 2, insisting that their usage is safe enough.

The problem with this argument is that what is safe enough now may be unsafe later due to an unrelated change elsewhere, or an attacker injecting some unforeseen data. It is generally better to be safer in the first place, because aborting deep inside the call chain is a risk in itself, even if it prevented an acute undefined behaviour from doing bad side effects. By checking bounds early, better error recovery is possible in general.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
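The contrast Andreas draws above, as an added example that is not part of the thread or of glibc: a deep helper whose only protection is a fortify-style abort at the copy, beside a parser that validates the untrusted length at the trust boundary and returns an error the caller can act on. The wire format, the sample messages and every name (record_t, store_name, parse_record, try_parse) are constructed for this example.

```c
/* Added example, not from the thread: an early bounds check at the trust
   boundary versus a fortify-style abort deep in the call chain. All names
   (record_t, store_name, parse_record, try_parse) are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16
typedef struct { char name[NAME_MAX]; uint32_t id; } record_t;
enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_NAME_TOO_LONG = -2 };

/* Deep helper. Its contract "len < NAME_MAX" is the kind of "safe enough"
   assumption an unrelated change elsewhere can break. The check below stands
   in for what _FORTIFY_SOURCE does at the copy: detect and abort, no recovery. */
static void store_name(record_t *r, const char *src, size_t len)
{
    if (len >= sizeof r->name) abort();   /* fortify-style last resort */
    memcpy(r->name, src, len);
    r->name[len] = '\0';
}

/* Constructed wire format: [1-byte name length][name][4-byte LE id].
   Every untrusted length is validated here, before any copy, so the caller
   gets an error code and store_name()'s abort is never the first defence. */
static enum parse_status parse_record(const uint8_t *msg, size_t msglen,
                                      record_t *out)
{
    if (msglen < 1) return PARSE_TRUNCATED;
    size_t len = msg[0];
    if (msglen < 1 + len + 4) return PARSE_TRUNCATED;
    if (len >= sizeof out->name) return PARSE_NAME_TOO_LONG;  /* room for NUL */
    store_name(out, (const char *)msg + 1, len);
    const uint8_t *p = msg + 1 + len;
    out->id = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
              (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return PARSE_OK;
}

/* Parse into a scratch record; report the id through *id if non-NULL. */
static enum parse_status try_parse(const uint8_t *m, size_t n, uint32_t *id)
{
    record_t r = {{0}, 0};
    enum parse_status s = parse_record(m, n, &r);
    if (id) *id = r.id;
    return s;
}

/* Constructed inputs: valid; name exactly NAME_MAX (no room for NUL); truncated. */
static const uint8_t good_msg[] = { 5, 'a','l','i','c','e', 42, 0, 0, 0 };
static const uint8_t long_msg[] = { 16, 'x','x','x','x','x','x','x','x','x','x','x','x','x','x','x','x', 1, 0, 0, 0 };
static const uint8_t short_msg[] = { 5, 'a', 'l' };
```

The same three messages fed straight to store_name() would either succeed or abort the process; the early check turns the two bad cases into return codes.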