From: Kostya Serebryany <kcc@google.com>
To: Yuri Gribov <tetra2005@gmail.com>
Cc: Florian Weimer <fw@deneb.enyo.de>,
Jakub Jelinek <jakub@redhat.com>,
Andrew Pinski <pinskia@gmail.com>,
Maxim Ostapenko <m.ostapenko@samsung.com>,
GNU C Library <libc-alpha@sourceware.org>
Subject: Re: [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify at the same time.
Date: Tue, 04 Oct 2016 00:53:00 -0000 [thread overview]
Message-ID: <CAN=P9piFwKNNK88BbEMMT6H8S1SndzuKqK4XJVHQVA-4A3MK=g@mail.gmail.com> (raw)
In-Reply-To: <CAJOtW+4zPuy3n7deKWGvtAs9PL1rmEua8GMG_3zW57GG6tZNSA@mail.gmail.com>
>> Why do you think this is very sad? This is not a misuse of fortify
>> but rather santizers not adapting to the changing environments and
>> handling how people are treating security issues now. Remember 10
>> years ago there was no such thing as fortification and security was
>> not treated as a first class citizen. Now Security is treated as a
>> first class and people are requiring security before anything else.
>> Well, -D_FORTIFY_SOURCE=2 has been used heavily already 10 years ago.
>> But I certainly don't find anything sad on the fact that many programs
>> are fortified, it is a good thing.
I am sad because the current state causes other security/testing
measures to silently fail.
Fortify is a security measure for corner cases, it does not protect
from 95% of bugs that asan/etc find,
but as we see it actively hurts asan.
An unrelated sadness is caused by popular user attitude, which I've
heard several times:
"I am using Fortify, an advertised security feature, so I am safe. "
(Admittedly, this is not related to the current discussion)
>> Why do you want to put this into sanitizer_common?
I don't! I pretty much hate this idea. But do I have any other choice?
>> It would make more sense to maintain this inside glibc, so that it can
>> be updated in sync with fortification development. We can keep an eye
>> on the ability to build the sources separately from glibc, to bridge
>> the time until this DSO is routinely shipped as part of glibc.
Yes, please.
More broadly, it would be nice if glibc had some process to test that
the sanitizers still work.
Since sanitizers are largely based on *assumptions* about how glibc
works and not on contracts,
glibc changes has broken *san a few times in the past.
My attempt (suggested by Jakub in some other discussion) to have such
a contract did not end with anything,
https://sourceware.org/glibc/wiki/ThreadPropertiesAPI, so I've never
made another attempt.
I may be asking too much here...
>> Because you really don't know what kind of information will each tool want
>> to know, and that can significantly differ between valgrind, [amt]san etc.
>> In sanitizer_common, you can come up with some macros that will serve the
>> needs of all the tools, and have each tool use those macros, other than
>> that, it is a trivial 3 liner wrapper for each fortification function
Disagree. all the sanitizers will want to be directed to the original functions.
Valgrind most likely too.
>> Frankly I'm not sure why an arbitrary dynamic tool would want to
>> handle fortified APIs differently from to their unfortified
>> counterparts. It's certainly not the case for sanitizers.
Yes.
>> Well, simple dynamic redirection of fortified APIs would be enough for
>> all sanitizer tools (ASan, MSan, TSan) and probably also Valgrind. I
>> suggested that it's common across majority of dynamic tools (which
>> would justify it's centralized implementation, be it in Glibc itself
Yes.
>> or outside) but this has been debated by Jakub above.
... and I frankly don't understand why.
--kcc
On Sun, Oct 2, 2016 at 7:02 AM, Yuri Gribov <tetra2005@gmail.com> wrote:
> On Sun, Oct 2, 2016 at 10:43 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
>> * Jakub Jelinek:
>>
>>> Because you really don't know what kind of information will each tool want
>>> to know, and that can significantly differ between valgrind, [amt]san etc.
>
> Frankly I'm not sure why an arbitrary dynamic tool would want to
> handle fortified APIs differently from to their unfortified
> counterparts. It's certainly not the case for sanitizers.
>
>>> In sanitizer_common, you can come up with some macros that will serve the
>>> needs of all the tools, and have each tool use those macros, other than
>>> that, it is a trivial 3 liner wrapper for each fortification function.
>>
>> Uh-oh, would you subject matter experts please come up with a
>> consistent opinion what is *actually* needed?
>>
>> Further up thread, in
>> <CAJOtW+7xjtx=DxEOSnaPfpU708RdUJYLRX8prv0bFW=x47+tmA@mail.gmail.com>,
>> Yuri Gribov said that the sanitizers will work fine despite the
>> additional indirection.
>>
>> If this is not actually true, then of course it does not make sense to
>> maintain the unfortify bits in glibc.
>
> Well, simple dynamic redirection of fortified APIs would be enough for
> all sanitizer tools (ASan, MSan, TSan) and probably also Valgrind. I
> suggested that it's common across majority of dynamic tools (which
> would justify it's centralized implementation, be it in Glibc itself
> or outside) but this has been debated by Jakub above.
>
> -Y
next prev parent reply other threads:[~2016-10-04 0:53 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-05 17:27 Maxim Ostapenko
2016-09-05 19:48 ` Andrew Pinski
2016-09-06 8:39 ` Florian Weimer
2016-09-06 8:58 ` Yuri Gribov
2016-09-06 9:13 ` Florian Weimer
2016-09-06 9:20 ` Yuri Gribov
2016-09-06 9:51 ` Florian Weimer
2016-09-09 22:35 ` Kostya Serebryany
[not found] ` <CAN=P9phe_OP+tU+nnDDPEeZCR77w2ddrSX+LtSnx2-42p9JgUg@mail.gmail.com>
2016-09-12 9:36 ` Florian Weimer
2016-09-06 9:16 ` Maxim Ostapenko
2016-09-06 9:44 ` Florian Weimer
2016-09-09 22:36 ` Kostya Serebryany
2016-09-12 9:31 ` Florian Weimer
2016-09-12 18:54 ` Kostya Serebryany
2016-09-17 9:00 ` Yuri Gribov
2016-09-29 8:08 ` Florian Weimer
2016-09-29 9:47 ` Yuri Gribov
2016-09-29 10:04 ` Jakub Jelinek
2016-09-29 10:32 ` Yuri Gribov
2016-09-29 10:44 ` Jakub Jelinek
2016-09-29 10:52 ` Andrew Pinski
2016-09-29 21:23 ` Kostya Serebryany
2016-10-01 21:38 ` Andrew Pinski
2016-10-01 21:50 ` Jakub Jelinek
2016-10-02 7:51 ` Florian Weimer
2016-10-02 9:40 ` Jakub Jelinek
2016-10-02 9:43 ` Florian Weimer
2016-10-02 14:02 ` Yuri Gribov
2016-10-04 0:53 ` Kostya Serebryany [this message]
2016-10-04 6:46 ` Jakub Jelinek
2016-10-04 12:15 ` fortification and valgrind/memcheck (Was: [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify@the same time) Mark Wielaard
2016-10-05 11:49 ` Florian Weimer
2016-10-05 12:02 ` Mark Wielaard
2016-10-05 14:27 ` [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify at the same time Florian Weimer
2016-10-05 15:46 ` Maxim Ostapenko
2016-10-05 16:01 ` Kostya Serebryany
2016-10-05 16:01 ` Maxim Ostapenko
2016-10-05 16:06 ` Zack Weinberg
2016-10-05 16:11 ` Kostya Serebryany
2016-10-05 16:46 ` Zack Weinberg
2016-10-05 17:58 ` Yuri Gribov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAN=P9piFwKNNK88BbEMMT6H8S1SndzuKqK4XJVHQVA-4A3MK=g@mail.gmail.com' \
--to=kcc@google.com \
--cc=fw@deneb.enyo.de \
--cc=jakub@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=m.ostapenko@samsung.com \
--cc=pinskia@gmail.com \
--cc=tetra2005@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).