From: Siddhesh Poyarekar
To: Vincent Lefevre, libc-alpha@sourceware.org
Date: Mon, 20 Mar 2023 12:56:34 -0400
Subject: Re: UB status of snprintf on invalid ptr+size combination?
In-Reply-To: <20230320135044.GB203866@cventin.lip.ens-lyon.fr>

On 2023-03-20 09:50, Vincent Lefevre wrote:
> On 2023-03-20 08:05:32 -0400, Siddhesh Poyarekar wrote:
>> I think on the glibc front it makes sense from a security
>> perspective to interpret this through POSIX rather than the C standard.
>> Even if the C standard is clarified to be contrary to POSIX and
>> explicitly state that n is not the size of the buffer (which would
>> be a terrible mistake IMO), I'd lean towards violating the C
>> standard and conforming to POSIX instead.
>
> I disagree about the POSIX behavior (assuming it is intentional).

Why do you think it may be unintentional? The POSIX wording seems pretty deliberate and clear to me. The C standard wording, on the other hand, leaves things to the imagination, which is why we're having this discussion.

> With it, if the compiler detects that n is larger than the actual
> buffer size, then due to undefined behavior, the compiler could
> assume that this is dead code and introduce erratic behavior in
> code written with the C standard in mind (or when it was introduced
> in BSD).

In fact, with _FORTIFY_SOURCE, if the runtime detects that n is larger than the actual buffer size, the code will abort, see pr28989[1]. But that's a runtime feature, nothing to do with gcc. gcc at the moment doesn't have any such check AFAICT, but if it does, I reckon that's a discussion to be had on the gcc mailing list.

Sid

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=28989
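To make the distinction in the exchange concrete, here is an added C example (my own illustration, not glibc's fortify code and not part of the thread) that models the runtime check the message describes: the wrapper receives both the snprintf limit n and the real size of the destination object and refuses the call when n exceeds it, instead of aborting as the fortified glibc call would. The names checked_snprintf, CHECKED_SNPRINTF and the SNP_* codes are assumptions made up for this illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative result codes (assumed names, not glibc's API). */
enum { SNP_OK = 0, SNP_TRUNCATED = 1, SNP_BAD_SIZE = -1 };

/*
 * Model of the _FORTIFY_SOURCE check discussed in the thread.  glibc's
 * fortified snprintf gets the destination object size from the compiler;
 * here it is an explicit parameter so the check is visible.  Under the
 * POSIX reading n is the buffer size, so n > dst_objsz is a caller bug:
 * the wrapper returns SNP_BAD_SIZE without writing anything (fortify
 * would abort at this point).  Otherwise it forwards to vsnprintf and
 * reports whether the output was truncated; *needed receives the length
 * the full output would have had.
 */
static int checked_snprintf(char *dst, size_t n, size_t dst_objsz,
                            size_t *needed, const char *fmt, ...)
{
    if (n > dst_objsz)
        return SNP_BAD_SIZE;      /* n larger than the real buffer */

    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(dst, n, fmt, ap);   /* n bounds the write */
    va_end(ap);
    if (len < 0)
        return SNP_BAD_SIZE;      /* encoding error from vsnprintf */

    if (needed)
        *needed = (size_t)len;
    /* vsnprintf always NUL-terminates when n > 0; len >= n means cut. */
    return (size_t)len >= n ? SNP_TRUNCATED : SNP_OK;
}

/*
 * Automatic variant in the spirit of fortify: the object size comes from
 * __builtin_object_size.  (size_t)-1 means "unknown", and then the size
 * comparison above can never fire, so the check silently degrades to a
 * plain snprintf; like _FORTIFY_SOURCE this is only effective when the
 * compiler can track the object (normally at -O1 or higher).
 */
#if defined(__GNUC__)
#define CHECKED_SNPRINTF(dst, n, needed, ...) \
    checked_snprintf((dst), (n), __builtin_object_size((dst), 0), \
                     (needed), __VA_ARGS__)
#endif
```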