Bug#563637: improvements from Ubuntu to handle compiler hardening better

To: Aurelien Jarno <aurelien@aurel32.net>
Cc: 563637@bugs.debian.org
Subject: Bug#563637: improvements from Ubuntu to handle compiler hardening better
From: Kees Cook <kees@debian.org>
Date: Thu, 11 Feb 2010 11:37:10 -0800
Message-id: <20100211193710.GK18073@outflux.net>
Reply-to: Kees Cook <kees@debian.org>, 563637@bugs.debian.org
In-reply-to: <20100207131308.GA20616@volta.aurel32.net>
References: <20100104092033.GI16532@outflux.net> <20100207131308.GA20616@volta.aurel32.net>

Hi Aurelien,

On Sun, Feb 07, 2010 at 02:13:08PM +0100, Aurelien Jarno wrote:
> > I would like to include the following patches that Ubuntu has carried for
> > several releases now.  (Note that submitted-leading-zero-stack-guard.diff
> > will need to be adjusted slightly if stack-guard-quick-randomization.diff
> > is not applied.)
> 
> I have applied the two stack protection patches in the Debian package,
> but not the two other ones. See my comments below.

Excellent, thanks!

> > no-sprintf-pre-truncate.diff
> >     The sprintf function used when -D_FORTIFY_SOURCE=2 is used incorrectly
> >     pre-truncates the destination buffer; this changes the long-standing
> >     expectation of sprintf(foo,"%sbaz",foo) to work.  See the patch for
> >     further discussion.
> 
> As explained in the bug report, this code is not valid anyway. If we
> want people to fix their code, we should not workaround the issue. Also
> I am not able to evaluate the impact on the fix, and don't know if it
> may introduce a security bug.

Right, it's incorrect, but around 200 packages[1] use it and expect the
prior behavior.  I don't feel there is a security issue here, but I can
respect not wanting to change it.  200 is a pretty small number of
packages compared to the overall size of the archive.

Perhaps I can re-scan the archive and actually do the mass bug filing.

> > local-fwrite-no-attr-unused.diff
> >     Again, patch contains discussion, but basically, this disables a
> >     useless and noisy warning that -D_FORTIFY_SOURCE=2 triggers.
> 
> I think people should either not use -D_FORTIFY_SOURCE=2 or fix their
> code. This is a warning anyway. I agree an error can happens up to the
> fclose() call, but it's not an excuse to not check possible errors at
> the fwrite() level. The real bug is actually that fclose() is not marked
> __wur, and that's probably what has to be fixed.

Yeah, I would tend to agree.  The main glitch was that there is no
compiler option to turn off the warning.  :(

Thanks for reviewing the patches!

-Kees

[1] http://lists.debian.org/debian-devel/2008/12/msg01079.html

-- 
Kees Cook                                            @debian.org

Reply to:

References:
- Bug#563637: improvements from Ubuntu to handle compiler hardening better
  - From: Aurelien Jarno <aurelien@aurel32.net>

Prev by Date: r4191 - glibc-package/branches/eglibc-2.11/debian
Next by Date: Bug#569517: libc6-dev: sys/stat.h should provide S_ISSOCK with sufficiently recent _POSIX_C_SOURCE
Previous by thread: Bug#563637: improvements from Ubuntu to handle compiler hardening better
Next by thread: Bug#555168: Bug #555168: considering the pseudo-licences in locale files as "non-free"?
Index(es):
- Date
- Thread