From: Eli Zaretskii <eliz@gnu.org>
To: Andrew Burgess <aburgess@redhat.com>
Cc: gdb-patches@sourceware.org, siddhesh@redhat.com,
kevinb@redhat.com, simark@simark.ca, felix.willgerodt@intel.com,
paulkoning@comcast.net
Subject: Re: [RFC] Adding a SECURITY policy for GDB
Date: Sun, 04 Feb 2024 19:18:33 +0200 [thread overview]
Message-ID: <8634u82lna.fsf@gnu.org> (raw)
In-Reply-To: <877cjk5jo5.fsf@redhat.com> (message from Andrew Burgess on Sun, 04 Feb 2024 15:32:58 +0000)
> From: Andrew Burgess <aburgess@redhat.com>
> Cc: gdb-patches@sourceware.org, siddhesh@redhat.com, kevinb@redhat.com,
> simark@simark.ca, felix.willgerodt@intel.com, paulkoning@comcast.net
> Date: Sun, 04 Feb 2024 15:32:58 +0000
>
> >> Any bugs in GDB that result in execution of the program being
> >> debugged without a user issued GDB command triggering execution
> > ^^^^^^
> > "issuing"
> >
> >> (either from the GDB command line, a GDB configuration file, or from
> >> the GDB prompt) are considered security bugs.
> >
> > Is any execution of the program triggered by starting GDB considered
> > "a command issued by the user"? IOW, are we sure GDB will never cause
> > some program code to be executed just as result of the user saying
> >
> > $ gdb ./program
> >
> > ? The above text seems to assume that any such execution at startup
> > must be the result of some command-line argument or some configuration
> > file, but is that 110% certain, and are we sure this will _never_
> > change?
>
> Am I 110% certain? No. I'm never going to claim that level of
> certainty on a topic. But I am 99% certain.
>
> Am I sure this will _never change? No. But that's OK.
>
> This document is about writing down an agreed project position on this
> behaviour today.
>
> If tomorrow someone wants to propose a patch where 'gdb ./prog' would
> automatically run './prog' then they are welcome to do so. But part of
> that patch would require updating the SECURITY.txt document, and
> hopefully, by touching the SECURITY.txt document, this would trigger a
> conversation about whether we actually wanted to make that change.
>
> But that doesn't mean this document cannot be changed.
>
> FYI, right now, if someone did propose such a patch, I would be against
> it being merged due to the possible security implications.
What bothered me here is that when you say "gdb ./program", GDB can do
two things which constitute code execution:
. run some startup code in the program, for example, load some
shared libraries, which could trigger execution of some code in
those libraries, or
. process various init files, which could invoke code in
Python/Guile, or call functions inside the debuggee
The second item actually happens when you say "gdb ./emacs" in the src
directory of an Emacs source tree, because there's a .gdbinit file
that which can call functions inside the executable and/or run Python
code. Are these cases relevant to this part of the policy?
next prev parent reply other threads:[~2024-02-04 17:19 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-06 13:26 Andrew Burgess
2023-11-06 18:55 ` Kevin Buettner
2023-11-06 19:34 ` Simon Marchi
2023-11-06 20:09 ` Siddhesh Poyarekar
2023-11-06 20:15 ` Simon Marchi
2023-11-07 12:17 ` Siddhesh Poyarekar
2023-11-07 14:22 ` Simon Marchi
2023-11-09 14:35 ` Willgerodt, Felix
2023-11-16 17:19 ` Andrew Burgess
2023-11-16 17:27 ` Paul Koning
2023-11-16 21:35 ` Siddhesh Poyarekar
2023-12-08 15:05 ` Andrew Burgess
2023-12-09 10:55 ` Eli Zaretskii
2024-02-04 15:32 ` Andrew Burgess
2024-02-04 17:18 ` Eli Zaretskii [this message]
2024-02-04 17:43 ` Andreas Schwab
2024-02-04 18:56 ` Eli Zaretskii
2024-02-05 11:06 ` Andrew Burgess
2023-12-12 7:27 ` Willgerodt, Felix
2024-02-04 15:36 ` [V3] " Andrew Burgess
2024-02-18 13:55 ` Andrew Burgess
2024-03-27 11:00 ` [V4] " Andrew Burgess
2024-04-08 11:01 ` [V5] " Andrew Burgess
2024-04-09 20:30 ` Tom Tromey
2024-04-10 10:22 ` Willgerodt, Felix
2024-04-26 15:44 ` Andrew Burgess
2024-02-05 21:01 ` Tom Tromey
2024-02-09 15:59 ` Andrew Burgess
2024-02-12 16:43 ` Guinevere Larsen
2024-02-12 17:06 ` Siddhesh Poyarekar
2024-02-14 15:03 ` Andrew Burgess
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8634u82lna.fsf@gnu.org \
--to=eliz@gnu.org \
--cc=aburgess@redhat.com \
--cc=felix.willgerodt@intel.com \
--cc=gdb-patches@sourceware.org \
--cc=kevinb@redhat.com \
--cc=paulkoning@comcast.net \
--cc=siddhesh@redhat.com \
--cc=simark@simark.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox