Re: [RFC] Adding a SECURITY policy for GDB

[Tom Tromey <tom@tromey.com>]

>>>>> "Andrew" == Andrew Burgess <aburgess@redhat.com> writes:

Andrew> Apologies for taking so long to get a second version of this document
Andrew> prepared.  I've been through several iterations of this text since I
Andrew> last posted trying to get something semi-reasonable... It would be great
Andrew> to get your feedback on this new text.

Thank you for doing this.

Andrew>     So, instead, I've just given up on that.  I think Simon, Paul, and
Andrew>     Felix should find (at least this part of) the new text satisfactory;
Andrew>     loading a binary, but not executing it, should be safe to do, and if
Andrew>     that's not the case, then this is a security issue.

I think this is what users expect, but I don't think this is at all in
line with what we can promise.  We couldn't get consensus to deprecate
the stabs reader last year, but at the same time, nobody works on the
existing fuzzer bugs that have been reported against it (or was it
mdebugread?) ... the point being that there's a lot of
dead-but-vulnerable code.

For the DWARF reader, this safety might be attainable, though given the
large number of DWARF scenarios, I am skeptical.  In any case, this
promise definitely doesn't describe the situation *today*, where nobody
has seriously tried fuzzing, or even really looking through the more
obvious possible buffer overruns.

To be clear, I'm not at all opposed to someone fixing fuzzer bugs.  It's
clear to me that it ought to be done, even if it comes at some cost.

Perhaps this is covered by the section recommending sandboxing.

Andrew> One last thing, while writing this, I did wonder if this text would be
Andrew> better moved into the GDB manual, and the gdb/SECURITY.txt document
Andrew> should just say "See the GDB manual", but I figure that's a problem for
Andrew> future me, for now I just need to find some words we can all agree on.

I think this would be good.

Tom