From: Tom Tromey
To: Andrew Burgess
Cc: gdb-patches@sourceware.org, Siddhesh Poyarekar, Kevin Buettner, Simon Marchi, felix.willgerodt@intel.com, Paul Koning
Subject: Re: [RFC] Adding a SECURITY policy for GDB
Date: Mon, 05 Feb 2024 14:01:56 -0700
Message-ID: <87msseeibf.fsf@tromey.com>
In-Reply-To: <87wmtog2f4.fsf@redhat.com> (Andrew Burgess's message of "Fri, 08 Dec 2023 15:05:35 +0000")
References: <877cmvui64.fsf@redhat.com> <87wmtog2f4.fsf@redhat.com>

>>>>> "Andrew" == Andrew Burgess writes:

Andrew> Apologies for taking so long to get a second version of this document
Andrew> prepared. I've been through several iterations of this text since I
Andrew> last posted trying to get something semi-reasonable... It would be great
Andrew> to get your feedback on this new text.

Thank you for doing this.

Andrew> So, instead, I've just given up on that. I think Simon, Paul, and
Andrew> Felix should find (at least this part of) the new text satisfactory;
Andrew> loading a binary, but not executing it, should be safe to do, and if
Andrew> that's not the case, then this is a security issue.

I think this is what users expect, but I don't think this is at all in
line with what we can promise.

We couldn't get consensus to deprecate the stabs reader last year, but
at the same time, nobody works on the existing fuzzer bugs that have
been reported against it (or was it mdebugread?) ... the point being
that there's a lot of dead-but-vulnerable code.

For the DWARF reader, this safety might be attainable, though given the
large number of DWARF scenarios, I am skeptical.

In any case, this promise definitely doesn't describe the situation
*today*, where nobody has seriously tried fuzzing, or even really
looking through the more obvious possible buffer overruns.

To be clear, I'm not at all opposed to someone fixing fuzzer bugs. It's
clear to me that it ought to be done, even if it comes at some cost.

Perhaps this is covered by the section recommending sandboxing.

Andrew> One last thing, while writing this, I did wonder if this text would be
Andrew> better moved into the GDB manual, and the gdb/SECURITY.txt document
Andrew> should just say "See the GDB manual", but I figure that's a problem for
Andrew> future me, for now I just need to find some words we can all agree on.

I think this would be good.

Tom