From: Andrew Burgess <aburgess@redhat.com>
To: Eli Zaretskii <eliz@gnu.org>
Cc: gdb-patches@sourceware.org, siddhesh@redhat.com,
kevinb@redhat.com, simark@simark.ca, felix.willgerodt@intel.com,
paulkoning@comcast.net
Subject: Re: [RFC] Adding a SECURITY policy for GDB
Date: Mon, 05 Feb 2024 11:06:21 +0000 [thread overview]
Message-ID: <87v87341ci.fsf@redhat.com> (raw)
In-Reply-To: <8634u82lna.fsf@gnu.org>
Eli Zaretskii <eliz@gnu.org> writes:
>> From: Andrew Burgess <aburgess@redhat.com>
>> Cc: gdb-patches@sourceware.org, siddhesh@redhat.com, kevinb@redhat.com,
>> simark@simark.ca, felix.willgerodt@intel.com, paulkoning@comcast.net
>> Date: Sun, 04 Feb 2024 15:32:58 +0000
>>
>> >> Any bugs in GDB that result in execution of the program being
>> >> debugged without a user issued GDB command triggering execution
>> > ^^^^^^
>> > "issuing"
>> >
>> >> (either from the GDB command line, a GDB configuration file, or from
>> >> the GDB prompt) are considered security bugs.
>> >
>> > Is any execution of the program triggered by starting GDB considered
>> > "a command issued by the user"? IOW, are we sure GDB will never cause
>> > some program code to be executed just as result of the user saying
>> >
>> > $ gdb ./program
>> >
>> > ? The above text seems to assume that any such execution at startup
>> > must be the result of some command-line argument or some configuration
>> > file, but is that 110% certain, and are we sure this will _never_
>> > change?
>>
>> Am I 110% certain? No. I'm never going to claim that level of
>> certainty on a topic. But I am 99% certain.
>>
>> Am I sure this will _never change? No. But that's OK.
>>
>> This document is about writing down an agreed project position on this
>> behaviour today.
>>
>> If tomorrow someone wants to propose a patch where 'gdb ./prog' would
>> automatically run './prog' then they are welcome to do so. But part of
>> that patch would require updating the SECURITY.txt document, and
>> hopefully, by touching the SECURITY.txt document, this would trigger a
>> conversation about whether we actually wanted to make that change.
>>
>> But that doesn't mean this document cannot be changed.
>>
>> FYI, right now, if someone did propose such a patch, I would be against
>> it being merged due to the possible security implications.
>
> What bothered me here is that when you say "gdb ./program", GDB can do
> two things which constitute code execution:
>
> . run some startup code in the program, for example, load some
> shared libraries, which could trigger execution of some code in
> those libraries, or
In a pure GDB world I don't think this is correct. No inferior process
is created until some user command, from _somewhere_ tells GDB to start
a process. That might be from a `.gdbinit` file, but I have tried to
cover this case by referencing 'configuration files'.
No shared libraries will be loaded until the inferior process starts
running.
> . process various init files, which could invoke code in
> Python/Guile, or call functions inside the debuggee
>
> The second item actually happens when you say "gdb ./emacs" in the src
> directory of an Emacs source tree, because there's a .gdbinit file
> that which can call functions inside the executable and/or run Python
> code. Are these cases relevant to this part of the policy?
You are correct that loading a particular executable might auto-load a
configuration files, so maybe that needs to be specifically called out,
but I do consider this covered by my mention of 'configuration files'.
Without such a configuration files which starts the inferior then there
should be no inferior execution.
Maybe we do need to mention the auto-loading, and draw attention to the
auto-load safe-path stuff, I'll see if I can work something about this
in -- though I want to try and avoid being too specific, this isn't
intended as a "how too", but more a high level policy document, but I
think mentioning the idea of auto-loading, and that GDB will always make
such auto-loading "opt-in" rather than "opt-out" is certainly something
that the document should cover.
Thanks,
Andrew
next prev parent reply other threads:[~2024-02-05 11:06 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-06 13:26 Andrew Burgess
2023-11-06 18:55 ` Kevin Buettner
2023-11-06 19:34 ` Simon Marchi
2023-11-06 20:09 ` Siddhesh Poyarekar
2023-11-06 20:15 ` Simon Marchi
2023-11-07 12:17 ` Siddhesh Poyarekar
2023-11-07 14:22 ` Simon Marchi
2023-11-09 14:35 ` Willgerodt, Felix
2023-11-16 17:19 ` Andrew Burgess
2023-11-16 17:27 ` Paul Koning
2023-11-16 21:35 ` Siddhesh Poyarekar
2023-12-08 15:05 ` Andrew Burgess
2023-12-09 10:55 ` Eli Zaretskii
2024-02-04 15:32 ` Andrew Burgess
2024-02-04 17:18 ` Eli Zaretskii
2024-02-04 17:43 ` Andreas Schwab
2024-02-04 18:56 ` Eli Zaretskii
2024-02-05 11:06 ` Andrew Burgess [this message]
2023-12-12 7:27 ` Willgerodt, Felix
2024-02-04 15:36 ` [V3] " Andrew Burgess
2024-02-18 13:55 ` Andrew Burgess
2024-03-27 11:00 ` [V4] " Andrew Burgess
2024-04-08 11:01 ` [V5] " Andrew Burgess
2024-04-09 20:30 ` Tom Tromey
2024-04-10 10:22 ` Willgerodt, Felix
2024-04-26 15:44 ` Andrew Burgess
2024-02-05 21:01 ` Tom Tromey
2024-02-09 15:59 ` Andrew Burgess
2024-02-12 16:43 ` Guinevere Larsen
2024-02-12 17:06 ` Siddhesh Poyarekar
2024-02-14 15:03 ` Andrew Burgess
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87v87341ci.fsf@redhat.com \
--to=aburgess@redhat.com \
--cc=eliz@gnu.org \
--cc=felix.willgerodt@intel.com \
--cc=gdb-patches@sourceware.org \
--cc=kevinb@redhat.com \
--cc=paulkoning@comcast.net \
--cc=siddhesh@redhat.com \
--cc=simark@simark.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox