From: Richard Earnshaw via Gdb
Reply-To: Richard Earnshaw
To: Siddhesh Poyarekar, Nick Clifton, Binutils
Cc: "gdb@sourceware.org"
Date: Fri, 14 Apr 2023 10:52:18 +0100
Subject: Re: RFC: Adding a SECURITY.md document to the Binutils
In-Reply-To: <613a6e55-846c-9f1f-cfd0-046b52487ae3@gotplt.org>
List-Id: Gdb mailing list

On 13/04/2023 17:42, Siddhesh Poyarekar wrote:
> On 2023-04-13 11:05, Richard Earnshaw wrote:
>> On 13/04/2023 16:02, Siddhesh Poyarekar wrote:
>>> On 2023-04-13 10:50, Richard Earnshaw wrote:
>>>> No,
>>>> whilst elf can be executed, objdump should never be doing that:
>>>> it's a tool for examining a file, not running it.  You have to have
>>>> a tool that can safely examine the contents of an elf file or you
>>>> can never verify it for issues - opening it up in emacs to examine
>>>> the contents is not the way to do that :)
>>>
>>> You can verify it for issues, in a sandbox.
>>
>> Maybe.  But not always, it might not crash the program, but still lead
>> to issues once taken outside of the sandbox.
>
> You don't analyze untrusted data outside of a sandbox.  Really, it's
> security 101.

I think your definition of trusted and untrusted must vary from mine.
And I think your expectations on users are somewhat unreasonable.

In my book any binary object obtained from the internet is /potentially/
untrusted.  That includes any object file that is downloaded from, say,
a Red Hat server in an RPM package (even if it's been signed).

Are you seriously suggesting that every user should deal with every file
as though it was completely untrustworthy?

>
>>>> But all that is beside the point.  The original case I gave was a
>>>> /corrupt/ elf file that caused a buffer overrun in the objdump binary.
>>>
>>> ... and that's a robustness issue.  Any buffer overrun in any program
>>> could in theory be exploited to send out files.
>>>
>>
>> So what's your point?  These /are/ vulnerabilities in the program and
>> need to be considered security issues.
>
> I already made my point; I agree that they are security issues but the
> security mitigation mechanism is in the environment, not the program.  I
> do not think it is in the interest of the binutils project to guarantee
> safety in analysis of untrusted programs without requisite protections
> of the environment.
>
> Sid

Any buffer overflow where the data used to do the overflow comes from an
object file is a potential breach, unless the program can detect this
and make a controlled abort before any possible break-out can occur.

The key here is defence in depth.  It's not enough to say that
everything must be done in a sandbox, even if that is advisable.

R.
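
The "detect this and make a controlled abort" point above, as an added example that is not part of the original message and is not binutils code: a reader for ELF64 little-endian section data that validates every file-supplied offset and size before copying. The function names `copy_section` and `make_sample` are hypothetical, the sample image is constructed, and extended section numbering is not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read an n-byte little-endian field without assuming alignment. */
static uint64_t rd(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* True when [off, off+len) lies inside size bytes; off+len cannot wrap. */
static int in_file(uint64_t off, uint64_t len, uint64_t size) {
    return off <= size && len <= size - off;
}

/* Copy section idx of an ELF64 LE image into dst; -1 = controlled failure. */
long copy_section(const uint8_t *img, size_t size, unsigned idx,
                  uint8_t *dst, size_t dst_cap) {
    if (size < 64 || memcmp(img, "\177ELF\2\1", 6) != 0) return -1;
    uint64_t shoff = rd(img + 0x28, 8);   /* e_shoff */
    uint64_t entsz = rd(img + 0x3A, 2);   /* e_shentsize */
    uint64_t shnum = rd(img + 0x3C, 2);   /* e_shnum */
    if (entsz != 64 || idx >= shnum) return -1;
    if (!in_file(shoff, shnum * entsz, size)) return -1; /* table in file? */
    const uint8_t *sh = img + shoff + idx * entsz;
    if (rd(sh + 4, 4) == 8) return 0;     /* SHT_NOBITS: no file data */
    uint64_t off = rd(sh + 0x18, 8);      /* sh_offset */
    uint64_t len = rd(sh + 0x20, 8);      /* sh_size */
    if (!in_file(off, len, size) || len > dst_cap) return -1; /* no overrun */
    memcpy(dst, img + off, (size_t)len);
    return (long)len;
}

/* Constructed sample: ELF header, section header at 64, 4 data bytes at 128. */
size_t make_sample(uint8_t *img, uint64_t sh_size) {
    memset(img, 0, 132);
    memcpy(img, "\177ELF\2\1", 6);
    img[0x28] = 64; img[0x3A] = 64; img[0x3C] = 1;
    img[64 + 4] = 1; img[64 + 0x18] = 128;  /* SHT_PROGBITS, sh_offset */
    for (int i = 0; i < 8; i++) img[64 + 0x20 + i] = (uint8_t)(sh_size >> (8 * i));
    memcpy(img + 128, "DATA", 4);
    return 132;
}

int main(void) {
    uint8_t img[132], dst[8];
    return copy_section(img, make_sample(img, 4), 0, dst, sizeof dst) == 4 ? 0 : 1;
}
```

A corrupt `sh_size` of 0xFFFFFFFFFFFFFFF0 would pass a naive `off + len <= size` test because the sum wraps to 112; the subtraction form in `in_file` rejects it.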