From: "Reece Dunn" <msclrhd@googlemail.com>
To: "Timo Sirainen" <tss@iki.fi>,
	"Linus Torvalds" <torvalds@linux-foundation.org>,
	git@vger.kernel.org
Subject: Re: Buffer overflows
Date: Thu, 30 Aug 2007 22:35:19 +0100
Message-ID: <3f4fd2640708301435s7067137cp5db6334af844158a@mail.gmail.com>
In-Reply-To: <7D84F3C7-129D-4197-AAF1-46298E5D0136@iki.fi>

On 30/08/2007, Timo Sirainen <tss@iki.fi> wrote:
> On 30.8.2007, at 23.46, Linus Torvalds wrote:
>
> > On Thu, 30 Aug 2007, Timo Sirainen wrote:
> >>
> >> Looks like nothing has happened since my last mail about this
> >> (http://marc.info/?l=git&m=117962988804430&w=2).
>
> > If you were to send in a patch that simply just fixed some random case
> > without introducing the other stuff in forms that nobody is used to,
> > people would probably react more.
>
> The problem is that the git code is full of these random cases. It's
> simply a huge job to even try to verify the correctness of it. Even
> if someone did that and fixed all the problems, tomorrow there would
> be new ones because no one bothers to even try to avoid them. So there
> really isn't any point in trying to make git secure until the coding
> style changes.

You don't want a manual check to do these kinds of checks. Not only is
it a huge job, you have the human factor: people make mistakes. This
is (in part) what the review process is for, but understanding how to
identify code that is safe from buffer overruns, integer overflows and
the like is a complex task. Also, it may work on 32-bit which has been
verified, but not on 64-bit.

It would be far better to specify the rules on how to detect these
issues into a static analysis tool and have that do the checking for
you. Therefore, it is possible to detect when new problems have been
added into the codebase. Does sparse support identifying these issues?

> The code should be easy to verify to be secure, and with some kind of
> a safe string API it's a lot easier than trying to figure out corner
> cases where strcpy() calls break.

Why is it easier? If you have a fixed-size buffer, why not use
strncpy, which is what a safe string API is essentially doing anyway?

In this case, detecting strcpy usage can be done via grep. This is
quick, simple and easy to repeat. Other things are more complicated,
which is where automated verification tools help.

- Reece
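The exchange above turns on whether a bounded copy such as strncpy is all a "safe string API" amounts to. The following is an added illustration, not code from this thread or from git: it shows a bounded copy helper (here called safe_copy, an assumed name) that always NUL-terminates and reports truncation, next to a check of what strncpy leaves behind when the source does not fit. The 8-byte buffer and the 10-character input are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Bounded copy that always NUL-terminates dst and tells the caller
 * whether the whole source fit. Returns true when nothing was cut off,
 * false when the copy was truncated (or dstsize is 0). Assumed helper,
 * not git's own API. */
bool safe_copy(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);

    if (dstsize == 0)
        return false;
    if (len >= dstsize) {
        /* Keep dstsize - 1 bytes and terminate explicitly. */
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1); /* includes the terminating NUL */
    return true;
}

/* Fills dst with a sentinel, runs strncpy, and reports whether a NUL
 * landed anywhere in the buffer. strncpy writes no terminator when
 * src has dstsize or more characters, so a later strlen/printf on dst
 * reads past the end. */
bool strncpy_terminates(char *dst, size_t dstsize, const char *src)
{
    memset(dst, 'X', dstsize);
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}

/* Constructed case: 10-character input, 8-byte destination.
 * Returns 1 when safe_copy both reported truncation and left dst
 * terminated with the expected prefix, 0 otherwise. */
int safe_copy_demo(void)
{
    char buf[8];
    bool fit = safe_copy(buf, sizeof buf, "0123456789");

    return (!fit && strcmp(buf, "0123456") == 0) ? 1 : 0;
}

/* Same constructed case through strncpy. Returns 1 if the buffer was
 * terminated, 0 if strncpy left it unterminated. */
int strncpy_demo(void)
{
    char buf[8];

    return strncpy_terminates(buf, sizeof buf, "0123456789") ? 1 : 0;
}

int main(void)
{
    printf("safe_copy: truncated and terminated = %d\n", safe_copy_demo());
    printf("strncpy:   terminated = %d\n", strncpy_demo());
    return 0;
}
```

The truncation return value is the part a bounded copy alone does not give a caller: code that silently truncates a path or ref name is not corrupting memory, but it is still operating on a different string than the one it was handed, and the caller needs a way to notice that.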


Thread overview: 26+ messages
2007-08-30 19:26 Buffer overflows Timo Sirainen
2007-08-30 20:26 ` Lukas Sandström
2007-08-30 20:46 ` Linus Torvalds
2007-08-30 21:08   ` Timo Sirainen
2007-08-30 21:35     ` Reece Dunn [this message]
2007-08-30 21:51       ` Timo Sirainen
2007-08-30 22:34         ` Reece Dunn
2007-08-31 10:52           ` Wincent Colaiuta
2007-08-31 12:48             ` Simon 'corecode' Schubert
2007-08-30 22:14       ` Junio C Hamano
2007-08-30 22:36         ` Pierre Habouzit
2007-08-30 22:41         ` Timo Sirainen
2007-09-02 13:42         ` Johan Herland
2007-09-02 15:11           ` Reece Dunn
2007-09-02 15:19             ` David Kastrup
2007-09-02 15:35               ` Reece Dunn
2007-09-03  0:19               ` Jakub Narebski
2007-09-03  0:31                 ` Junio C Hamano
2007-09-02 17:17           ` René Scharfe
2007-09-02 17:39             ` Lukas Sandström
2007-08-31  4:09     ` Linus Torvalds
2007-08-31  5:00       ` Timo Sirainen
2007-08-31  9:53         ` Andreas Ericsson
2007-08-31 10:06         ` Johannes Schindelin
2007-08-30 21:48 ` [PATCH] Temporary fix for stack smashing in mailinfo Alex Riesen
2007-08-30 22:53   ` Junio C Hamano