This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] Don't bind to registered ports in bindresvport

From: Carlos O'Donell <carlos_odonell at mentor dot com>
To: Roland McGrath <roland at hack dot frob dot com>
Cc: Petr Baudis <pasky at ucw dot cz>, Dan Nicholson <dbn dot lists at gmail dot com>,<libc-alpha at sourceware dot org>
Date: Wed, 6 Jun 2012 17:58:22 -0400
Subject: Re: [PATCH] Don't bind to registered ports in bindresvport
References: <20120531153241.GA21672@buster.dwcab.com> <CADZpyiyzShWCe1OgA0b+vZW6NQGT0Q9WUK4=jev5MRu7pUxKtQ@mail.gmail.com> <20120601200113.GA24584@buster.dwcab.com> <CADZpyizNLJkWKZKPhmb1GRZr33jsBR8wMkwE8EnN3nU8Mu_0cw@mail.gmail.com> <20120606004617.GD24309@machine.or.cz> <4FCFBB9D.5030407@mentor.com> <20120606205149.99DBD2C096@topped-with-meat.com>

On 6/6/2012 4:51 PM, Roland McGrath wrote:
>> Using alloca can create a security risk by putting the buffer in
>> in the same location every time relative to the stack pointer or
>> call sequence. While with malloc the allocation locations can be 
>> random.
> 
> This kind of rationale is a very generic one.  Throughout libc, we
> have decided that using alloca (or VLAs) is the appropriate thing to
> do because of the performance benefit despite this kind of concern.
> (It's also the case that for reasonably small sizes alloca can "never"
> fail--i.e. the only way it can fail is a stack-extending page fault
> that cannot be serviced, crashing the program--while using malloc
> requires handling the ENOMEM case explicitly.)  There is always a
> trade-off between performance and "hardening" and other such concerns.
> I think we should be more systematic about this than simply going with
> the preference of whoever happens to be writing or reviewing the code.
> 
> This particular case is one where the interface is not at all
> performance-sensitive (if it were, even considering having it call NSS
> modules and such things would be entirely out of the question--as it
> stands, I just think it's quite dubious, but others feel differently)
> and the API doesn't make it particularly difficult to fail gracefully
> for the ENOMEM case.  So that may be good reason to choose malloc over
> alloca here.  It's probably right that the decision should be made
> case-by-case considering these sorts of issues.  But I don't think the
> decision should ever be ad hoc like this.
> 
> The existing standard is that using alloca in libc is always fine,
> given appropriate use of the size-cutoff macros.  Before objecting to
> use of alloca is considered a valid reason to reject a libc change,
> we need to have a clear and systematic policy about how the decision
> is made.

You make a very good point.

First draft:
http://sourceware.org/glibc/wiki/Style_and_Conventions#Alloca_vs._Malloc

Cheers,
Carlos.
-- 
Carlos O'Donell
Mentor Graphics / CodeSourcery
carlos_odonell@mentor.com
carlos@codesourcery.com
+1 (613) 963 1026

Follow-Ups:
- Re: [PATCH] Don't bind to registered ports in bindresvport
  - From: Roland McGrath

References:
- Re: [PATCH] Don't bind to registered ports in bindresvport
  - From: Dan Nicholson
- Re: [PATCH] Don't bind to registered ports in bindresvport
  - From: Carlos O'Donell
- Re: [PATCH] Don't bind to registered ports in bindresvport
  - From: Petr Baudis
- Re: [PATCH] Don't bind to registered ports in bindresvport
  - From: Carlos O'Donell
- Re: [PATCH] Don't bind to registered ports in bindresvport
  - From: Roland McGrath

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]