This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: FD_SET and FORTIFY_SOURCE
- From: Rich Felker <dalias at aerifal dot cx>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: libc-alpha at sourceware dot org
- Date: Thu, 28 Feb 2013 08:41:39 -0500
- Subject: Re: FD_SET and FORTIFY_SOURCE
- References: <512F0CC6.8080302@redhat.com>
On Thu, Feb 28, 2013 at 08:52:38AM +0100, Florian Weimer wrote:
> I thought we did bounds checking for FD_SET in FORTIFY_SOURCE mode.
> But it seems we don't. Would this be reasonable to add?
>
> (The advantages are rather minor because it's not immediately
> obvious how these out-of-bound writes could be exploited for code
> execution, considering that the index is not under full control by
> the attacker. So all that FORTIFY_SOURCE does is that it turns a
> potential crash into a definite crash.)
The problem is that a large amount of otherwise-correct software uses
malloc and out-of-bounds FD_SET arguments to work with sets larger
than FD_SETSIZE. I have written on the issue before that the "correct"
way to do this is to allocate an array of fd_set objects and use / and %
to address the bit rather than passing an out-of-bounds argument to
FD_SET (which invokes UB), but some important software like libevent
(if I remember correctly) remains wrong in this regard.
So, any such change needs to consider this issue. Personally, I'm
still not opposed to it; I think it would get these broken programs to
fix the way they're doing things if they got bug reports that say "X
breaks with _FORTIFY_SOURCE because it's invoking UB". But others
might want to be more conservative.
Rich
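The approach Rich describes above (an array of fd_set objects addressed with / and % so that FD_SET never receives an out-of-range index), written out as an added C example that is not part of this thread, of glibc or of libevent; `big_fdset` and its helpers are hypothetical names:

```c
#include <stdlib.h>
#include <sys/select.h>

/* Descriptor set that may hold fds >= FD_SETSIZE: an array of fd_set objects,
   so FD_SET/FD_ISSET always get an in-range index (hypothetical helper names). */
struct big_fdset {
    fd_set *sets;   /* sets[fd / FD_SETSIZE] holds bit fd % FD_SETSIZE */
    size_t nsets;
};

/* Allocate and clear enough fd_set objects to cover descriptors 0..maxfd. */
static int big_fdset_init(struct big_fdset *b, int maxfd)
{
    b->nsets = maxfd < 0 ? 0 : (size_t)maxfd / FD_SETSIZE + 1;
    b->sets = malloc(b->nsets * sizeof *b->sets);
    if (!b->sets)
        return -1;
    for (size_t i = 0; i < b->nsets; i++)
        FD_ZERO(&b->sets[i]);
    return 0;
}

/* Refuse (return -1) instead of writing out of bounds when fd has no slot. */
static int big_fdset_set(struct big_fdset *b, int fd)
{
    if (fd < 0 || (size_t)fd / FD_SETSIZE >= b->nsets)
        return -1;
    FD_SET(fd % FD_SETSIZE, &b->sets[fd / FD_SETSIZE]);
    return 0;
}

static int big_fdset_isset(struct big_fdset *b, int fd)
{
    return fd >= 0 && (size_t)fd / FD_SETSIZE < b->nsets
        && FD_ISSET(fd % FD_SETSIZE, &b->sets[fd / FD_SETSIZE]);
}

/* Exercise a descriptor beyond FD_SETSIZE; returns 1 on success, 0 on failure. */
static int big_fdset_selftest(void)
{
    struct big_fdset b;
    int fd = FD_SETSIZE + 5, ok;
    if (big_fdset_init(&b, fd) != 0)
        return 0;
    ok = b.nsets == 2 && big_fdset_set(&b, fd) == 0 && big_fdset_isset(&b, fd)
      && !big_fdset_isset(&b, 5)                  /* same bit, other fd_set */
      && big_fdset_set(&b, 2 * FD_SETSIZE) == -1; /* refused, not UB */
    free(b.sets);
    return ok;
}
```

Because every FD_SET call here uses an index below FD_SETSIZE, the code behaves the same with or without the `_FORTIFY_SOURCE` bounds check; a program that instead passes `fd` straight to FD_SET on a single fd_set is the case that check would abort.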