This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] Set behavior of sprintf-like functions with overlapping source and destination

From: Florian Weimer <fw at deneb dot enyo dot de>
To: Zack Weinberg <zackw at panix dot com>
Cc: Jonathan Nieder <jrnieder at gmail dot com>, Paul Eggert <eggert at cs dot ucla dot edu>, Siddhesh Poyarekar <siddhesh at gotplt dot org>, "Gabriel F. T. Gomes" <gabriel at inconstante dot eti dot br>, GNU C Library <libc-alpha at sourceware dot org>
Date: Thu, 27 Dec 2018 19:16:30 +0100
Subject: Re: [PATCH] Set behavior of sprintf-like functions with overlapping source and destination
References: <20181220215409.8971-1-gabriel@inconstante.eti.br> <fd68b440-14ce-dd14-fd80-20c80e097e20@cs.ucla.edu> <03d805a8-258c-cefa-4c8d-f4f1d577c3d5@gotplt.org> <9e180abb-7527-5759-0850-e23d0bb23f73@cs.ucla.edu> <20181226201950.GD11055@google.com> <87zhsruh0h.fsf@mid.deneb.enyo.de> <CAKCAbMhmH1-rdJmpqLmYDNm-6LMeqj8MZAxZrkfvsMVt0WaagQ@mail.gmail.com>

* Zack Weinberg:

>> The sprintf change clearly is in category (2).  However, there's a
>> mitigation circumstance: Distributions already build with
>> _FORTIFY_SOURCE (at least they try to), so they are largely exposed to
>> the new behavior.  So I'd expect that in this particular case, the
>> recompilation problem would largely affect unpackaged, in-house
>> software.  Maybe this makes the change more acceptable and could
>> actually justify introducing a symbol version in this case?
>
> It seems to me it's the other way around: distribution-packaged
> software is more likely to receive fixes for this type of problem than
> unpackaged in-house stuff is.

On common code paths, yes, but the same applies to in-house code.
What I tried to say is that the distribution fixes have already
happened due to the impact of -D_FORTIFY_SOURCE=2 by default and
hopefully have been upstreamed by now.  (This may have given us the
delay that Jonathan was suggesting.)  As a result, we wouldn't punish
free software over proprietary software in this case.  Sorry if I
didn't explain my line of reasoning clearly enough.

References:
- [PATCH] Set behavior of sprintf-like functions with overlapping source and destination
  - From: Gabriel F. T. Gomes
- Re: [PATCH] Set behavior of sprintf-like functions with overlapping source and destination
  - From: Paul Eggert
- Re: [PATCH] Set behavior of sprintf-like functions with overlapping source and destination
  - From: Siddhesh Poyarekar
- Re: [PATCH] Set behavior of sprintf-like functions with overlapping source and destination
  - From: Paul Eggert
- Re: [PATCH] Set behavior of sprintf-like functions with overlapping source and destination
  - From: Jonathan Nieder
- Re: [PATCH] Set behavior of sprintf-like functions with overlapping source and destination
  - From: Florian Weimer
- Re: [PATCH] Set behavior of sprintf-like functions with overlapping source and destination
  - From: Zack Weinberg

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]