patacongo edited a comment on pull request #1341:
URL: https://github.com/apache/incubator-nuttx/pull/1341#issuecomment-652127320


   It is an incorrect design to call C++ constructors or destructors from the OS in kernel mode (PROTECTED and KERNEL builds) or with interrupts disabled.  Calling the constructors/destructors introduces new problems similar to those discussed in Issue #1263 and which I am working toward fixing in PR #1328.
   
   Executing the constructors/destructors in kernel mode is a security violation.  Running the constructors/destructors with interrupts disabled is just wrong.  What if they need to wait for an event in a busy loop?  No user code should ever run with interrupts disabled.
   
   This change should not be done.  You should consider contributing to the correct fix that does not introduce additional problems of this nature.  I would recommend that this change not be merged as it is not correct.  It is expedient... but it is wrong.  That is forbidden in the INVIOLABLES.txt:
   
       The Enemies
       ===========
       
       No Short Cuts
       -------------
       
         o Doing things the easy way instead of the correct way.
         o Reducing effort at the expense of Quality, Portability, or
           Consistency.
         o Focus on the values of the organization, not the values of the Open
           Source project.  Need to support both.
         o It takes work to support the Inviolables.  There are no shortcuts.
   
   Let's do things right.
   
   There is also a bug already listed in the top-level TODO list (this is also Issue #1265):
   
      Title:       C++ CONSTRUCTORS HAVE TOO MANY PRIVILEGES (PROTECTED MODE)
      Description: When a C++ ELF module is loaded, its C++ constructors are called
                   via sched/task_starthook.c logic.  This logic runs in protected mode.
                   This is a security hole because the user code runs with kernel
                   privileges when the constructor executes.

                   Destructors likely have the opposite problem.  They probably try to
                   execute some kernel logic in user mode?  Obviously this needs to
                   be investigated further.
      Status:      Open
      Priority:    Low (unless you need to build a secure C++ system).
   
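The placement the comment argues for, as an added sketch that is not NuttX code and not the fix from PR #1328: constructors and destructors run in the task's own user-mode context, bracketing main(), never from a kernel-mode start hook. The `module_image` struct, the `g_privileged` flag and the `user_task_trampoline` name are hypothetical stand-ins for the loader's image description and the task's startup path.

```c
#include <stddef.h>
typedef void (*initializer_t)(void);

/* Constructed stand-in for an ELF image's .init_array, .fini_array and entry
 * point (hypothetical struct, not NuttX's loader structures). */
struct module_image
{
  const initializer_t *init_array; size_t ninit;
  const initializer_t *fini_array; size_t nfini;
  int (*entry)(int argc, char **argv);
};

int g_trace[8], g_ntrace;  /* what ran, in order: ctor ids > 0, main = 0, dtor ids < 0 */
static int g_privileged;   /* stand-in for "still executing in kernel mode" */

static void ctor_a(void) { g_trace[g_ntrace++] = 1; }
static void ctor_b(void) { g_trace[g_ntrace++] = 2; }
static void dtor_a(void) { g_trace[g_ntrace++] = -1; }
static void dtor_b(void) { g_trace[g_ntrace++] = -2; }
static int sample_main(int argc, char **argv)
{
  (void)argc; (void)argv; g_trace[g_ntrace++] = 0; return 7;
}

/* First code to run in the new task's own user-mode context: constructors,
 * then main(), then destructors in reverse order (how .fini_array is walked).
 * Refuses to proceed while privileged, because that would run module code with
 * kernel rights, which is exactly the hole the TODO entry describes. */
int user_task_trampoline(const struct module_image *m, int argc, char **argv)
{
  if (g_privileged)
    return -1;
  for (size_t i = 0; i < m->ninit; i++)
    m->init_array[i]();
  int rc = m->entry(argc, argv);
  for (size_t i = m->nfini; i-- > 0;)
    m->fini_array[i]();
  return rc;
}

/* Driver for the constructed sample: main()'s status, or -1 if privileged */
int run_sample(int privileged)
{
  static const initializer_t inits[] = { ctor_a, ctor_b };
  static const initializer_t finis[] = { dtor_a, dtor_b };
  const struct module_image m = { inits, 2, finis, 2, sample_main };
  g_ntrace = 0; g_privileged = privileged;
  return user_task_trampoline(&m, 0, NULL);
}
```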


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.