On 07/24/2018 01:59 AM, Bernd Edlinger wrote:
Hi!

This patch makes strlen range computations more conservative.

Firstly, if there is a visible type cast from type A to B before passing
the value to strlen, don't expect the type layout of B to restrict the
possible return value range of strlen.

Furthermore, use the outermost enclosing array instead of the
innermost one, because too aggressive optimization will likely
convert harmless errors into security-relevant errors, because,
as the existing test cases demonstrate, this optimization is actively
attacking string length checks in user code, while not giving
any warnings.

I strongly object to this change.

As you know, I am actively working in this area -- I asked you
to hold off on submitting patches for it until the review of
bug 86532 has completed.  It's not just unhelpful but
disrespectful of you to ignore my request and to try to make
changes you know I will likely have a strong opinion on in
spite of it, and without as much as involving me in the proposal.

As the author of this code and of many security improvements
in GCC I also find your characterization above of "actively
attacking" user code insulting.  If security is your main
concern then helping detect the invalid code you are trying
to accommodate with this change would be the right thing to
do.  One of the reasons for the tight bound is to build
a better foundation for the detection of buffer overflow
in string functions.  Relaxing the bound could make
the detection more difficult.

So again, I strongly object to both this change and to your
conduct.

Martin