On Mon, 2023-08-14 at 09:26 -0400, Siddhesh Poyarekar wrote:
> Hi,
> 
> Here's the updated draft of the top part of the security policy with all 
> of the recommendations incorporated.
> 
> Thanks,
> Sid
> 
> 
> What is a GCC security bug?
> ===========================
> 
>      A security bug is one that threatens the security of a system or
>      network, or might compromise the security of data stored on it.
>      In the context of GCC there are multiple ways in which this might
>      happen and they're detailed below.
> 
> Compiler drivers, programs, libgccjit and support libraries
> -----------------------------------------------------------
> 
>      The compiler driver processes source code, invokes other programs
>      such as the assembler and linker and generates the output result,
>      which may be assembly code or machine code.  It is necessary that
>      all source code inputs to the compiler are trusted, since it is
>      impossible for the driver to validate input source code beyond
>      conformance to a programming language standard.
> 
>      The GCC JIT implementation, libgccjit, is intended to be plugged
>      into applications to translate input source code in the application
>      context.  Limitations that apply to the compiler
>      driver, apply here too in terms of sanitizing inputs, so it is
>      recommended that inputs are either sanitized by an external program
>      to allow only trusted, safe execution in the context of the
>      application or the JIT execution context is appropriately sandboxed
>      to contain the effects of any bugs in the JIT or its generated code
>      to the sandboxed environment.

I'd prefer to reword this, as libgccjit was a poor choice of name for
the library (sorry!), to make it clearer it can be used for both ahead-
of-time and just-in-time compilation, and that as used for compilation,
the host considerations apply, not just those of the generated target
code.

How about:

     The libgccjit library can, despite the name, be used both for
     ahead-of-time compilation and for just-in-time compilation.  In both
     cases it can be used to translate input representations (such as
     source code) in the application context; in the latter case the
     generated code is also run in the application context.
     Limitations that apply to the compiler driver, apply here too in
     terms of sanitizing inputs, so it is recommended that inputs are
     either sanitized by an external program to allow only trusted,
     safe compilation and execution in the context of the application,
     or that both the compilation *and* execution context of the code
     are appropriately sandboxed to contain the effects of any bugs in
     libgccjit, the application code using it, or its generated code to
     the sandboxed environment.

...or similar.

[...snip...]

Thanks
Dave
