From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/9960 Path: news.gmane.org!not-for-mail From: Alexander Monakov Newsgroups: gmane.linux.lib.musl.general Subject: Re: Removing stupid, spurious UB in stdio (bikeshed time) Date: Wed, 27 Apr 2016 21:39:28 +0300 (MSK) Message-ID: References: <20160426221815.GA24105@brightrain.aerifal.cx> <20160427181745.GT21636@brightrain.aerifal.cx> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Trace: ger.gmane.org 1461782387 28060 80.91.229.3 (27 Apr 2016 18:39:47 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Wed, 27 Apr 2016 18:39:47 +0000 (UTC) To: musl@lists.openwall.com Original-X-From: musl-return-9973-gllmg-musl=m.gmane.org@lists.openwall.com Wed Apr 27 20:39:46 2016 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1avUNC-0002wZ-4S for gllmg-musl@m.gmane.org; Wed, 27 Apr 2016 20:39:42 +0200 Original-Received: (qmail 17471 invoked by uid 550); 27 Apr 2016 18:39:40 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Original-Received: (qmail 17450 invoked from network); 27 Apr 2016 18:39:39 -0000 In-Reply-To: <20160427181745.GT21636@brightrain.aerifal.cx> User-Agent: Alpine 2.20 (LNX 67 2015-01-07) Xref: news.gmane.org gmane.linux.lib.musl.general:9960 Archived-At: On Wed, 27 Apr 2016, Rich Felker wrote: > > > I think a good place to start might be coming up with and documenting a > > > clear model for how stdio's buffer internals are supposed to work, what > > > operations are allowed, what invariants hold, etc. based on the above > > > analysis of current UB issues and what the code is doing. > > > > would be nice to have; you recently noted that setvbuf has restrictions, > > and if there are other non-obvious stuff (especially if musl-specific), > > having it written down should be useful. > > Are you talking about the C-standard-imposed restriction that you can > only use setvbuf as the first operation on a new FILE? Or something > else I said that I'm not remembering? I had in mind your "Non-stub setvbuf" post; "restrictions" was a poor choice of wording on my part, I guess: [ quoting from http://www.openwall.com/lists/musl/2016/01/17/1 ] > Right now, musl's stdio setvbuf function does nothing but set the > buffering mode; it does not honor the buffer provided by the caller. > This is perfectly conforming (whether or how the buffer is used is > unspecified), but I realized from the recent thread about OpenSSH's > CVE-2016-0777 on oss-security that a non-stub setvbuf admits a nice > type of hardening: > > http://www.openwall.com/lists/oss-security/2016/01/15/15 > > In short, the application has no way to scrub implementation-internal > stdio buffers that might contain sensitive data read from or written > to files, but it can scrub buffers it provides via setvbuf. So, I'd > like to start actually using the latter, so that apps that attempt > this hardening measure can benefit from it on musl like they would on > other implementations. Alexander