DragonFly BSD
DragonFly submit List (threaded) for 2005-02
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: Patch to execve


From: "Kevin M. Kilbride" <kmk@xxxxxxx>
Date: Mon, 28 Feb 2005 15:49:11 -0800

Joerg Sonnenberger wrote:

On Sun, Feb 27, 2005 at 03:45:39PM -0800, Kevin M. Kilbride wrote:


The documentation for the compiler actually points out the problem with the write-strings option:

"These warnings will help you find at compile time code that can try to write into a string constant, but only if you have been very careful about using const in declarations and prototype. Otherwise, it will just be a nuisance; this is why we did not make -Wall request these warnings."

It should be removed from WARNS=6.



No. Code has to understand that there is a difference between:
const char *
char *
char []



It is precisely that difference I am talking about, Joerg. This code is safe:


   void function(void) {
      char *x = "some string";
      potential_string_modifier(x);
   }

This code is not safe:

   void function(void) {
     char x[] = "some string";
     potential_string_modifier(x);
   }

In the first case, if the potential modifier attempts to write to the string, the program will die. As I pointed out previously, dead programs are always safe. In the second case, if the potential modifier attempts to write to the string, it will succeed---even if it overwrites the stack. It is exercises similar to this that permit stack overflow exploits. Moreover, passing truly-writable copies prevents you from later finding any calls that should not be modifying strings, but which actually do.

Keep in mind what ( char x[] = "some string"; ) is actually doing. It declares an automatically-sized array on the stack and then initializes it with a string literal. For whatever reason, the userland code I've looked at so far often declares string constants as automatic variables---but at least it does it with pointers to literals. Doing this as a pointer to a string literal can never open the door to safety issues. Doing it as an automatic initialization of an array on the stack, on the other hand, *may* open the door to potential safety issues. Kernel functions should never be a problem, since they are absolutely privileged and completely trusted; but if you start encouraging WARNS=6 compliance in general, then people will, ironically, be given a false sense of security by making their code warnings-free. Aside from which, even within their own applications, they will have a more difficult time finding bugs related to unintentional writing to should-be-constant strings. That is why -Wwrite-strings should be removed from WARNS=6.




[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]