From: Siddhesh Poyarekar
Subject: Security implications of debugging features
To: libc-alpha@sourceware.org
Cc: Florian Weimer
Date: Mon, 12 Jul 2021 15:31:00 +0530
Message-ID: <4d9d675f-cffa-4a5f-0af2-3be56532ce67@gotplt.org>

Hi,

It occurred to me that our security exceptions are silent on our policy with debugging features. This was specifically in the context of mcheck but I think it extends to other debugging features too.

mcheck is technically a supported glibc feature and may have been used in code bases for a while. However, given the lack of mcheck bugs (and boy is it buggy!), the latter seems to be not as common.

Given that debugging features must not be enabled in production, should we add the following exception for our security process? I've kept the wording generic to cover any debugging features (source based or otherwise) that I may have missed or we end up adding in future.

~~~~~~~~~~
Debugging features

glibc comes with a number of debugging features that allow developers to isolate root causes of problems. Bugs in debugging features that are enabled by explicitly compiling applications or glibc to use them are not considered security vulnerabilities and will be treated as regular bugs. Examples of such features are mcheck and mtrace, which allow debugging and tracing of glibc malloc functions.

Bugs in debugging features that are enabled by exporting an environment variable in the environment of a program may for now be considered security issues in a local context.
~~~~~~~~~~

Siddhesh