From: Siddhesh Poyarekar
To: Florian Weimer
Subject: Re: Security implications of debugging features
Date: Mon, 12 Jul 2021 15:58:45 +0530
Cc: libc-alpha@sourceware.org

On 7/12/21 3:46 PM, Florian Weimer wrote:
> * Siddhesh Poyarekar:
>
>> On 7/12/21 3:33 PM, Florian Weimer wrote:
>>>> ~~~~~~~~~~
>>>> Debugging features
>>>>
>>>> glibc comes with a number of debugging features that allow developers
>>>> to isolate root causes of problems.  Bugs in debugging features that
>>>> are enabled by explicitly compiling applications or glibc to use them
>>>> are not considered security vulnerabilities and will be treated as
>>>> regular bugs.  Examples of such features are mcheck and mtrace, which
>>>> allow debugging and tracing of glibc malloc functions.
>>>>
>>>> Bugs in debugging features that are enabled by exporting an
>>>> environment variable in the environment of a program may for now be
>>>> considered security issues in a local context.
>>>> ~~~~~~~~~~
>>> I don't understand the second paragraph.
>>
>> What I intend to convey is that bugs in debugging features won't be
>> considered remotely exploitable.
>
> I think it's not remote vs local.  It's about whether a trust boundary
> is crossed.  This happens only for AT_SECURE invocations.
>
>>> I think we need to talk about AT_SECURE (SUID) mode in this context.
>>
>> Could you elaborate on what you'd like mentioned?  Would you like a
>> note that the dynamic linker wipes out debugging options when running
>> setuid binaries?  It seems like a security claim (there could well be
>> a bug in there that negates it) and hence not suitable for this text.
>
> Those are debugging features, too, and we will treat them as security
> bugs.  So the exception should not cover them.

OK, then how about just the first paragraph for now?  I was trying to
write for a future where we have a way to, say, administratively disable
the debugging features but I guess we could add that in later.

~~~~~~~~~~
Debugging features

glibc comes with a number of debugging features that allow developers
to isolate root causes of problems.  Bugs in debugging features that
are enabled by explicitly compiling applications or glibc to use them
are not considered security vulnerabilities and will be treated as
regular bugs.  Examples of such features are mcheck and mtrace, which
allow debugging and tracing of glibc malloc functions.
~~~~~~~~~~
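
The AT_SECURE trust boundary raised in the thread above is visible to a process through the auxiliary vector. The following C program is an added example, not part of the original message and not glibc's own code: it gates an environment-enabled debugging feature on AT_SECURE. The variable name `EXAMPLE_TRACE_FILE` and the helper names are hypothetical.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

/* Hypothetical variable name, constructed for this example. */
#define TRACE_ENV "EXAMPLE_TRACE_FILE"

/* Nonzero when the kernel flagged this exec as crossing a trust boundary
   (setuid/setgid binary, file capabilities, or an LSM decision). */
int at_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Policy kept separate from the AT_SECURE lookup so both branches can be
   exercised: with secure != 0 the environment is untrusted caller input. */
const char *trace_path_for(int secure)
{
    if (secure)
        return NULL;
    const char *p = getenv(TRACE_ENV);
    return (p != NULL && *p != '\0') ? p : NULL; /* empty means unset */
}

/* What an application would call: the same policy via secure_getenv(),
   which returns NULL for every variable when secure execution is required. */
const char *trace_path(void)
{
    const char *p = secure_getenv(TRACE_ENV);
    return (p != NULL && *p != '\0') ? p : NULL;
}

int main(void)
{
    setenv(TRACE_ENV, "/tmp/example-trace.log", 1); /* constructed value */
    printf("AT_SECURE=%d\n", at_secure());
    const char *p = trace_path();
    printf("trace file: %s\n", p ? p : "(debug feature disabled)");
    return 0;
}
```
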