From: Paul Eggert <eggert@cs.ucla.edu>
To: Rich Felker <dalias@libc.org>
Cc: Florian Weimer <fweimer@redhat.com>,
glibc list <libc-alpha@sourceware.org>,
Eric Blake <eblake@redhat.com>,
"libguestfs@redhat.com" <libguestfs@redhat.com>
Subject: Re: RFC: *scanf vs. overflow
Date: Sat, 23 May 2020 10:18:31 -0700 [thread overview]
Message-ID: <e3ae3760-3cb7-9fc7-92a6-e0b3e362fa45@cs.ucla.edu> (raw)
In-Reply-To: <20200523164500.GK1079@brightrain.aerifal.cx>
On 5/23/20 9:45 AM, Rich Felker wrote:
> It's relevant because you want to propose this for standardization.
I don't think it's ready for standardization now. I'm merely proposing it for
glibc. If it works well there, great; if not, then glibc should do something
more ambitious, such as Eric's proposal.
Doing nothing is not a good option; this is a real problem that affects many
real programs.
> that's syntax. It's /[^ ]{1,n}"/.
I'll concede that. That being said, the difference between syntax and semantics
is always somewhat arbitrary, and there's little point to slicing and dicing the
fuzzy boundary here. Regardless of whether the change is to "syntax" or
"semantics" it would be easy to change POSIX to allow the proposed behavior;
it's not a fundamental change to the spec.
> *Any* use of scanf on untrusted input is "vulnerable
> to the integer-overflow issue" in the sense that overflow is UB.
Absolutely, but that was not the point. The issue is what's the best thing to do
for these programs. Many carefully-written but imperfect programs have these
bugs, and although glibc is within its rights to dump core or worse when these
programs run, it's better if glibc's behavior improves their overall
reliability. Letting these errors run through silently causing further
corruption later is not a good strategy for improving overall reliability.
Pointing fingers at developers and telling them not to use scanf is not likely
to be a good strategy either.
> Any value that could be produced via overflow
> could also be produced via non-overflowing input, and you have to
> validate data either way.
Sure, but silently treating 2**32 as if it were zero is more likely to cause
real problems later. We need a better way for *scanf to reflect these errors
back to the calling code.
next prev parent reply other threads:[~2020-05-23 17:18 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-22 20:59 RFC: *scanf vs. overflow Eric Blake via Libc-alpha
2020-05-23 1:16 ` Rich Felker
2020-05-23 3:06 ` Paul Eggert
2020-05-23 16:11 ` Rich Felker
2020-05-23 16:28 ` Paul Eggert
2020-05-23 16:45 ` Rich Felker
2020-05-23 17:18 ` Paul Eggert [this message]
2020-05-26 9:30 ` [Libguestfs] " Richard W.M. Jones via Libc-alpha
2020-05-23 7:06 ` Richard W.M. Jones via Libc-alpha
2020-05-23 15:25 ` Paul Eggert
2020-05-23 16:21 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/libc/involved.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e3ae3760-3cb7-9fc7-92a6-e0b3e362fa45@cs.ucla.edu \
--to=eggert@cs.ucla.edu \
--cc=dalias@libc.org \
--cc=eblake@redhat.com \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=libguestfs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).