Re: The Case for Rust (in any system)
- Reply: Steffen Nurpmeso : "Re: The Case for Rust (in any system)"
- Reply: Warner Losh : "Re: The Case for Rust (in any system)"
- Reply: Alan Somers : "Re: The Case for Rust (in any system)"
- In reply to: ske-89_a_pkmab.se: "Re: The Case for Rust (in any system)"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 05 Sep 2024 22:51:29 UTC
sigh. now i am back. ske-89@pkmab.se wrote in <202409052313.aa18097@berenice.pkmab.se>: |Alan Somers <asomers@freebsd.org> wrote: |> In fact, of all the C bug fixes that I've been involved with (as |> either author or reviewer) since May, about three quarters could've |> been avoided just by using a better language. |... |> To summarize, here's the list of this week's security advisories, and |> also some other recent C bug fixes of my own involvement: | |After checking several of these examples, I'm wondering what the code |would have looked like in some "better language", where those bugs would |have been avoided? Examples. I find the absolute opposite after checking four. Ie, if you implement some SCSI command - - /* - * struct scsi_sense_data, which is currently set to 256 bytes, is - * larger than the largest allowed value for the length field in the - * REQUEST SENSE CDB, which is 252 bytes as of SPC-4. - */ - ctsio->kern_data_len = cdb->length; - ctsio->kern_total_len = cdb->length; + ctsio->kern_data_len = ctsio->kern_total_len = + MIN(cdb->length, sizeof(*sense_ptr)); This is a super clear logic error, that even says the comment, which did not care for security related impacts. It came in as part of a tremendious super large patch "Add the CAM Target Layer (CTL)." (130f4520cba830cc6da47c9f871fed78710a4709) in 2012, 34000 lines of code additions. There were a couple of fixup commits. It seems to have been sponsored, but i have no idea of review or anything. Compared to the WireGuard stuff, for example. Now i had to look more deeply why the commit says three bytes whereas the naive eye counts four. (Maybe NUL terminated.) The ones from OpenSSL and ctld are more complex. But the libnv is pretty clear again, it even uses strnlen() (urgh). |E.g for the "use after free" or "unitialized memory" examples. Examples. You are just saying. |To me, several of those bugs seem fairly complex, and not just a |question of having bounds checking for arrays or a borrow checker |for pointers, or something simple like that. Two of four. |But maybe the bugs could have been detected[.] yes, maybe. I doubt it. |[.] and prevented if the |code would have been forced to be expressed in a completely |different manner by some other language? Or what is your vision |of how that would be accomplished? Actually yes. String objects. I mean it is easy to say that, but if you look at the SCSI thing, one would normally do things like eg we_parse_THIS_SCSI_COMMAND([.]u8 *buf, u16 len){ ... /* C99 */{ struct a_mmc_cmd_x42_resp_data_head *dhp; ^argument etc of THIS_SCSI_COMMAND dhp = R(struct a_mmc_cmd_x42_resp_data_head*,buf); buf += sizeof(*dhp); len -= sizeof(*dhp); } ... irp = R(struct a_mmc_cmd_x42_isrc_resp*,buf); Unfortunately it was forgotten for one of many use cases, where a byte buffer of reality matches a structure of a language abstraction. How could a different language aid here. |You seem to be saying that certain examples would be solved by |a better language, and certain ones would not, so I suppose you |do have some vision of how that would work. And *i* am saying that for example the nvlist could have been done very safely in C, if instead of strnlen() etc something more sane would have been used. Like a string object. But it is more typing work etc. *That* of course, yes. |I'm just curious to learn more, since it is not obvious to me, |and thus all the more interresting. This is all very unspecific. I have also seen quite a lot of things. What should be the answer to this unspecific question, except continuation of this thread? |/Kristoffer Eriksson --End of <202409052313.aa18097@berenice.pkmab.se> In support for that swedish hm virgin, yes, sweden is not a clean country for sure. --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)