看板 DFBSD_submit 關於我們 聯絡資訊
發信人"Kevin M. Kilbride" <kmk@ssl.org>,
看板DFBSD_submit
標 題Re: Patch to execve
發信站(null) (Tue Mar 1 07:54:59 2005)
轉信站ptt!crater_reader.dragonflybsd.org!crater.dragonflybsd.org!127.0.0.1.M
Joerg Sonnenberger wrote: >On Sun, Feb 27, 2005 at 03:45:39PM -0800, Kevin M. Kilbride wrote: > > >>The documentation for the compiler actually points out the problem with >>the write-strings option: >> >>"These warnings will help you find at compile time code that can try to >>write into a string constant, but only if you have been very careful >>about using const in declarations and prototype. Otherwise, it will just >>be a nuisance; this is why we did not make -Wall request these warnings." >> >>It should be removed from WARNS=6. >> >> > >No. Code has to understand that there is a difference between: >const char * >char * >char [] > > It is precisely that difference I am talking about, Joerg. This code is safe: void function(void) { char *x = "some string"; potential_string_modifier(x); } This code is not safe: void function(void) { char x[] = "some string"; potential_string_modifier(x); } In the first case, if the potential modifier attempts to write to the string, the program will die. As I pointed out previously, dead programs are always safe. In the second case, if the potential modifier attempts to write to the string, it will succeed---even if it overwrites the stack. It is exercises similar to this that permit stack overflow exploits. Moreover, passing truly-writable copies prevents you from later finding any calls that should not be modifying strings, but which actually do. Keep in mind what ( char x[] = "some string"; ) is actually doing. It declares an automatically-sized array on the stack and then initializes it with a string literal. For whatever reason, the userland code I've looked at so far often declares string constants as automatic variables---but at least it does it with pointers to literals. Doing this as a pointer to a string literal can never open the door to safety issues. Doing it as an automatic initialization of an array on the stack, on the other hand, *may* open the door to potential safety issues. Kernel functions should never be a problem, since they are absolutely privileged and completely trusted; but if you start encouraging WARNS=6 compliance in general, then people will, ironically, be given a false sense of security by making their code warnings-free. Aside from which, even within their own applications, they will have a more difficult time finding bugs related to unintentional writing to should-be-constant strings. That is why -Wwrite-strings should be removed from WARNS=6.