> 2023-12-05: Red Hat Product Security sent us a patch for CVE-2023-6246
(written by the glibc developers), and asked us for our feedback.
> 2023-12-07: While reviewing this patch, we discovered two more minor
vulnerabilities in the same function (an off-by-one buffer overflow and
an integer overflow). We immediately sent an analysis, proof of concept,
and patch proposal to Red Hat Product Security, and suggested that we
directly involve the glibc security team.
This all could be fixed with better string library,
Strings in C are awful to deal with and
most of such errors is about memory buffers
for strings that are manually allocated.
The vast majority of services and user programs don't need to escalate privileges by invoking SUID/SGID binaries. no_new_privs should be used on them so that the "setuid with libc/LD programs" security boundary is avoided.
"A consequence of this principle is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time against both the upper and the lower declared bounds of the array. Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interests of efficiency on production runs. Unanimously, they urged us not to--they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980 language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law."
-- C.A.R Hoare's "The 1980 ACM Turing Award Lecture"
Thankfully the powers of the law are finally taking attention to it, after a couple of decades since that speech took place.
I'm tired of sloppy testing. This issue was discoverable via a fuzzer as noted in the bug report. Software that accepts external inputs needs to be fuzzed regardless of whether it is written in a memory safe language or not. Uncaught exceptions and panics are still bugs and recovering from one without clearing internal state could lead to a security hole.
"All of the NSS fuzzers are represented in combined coverage metrics by oss-fuzz, rather than their individual coverage. This data proved misleading, as the vulnerable code is fuzzed extensively but by fuzzers that could not possibly generate a relevant input."
Saying "important software should be rigorously tested" isn't an excuse, it's an actionable and reasonable suggestion. Tut-tutting about implementation language choice in (literally) the platform C runtime is quite a bit less so.
Grandparent was being helpful, basically. You're just sniping.
Exhaustive testing tops out at about two float 32s[0], so of course do that for small functions, but for full application testing type checks are much cheaper.
Fuzzing isn't exhaustive testing, it's dynamic coverage testing. You provide random input until you discover your (compiler-instrumented) binary doing something you haven't seen yet, then permute the input until you get it to do something else, etc... For almost all non-pathological algorithms, it's capable of reaching full coverage in linear time; though some algorithms are always going to have pathological edge and require some whiteboxing.
Amusingly, the first thread in there opens up about how Docker security is comparable to a VM, yet today has a Docker exploit on the frontpage https://news.ycombinator.com/item?id=39250975
> 2023-12-07: While reviewing this patch, we discovered two more minor vulnerabilities in the same function (an off-by-one buffer overflow and an integer overflow). We immediately sent an analysis, proof of concept, and patch proposal to Red Hat Product Security, and suggested that we directly involve the glibc security team.