Patch to execve

Kevin M. Kilbride kmk at ssl.org
Mon Feb 28 15:49:20 PST 2005 

Joerg Sonnenberger wrote:

On Sun, Feb 27, 2005 at 03:45:39PM -0800, Kevin M. Kilbride wrote:
 

The documentation for the compiler actually points out the problem with 
the write-strings option:

"These warnings will help you find at compile time code that can try to 
write into a string constant, but only if you have been very careful 
about using const in declarations and prototype. Otherwise, it will just 
be a nuisance; this is why we did not make -Wall request these warnings."

It should be removed from WARNS=6.
   

No. Code has to understand that there is a difference between:
const char *
char *
char []
 

It is precisely that difference I am talking about, Joerg. This code is 
safe:

   void function(void) {
      char *x = "some string";
      potential_string_modifier(x);
   }
This code is not safe:

   void function(void) {
     char x[] = "some string";
     potential_string_modifier(x);
   }
In the first case, if the potential modifier attempts to write to the 
string, the program will die. As I pointed out previously, dead programs 
are always safe. In the second case, if the potential modifier attempts 
to write to the string, it will succeed---even if it overwrites the 
stack. It is exercises similar to this that permit stack overflow 
exploits. Moreover, passing truly-writable copies prevents you from 
later finding any calls that should not be modifying strings, but which 
actually do.

Keep in mind what ( char x[] = "some string"; ) is actually doing. It 
declares an automatically-sized array on the stack and then initializes 
it with a string literal. For whatever reason, the userland code I've 
looked at so far often declares string constants as automatic 
variables---but at least it does it with pointers to literals. Doing 
this as a pointer to a string literal can never open the door to safety 
issues. Doing it as an automatic initialization of an array on the 
stack, on the other hand, *may* open the door to potential safety 
issues. Kernel functions should never be a problem, since they are 
absolutely privileged and completely trusted; but if you start 
encouraging WARNS=6 compliance in general, then people will, ironically, 
be given a false sense of security by making their code warnings-free. 
Aside from which, even within their own applications, they will have a 
more difficult time finding bugs related to unintentional writing to 
should-be-constant strings. That is why -Wwrite-strings should be 
removed from WARNS=6.

More information about the Submit mailing list