From nobody Fri Sep 6 14:24:07 2024 X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4X0dlS3cjHz5V9wX for ; Fri, 06 Sep 2024 14:24:20 +0000 (UTC) (envelope-from asomers@gmail.com) Received: from mail-ua1-f50.google.com (mail-ua1-f50.google.com [209.85.222.50]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4X0dlS1X3Zz4S4d for ; Fri, 6 Sep 2024 14:24:20 +0000 (UTC) (envelope-from asomers@gmail.com) Authentication-Results: mx1.freebsd.org; none Received: by mail-ua1-f50.google.com with SMTP id a1e0cc1a2514c-846bc75136eso521455241.3 for ; Fri, 06 Sep 2024 07:24:20 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725632659; x=1726237459; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ihU1IY6TB9MF30F06ZebofAOjXbQOKOJ83fRkWKf/H0=; b=qP9HIwXh1Zsuwk0vijxKYwuhyAXupLn2ySNYGayW/aOtb+gCBatYJhlbrx4i73aq4n SidFOU4n8/476R+pLMB2d7KLwqJbtSlspItKvYnwaPuIBlnpeWok11MY2a5x85zef8dR 8LUiCZrfRbA3O0Uil/GUoIbvxqSRVcGzqUOiAW0DYwtW9ow9X2o5tO7eZuWU42Hk4V50 ng539Rq4qOrA1oDRfU1UmzMLzW+Ol+Thi/qcn5Y59Vq9pQpFH+PjAzFXZMVrKVH9494J JT/EJYjXKaQRBd2HfxDhWAGUjm0abNw8/yKnU3TAGIPV34hPuotZR/yOS7zosnfZF0B1 v/Zw== X-Forwarded-Encrypted: i=1; AJvYcCWmmzA+7V3tUjT+ICUN5aHCDyHy7LHJNM3pRWFjqojxX7E8HitmY5vpXAUTxB5IQhlM7/IdylEC/1PN3apz/N0=@freebsd.org X-Gm-Message-State: AOJu0YwRCNgNU0KtdWup1HurazSM9LEtVq0qMwlO7TU4Gk0rtxhjxMwg pIma7gcuW7/AwwrdsKF0zxomsUv5aaiuWuGVa8Dcy9XeH5LkEQbcYTMsjeAHwcYgkei07ErExPV ULagMBEUip/cvWo4UGKKRErn8314dyg== X-Google-Smtp-Source: AGHT+IH094NsJg6bRzYfjt7wok9JLIVK/npcBPmkF6DsVUUQhZ2i/d5t40EwrQWlxEO5HsngXEuRsHhhR118P+0U1E8= X-Received: by 2002:a05:6122:2a12:b0:4eb:499a:2453 with SMTP id 71dfb90a1353d-502143ca0bamr3006671e0c.8.1725632658940; Fri, 06 Sep 2024 07:24:18 -0700 (PDT) List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@FreeBSD.org MIME-Version: 1.0 References: <202409052313.aa18097@berenice.pkmab.se> <20240905225129.UvYYMXDa@steffen%sdaoden.eu> In-Reply-To: <20240905225129.UvYYMXDa@steffen%sdaoden.eu> From: Alan Somers Date: Fri, 6 Sep 2024 08:24:07 -0600 Message-ID: Subject: Re: The Case for Rust (in any system) To: Steffen Nurpmeso Cc: ske-89@pkmab.se, freebsd-hackers@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US] X-Rspamd-Queue-Id: 4X0dlS1X3Zz4S4d On Thu, Sep 5, 2024 at 4:51=E2=80=AFPM Steffen Nurpmeso wrote: > > sigh. now i am back. > > ske-89@pkmab.se wrote in > <202409052313.aa18097@berenice.pkmab.se>: > |Alan Somers wrote: > |> In fact, of all the C bug fixes that I've been involved with (as > |> either author or reviewer) since May, about three quarters could've > |> been avoided just by using a better language. > |... > |> To summarize, here's the list of this week's security advisories, and > |> also some other recent C bug fixes of my own involvement: > | > |After checking several of these examples, I'm wondering what the code > |would have looked like in some "better language", where those bugs woul= d > |have been avoided? > > Examples. I find the absolute opposite after checking four. > Ie, if you implement some SCSI command > > - > - /* > - * struct scsi_sense_data, which is currently set to 256 bytes, i= s > - * larger than the largest allowed value for the length field in = the > - * REQUEST SENSE CDB, which is 252 bytes as of SPC-4. > - */ > - ctsio->kern_data_len =3D cdb->length; > - ctsio->kern_total_len =3D cdb->length; > + ctsio->kern_data_len =3D ctsio->kern_total_len =3D > + MIN(cdb->length, sizeof(*sense_ptr)); > > This is a super clear logic error, that even says the comment, > which did not care for security related impacts. It came in as > part of a tremendious super large patch "Add the CAM Target Layer > (CTL)." (130f4520cba830cc6da47c9f871fed78710a4709) in 2012, 34000 > lines of code additions. There were a couple of fixup commits. > It seems to have been sponsored, but i have no idea of review or > anything. Compared to the WireGuard stuff, for example. > Now i had to look more deeply why the commit says three bytes > whereas the naive eye counts four. (Maybe NUL terminated.) > > The ones from OpenSSL and ctld are more complex. But the libnv is > pretty clear again, it even uses strnlen() (urgh). > > |E.g for the "use after free" or "unitialized memory" examples. > > Examples. You are just saying. > > |To me, several of those bugs seem fairly complex, and not just a > |question of having bounds checking for arrays or a borrow checker > |for pointers, or something simple like that. > > Two of four. > > |But maybe the bugs could have been detected[.] > > yes, maybe. I doubt it. > > |[.] and prevented if the > |code would have been forced to be expressed in a completely > |different manner by some other language? Or what is your vision > |of how that would be accomplished? > > Actually yes. String objects. > I mean it is easy to say that, but if you look at the SCSI thing, > one would normally do things like eg > > we_parse_THIS_SCSI_COMMAND([.]u8 *buf, u16 len){ > ... > /* C99 */{ > struct a_mmc_cmd_x42_resp_data_head *dhp; > > ^argument etc of THIS_SCSI_COMMAND > > dhp =3D R(struct a_mmc_cmd_x42_resp_data_head*,buf); > buf +=3D sizeof(*dhp); > len -=3D sizeof(*dhp); > } > ... > irp =3D R(struct a_mmc_cmd_x42_isrc_resp*,buf); > > Unfortunately it was forgotten for one of many use cases, where > a byte buffer of reality matches a structure of a language > abstraction. How could a different language aid here. > > |You seem to be saying that certain examples would be solved by > |a better language, and certain ones would not, so I suppose you > |do have some vision of how that would work. > > And *i* am saying that for example the nvlist could have been done > very safely in C, if instead of strnlen() etc something more sane > would have been used. Like a string object. But it is more > typing work etc. *That* of course, yes. > > |I'm just curious to learn more, since it is not obvious to me, > |and thus all the more interresting. > > This is all very unspecific. I have also seen quite a lot of > things. What should be the answer to this unspecific question, > except continuation of this thread? I'm having trouble following your English, but you seem to be missing the point. The point is not whether the bugs can be fixed in C; of course they can, after all we just did. The point is that safe programming languages make it nearly impossible to create the bugs in the first place. For example, a language that uses RAII everywhere makes it nearly impossible to allocate a structure without initializing it. Nearly impossible to leak memory, too. > > |/Kristoffer Eriksson > --End of <202409052313.aa18097@berenice.pkmab.se> > > In support for that swedish hm virgin, yes, sweden is not a clean > country for sure. Again, I don't know what you mean. But it looks like a personal attack to me. Please try to keep your discourse on the public mailing lists respectful. -Alan