CWE-787 Weakness in Manjaro GCC

Hello dear community,
in my master’s thesis, I noticed that the software weakness CWE-787 does not universally affect every Linux distribution. For example, it is mitigated in Fedora or Debian, but not in Manjaro.
As a passionate user of Manjaro, I wanted to point out this fact and ask whether the GCC should/could not be hardened accordingly in the future.
Everyone can think about the consequences for themselves :slight_smile:

More information about the weakness can be found on the website of Mitre[dot]org

I would be pleased to receive an answer.
Best regards, chrisbr

If you are a developer - not just another academic - you know it is common to the most used paradigm in programming - loops.

A programming language - on its own - cannot make any decision on the validity of an instruction - it must adhere to the programmer's decision - and it is the programmer who must add the proper validation and error handling.

Yes, I know that very well, because I have been a software developer myself for years. You have to be able to deal with exceptions. But I know from experience that it doesn’t happen consistently. One proof of this is the CVE list.

But this simple C code causes a crash in Manjaro. Not in the other systems mentioned.
However, this possibility would help to at least mitigate previously undiscovered vulnerabilities through the “false bottom”.

#include <stdio.h>
/* Source: https://cwe.mitre.org/data/definitions/787.html */

int main(void)
{
	int id_sequence[3];	/* valid indices are 0, 1 and 2 */

	printf("Kontrollpunkt 1\n");
	
	id_sequence[0] = 123;
	printf("Kontrollpunkt 2.1: %i\n", id_sequence[0]);
	id_sequence[1] = 234;
	printf("Kontrollpunkt 2.2: %i\n", id_sequence[1]);
	id_sequence[2] = 345;
	printf("Kontrollpunkt 2.3: %i\n", id_sequence[2]);
	id_sequence[3] = 456;	/* CWE-787: write one element past the end of the array */
	printf("Kontrollpunkt 2.4: %i\n", id_sequence[3]);

	return 0;

}

How Fedora reacts:

Kontrollpunkt 1
Kontrollpunkt 2.1: 123
Kontrollpunkt 2.2: 234
Kontrollpunkt 2.3: 345
Kontrollpunkt 2.4: 456

How Manjaro reacts:

Kontrollpunkt 1
Kontrollpunkt 2.1: 123
Kontrollpunkt 2.2: 234
Kontrollpunkt 2.3: 345
Kontrollpunkt 2.4: 456
*** stack smashing detected ***: terminated
Abgebrochen (Speicherabzug geschrieben)

It depends which version of GCC you had tested. Most likely Arch will act the same way …

Not so much as an answer, but a question based on observation. I’m not sure how to read the output and certainly not a programmer, so please forgive me for completely misunderstanding this; apologies in advance.

Since the sample code posted does not include the feedback
*** stack smashing detected ***: terminated

On what basis would one assume that the error means that this weakness is present and that the lack of error means the weakness is not present?

The mitre link with example code explains the example with

Since the array is only allocated to hold three elements, the valid indices are 0 to 2; so, the assignment to id_sequence[3] is out of bounds.

But no output example, e.g., if you see x you are vulnerable.


Looking at the code above, Manjaro’s behavior is IMHO much more correct than Fedora’s - when someone writes “behind an array,” it’s perfectly fine (and safer) to kill the process due to memory corruption.

Appendices:

  1. If you use the gcc -O2 “optimization” flag in Manjaro, you get the same behavior as in Fedora.
  2. CWEs are primarily intended for programmers so that they do not introduce weaknesses into the software they are developing, not for the operating system or development tools to address them directly.
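An added example, not code from chrisbr's post or from the CWE page: the same sample rewritten with the explicit bounds check the replies ask for. The stack canary only reports an overwrite after it has happened, and only when the compiler inserted one (which is why the result changes between distributions and with -O2); the check below rejects the write before memory is touched. The names seq_store, run_sample and SEQ_LEN are my own.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example: bounds-checked variant of the CWE-787 sample from the thread.
 * Names and structure are assumptions, not part of the original post. */

#define SEQ_LEN 3

struct id_sequence {
    int values[SEQ_LEN];
};

/* Store value at idx. Returns 0 on success, -1 if idx is outside 0..SEQ_LEN-1. */
int seq_store(struct id_sequence *seq, size_t idx, int value)
{
    if (idx >= SEQ_LEN)
        return -1;              /* reject instead of writing past the array */
    seq->values[idx] = value;
    return 0;
}

/* Replay the four writes of the original sample (constructed input, values as in
 * the post); the fourth one, index 3, must be rejected. Returns the number of
 * rejected writes. */
int run_sample(struct id_sequence *seq)
{
    const int inputs[] = {123, 234, 345, 456};
    int rejected = 0;

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (seq_store(seq, i, inputs[i]) != 0) {
            fprintf(stderr, "index %zu out of bounds (max %d)\n", i, SEQ_LEN - 1);
            rejected++;
        } else {
            printf("Kontrollpunkt 2.%zu: %i\n", i + 1, seq->values[i]);
        }
    }
    return rejected;
}

int main(void)
{
    struct id_sequence seq = {{0}};
    int rejected = run_sample(&seq);

    printf("stored %d values, rejected %d write(s)\n", SEQ_LEN, rejected);
    return rejected ? 1 : 0;
}
```

To reproduce the thread's comparison independently of a distribution's GCC defaults, build the original sample once with `-fstack-protector-strong` and once with `-fno-stack-protector`; only the first build can print the "stack smashing detected" message, and at `-O2` the compiler may drop the out-of-bounds store entirely because it is undefined behaviour.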