[v4] gdb: Update SECURITY.txt to mention extension scripts and internal errors

Message ID 20240917185840.3430190-2-blarsen@redhat.com
State New
Headers
Series [v4] gdb: Update SECURITY.txt to mention extension scripts and internal errors |

Checks

Context Check Description
linaro-tcwg-bot/tcwg_gdb_build--master-arm success Build passed
linaro-tcwg-bot/tcwg_gdb_build--master-aarch64 success Build passed
linaro-tcwg-bot/tcwg_gdb_check--master-aarch64 success Test passed
linaro-tcwg-bot/tcwg_gdb_check--master-arm fail Test failed

Commit Message

Guinevere Larsen Sept. 17, 2024, 6:58 p.m. UTC
  Given the recent CVE filed for GDB (CVE-2024-36699), I decided to update
the gdb/SECURITY.txt to be more explicit about some details. Specifically,
we now explicitly say that internal errors aren't security
vulnerabilities, and mention that users should review plugins before
running them, and under which conditions a plugin can cause a security
bug.

Reviewed-By: Luis Machado <luis.machado@arm.com>
---
 gdb/SECURITY.txt | 51 ++++++++++++++++++++++++++++++++++++------------
 1 file changed, 38 insertions(+), 13 deletions(-)
  

Comments

Tom Tromey Sept. 25, 2024, 5:03 p.m. UTC | #1
>>>>> Guinevere Larsen <blarsen@redhat.com> writes:

> Given the recent CVE filed for GDB (CVE-2024-36699), I decided to update
> the gdb/SECURITY.txt to be more explicit about some details. Specifically,
> we now explicitly say that internal errors aren't security
> vulnerabilities, and mention that users should review plugins before
> running them, and under which conditions a plugin can cause a security
> bug.

Thank you.

> +  control of the user and are always safe to load.  All of these files
> +  are treated as trusted input, meaning GDB makes no attempt to sanitize
> +  commands and has no sandboxing or other protections against effects of
> +  commands ran by any automatically loaded file.  It is up to the user to

I think I'd write "...effects of commands run by any...".
That is s/ran/run/

> +  GDB is not meant to be offered as a service (that is, offered
> +  over an insecure connection to non-local users), and so denial of
> +  service attacks targetting GDB itself, or other bugs that target
> +  this use case, are not considered a security bug.

Typo, "targeting".

I was considering that may be this section isn't fully correct, because
if a program is somehow specially crafted to make it impossible for gdb
to debug it, that is a bug.  However I suppose it isn't a security bug,
just an ordinary one.

Anyway I'm happy with the proposed text, and I'm happy to give my
approval, but I think perhaps others ought to read it as well before
checking it in.

Tom
  
Guinevere Larsen Sept. 25, 2024, 6:10 p.m. UTC | #2
On 9/25/24 2:03 PM, Tom Tromey wrote:
>>>>>> Guinevere Larsen <blarsen@redhat.com> writes:
>> Given the recent CVE filed for GDB (CVE-2024-36699), I decided to update
>> the gdb/SECURITY.txt to be more explicit about some details. Specifically,
>> we now explicitly say that internal errors aren't security
>> vulnerabilities, and mention that users should review plugins before
>> running them, and under which conditions a plugin can cause a security
>> bug.
> Thank you.
>
>> +  control of the user and are always safe to load.  All of these files
>> +  are treated as trusted input, meaning GDB makes no attempt to sanitize
>> +  commands and has no sandboxing or other protections against effects of
>> +  commands ran by any automatically loaded file.  It is up to the user to
> I think I'd write "...effects of commands run by any...".
> That is s/ran/run/
Ok, I'll change it.
>
>> +  GDB is not meant to be offered as a service (that is, offered
>> +  over an insecure connection to non-local users), and so denial of
>> +  service attacks targetting GDB itself, or other bugs that target
>> +  this use case, are not considered a security bug.
> Typo, "targeting".
thanks!
>
> I was considering that may be this section isn't fully correct, because
> if a program is somehow specially crafted to make it impossible for gdb
> to debug it, that is a bug.  However I suppose it isn't a security bug,
> just an ordinary one.
If I remember correctly, there are some ways to detect you're running 
under GDB and change behavior, making things undebuggable, so yeah, I 
think opening that opportunity for this to be considered a security bug 
is too broad.
>
> Anyway I'm happy with the proposed text, and I'm happy to give my
> approval, but I think perhaps others ought to read it as well before
> checking it in.
Ok. In the meantime, can I add your review tag?
>
> Tom
>
  
Luis Machado Sept. 26, 2024, 6:07 a.m. UTC | #3
Just a couple nits.

On 9/17/24 19:58, Guinevere Larsen wrote:
> Given the recent CVE filed for GDB (CVE-2024-36699), I decided to update
> the gdb/SECURITY.txt to be more explicit about some details. Specifically,
> we now explicitly say that internal errors aren't security
> vulnerabilities, and mention that users should review plugins before
> running them, and under which conditions a plugin can cause a security
> bug.
> 
> Reviewed-By: Luis Machado <luis.machado@arm.com>
> ---
>  gdb/SECURITY.txt | 51 ++++++++++++++++++++++++++++++++++++------------
>  1 file changed, 38 insertions(+), 13 deletions(-)
> 
> diff --git a/gdb/SECURITY.txt b/gdb/SECURITY.txt
> index e483790349b..298c5ed26e0 100644
> --- a/gdb/SECURITY.txt
> +++ b/gdb/SECURITY.txt
> @@ -62,19 +62,25 @@ What Is A Security Bug?
>    (either from the GDB command line, a GDB configuration file, or from
>    the GDB prompt) are considered security bugs.
>  
> -  GDB will check for and load multiple configuration files.  When
> -  initially started GDB can load user- and system-specific
> -  configuration files, this is done unconditionally as it is assumed
> -  these files are under control of the user and are always safe to
> -  load.
> -
> -  GDB can also load per-project and per-program configuration files,
> -  this is done when a program to debug is loaded into GDB.  These
> -  configuration files will only be loaded if the user has given GDB
> -  permission to load these files.  Any bug in GDB which allows
> -  per-project or per-program configuration files to be loaded without
> -  permission having been granted by the user is considered a security
> -  bug.
> +  GDB will check for and load multiple configuration files, sometimes
> +  referred to as extension scripts or plugins.  When initially started
> +  GDB can load user-specific and/or system-specific configuration files,
> +  this is done unconditionally as it is assumed these files are under
> +  control of the user and are always safe to load.  All of these files
> +  are treated as trusted input, meaning GDB makes no attempt to sanitize
> +  commands and has no sandboxing or other protections against effects of
> +  commands ran by any automatically loaded file.  It is up to the user to
> +  audit files against documentation provided by the relevant projects to
> +  protect against malicious commands.  If executing commands provided by
> +  the GDB project generates undocumented side effects, this is a bug.  For
> +  that bug to be considered a security bug, it must meet other definitions
> +  of security bugs outlined in this document.
> +
> +  GDB can also load per-project and/or per-program configuration files
> +  when a program is loaded for debugging.  Such files will only be loaded
> +  if the user has given GDB permission to load them.  Any bug in GDB which
> +  allows per-project or per-program configuration files to be loaded without
> +  permission having been granted by the user is considered a security bug.
>  
>    When gdbserver is started, if it is passed a program on its command
>    line then that program will be started, but paused before executing
> @@ -101,6 +107,25 @@ What Is Not A Security Bug
>    In the context of local debugging, when GDB is used to execute a
>    program, the program runs with the same privileges as GDB itself.
>  
> +  GDB is not meant to be offered as a service (that is, offered
> +  over an insecure connection to non-local users), and so denial of
> +  service attacks targetting GDB itself, or other bugs that target
> +  this use case, are not considered a security bug.
> +
> +  By the same token, simply triggering an internal error in GDB is not
> +  considered a security bug, since GDB has detected an issue and
> +  handled it in a non-exploitable manner.  If it can be demonstrated
> +  that some bug other than the internal error happens, this other bug
> +  should be evaluated independently of the error, and may be a security
> +  bug if it fits some of the definitions in this document.
> +
> +  GDB provides 3 different turing complete languages, Guile, Python
> +  and direct access to the shell.  Making use of these languages can
> +  have unknown effects, including outside of the GDB process.  Such
> +  effects will only be considered security bug if they fit some of the

s/considered security bug/considered security bugs

> +  definitions defined in this document and the effect can only be

Maybe drop "defined" here. It still seems clear for me without it.

> +  reproduced when executed in the GDB environment.
> +
>    Any issues that arise from running an untrusted program outside of a
>    secure environment are not security bugs in GDB.  Any issues that
>    arise from running an untrusted program through GDB inside a secure

Reviewed-By: Luis Machado <luis.machado@arm.com>
  
Guinevere Larsen Sept. 26, 2024, 7:45 p.m. UTC | #4
On 9/26/24 3:07 AM, Luis Machado wrote:
> Just a couple nits.
>
> On 9/17/24 19:58, Guinevere Larsen wrote:
>> Given the recent CVE filed for GDB (CVE-2024-36699), I decided to update
>> the gdb/SECURITY.txt to be more explicit about some details. Specifically,
>> we now explicitly say that internal errors aren't security
>> vulnerabilities, and mention that users should review plugins before
>> running them, and under which conditions a plugin can cause a security
>> bug.
>>
>> Reviewed-By: Luis Machado <luis.machado@arm.com>
>> ---
>>   gdb/SECURITY.txt | 51 ++++++++++++++++++++++++++++++++++++------------
>>   1 file changed, 38 insertions(+), 13 deletions(-)
>>
>> diff --git a/gdb/SECURITY.txt b/gdb/SECURITY.txt
>> index e483790349b..298c5ed26e0 100644
>> --- a/gdb/SECURITY.txt
>> +++ b/gdb/SECURITY.txt
>> @@ -62,19 +62,25 @@ What Is A Security Bug?
>>     (either from the GDB command line, a GDB configuration file, or from
>>     the GDB prompt) are considered security bugs.
>>   
>> -  GDB will check for and load multiple configuration files.  When
>> -  initially started GDB can load user- and system-specific
>> -  configuration files, this is done unconditionally as it is assumed
>> -  these files are under control of the user and are always safe to
>> -  load.
>> -
>> -  GDB can also load per-project and per-program configuration files,
>> -  this is done when a program to debug is loaded into GDB.  These
>> -  configuration files will only be loaded if the user has given GDB
>> -  permission to load these files.  Any bug in GDB which allows
>> -  per-project or per-program configuration files to be loaded without
>> -  permission having been granted by the user is considered a security
>> -  bug.
>> +  GDB will check for and load multiple configuration files, sometimes
>> +  referred to as extension scripts or plugins.  When initially started
>> +  GDB can load user-specific and/or system-specific configuration files,
>> +  this is done unconditionally as it is assumed these files are under
>> +  control of the user and are always safe to load.  All of these files
>> +  are treated as trusted input, meaning GDB makes no attempt to sanitize
>> +  commands and has no sandboxing or other protections against effects of
>> +  commands ran by any automatically loaded file.  It is up to the user to
>> +  audit files against documentation provided by the relevant projects to
>> +  protect against malicious commands.  If executing commands provided by
>> +  the GDB project generates undocumented side effects, this is a bug.  For
>> +  that bug to be considered a security bug, it must meet other definitions
>> +  of security bugs outlined in this document.
>> +
>> +  GDB can also load per-project and/or per-program configuration files
>> +  when a program is loaded for debugging.  Such files will only be loaded
>> +  if the user has given GDB permission to load them.  Any bug in GDB which
>> +  allows per-project or per-program configuration files to be loaded without
>> +  permission having been granted by the user is considered a security bug.
>>   
>>     When gdbserver is started, if it is passed a program on its command
>>     line then that program will be started, but paused before executing
>> @@ -101,6 +107,25 @@ What Is Not A Security Bug
>>     In the context of local debugging, when GDB is used to execute a
>>     program, the program runs with the same privileges as GDB itself.
>>   
>> +  GDB is not meant to be offered as a service (that is, offered
>> +  over an insecure connection to non-local users), and so denial of
>> +  service attacks targetting GDB itself, or other bugs that target
>> +  this use case, are not considered a security bug.
>> +
>> +  By the same token, simply triggering an internal error in GDB is not
>> +  considered a security bug, since GDB has detected an issue and
>> +  handled it in a non-exploitable manner.  If it can be demonstrated
>> +  that some bug other than the internal error happens, this other bug
>> +  should be evaluated independently of the error, and may be a security
>> +  bug if it fits some of the definitions in this document.
>> +
>> +  GDB provides 3 different turing complete languages, Guile, Python
>> +  and direct access to the shell.  Making use of these languages can
>> +  have unknown effects, including outside of the GDB process.  Such
>> +  effects will only be considered security bug if they fit some of the
> s/considered security bug/considered security bugs
>
>> +  definitions defined in this document and the effect can only be
> Maybe drop "defined" here. It still seems clear for me without it.
>
>> +  reproduced when executed in the GDB environment.
>> +
>>     Any issues that arise from running an untrusted program outside of a
>>     secure environment are not security bugs in GDB.  Any issues that
>>     arise from running an untrusted program through GDB inside a secure
> Reviewed-By: Luis Machado <luis.machado@arm.com>
>
Thanks, I fixed all the nits!
  
Tom Tromey Sept. 27, 2024, 5:31 p.m. UTC | #5
>>>>> "Guinevere" == Guinevere Larsen <guinevere@redhat.com> writes:

>> Anyway I'm happy with the proposed text, and I'm happy to give my
>> approval, but I think perhaps others ought to read it as well before
>> checking it in.

Guinevere> Ok. In the meantime, can I add your review tag?

Definitely.  Thanks.

Tom
  

Patch

diff --git a/gdb/SECURITY.txt b/gdb/SECURITY.txt
index e483790349b..298c5ed26e0 100644
--- a/gdb/SECURITY.txt
+++ b/gdb/SECURITY.txt
@@ -62,19 +62,25 @@  What Is A Security Bug?
   (either from the GDB command line, a GDB configuration file, or from
   the GDB prompt) are considered security bugs.
 
-  GDB will check for and load multiple configuration files.  When
-  initially started GDB can load user- and system-specific
-  configuration files, this is done unconditionally as it is assumed
-  these files are under control of the user and are always safe to
-  load.
-
-  GDB can also load per-project and per-program configuration files,
-  this is done when a program to debug is loaded into GDB.  These
-  configuration files will only be loaded if the user has given GDB
-  permission to load these files.  Any bug in GDB which allows
-  per-project or per-program configuration files to be loaded without
-  permission having been granted by the user is considered a security
-  bug.
+  GDB will check for and load multiple configuration files, sometimes
+  referred to as extension scripts or plugins.  When initially started
+  GDB can load user-specific and/or system-specific configuration files,
+  this is done unconditionally as it is assumed these files are under
+  control of the user and are always safe to load.  All of these files
+  are treated as trusted input, meaning GDB makes no attempt to sanitize
+  commands and has no sandboxing or other protections against effects of
+  commands ran by any automatically loaded file.  It is up to the user to
+  audit files against documentation provided by the relevant projects to
+  protect against malicious commands.  If executing commands provided by
+  the GDB project generates undocumented side effects, this is a bug.  For
+  that bug to be considered a security bug, it must meet other definitions
+  of security bugs outlined in this document.
+
+  GDB can also load per-project and/or per-program configuration files
+  when a program is loaded for debugging.  Such files will only be loaded
+  if the user has given GDB permission to load them.  Any bug in GDB which
+  allows per-project or per-program configuration files to be loaded without
+  permission having been granted by the user is considered a security bug.
 
   When gdbserver is started, if it is passed a program on its command
   line then that program will be started, but paused before executing
@@ -101,6 +107,25 @@  What Is Not A Security Bug
   In the context of local debugging, when GDB is used to execute a
   program, the program runs with the same privileges as GDB itself.
 
+  GDB is not meant to be offered as a service (that is, offered
+  over an insecure connection to non-local users), and so denial of
+  service attacks targetting GDB itself, or other bugs that target
+  this use case, are not considered a security bug.
+
+  By the same token, simply triggering an internal error in GDB is not
+  considered a security bug, since GDB has detected an issue and
+  handled it in a non-exploitable manner.  If it can be demonstrated
+  that some bug other than the internal error happens, this other bug
+  should be evaluated independently of the error, and may be a security
+  bug if it fits some of the definitions in this document.
+
+  GDB provides 3 different turing complete languages, Guile, Python
+  and direct access to the shell.  Making use of these languages can
+  have unknown effects, including outside of the GDB process.  Such
+  effects will only be considered security bug if they fit some of the
+  definitions defined in this document and the effect can only be
+  reproduced when executed in the GDB environment.
+
   Any issues that arise from running an untrusted program outside of a
   secure environment are not security bugs in GDB.  Any issues that
   arise from running an untrusted program through GDB inside a secure