From patchwork Mon Dec 18 14:35:06 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siddhesh Poyarekar X-Patchwork-Id: 1877476 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gotplt.org header.i=@gotplt.org header.a=rsa-sha256 header.s=dreamhost header.b=l8W8SlS8; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=gcc.gnu.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Sv2S02yJGz23yq for ; Tue, 19 Dec 2023 01:35:44 +1100 (AEDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 10B7938582BA for ; Mon, 18 Dec 2023 14:35:42 +0000 (GMT) X-Original-To: gcc-patches@gcc.gnu.org Delivered-To: gcc-patches@gcc.gnu.org Received: from dog.birch.relay.mailchannels.net (dog.birch.relay.mailchannels.net [23.83.209.48]) by sourceware.org (Postfix) with ESMTPS id D3B5F385828F for ; Mon, 18 Dec 2023 14:35:20 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org D3B5F385828F Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=gotplt.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gotplt.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org D3B5F385828F Authentication-Results: server2.sourceware.org; arc=pass smtp.remote-ip=23.83.209.48 ARC-Seal: i=2; a=rsa-sha256; d=sourceware.org; s=key; t=1702910132; cv=pass; b=WggaCKh0Uaa8rsYF1flGMthYCyXUq7mSy4+yUDDzhto/y3m0tUxbb2Ese0lOrRTb9sPjPhUA+5LFPxLJYd3fBhiMGlsV1Nh7CIrLBsq82EcPtCY5wSOIca1QZUCU6jQM8Z+aw/sJiP3MkOEcdfi+fNMo+QI9rHZFNu53PiDhFeU= ARC-Message-Signature: i=2; a=rsa-sha256; d=sourceware.org; s=key; t=1702910132; c=relaxed/simple; bh=imcAWlBBmDFY58OgAQmIX0Cy00eV1xVf5pdm3YSCmTg=; h=DKIM-Signature:Message-ID:Date:MIME-Version:From:Subject:To; b=llzB8nseHhpDoOwukDm+a2RoUtFrqCTizbiMPeD9vR/bPevGVWG4uH2RtmAE6bzpqGalqs+l0fYZ5h5oSWRpe6Ra94Tea0aoZUbbROgX7exC6IUzBaje4xE1bhy8Xep/FLjRcJNS1j9QQVW7Xx+6jQHwy3SMs9JDV8YqWMK3RZA= ARC-Authentication-Results: i=2; server2.sourceware.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 4F246903A40 for ; Mon, 18 Dec 2023 14:35:18 +0000 (UTC) Received: from pdx1-sub0-mail-a266.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id D6507903966 for ; Mon, 18 Dec 2023 14:35:17 +0000 (UTC) ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1702910117; a=rsa-sha256; cv=none; b=rYJmh0XCwtr891ehc7ppK+SnZSsZtImHIT7RNV3y8CwLeyzQaNsnKA+HjO6X05KMJcRoKw R/+R53GPYZDOBD2Mn/MEyn0lcOKmmkSe9d254sd5J0PxgUeQxnzUS/1S0PUTTEQH7LeyGF YQH+F7f8cy+827LnE2ZNoD8Abc3qYKJ3vkqLgxkA4Xg2ttNw0magQMMX9iWW/Dk9GFglVA tbEkWsMSdUh0S+n0Uz92vUV1HDjcevFRTkGAtX4Sah/aMS9+O5RVG9MdkbyVwTY6TouQYF TIHtKId4hzgWi/Hx3YZM3P0OFmxT9RnhU19VGTLPZ/MdPCnT6/ydqAU6Ri5ZKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1702910117; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding:dkim-signature; bh=dDN3z092yfvmpTyk66yjXQIUBCPeECubfp/Uxel8dhc=; b=rkzcDBtbg/uoPEoiigEg4qwXWc2EtnIeCALsj4xT2QIWcefe+K1Jne9l1pDg6V7OaT0u0M owS1wYbEOEFq0o8B0bFVuLXkwvXQwSd9aLVIFuxPiXC8AzGXIMWclKHj6E4GMswk8FjBWK wV0akTy5pJh3ctt6NMBeCpzOil2l0CociesemGqwVEWC93bYMFfQTG2dTAFavjyDDOR6LI MwitApPpmrXKN+ZheiIRSCJWeMjmCdRf8QBlwT9xCfvYvIDEIn65dfCTUruNBh3a7wo9L5 B+/DM0Ds6E8NKjcXxTYGc5qbywKY9IpCATrFUs+Z2fFq0b5m75cD1M0mzbfH+Q== ARC-Authentication-Results: i=1; rspamd-659dcc87c8-q2gpp; auth=pass smtp.auth=dreamhost smtp.mailfrom=siddhesh@gotplt.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org X-MC-Relay: Neutral X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Soft-Relation: 163981aa466ab2d3_1702910118136_733348350 X-MC-Loop-Signature: 1702910118136:646784462 X-MC-Ingress-Time: 1702910118136 Received: from pdx1-sub0-mail-a266.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.96.174.32 (trex/6.9.2); Mon, 18 Dec 2023 14:35:18 +0000 Received: from [192.168.0.182] (unknown [142.113.138.136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a266.dreamhost.com (Postfix) with ESMTPSA id 4Sv2RT47xWz84 for ; Mon, 18 Dec 2023 06:35:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gotplt.org; s=dreamhost; t=1702910117; bh=dDN3z092yfvmpTyk66yjXQIUBCPeECubfp/Uxel8dhc=; h=Date:From:Subject:To:Content-Type:Content-Transfer-Encoding; b=l8W8SlS8FAxVKSONLMDJivzLnqWUlAK4D0PX/+V6pyYMlGnR7IaNWzW/F5j985206 DP7i2WFqyBMtSVg8ladlQ+OzHXHWaKRkuawcphtToPwVpJr+FNbDxMyqdbzsS0t25I lgOIEE0bK3KBEggPm5GKE3EWdLb1ntp4/iT37+S1z/VN2zdqscMwuZ2S3zwKxkIW4s pHOPsxGrsHvSwG1vLZSnDH0xeGL4aEk0ODuoPmv3yHILdMuFpUgEyI4kSP/jwi+kve 2G2nu4vWBAuynhemy+8un7ZgK79S2eYKTF+BZBLc8PyIJM7/RNrwQf8QSdy3pFfTCv hru47k/kSZXBQ== Message-ID: <610f86be-79bb-451f-a9c1-6fcbdc78a2c9@gotplt.org> Date: Mon, 18 Dec 2023 09:35:06 -0500 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US From: Siddhesh Poyarekar Subject: [PATCH] SECURITY.txt: Drop "exploitable" in reference to hardening issues To: gcc Patches X-Spam-Status: No, score=-3036.1 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: gcc-patches@gcc.gnu.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Gcc-patches mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org The "exploitable vulnerability" may lead to a misunderstanding that missed hardening issues are considered vulnerabilities, just that they're not exploitable. This is not true, since while hardening bugs may be security-relevant, the absence of hardening does not make a program any more vulnerable to exploits than without. Drop the "exploitable" word to make it clear that missed hardening is not considered a vulnerability. diff --git a/SECURITY.txt b/SECURITY.txt index b3e2bbfda90..126603d4c22 100644 --- a/SECURITY.txt +++ b/SECURITY.txt @@ -155,10 +155,10 @@ Security features implemented in GCC GCC implements a number of security features that reduce the impact of security issues in applications, such as -fstack-protector, -fstack-clash-protection, _FORTIFY_SOURCE and so on. A failure of - these features to function perfectly in all situations is not an - exploitable vulnerability in itself since it does not affect the - correctness of programs. Further, they're dependent on heuristics - and may not always have full coverage for protection. + these features to function perfectly in all situations is not a + vulnerability in itself since it does not affect the correctness of + programs. Further, they're dependent on heuristics and may not + always have full coverage for protection. Similarly, GCC may transform code in a way that the correctness of the expressed algorithm is preserved, but supplementary properties