On 2/7/19 1:30 PM, Peter Maydell wrote:
> Currently QEMU has 9 uses of variable length arrays
> (found using -Wvla):
>
>
> Should we be looking to get rid of these and turn on the -Wvla
> warning? I know the Linux kernel has recently decided to do this
> (some rationale at the start of https://lwn.net/Articles/749064/).
> Now that doesn't necessarily apply to us as a userspace program,

But systemd-journal is a userspace program bit by VLA:
https://www.openwall.com/lists/oss-security/2019/01/09/3

So the gnulib project recently switched to making it easier to disable VLA:
https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00110.html

> but on the other hand if any of these were allowing the guest to
> determine the size of an on-stack array that would not be great.
> (The linux-user one is bogus in that way, though not a security issue
> as the guest code there has full control anyway.)
>
> Opinions? I admit that to some extent this is just my sense of
> tidiness thinking that if we only have a handful of uses of
> something we should squash that down to zero :-)

I'm all for removing it.

(Hmm, I should update BiteSizedTasks to call out general compiler-driven
cleanups, calling out both -Wshadow and -Wvla as separate subtasks in
that category)

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org
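The cleanup discussed in this message, as an added example that is not part of the email and is not QEMU code: a VLA sized by an untrusted length next to a replacement that builds under -Wvla. The function names, SMALL_BUF and MAX_LEN are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SMALL_BUF 256         /* assumed fixed on-stack size */
#define MAX_LEN   (1u << 20)  /* assumed cap on the untrusted length */

#ifdef SHOW_VLA  /* off by default so the file builds with -Werror=vla */
/* Before: an untrusted 'len' sizes a stack array directly; a large value
 * can exhaust the stack or step over its guard page. */
int sum_vla(const uint8_t *src, size_t len, uint32_t *out)
{
    uint8_t buf[len];         /* flagged by -Wvla */
    uint32_t sum = 0;
    memcpy(buf, src, len);
    for (size_t i = 0; i < len; i++) sum += buf[i];
    *out = sum;
    return 0;
}
#endif

/* After: fixed stack buffer for small inputs, heap for larger ones,
 * and an explicit refusal above MAX_LEN. Returns 0 on success, -1 on error. */
int sum_bounded(const uint8_t *src, size_t len, uint32_t *out)
{
    uint8_t small[SMALL_BUF];
    uint8_t *buf = small;
    uint32_t sum = 0;
    if (len > MAX_LEN) return -1;          /* refuse, do not allocate */
    if (len > sizeof(small)) {
        buf = malloc(len);
        if (!buf) return -1;
    }
    memcpy(buf, src, len);
    for (size_t i = 0; i < len; i++) sum += buf[i];
    if (buf != small) free(buf);
    *out = sum;
    return 0;
}

int main(void)
{
    static const uint8_t sample[] = {1, 2, 3, 4};   /* constructed input */
    uint32_t sum = 0;
    int rc = sum_bounded(sample, sizeof(sample), &sum);
    printf("rc=%d sum=%u\n", rc, (unsigned)sum);
    return rc;
}
```

Compiling with `cc -Wvla -Werror=vla` confirms the bounded version is clean; adding `-DSHOW_VLA` makes the same build fail on the original pattern.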