SECURITY.txt - gcc - Git at Google

 What is a GCC security bug?
 ===========================

     A security bug is one that threatens the security of a system or
     network, or might compromise the security of data stored on it.
     In the context of GCC, there are multiple ways in which this might
     happen and some common scenarios are detailed below.

     If you're reporting a security issue and feel like it does not fit
     into any of the descriptions below, you're encouraged to reach out
     through the GCC bugzilla or, if needed, privately, by following the
     instructions in the last two sections of this document.

 Compiler drivers, programs, libgccjit and support libraries
 -----------------------------------------------------------

     The compiler driver processes source code, invokes other programs
     such as the assembler and linker and generates the output result,
     which may be assembly code or machine code.  Compiling untrusted
     sources can result in arbitrary code execution and unconstrained
     resource consumption in the compiler. As a result, compilation of
     such code should be done inside a sandboxed environment to ensure
     that it does not compromise the host environment.

     The libgccjit library can, despite the name, be used both for
     ahead-of-time compilation and for just-in-compilation.  In both
     cases, it can be used to translate input representations (such as
     source code) in the application context; in the latter case, the
     generated code is also run in the application context.

     Limitations that apply to the compiler driver apply here too in
     terms of trusting inputs and it is recommended that both the
     compilation *and* execution context of the code are appropriately
     sandboxed to contain the effects of any bugs in libgccjit, the
     application code using it, or its generated code to the sandboxed
     environment.

     Libraries such as libiberty, libcc1 and libcpp are not distributed
     for runtime support and have similar challenges to compiler drivers.
     While they are expected to be robust against arbitrary input, they
     should only be used with trusted inputs when linked into the
     compiler.

     Libraries such as zlib that are bundled with GCC to build it will be
     treated the same as the compiler drivers and programs as far as
     security coverage is concerned.  However, if you find an issue in
     these libraries independent of their use in GCC, you should reach
     out to their upstream projects to report them.

     As a result, the only case for a potential security issue in the
     compiler is when it generates vulnerable application code for
     trusted input source code that is conforming to the relevant
     programming standard or extensions documented as supported by GCC
     and the algorithm expressed in the source code does not have the
     vulnerability.  The output application code could be considered
     vulnerable if it produces an actual vulnerability in the target
     application, for example:

     - The application dereferences an invalid memory location despite
       the application sources being valid.
     - The application reads from or writes to a valid but incorrect
       memory location, resulting in an information integrity issue or an
       information leak.
     - The application ends up running in an infinite loop or with
       severe degradation in performance despite the input sources having
       no such issue, resulting in a Denial of Service.  Note that
       correct but non-performant code is not a security issue candidate,
       this only applies to incorrect code that may result in performance
       degradation severe enough to amount to a denial of service.
     - The application crashes due to the generated incorrect code,
       resulting in a Denial of Service.

 Language runtime libraries
 --------------------------

     GCC also builds and distributes libraries that are intended to be
     used widely to implement runtime support for various programming
     languages.  These include the following:

     * libada
     * libatomic
     * libbacktrace
     * libcc1
     * libcody
     * libcpp
     * libdecnumber
     * libffi
     * libgcc
     * libgfortran
     * libgm2
     * libgo
     * libgomp
     * libitm
     * libobjc
     * libphobos
     * libquadmath
     * libssp
     * libstdc++

     These libraries are intended to be used in arbitrary contexts and, as
     a result, bugs in these libraries may be evaluated for security
     impact.  However, some of these libraries, e.g. libgo, libphobos,
     etc.  are not maintained in the GCC project, due to which the GCC
     project may not be the correct point of contact for them.  You are
     encouraged to look at README files within those library directories
     to locate the canonical security contact point for those projects
     and include them in the report.  Once the issue is fixed in the
     upstream project, the fix will be synced into GCC in a future
     release.

     Most security vulnerabilities in these runtime libraries arise when
     an application uses functionality in a specific way.  As a result,
     not all bugs qualify as security relevant.  The following guidelines
     can help with the decision:

     - Buffer overflows and integer overflows should be treated as
       security issues if it is conceivable that the data triggering them
       can come from an untrusted source.
     - Bugs that cause memory corruption which is likely exploitable
       should be treated as security bugs.
     - Information disclosure can be security bugs, especially if
       exposure through applications can be determined.
     - Memory leaks and races are security bugs if they cause service
       breakage.
     - Stack overflow through unbounded alloca calls or variable-length
       arrays are security bugs if it is conceivable that the data
       triggering the overflow could come from an untrusted source.
     - Stack overflow through deep recursion and other crashes are
       security bugs if they cause service breakage.
     - Bugs that cripple the whole system (so that it doesn't even boot
       or does not run most applications) are not security bugs because
       they will not be exploitable in practice, due to general system
       instability.

 Diagnostic libraries
 --------------------

     Libraries like libvtv and the sanitizers are intended to be used in
     diagnostic cases and not intended for use in sensitive environments.
     As a result, bugs in these libraries will not be considered security
     sensitive.

 GCC plugins
 -----------

     It should be noted that GCC may execute arbitrary code loaded by a
     user through the GCC plugin mechanism or through system preloading
     mechanism.  Such custom code should be vetted by the user for safety,
     as bugs exposed through such code will not be considered security
     issues.

 Security features implemented in GCC
 ------------------------------------

     GCC implements a number of security features that reduce the impact
     of security issues in applications, such as -fstack-protector,
     -fstack-clash-protection, _FORTIFY_SOURCE and so on.  A failure of
     these features to function perfectly in all situations is not a
     vulnerability in itself since it does not affect the correctness of
     programs.  Further, they're dependent on heuristics and may not
     always have full coverage for protection.

     Similarly, GCC may transform code in a way that the correctness of
     the expressed algorithm is preserved, but supplementary properties
     that are not specifically expressible in a high-level language
     are not preserved. Examples of such supplementary properties
     include absence of sensitive data in the program's address space
     after an attempt to wipe it, or data-independent timing of code.
     When the source code attempts to express such properties, failure
     to preserve them in resulting machine code is not a security issue
     in GCC.

 Reporting private security bugs
 ===============================

     *All bugs reported in the GCC Bugzilla are public.*

     In order to report a private security bug that is not immediately
     public, please contact one of the downstream distributions with
     security teams.  The following teams have volunteered to handle
     such bugs:

       Debian:  security@debian.org
       Red Hat: secalert@redhat.com
       SUSE:    security@suse.de
       AdaCore: product-security@adacore.com

     Please report the bug to just one of these teams.  It will be shared
     with other teams as necessary.

     The team contacted will take care of details such as vulnerability
     rating and CVE assignment (http://cve.mitre.org/about/).  It is likely
     that the team will ask to file a public bug because the issue is
     sufficiently minor and does not warrant an embargo.  An embargo is not
     a requirement for being credited with the discovery of a security
     vulnerability.

 Reporting public security bugs
 ==============================

     It is expected that critical security bugs will be rare, and that most
     security bugs can be reported in GCC, thus making
     them public immediately.  The system can be found here:

       https://gcc.gnu.org/bugzilla/
	What is a GCC security bug?
	===========================

	A security bug is one that threatens the security of a system or
	network, or might compromise the security of data stored on it.
	In the context of GCC, there are multiple ways in which this might
	happen and some common scenarios are detailed below.

	If you're reporting a security issue and feel like it does not fit
	into any of the descriptions below, you're encouraged to reach out
	through the GCC bugzilla or, if needed, privately, by following the
	instructions in the last two sections of this document.

	Compiler drivers, programs, libgccjit and support libraries
	-----------------------------------------------------------

	The compiler driver processes source code, invokes other programs
	such as the assembler and linker and generates the output result,
	which may be assembly code or machine code. Compiling untrusted
	sources can result in arbitrary code execution and unconstrained
	resource consumption in the compiler. As a result, compilation of
	such code should be done inside a sandboxed environment to ensure
	that it does not compromise the host environment.

	The libgccjit library can, despite the name, be used both for
	ahead-of-time compilation and for just-in-compilation. In both
	cases, it can be used to translate input representations (such as
	source code) in the application context; in the latter case, the
	generated code is also run in the application context.

	Limitations that apply to the compiler driver apply here too in
	terms of trusting inputs and it is recommended that both the
	compilation and execution context of the code are appropriately
	sandboxed to contain the effects of any bugs in libgccjit, the
	application code using it, or its generated code to the sandboxed
	environment.

	Libraries such as libiberty, libcc1 and libcpp are not distributed
	for runtime support and have similar challenges to compiler drivers.
	While they are expected to be robust against arbitrary input, they
	should only be used with trusted inputs when linked into the
	compiler.

	Libraries such as zlib that are bundled with GCC to build it will be
	treated the same as the compiler drivers and programs as far as
	security coverage is concerned. However, if you find an issue in
	these libraries independent of their use in GCC, you should reach
	out to their upstream projects to report them.

	As a result, the only case for a potential security issue in the
	compiler is when it generates vulnerable application code for
	trusted input source code that is conforming to the relevant
	programming standard or extensions documented as supported by GCC
	and the algorithm expressed in the source code does not have the
	vulnerability. The output application code could be considered
	vulnerable if it produces an actual vulnerability in the target
	application, for example:

	- The application dereferences an invalid memory location despite
	the application sources being valid.
	- The application reads from or writes to a valid but incorrect
	memory location, resulting in an information integrity issue or an
	information leak.
	- The application ends up running in an infinite loop or with
	severe degradation in performance despite the input sources having
	no such issue, resulting in a Denial of Service. Note that
	correct but non-performant code is not a security issue candidate,
	this only applies to incorrect code that may result in performance
	degradation severe enough to amount to a denial of service.
	- The application crashes due to the generated incorrect code,
	resulting in a Denial of Service.

	Language runtime libraries
	--------------------------

	GCC also builds and distributes libraries that are intended to be
	used widely to implement runtime support for various programming
	languages. These include the following:

	* libada
	* libatomic
	* libbacktrace
	* libcc1
	* libcody
	* libcpp
	* libdecnumber
	* libffi
	* libgcc
	* libgfortran
	* libgm2
	* libgo
	* libgomp
	* libitm
	* libobjc
	* libphobos
	* libquadmath
	* libssp
	* libstdc++

	These libraries are intended to be used in arbitrary contexts and, as
	a result, bugs in these libraries may be evaluated for security
	impact. However, some of these libraries, e.g. libgo, libphobos,
	etc. are not maintained in the GCC project, due to which the GCC
	project may not be the correct point of contact for them. You are
	encouraged to look at README files within those library directories
	to locate the canonical security contact point for those projects
	and include them in the report. Once the issue is fixed in the
	upstream project, the fix will be synced into GCC in a future
	release.

	Most security vulnerabilities in these runtime libraries arise when
	an application uses functionality in a specific way. As a result,
	not all bugs qualify as security relevant. The following guidelines
	can help with the decision:

	- Buffer overflows and integer overflows should be treated as
	security issues if it is conceivable that the data triggering them
	can come from an untrusted source.
	- Bugs that cause memory corruption which is likely exploitable
	should be treated as security bugs.
	- Information disclosure can be security bugs, especially if
	exposure through applications can be determined.
	- Memory leaks and races are security bugs if they cause service
	breakage.
	- Stack overflow through unbounded alloca calls or variable-length
	arrays are security bugs if it is conceivable that the data
	triggering the overflow could come from an untrusted source.
	- Stack overflow through deep recursion and other crashes are
	security bugs if they cause service breakage.
	- Bugs that cripple the whole system (so that it doesn't even boot
	or does not run most applications) are not security bugs because
	they will not be exploitable in practice, due to general system
	instability.

	Diagnostic libraries
	--------------------

	Libraries like libvtv and the sanitizers are intended to be used in
	diagnostic cases and not intended for use in sensitive environments.
	As a result, bugs in these libraries will not be considered security
	sensitive.

	GCC plugins
	-----------

	It should be noted that GCC may execute arbitrary code loaded by a
	user through the GCC plugin mechanism or through system preloading
	mechanism. Such custom code should be vetted by the user for safety,
	as bugs exposed through such code will not be considered security
	issues.

	Security features implemented in GCC
	------------------------------------

	GCC implements a number of security features that reduce the impact
	of security issues in applications, such as -fstack-protector,
	-fstack-clash-protection, _FORTIFY_SOURCE and so on. A failure of
	these features to function perfectly in all situations is not a
	vulnerability in itself since it does not affect the correctness of
	programs. Further, they're dependent on heuristics and may not
	always have full coverage for protection.

	Similarly, GCC may transform code in a way that the correctness of
	the expressed algorithm is preserved, but supplementary properties
	that are not specifically expressible in a high-level language
	are not preserved. Examples of such supplementary properties
	include absence of sensitive data in the program's address space
	after an attempt to wipe it, or data-independent timing of code.
	When the source code attempts to express such properties, failure
	to preserve them in resulting machine code is not a security issue
	in GCC.

	Reporting private security bugs
	===============================

	All bugs reported in the GCC Bugzilla are public.

	In order to report a private security bug that is not immediately
	public, please contact one of the downstream distributions with
	security teams. The following teams have volunteered to handle
	such bugs:

	Debian: security@debian.org
	Red Hat: secalert@redhat.com
	SUSE: security@suse.de
	AdaCore: product-security@adacore.com

	Please report the bug to just one of these teams. It will be shared
	with other teams as necessary.

	The team contacted will take care of details such as vulnerability
	rating and CVE assignment (http://cve.mitre.org/about/). It is likely
	that the team will ask to file a public bug because the issue is
	sufficiently minor and does not warrant an embargo. An embargo is not
	a requirement for being credited with the discovery of a security
	vulnerability.

	Reporting public security bugs
	==============================

	It is expected that critical security bugs will be rare, and that most
	security bugs can be reported in GCC, thus making
	them public immediately. The system can be found here:

	https://gcc.gnu.org/bugzilla/