Kernel buffer overflow exposes iPhone 11 Pro to radio based attacks

Paul Backus snarwin at gmail.com
Wed Dec 9 01:23:37 UTC 2020 

On Tuesday, 8 December 2020 at 22:52:29 UTC, Dukc wrote:
> On Sunday, 6 December 2020 at 04:52:19 UTC, Bruce Carneal wrote:
>> Even though I love working on projects that should operate 
>> near HW limits, I would like to see defaults favor newcomers 
>> and prototyping (@safe, throw, gc).
>>
>> 1028 without the "C is @safe" falsehood could work.
>
> Consider a module with `@safe:` or `@trusted:` at top. The 
> problem with the rule "external C functions can't be @safe" or 
> "can't be @safe by default" is that you do not know why the 
> annotation is at the top of module. It could be because it has 
> been reviewed, or it could be just to get functions calling it 
> to quickly work.
>
> Theoretically, if C code is considered `@safe` by default, you 
> can tell them from each other. No attributes: `@system`, but 
> considered `@safe` for now, meaning you want to review the 
> module in the near future. `@safe` or `@trusted`: someone has 
> checked the module, nothing to worry about.

The problem with this is that there is existing *correct* D code 
that relies "no attributes" meaning @system, and which would 
silently become incorrectly-annotated if the default were 
changed. For example, there are many external @system functions 
in the D runtime that do not have an explicit @system annotation.

You flip the switch, your tests pass, and then months or years 
later, you discover that a memory-corruption bug has snuck its 
way into your @safe code, because no one ever got around to 
putting an explicit @system annotation on some external function 
deep in one of your dependencies. How would you react? 
Personally, I'd jump ship to Rust and never look back.

Of course, you can try to argue that it's the fault of the 
library maintainer for not realizing that they need to re-review 
all of their external function declarations--but why should they 
have to, when the compiler can just as easily flag those 
functions automatically? Isn't the whole reason we have automatic 
memory-safety checks in the first place to *avoid* relying on 
programmer discipline for this kind of thing?

More information about the Digitalmars-d mailing list