Kernel buffer overflow exposes iPhone 11 Pro to radio based attacks

Dukc ajieskola at gmail.com
Wed Dec 9 11:46:41 UTC 2020 

On Wednesday, 9 December 2020 at 01:23:37 UTC, Paul Backus wrote:
> The problem with this is that there is existing *correct* D 
> code that relies "no attributes" meaning @system, and which 
> would silently become incorrectly-annotated if the default were 
> changed. For example, there are many external @system functions 
> in the D runtime that do not have an explicit @system 
> annotation.
>
> You flip the switch, your tests pass, and then months or years 
> later, you discover that a memory-corruption bug has snuck its 
> way into your @safe code, because no one ever got around to 
> putting an explicit @system annotation on some external 
> function deep in one of your dependencies. How would you react? 
> Personally, I'd jump ship to Rust and never look back.

Yes, this would be a problem, but I believe it'd be less of a 
problem than you think. If you use some third-party library, you 
need to think twice how much you trust it's `@safe`ty in any 
case. At least if you're that strict about it. No annotations 
anywhere is about the easiest thing to spot when considering that.

>
> Of course, you can try to argue that it's the fault of the 
> library maintainer for not realizing that they need to 
> re-review all of their external function declarations--but why 
> should they have to, when the compiler can just as easily flag 
> those functions automatically?

It might have some benefit: If non-annotated C libraries are 
considered `@safe`, it'll mean that not-so-quality code is using 
compromised `@safe`. Bad. But if they are considered `@system`, 
not-so-quality code will not be using `@safe` AT ALL. Even worse.

Now I understand there is a drawback for higher-quality code. You 
have to either copy-paste the C library header and add `@system:` 
to top of it, or make a module that automatically wraps the 
header as `@system`. That's more work than just importing the C 
header, and thus will result in more greenwashed headers than C 
headers being `@system` by default.

Also it sure sucks that the compiler would do the wrong thing by 
default, but would the pragmatic downsides be even worse for the 
Common Sense option? I don't know, But I'm saying that 1: it's a 
judgement call, not anything absolute, 2: either way one could 
live with, and would be far from making `@safe` meaningless.

More information about the Digitalmars-d mailing list