Boost logo

Boost :

Subject: Re: [boost] [stacktrace] Partial review
From: Florian Weimer (fw_at_[hidden])
Date: 2017-03-27 11:19:34


* Antony Polukhin:

>> addr2line_pipe uses execvp, which could lead to evaluation of the PATH
>> variable from programs which underwent an AT_SECURE transition (e.g.,
>> SUID programs), which could lead to privilege escalation issues.
>
> I'm providing an absolute path to the executable, so there must be no
> PATH evaluation. Am I missing something?

I'm talking about this:

        char prog_name[] = "addr2line";

As far as I can see, this is not just used as the argv[0] argument,
but also as the program to execute.

>> With inlining, a single stack frame can expand to a list of source
>> locations (reflecting the inlineed call stack). The current design
>> does not take that into account.
>
> I've found no system API to get multiple locations. So the Stacktrace
> API is designed to have at most 1 location.

addr2line can optionally resolve inlining information. The additional
frames come from the DWARF data.


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk