EnterCriticalSection flagged? #19

Closed
rgetz opened this issue Apr 23, 2020 · 4 comments

rgetz commented Apr 23, 2020

First - thanks.

Next, a question about a potential false positive (or at least aged out positive)

https://github.com/david-a-wheeler/flawfinder/blob/master/flawfinder#L1266

flags EnterCriticalSection as

"On some versions of Windows, exceptions can be thrown in low-memory situations",
"Use InitializeCriticalSectionAndSpinCount instead"

However, the doc makes no mention of that.

The page from the book Writing Secure Code describes EnterCriticalSection as something that will not throw errors on XP, .NET Server, and later. Considering that XP went EOL on April 8, 2014 and .NET Server went EOL on 14 July 2015, if people are using OSes earlier than that, they have bigger issues than what will be flagged with flawfinder...

The doc for InitializeCriticalSection does indicate:

Windows Server 2003 and Windows XP: In low memory situations, InitializeCriticalSection can raise a STATUS_NO_MEMORY exception.
Starting with Windows Vista, this exception was eliminated and InitializeCriticalSection always succeeds, even in low memory situations.

Windows Server 2003 operating system EOL'ed on July 14, 2015.

What's the goal from flawfinder for managing the versions of Windows?

Thanks again.

@david-a-wheeler
Owner

There's no formal position on EOL, I generally ask, "What seems to be common?".

For example, while officially Windows 7 is end-of-life, over 30% of all client systems (not just Windows systems) use Windows 7 today. So if something impacts Windows 7, it's a serious issue. Stats here.

I take Python in a similar vein. Officially Python 2 is end-of-life, but in practice Python 2 is everywhere & there are still many systems that only have Python2, so I continue to support it.

As of August 2005, over 600,000 sites ran Windows Server 2003 even though it was out of support according to Netcraft. I don't know the numbers now, but if the numbers are significant, it seems worth worrying about. Eventually it's not worth worrying about, of course, but what matters is the number of systems actually deployed.

Too many people in the tech bubble think that when a new version of software is released, everyone magically updates to it. That's not how things work in the real world, and I want to help people out in the real world.


rgetz commented Apr 27, 2020

Agree - but I think you missed the point of what I was saying.

I'm not asking about Win 7 (the fix was made before Win 7 was released).

InitializeCriticalSection

Windows Server 2003 and Windows XP: In low memory situations, InitializeCriticalSection can raise a STATUS_NO_MEMORY exception.
Starting with Windows Vista, this exception was eliminated and InitializeCriticalSection always succeeds, even in low memory situations.

According to your stats, XP has a 1.7% market share. Is that enough people to leave it on the list - probably, but the warning message should change to indicate that it does not happen on modern versions of Windows.

On old versions of Windows (including and before XP and Server 2003), exceptions can be
thrown in low-memory situations. Use InitializeCriticalSectionAndSpinCount instead

EnterCriticalSection

EnterCriticalSection - as something that will not throw errors on XP (released October 25, 2001), .NET Server (released April 24, 2003), and later (including Win 7 (released October 22, 2009)).

What we are talking about being susceptible is these operating systems:
Windows 1.0 (November 20, 1985), Windows 2.0 (December 9, 1987), Windows 2.10 (May 27, 1988), Windows 2.11 (March 13, 1989), Windows 3.0 (May 22, 1990), Windows 3.0 with Multimedia Extensions (October 20, 1991), Windows 3.1 (April 6, 1992), Windows for Workgroups 3.1 (October 27, 1992), Windows NT 3.1 (July 27, 1993), Windows for Workgroups 3.11 (November 8, 1993), Windows NT 3.5 (September 21, 1994), Windows NT 3.51 (May 30, 1995), Windows 95 (August 24, 1995), Windows NT 4.0 (August 24, 1996), Windows 98 (June 25, 1998), Windows 98 SE (May 5, 1999), Windows 2000 (February 17, 2000), Windows Me (September 14, 2000).

From the list you provided, even if you look at the top 1000 operating systems:

  • Windows Me doesn't even make the list
  • Windows 2000, Windows 98, Windows NT, Windows 95 all have zero percent.
  • The older ones - also don't make the list.

I think the risk is low/non-existent of removing this check.
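
A version-aware triage of these two findings, as an added example that is not part of the original thread and is not flawfinder's own code: it flags calls to the two functions and marks each finding as applicable or stale according to the `_WIN32_WINNT` target the source declares. The `triage` function, the `SAFE_FROM` table and the sample file are constructed for illustration; the thresholds are the ones stated in the thread (Vista for InitializeCriticalSection, XP for EnterCriticalSection).

```python
import re

# First _WIN32_WINNT value at which each call stops raising in low memory,
# as stated in the thread (0x0501 = Windows XP, 0x0600 = Windows Vista).
SAFE_FROM = {
    "InitializeCriticalSection": 0x0600,  # per the quoted Microsoft doc
    "EnterCriticalSection": 0x0501,       # per the book cited in the thread
}
# Comments and string/char literals, so mentions inside them are not flagged.
_NOISE = re.compile(
    r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)
_TARGET = re.compile(
    r'^[ \t]*#[ \t]*define[ \t]+_WIN32_WINNT[ \t]+(0[xX][0-9a-fA-F]+)', re.M)
_CALL = re.compile(r'\b(%s)\s*\(' % "|".join(SAFE_FROM))

def _blank(match):
    # Replace with spaces but keep newlines so line numbers stay correct.
    return re.sub(r'[^\n]', ' ', match.group(0))

def triage(source, default_target=None):
    """Return [(line, function, status)]; status is 'applies' if the declared
    target predates the fix, 'stale' if not, 'unknown' if none is declared."""
    code = _NOISE.sub(_blank, source)
    m = _TARGET.search(code)
    target = int(m.group(1), 16) if m else default_target
    findings = []
    for call in _CALL.finditer(code):
        name = call.group(1)
        line = code.count("\n", 0, call.start()) + 1
        if target is None:
            status = "unknown"
        else:
            status = "applies" if target < SAFE_FROM[name] else "stale"
        findings.append((line, name, status))
    return findings

# Constructed sample input: a file that declares Windows XP as its target.
SAMPLE = '''\
#define _WIN32_WINNT 0x0501
void setup(void) {
    /* InitializeCriticalSection(&cs) used to be here */
    InitializeCriticalSectionAndSpinCount(&cs, 4000);
    InitializeCriticalSection(&cs);
}
void work(void) {
    EnterCriticalSection(&cs);  // "EnterCriticalSection(" in a comment
    LeaveCriticalSection(&cs);
}
'''
```

When the target is set on the compiler command line rather than in the source, pass it as `default_target`; a finding with status `unknown` has no declared target to judge against.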

david-a-wheeler added a commit that referenced this issue Jan 9, 2021
This is no longer a vulnerability on widely-used Windows versions.
See:
#19

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
@david-a-wheeler
Owner

Great points! I've made the change, it'll be in the next release.


rgetz commented Jan 9, 2021

Thanks for following up.
