Date: Mon, 6 Jul 2015 14:17:53 -0400
From: Daniel Micay <danielmicay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: How serious is undefined behavior?

It's a problem from a practical point of view too.

It can and does end up triggering dangerous compiler optimizations like
removing array bounds checks that are deemed impossible. It hasn't been
a huge problem in the past because compilers sucked at optimization and
it will usually slip by unnoticed.

A compiler removing a check like this would be correct, but it's a
trivial case so it will warn:

    if (index >= length) {
        INT_MAX + 1; // can be considered to be __builtin_unreachable()
        abort();
    }

It's a security bug even if it doesn't happen with a compiler today as
theoretical examples become practical ones when optimization passes get
smarter. The -fwrapv switch offers sane signed integer semantics as a
language extension so it's a lot less bad than most of the issues.

The consequences of signed integer overflow usually only mess around
with loops today because that's one of the few places where integer
range analysis is used (iteration count, etc.). It can assume loops will
terminate where it couldn't with -fwrapv and so on. It will cause more
problems as the optimization passes get better.

It's possible to make lots of concrete, scary examples that already
happen today but most are going to involve pointers: strict aliasing,
pointer arithmetic rules, NULL dereferences, __attribute__((nonnull)),
memcpy non-overlap guarantee, etc. There are -fno-strict-aliasing and
-fno-delete-null-pointer-checks, but nothing to deal with some of the
issues like pointer arithmetic.

I think it's important to note that ubsan / asan / tsan only catch a
subset of UB. There are lots of issues that will slip by but can
actually cause real world problems. For example, I don't think any of
the sanitizers will catch out-of-bounds pointer arithmetic even though
they perform LOTS of common optimizations based on the guarantee.
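As an added illustration (not code from Daniel's message), here is the kind of bounds check that relies on signed wraparound and that an optimizer is entitled to delete, beside two versions that test for overflow before the addition ever happens; the builtin variant assumes GCC or Clang.

```c
#include <limits.h>
#include <stdbool.h>

/* Fragile check: relies on signed wraparound, which is undefined behaviour.
 * Range analysis may conclude that `end < base` can never hold for a
 * non-negative `extra` and drop the test entirely. Kept for comparison
 * only; it is not exercised, because calling it with overflowing inputs
 * would itself execute undefined behaviour. */
bool in_bounds_fragile(int base, int extra, int length) {
    int end = base + extra;          /* UB when the sum exceeds INT_MAX */
    if (end < base)                  /* may be optimized away as "impossible" */
        return false;
    return end <= length;
}

/* Robust check: detect the overflow before performing the addition, so no
 * UB is executed and the optimizer has nothing to "prove" away. */
bool in_bounds_checked(int base, int extra, int length) {
    if (base < 0 || extra < 0 || length < 0)
        return false;
    if (extra > INT_MAX - base)      /* base + extra would exceed INT_MAX */
        return false;
    return base + extra <= length;
}

/* Same check using the overflow builtin (assumed GCC/Clang); the builtin
 * reports overflow without ever evaluating the overflowing expression. */
bool in_bounds_builtin(int base, int extra, int length) {
    int end;
    if (base < 0 || extra < 0 || length < 0)
        return false;
    if (__builtin_add_overflow(base, extra, &end))
        return false;
    return end <= length;
}
```

Compiling with -fwrapv would give the fragile version defined wraparound semantics, but the checked forms are correct under any compiler flags.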

