Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 7 Jul 2015 02:36:13 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: How serious is undefined behavior?

On Mon, Jul 06, 2015 at 06:17:34PM +0200, Hanno B??ck wrote:
> However I wonder how practically relevant these issues are

I think we have to estimate their practical impact on a case by case
basis, and such assessments may need adjustment over time.

> and also how much focus should be given to them.

I'm not sure how much, but I think it should be increasing over time,
especially for new code.

> Do people have good examples
> where e.g. an invalid shift operation caused a real, severe security
> issue?

Not exactly what you asked for, but a recent example is Pufferfish, a
Password Hashing Competition finalist, where an invalid shift operation
results in it being effectively undefined for requested memory sizes
beyond 2 MiB, contrary to the designer's intent.  In practice,
Pufferfish would appear to work, but deliver slightly worse security
properties than intended and different behavior between some systems.
Luckily, this was found while still evaluating the finalists.

> Would people think it's a wise idea to put a lot of effort into testing
> applications with ubsan enabled and reporting all the bugs that pop up?
> (that would mean a lot of bugreports) Or would this be perceived as an
> annoying "that's a theoretical C language nitpick issue and not a real
> bug".

Both.

I think it's worth reporting these bugs primarily to more recent,
cleaner, and better maintained projects, as well as to smaller projects,
where it is realistic that all of these bugs would be fixed.

For older projects of substantial size, maybe just publish summaries.

> https://github.com/madler/zlib/commit/8a979f6c7986574e37316148cd8ca440c3bc08a3

I think this was worth reporting.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.