Date: Thu, 09 Jul 2015 17:37:55 +0300
From: Alexander Cherepanov <ch3root@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: How serious is undefined behavior?

On 2015-07-06 19:17, Hanno Böck wrote:
> Would people think it's a wise idea to put a lot of effort into testing
> applications with ubsan enabled and reporting all the bugs that pop up?

I think the situation is the same as with other bugs -- it depends on 
the project. I would report them if the application in question is in 
good shape. Otherwise I would start with crashes.

My experience in fuzzing binutils[1] and elfutils[2] with ubsan was 
quite positive. It was easy to integrate it into my workflow and all 
reported issues were promptly fixed by the maintainers.

[1] reports with ubsan start at
https://sourceware.org/bugzilla/show_bug.cgi?id=17512#c196
https://sourceware.org/bugzilla/show_bug.cgi?id=17531#c82

[2] reports with ubsan start at
https://bugzilla.redhat.com/show_bug.cgi?id=1170810#c29

-- 
Alexander Cherepanov
