Date: Sat, 16 Jul 2016 19:59:54 +0300
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: passwdqc code quality

On Sat, Jul 16, 2016 at 06:47:15PM +0200, Daniel Cegiełka wrote:
> btw. I suspect that this error with memset

What "error with memset"?  Do you mean the potential removal of memset()
calls that we use for zeroization?  That's unrelated to the bug reported
via Debian that prompted me to look into passwdqc code quality again.

No, LTO had nothing to do with the bug reported via Debian.  There was
no memset() to remove in the first place.  And if there were, it
wouldn't be a valid optimization for the compiler to remove it, so a
bug-free compiler would not.

Maybe you haven't read this thread closely enough.

> fuzzers like Michal's AFL:
> 
> http://lcamtuf.coredump.cx/afl/

While AFL is great, I don't see how you'd use it to detect either bug
(the missed pw_dir initialization or the removal of memset() calls used
for zeroization).  If you can detect things like this with AFL, please
share how you do it.

Alexander
