Date: Tue, 7 Jul 2015 02:36:13 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: How serious is undefined behavior?

On Mon, Jul 06, 2015 at 06:17:34PM +0200, Hanno Böck wrote:
> However I wonder how practically relevant these issues are

I think we have to estimate their practical impact on a case by case
basis, and such assessments may need adjustment over time.

> and also how much focus should be given to them.

I'm not sure how much, but I think it should be increasing over time,
especially for new code.

> Do people have good examples
> where e.g. an invalid shift operation caused a real, severe security
> issue?

Not exactly what you asked for, but a recent example is Pufferfish, a
Password Hashing Competition finalist, where an invalid shift operation
results in it being effectively undefined for requested memory sizes
beyond 2 MiB, contrary to the designer's intent.  In practice,
Pufferfish would appear to work, but deliver slightly worse security
properties than intended and different behavior between some systems.
Luckily, this was found while still evaluating the finalists.

> Would people think it's a wise idea to put a lot of effort into testing
> applications with ubsan enabled and reporting all the bugs that pop up?
> (that would mean a lot of bugreports) Or would this be perceived as an
> annoying "that's a theoretical C language nitpick issue and not a real
> bug".

Both.  I think it's worth reporting these bugs primarily to more recent,
cleaner, and better maintained projects, as well as to smaller projects,
where it is realistic that all of these bugs would be fixed.  For older
projects of substantial size, maybe just publish summaries.

> https://github.com/madler/zlib/commit/8a979f6c7986574e37316148cd8ca440c3bc08a3

I think this was worth reporting.

Alexander
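
Added example, not part of the original message and not Pufferfish's code: a size computed from a log2 cost parameter, first with an unchecked shift whose result is undefined for large counts, then with a checked shift that rejects such requests. The function names, the KiB-based cost parameter and the 32-bit size type are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form, kept for contrast: a shift count >= the width of the
 * left operand (32 here) is undefined behavior in C, so results for large
 * cost values may differ between compilers and CPUs. */
static uint32_t table_kib_unchecked(unsigned log2_kib)
{
    return (uint32_t)1 << log2_kib;
}

/* Checked shift: rejects undefined counts and shifts that would drop high
 * bits (defined for unsigned types, but wrong when the result is a size).
 * Returns 1 on success, 0 on rejection. */
static int shl_u32_checked(uint32_t v, unsigned n, uint32_t *out)
{
    const unsigned width = sizeof(v) * CHAR_BIT;

    if (n >= width)
        return 0;
    if (n != 0 && (v >> (width - n)) != 0)
        return 0;
    *out = v << n;
    return 1;
}

/* Hypothetical sizing routine: a table of 2^log2_kib KiB, in bytes. */
static int table_bytes_checked(unsigned log2_kib, uint32_t *bytes)
{
    uint32_t kib;

    if (!shl_u32_checked(1, log2_kib, &kib))
        return 0;
    return shl_u32_checked(kib, 10, bytes);
}

int main(void)
{
    uint32_t bytes;

    /* Constructed inputs: one in range, one past the 32-bit limit. */
    printf("unchecked, cost 10: %u KiB\n", (unsigned)table_kib_unchecked(10));
    if (table_bytes_checked(10, &bytes))
        printf("checked, cost 10: %u bytes\n", (unsigned)bytes);
    if (!table_bytes_checked(40, &bytes))
        printf("checked, cost 40: rejected\n");
    return 0;
}
```

Building the unchecked form with -fsanitize=undefined and calling it with a count of 32 or more produces the kind of ubsan report discussed in the thread.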