Date: Sat, 16 Jul 2016 19:59:54 +0300 From: Solar Designer <solar@...nwall.com> To: owl-dev@...ts.openwall.com Subject: Re: passwdqc code quality On Sat, Jul 16, 2016 at 06:47:15PM +0200, Daniel Cegie??ka wrote: > btw. I suspect that this error with memset What "error with memset"? Do you mean the potential removal of memset() calls that we use for zeroization? That's unrelated to the bug reported via Debian that prompted me to look into passwdqc code quality again. No, LTO had nothing to do with the bug reported via Debian. There was no memset() to remove in the first place. And if there were, it wouldn't be a valid optimization for the compiler to remove it, so a bug-free compiler would not. Maybe you haven't read this thread closely enough. > fuzzers like Michal's AFL: > > http://lcamtuf.coredump.cx/afl/ While AFL is great, I don't see how you'd use it to detect either bug (the missed pw_dir initialization or the removal of memset() calls used for zeroization). If you can detect things like this with AFL, please share how you do it. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.