oss-sec mailing list archives
Re: How serious is undefined behavior?
From: Daniel Micay <danielmicay () gmail com>
Date: Mon, 6 Jul 2015 14:17:53 -0400
It's a problem from a practical point of view too. It can and does end up
triggering dangerous compiler optimizations like removing array bounds
checks that are deemed impossible. It hasn't been a huge problem in the
past because compilers sucked at optimization and it would usually slip
by unnoticed.

A compiler removing a check like this would be correct, but it's a
trivial case so it will warn:

    if (index >= length) {
        INT_MAX + 1; // can be considered to be __builtin_unreachable()
        abort();
    }

It's a security bug even if it doesn't happen with a compiler today, as
theoretical examples become practical ones when optimization passes get
smarter.

The -fwrapv switch offers sane signed integer semantics as a language
extension, so it's a lot less bad than most of the issues. The
consequences of signed integer overflow usually only mess around with
loops today because that's one of the few places where integer range
analysis is used (iteration count, etc.). It can assume loops will
terminate where it couldn't with -fwrapv, and so on. It will cause more
problems as the optimization passes get better.

It's possible to make lots of concrete, scary examples that already
happen today, but most are going to involve pointers: strict aliasing,
pointer arithmetic rules, NULL dereferences, __attribute__((nonnull)),
memcpy non-overlap guarantee, etc. There are -fno-strict-aliasing and
-fno-delete-null-pointer-checks, but nothing to deal with some of the
issues like pointer arithmetic.

I think it's important to note that ubsan / asan / tsan only catch a
subset of UB. There are lots of issues that will slip by but can
actually cause real world problems. For example, I don't think any of
the sanitizers will catch out-of-bounds pointer arithmetic, even though
they perform LOTS of common optimizations based on the guarantee.
Attachment:
signature.asc
Description: OpenPGP digital signature
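The bounds-check pattern discussed in the message above, as an added example that is not part of the original post or thread: a range check written with signed int arithmetic, which the compiler may simplify on the assumption that the sum cannot wrap, beside two hardened forms that make the wraparound an explicit, checked event. The buffer, the function names and the inputs are constructed for illustration; `__builtin_add_overflow` is a GCC/Clang builtin, not portable C.

```c
/* Added example, not code from the original post. Constructed buffer and
 * helper names. Compile with e.g.  cc -O2 -std=c11 ub_bounds.c  and compare
 * with -fwrapv or -fsanitize=undefined to see how the unsafe check behaves. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_LEN 16                 /* constructed buffer size */
static unsigned char buf[BUF_LEN];

/*
 * Vulnerable form: "does [off, off + n) fit in len?" written as
 * "off + n <= len" in signed int. Because signed overflow is undefined,
 * the compiler may assume off + n never wraps and, knowing off >= 0 and
 * n >= 0, rewrite the test as "n <= len - off" or treat the wrapped case
 * as unreachable, much like the INT_MAX + 1 snippet in the post. With
 * off = INT_MAX and n = 1 the machine-level sum is negative and passes a
 * naive comparison; an optimizing build may do something else entirely.
 * Whatever it does is correct per the C standard, so nothing below
 * asserts on that case.
 */
bool range_ok_unsafe(int off, int n, int len)
{
    return off >= 0 && n >= 0 && off + n <= len;
}

/* Hardened form 1: detect the overflow instead of triggering UB.
 * __builtin_add_overflow returns true if the mathematically correct sum
 * does not fit in "end". GCC/Clang extension. */
bool range_ok_checked(int off, int n, int len)
{
    int end;
    if (off < 0 || n < 0 || len < 0)
        return false;
    if (__builtin_add_overflow(off, n, &end))
        return false;               /* sum would wrap: reject */
    return end <= len;
}

/* Hardened form 2: unsigned arithmetic arranged so it cannot wrap at all.
 * size_t wraparound is defined, but "off + n" could still wrap silently,
 * so compare n against "len - off" after establishing off <= len. */
bool range_ok_sizet(size_t off, size_t n, size_t len)
{
    return off <= len && n <= len - off;
}

/* Store n bytes from src into buf at off, refusing out-of-range requests.
 * Returns the number of bytes written, 0 if the request was rejected. */
size_t buf_store(size_t off, const unsigned char *src, size_t n)
{
    if (!range_ok_sizet(off, n, BUF_LEN))
        return 0;
    for (size_t i = 0; i < n; i++)
        buf[off + i] = src[i];
    return n;
}

int main(void)
{
    static const unsigned char src[4] = { 1, 2, 3, 4 };

    printf("checked(INT_MAX, 1, 16) = %d\n", range_ok_checked(INT_MAX, 1, 16));
    printf("sizet(SIZE_MAX, 1, 16)  = %d\n", range_ok_sizet(SIZE_MAX, 1, 16));
    printf("store at 12, 4 bytes    = %zu\n", buf_store(12, src, 4));
    printf("store at 13, 4 bytes    = %zu\n", buf_store(13, src, 4));
    /* Result of the unsafe check on a wrapping input is whatever the
       compiler chose; printed only so a reader can compare builds. */
    printf("unsafe(INT_MAX, 1, 16)  = %d\n", range_ok_unsafe(INT_MAX, 1, 16));
    return 0;
}
```

The unsafe and checked forms agree on every input that does not overflow; they differ only where the C standard gives the compiler a free hand, which is exactly the case a fuzzer or a sanitizer-free test suite rarely exercises. The size_t form is the one to prefer in new code, since it needs no compiler extension and has no undefined case to reason about.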
Current thread:
- How serious is undefined behavior? Hanno Böck (Jul 06)
- Re: How serious is undefined behavior? John Haxby (Jul 06)
- Re: How serious is undefined behavior? Daniel Micay (Jul 06)
- Re: How serious is undefined behavior? Solar Designer (Jul 06)
- Re: How serious is undefined behavior? Alexander Cherepanov (Jul 09)
- Re: How serious is undefined behavior? Solar Designer (Jul 12)
- Re: How serious is undefined behavior? Alexander Cherepanov (Jul 13)
- Re: How serious is undefined behavior? Xi Wang (Jul 13)