oss-sec mailing list archives

Re: How serious is undefined behavior?


From: Solar Designer <solar () openwall com>
Date: Tue, 7 Jul 2015 02:36:13 +0300

On Mon, Jul 06, 2015 at 06:17:34PM +0200, Hanno Böck wrote:
> However I wonder how practically relevant these issues are

I think we have to estimate their practical impact on a case by case
basis, and such assessments may need adjustment over time.

> and also how much focus should be given to them.

I'm not sure how much, but I think it should be increasing over time,
especially for new code.

> Do people have good examples
> where e.g. an invalid shift operation caused a real, severe security
> issue?

Not exactly what you asked for, but a recent example is Pufferfish, a
Password Hashing Competition finalist, where an invalid shift operation
results in it being effectively undefined for requested memory sizes
beyond 2 MiB, contrary to the designer's intent.  In practice,
Pufferfish would appear to work, but deliver slightly worse security
properties than intended and different behavior between some systems.
Luckily, this was found while still evaluating the finalists.

> Would people think it's a wise idea to put a lot of effort into testing
> applications with ubsan enabled and reporting all the bugs that pop up?
> (that would mean a lot of bugreports) Or would this be perceived as an
> annoying "that's a theoretical C language nitpick issue and not a real
> bug".

Both.

I think it's worth reporting these bugs primarily to more recent,
cleaner, and better maintained projects, as well as to smaller projects,
where it is realistic that all of these bugs would be fixed.

For older projects of substantial size, maybe just publish summaries.

https://github.com/madler/zlib/commit/8a979f6c7986574e37316148cd8ca440c3bc08a3

I think this was worth reporting.

Alexander
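The shift problem described above, as an added illustration that is not part of this message and not Pufferfish's code: a constructed "memory cost" parameter is turned into a table size with `1 << cost`, which is undefined once the count reaches the width of the operand (C11 6.5.7p3). On x86 the hardware masks the count, so the broken version silently returns a small table instead of failing, which is the "appears to work, but with worse properties than intended" failure mode. The names `table_size_unchecked`, `table_size_checked`, `shift_is_defined` and the cost-to-bytes mapping (cost 21 = 2 MiB) are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not Pufferfish's real code): a cost exponent that
 * selects a table size of 2^cost bytes, as a memory-hard hash might do. */

/* True if shifting a value of the given bit width by count is defined in C:
 * the count must be non-negative and strictly less than the width. */
static bool shift_is_defined(unsigned width, unsigned count)
{
    return count < width;
}

/* Broken version: 1u is 32 bits, so cost >= 32 is undefined behaviour.
 * Build with -fsanitize=shift (or -fsanitize=undefined) to have UBSan report
 * the bad shift at run time; without it, x86 silently masks the count. */
static uint32_t table_size_unchecked(unsigned cost)
{
    return 1u << cost;
}

/* Fixed version: reject counts that would be undefined before shifting, do
 * the arithmetic in 64 bits, and refuse sizes the platform cannot allocate.
 * Returns false instead of producing a silently wrong size. */
static bool table_size_checked(unsigned cost, uint64_t *out)
{
    if (!shift_is_defined(64, cost))   /* (uint64_t)1 << 64 is also UB */
        return false;
    uint64_t size = (uint64_t)1 << cost;
    if (size > SIZE_MAX)               /* matters on 32-bit targets */
        return false;
    *out = size;
    return true;
}

int main(void)
{
    unsigned costs[] = { 20, 21, 31, 40, 64 };
    for (size_t i = 0; i < sizeof costs / sizeof costs[0]; i++) {
        uint64_t size;
        unsigned cost = costs[i];
        if (table_size_checked(cost, &size))
            printf("cost %2u: %llu bytes\n", cost, (unsigned long long)size);
        else
            printf("cost %2u: rejected (shift would be undefined or unallocatable)\n", cost);
        /* Only call the unchecked variant where it is still defined. */
        if (shift_is_defined(32, cost))
            printf("          unchecked 32-bit result: %u\n", table_size_unchecked(cost));
    }
    return 0;
}
```

Compile with `gcc -fsanitize=shift -g example.c` and feed the unchecked function a cost of 32 or more to see the diagnostic UBSan would have raised in the Pufferfish case.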
