oss-sec mailing list archives

Re: How serious is undefined behavior?


From: Alexander Cherepanov <ch3root () openwall com>
Date: Thu, 09 Jul 2015 17:37:55 +0300

On 2015-07-06 19:17, Hanno Böck wrote:
> Would people think it's a wise idea to put a lot of effort into testing
> applications with ubsan enabled and reporting all the bugs that pop up?

I think the situation is the same as with other bugs -- it depends on the project. I would report them if the application in question is in a good shape. Otherwise I would start with crashes.

My experience in fuzzing binutils[1] and elfutils[2] with ubsan was quite positive. It was easy to integrate it into my workflow and all reported issues were promptly fixed by the maintainers.

[1] reports with ubsan start at
https://sourceware.org/bugzilla/show_bug.cgi?id=17512#c196
https://sourceware.org/bugzilla/show_bug.cgi?id=17531#c82

[2] reports with ubsan start at
https://bugzilla.redhat.com/show_bug.cgi?id=1170810#c29

--
Alexander Cherepanov
