The researchers' point was that an attacker might be able to remap that memory page so that dereferencing a null pointer would NOT segfault. (I don't actually know how feasible this is; I'm just paraphrasing their argument. They footnote this claim but I didn't bother to read the cited sources.) Checking if tun is null is [apparently] a valid precautionary measure -- not useless -- except an optimizer might remove it. The order of these statements is definitely wrong, but the authors are claiming that this optimization turns an otherwise innocuous bug into an exploitable vulnerability. Anyway, I don't see what this has to do with Debian. It's an interesting paper, but Debian can't find and fix all upstream bugs, nor do I think most users would be happy if suddenly everything was compiled without any optimizations. -- Mark E. Haase
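The ordering bug the comment describes, reduced to a small C illustration. This is an added example, not code from the thread, the paper, or the kernel; `struct tun_struct`, `poll_buggy`, `poll_fixed` and `sample_tun` are constructed stand-ins chosen for the illustration. The vulnerable function dereferences the pointer before the null check, so a compiler is entitled to treat the check as dead (dereferencing NULL is undefined behaviour, so by the time the check runs the pointer "cannot" be NULL); GCC's `-fno-delete-null-pointer-checks` disables that particular inference, which is the option the comment's "compiled without optimizations" worry is really about. The fixed function simply checks first.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the driver's per-device structure (assumption:
 * not the real kernel layout, just enough to show the access pattern). */
struct tun_struct {
    int queued;
};

#define TUN_POLLERR (-1)

/* Vulnerable ordering: use, then check.
 * Step 1 reads through `tun`. If `tun` is NULL that read is undefined
 * behaviour, so the optimizer may assume it never happens and delete the
 * check in step 2 (GCC does this at -O2 unless -fno-delete-null-pointer-checks
 * is given). Per the argument paraphrased in the comment above, an attacker
 * who can arrange for page zero to be mapped turns the would-be segfault
 * into a read of attacker-controlled memory with no bail-out left. */
int poll_buggy(struct tun_struct *tun)
{
    int queued = tun->queued;       /* step 1: dereference */
    if (!tun)                       /* step 2: check that may be optimized away */
        return TUN_POLLERR;
    return queued;
}

/* Corrected ordering: check, then use. The compiler cannot remove this
 * check because no dereference precedes it. */
int poll_fixed(struct tun_struct *tun)
{
    if (!tun)
        return TUN_POLLERR;
    return tun->queued;
}

/* Constructed sample device for the stand-alone run and the assertions. */
struct tun_struct sample_tun = { .queued = 7 };

int main(void)
{
    /* poll_buggy(NULL) is deliberately not called: it is undefined behaviour
     * and either crashes or, with the check removed, silently misbehaves. */
    printf("fixed, valid device : %d\n", poll_fixed(&sample_tun));
    printf("fixed, NULL device  : %d\n", poll_fixed(NULL));
    printf("buggy, valid device : %d\n", poll_buggy(&sample_tun));
    return 0;
}
```

To see the optimization for yourself, compile the block with `gcc -O2 -S` and compare the generated `poll_buggy` with and without `-fno-delete-null-pointer-checks`: in the default build the comparison against zero disappears. GCC also offers `-Wnull-dereference`, which flags the use-before-check ordering at compile time in simple cases like this one.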