Re: MIT discovered issue with gcc

To: Michael Tautschnig <mt@debian.org>, Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>, debian-security@lists.debian.org, debian-user <debian-user@lists.debian.org>
Subject: Re: MIT discovered issue with gcc
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Sun, 24 Nov 2013 11:15:31 -0200
Message-id: <[🔎] 20131124131530.GA3717@khazad-dum.debian.net>
In-reply-to: <[🔎] 20131123111822.GJ1923@l04-3.local>
References: <[🔎] 52900522.9040507@affinityvision.com.au> <[🔎] 20131123111822.GJ1923@l04-3.local>

On Sat, 23 Nov 2013, Michael Tautschnig wrote:
> This should be taken with a grain of salt. (I'm doing research in the area of
> automated software analysis myself.) It clearly is a well-written paper with a
> nice tool. Yet "unstable code" results from code that would otherwise be
> considered bogus anyway (they give a nice list in Figure 3 in their paper), thus
> it is not necessarily the case that compilers introduce completely new bugs -
> they just might make the existing ones worse. The use of the term
> "vulnerabilities" could be very misleading here: not all bugs yield security
> issues - many of them might just lead to unexpected behaviour, and not be
> exploitable to gain elevated privileges or the like.

The bugs the paper is about, if I recall correctly, are real code bugs made
dormant by the internal workings of the compiler (often only in some
optimization levels, so the bug might show up at -O0 and not at -O2, for
example).

Obviously these are an issue for Debian.  Not only we'd like to be able to
use c-lang/llvm as a real alternative in the not-too-distant future (say, 3
years from now), and that would likely "awaken" many of these latent bugs,
but also any major gcc upgrade can also "awaken" a subset of them.

Whether these "dormant" bugs will cause information security issues or not
(and most of the wouldn't), they're still a problem.

> > This looks very serious indeed, but a quick search of Debian mailing
> > lists didn't show anything being acknowledged for this issue.... should
> > Debian users be concerned?

Well, my best guess is that this is going to be considered "upstream issues"
by the majority of the package maintainers, and thus they won't get much
attention downstream (in Debian) until they start causing large headaches.

So, yes, users should be concerned (but not alarmed).

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

Follow-Ups:
- Re: MIT discovered issue with gcc
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>

References:
- MIT discovered issue with gcc
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: MIT discovered issue with gcc
  - From: Michael Tautschnig <mt@debian.org>

Prev by Date: Re: MIT discovered issue with gcc
Next by Date: Re: MIT discovered issue with gcc
Previous by thread: Re: MIT discovered issue with gcc
Next by thread: Re: MIT discovered issue with gcc
Index(es):
- Date
- Thread