
Re: MIT discovered issue with gcc



On Sun, Nov 24, 2013 at 6:23 AM, Stan Hoeppner <stan@hardwarefreak.com> wrote:
> On 11/22/2013 7:34 PM, Andrew McGlashan wrote:
>
>> http://www.securitycurrent.com/en/research/ac_research/mot-researchers-uncover-security-flaws-in-c
>
> "the team ran Stack against the Debian Linux archive, of which 8575 out
> of 17432 packages contained C/C++ code.  For a whopping 3471 packages,
> STACK detected at least one instance of unstable code."
>
> So 3471 Wheezy packages had one or more instances of gcc introduced
> anomalies.  And the kernel binary they tested had 32.
>
> As an end user I'm not worried about this at all.  But I'd think
> developers may want to start taking a closer look at how gcc does its
> optimizations and creates these anomalies.  If the flaws are serious
> they should obviously take steps to mitigate or eliminate this.
>
> I didn't read the full paper yet, but I'm wondering how/if the
> optimization flag plays a part in this.  I.e. does "O2" produce these
> bugs but "OO" (default) or "Og" (debugging) does not?

The paper says some of the surprise optimizations happen at even the
default optimization level.

And I remember one that definitely does, although I don't remember
where I put the code where I played with it.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

