Jonas Termansen wrote:
> I object to the attitude that code analysis tools should only really be
> supported on glibc systems. A lot of security features are being
> pioneered on other systems and making it easier for everyone to use
> these tools benefits everyone.
> 
> "Exploit mitigation counter-measures" is whenever a system has an
> exploit mitigation and software goes out of its way to not take benefit.
> A good example is the 2014 Heartbleed vulnerability where there was a
> good old buffer overflow. OpenSSL was wrapping malloc with its own
> allocation layer, which made use-after-free bugs worse and did not
> support zeroing freed allocations. That meant that systems with a
> hardened malloc (an exploit mitigation) such as OpenBSD, which would
> have reduced the data leakage a lot, did not benefit from the exploit
> mitigation. ...

The gnulib malloc wrapper is not as severe a problem as you might think.
It is only enabled
  - on AIX, because malloc(0) -> NULL on this platform,
  - on native Windows, because malloc does not set errno upon failure,
  - in cross-compiles - a problem for which we are searching a solution.

When you say "A lot of security features are being pioneered on other systems",
these are mostly BSD and research OSes, not AIX nor native Windows.

Bruno
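
The distinction drawn in this thread, as an added example that is not part of either message and is neither gnulib's nor OpenSSL's code: a thin wrapper that only normalizes the two quirks listed above and forwards to the system malloc, beside a caching layer that recycles buffers itself. All function names, the one-slot cache and the secret string are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Thin wrapper (hypothetical names): normalizes two platform quirks, then
   forwards to the system malloc, which still sees every allocation and free. */
void *thin_malloc(size_t n)
{
    if (n == 0) n = 1;             /* malloc(0) returns NULL on some platforms */
    if (n > PTRDIFF_MAX) {         /* oversized request: fail up front */
        errno = ENOMEM;
        return NULL;
    }
    void *p = malloc(n);
    if (p == NULL) errno = ENOMEM; /* some platforms leave errno unset */
    return p;
}
void thin_free(void *p) { free(p); } /* a hardened free() can junk or unmap */

/* Caching layer (hypothetical): one slot recycled without calling free(). */
#define SLOT_SIZE 64
static void *cached_slot;
void *caching_malloc(size_t n)
{
    if (n <= SLOT_SIZE && cached_slot != NULL) {
        void *p = cached_slot;     /* reused with its previous contents intact */
        cached_slot = NULL;
        return p;
    }
    return malloc(n < SLOT_SIZE ? SLOT_SIZE : n);
}
void caching_free(void *p)
{
    if (cached_slot == NULL) cached_slot = p; /* never reaches free() */
    else free(p);
}

/* Returns 1 when a constructed secret survives a free/alloc cycle. */
int stale_data_survives(void)
{
    char *a = caching_malloc(32);
    if (a == NULL) return -1;
    strcpy(a, "constructed-secret");
    caching_free(a);
    char *b = caching_malloc(32);  /* same buffer, handed out unmodified */
    int leaked = (b == a) && strcmp(b, "constructed-secret") == 0;
    caching_free(b);
    return leaked;
}
```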

