Dear "Cert",

I originally raised this with you privately, but you are slow to
respond, so I am raising this again, more concisely, and CC'd to a less
private forum.

(a) Arithmetic overflows have historically been a significant source of
security vulnerabilities.

(b) Recent versions of gcc (along with other compilers) contain an
optimisation that can *REMOVE* arithmetic overflows.

Why is Cert advising people to avoid an optimisation that can ---
realistically, although probably rarely --- remove security
vulnerabilities?

[I also note that the example you claim is a "length check" in your
advisory, is nothing of the sort.  It is an oddly written test of the
absolute position of a pointer.  I don't actually see how the
optimisation in question could remove a check on the length of
something.  And even more, I don't see how such a hypothetical length
check could not also avoid being broken by other 101 other things,
such as variations in OS memory layout, which may vary even between
successive runs of identical binarys]

Ralph.

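For readers following the exchange above, here is an added example (not code from Ralph's letter or from the advisory it refers to) showing the two shapes of check in question: the fragile `cur + len < cur` form, which relies on forming an out-of-range pointer (undefined behaviour in C, so an optimising compiler may fold the comparison to false and delete it), beside a length check written purely on sizes, which no optimisation can legitimately discard. The 32-byte record, the length-prefixed field layout, and the function names `len_fits`, `copy_field` and `copy_length_prefixed` are all constructed for this illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample record: a 1-byte length field at offset 8 says how
 * many payload bytes follow it (7 here, spelling "payload"). */
static const unsigned char sample[32] = {
    'H','D','R','\0', 0, 0, 0, 0,
    7, 'p','a','y','l','o','a','d',
    0,
};

/* Fragile form, the shape the advisory discusses: it tries to detect a
 * wrapped pointer by forming cur + len and comparing it with cur.  Once
 * cur + len leaves the object, forming that pointer is undefined
 * behaviour, so an optimising compiler may assume it never happens and
 * fold the comparison to "true", i.e. delete the check.  It is only
 * well defined while cur + len stays inside the buffer, which is
 * exactly the case where the check is not needed. */
static bool fragile_wrap_check(const unsigned char *cur, size_t len)
{
    return cur + len >= cur;
}

/* Hardened form: reason about sizes, not addresses.  Every operand is a
 * size_t already known to be in range, so nothing here is undefined and
 * the compiler has no licence to discard the comparison. */
static bool len_fits(size_t bufsize, size_t off, size_t len)
{
    if (off > bufsize)
        return false;
    return len <= bufsize - off;
}

/* Copy `len` bytes starting at `off` of `in` into `out`.  Returns the
 * number of bytes copied, or -1 if the request does not fit either
 * buffer. */
static int copy_field(const unsigned char *in, size_t inlen,
                      size_t off, size_t len,
                      unsigned char *out, size_t outlen)
{
    if (!len_fits(inlen, off, len) || len > outlen || len > INT_MAX)
        return -1;
    memcpy(out, in + off, len);
    return (int)len;
}

/* Read the length byte at `lenpos` and copy the payload that follows it.
 * lenpos + 1 cannot overflow: len_fits has established lenpos < inlen. */
static int copy_length_prefixed(const unsigned char *in, size_t inlen,
                                size_t lenpos,
                                unsigned char *out, size_t outlen)
{
    if (!len_fits(inlen, lenpos, 1))
        return -1;
    size_t len = in[lenpos];
    return copy_field(in, inlen, lenpos + 1, len, out, outlen);
}

int main(void)
{
    unsigned char out[16];
    int n = copy_length_prefixed(sample, sizeof sample, 8, out, sizeof out);
    printf("copied %d bytes: %.*s\n", n, n > 0 ? n : 0, out);

    /* A hostile length byte: 0xff claims 255 bytes from a 32-byte record. */
    unsigned char bad[32];
    memcpy(bad, sample, sizeof bad);
    bad[8] = 0xff;
    n = copy_length_prefixed(bad, sizeof bad, 8, out, sizeof out);
    printf("hostile length rejected: %s\n", n < 0 ? "yes" : "no");
    return 0;
}
```

The point of `len_fits` is that it never forms a pointer it cannot prove is in range: it compares the requested length with the bytes remaining, and both of those are sizes. That is the property a check needs if it is to survive the optimisation the letter describes, regardless of where the OS happens to place the buffer.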