This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: US-CERT Vulnerability Note VU#162289


>>>>> Robert C Seacord writes:

Robert> I believe the vulnerability is that gcc may *silently* 
Robert> discard the overflow checks and that this is a recent change in behavior. 


Robert> You are also right that the popularity of gcc is one of the reasons we 
Robert> decided to publish on this.  If you identify other compilers that a) are 
Robert> relatively popular, b) have changed their behavior recently, and c) 
Robert> silently optimize out overflow checks we will consider publishing 
Robert> vulnerability notes for those compilers as well.

	All optimizing compilers should silently remove the check in the
process of optimizing the example code.  Compilers generally do not warn
by default when processing code in a way that conforms to a language
standard.

	I believe that GCC developers are disappointed that CERT has
chosen to single out GCC using the above set of criteria while most other
compilers perform the same transformation.  If CERT wants to warn about
poorly-written code, it should focus on that vulnerability.

David
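The following is an added illustration, not code from the thread, from CERT, or from GCC. It assumes that the "overflow check" under discussion is the pointer-wrap idiom `if (buf + len < buf)`: forming a pointer past the end of an object is undefined behaviour in C, so an optimizing compiler is entitled to treat `buf + len < buf` as always false and drop the branch, which is exactly the conforming transformation David describes. The second function shows the standards-conforming way to express the same intent by comparing sizes rather than pointers, so the check survives at any optimization level. The buffer sizes and lengths are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: assumed check idiom, not code from the thread. */

/* Broken idiom.  Computing buf + len is only defined while the result
 * stays within (or one past) the object buf points into, so a compiler
 * may assume it never wraps and delete this comparison outright.  The
 * function then returns 1 for every len, however large. */
int request_fits_ub(const char *buf, size_t len)
{
    if (buf + len < buf)   /* undefined behaviour: may be optimized away */
        return 0;
    return 1;
}

/* Conforming replacement: reason about sizes, not addresses.  The caller
 * passes the capacity of the buffer and the current offset; all
 * arithmetic is on size_t and is arranged so it cannot overflow, and no
 * out-of-bounds pointer is ever formed, so nothing here is UB and the
 * compiler must keep the check. */
int request_fits(size_t capacity, size_t offset, size_t len)
{
    if (offset > capacity)
        return 0;
    return len <= capacity - offset;   /* subtraction cannot underflow */
}

/* Copy len bytes from src into dst at offset, refusing the request if it
 * does not fit.  Returns the number of bytes copied, or 0 on refusal. */
size_t bounded_copy(char *dst, size_t capacity, size_t offset,
                    const char *src, size_t len)
{
    if (!request_fits(capacity, offset, len))
        return 0;
    memcpy(dst + offset, src, len);
    return len;
}

/* Small driver over a constructed 16-byte buffer so the result can be
 * inspected without setting up a caller. */
size_t demo_copy(size_t offset, size_t len)
{
    static char buf[16];
    static const char src[] = "abcdefghijklmnop";
    if (len > sizeof src - 1)
        return bounded_copy(buf, sizeof buf, offset, src, len); /* refused */
    return bounded_copy(buf, sizeof buf, offset, src, len);
}

int main(void)
{
    /* Fits: 8 bytes at offset 4 of a 16-byte buffer. */
    printf("copied %zu\n", demo_copy(4, 8));
    /* Attacker-chosen length that would wrap a pointer: refused. */
    printf("copied %zu\n", demo_copy(4, SIZE_MAX - 2));
    return 0;
}
```

Compile the first function with `-O2` and inspect the generated code to see the comparison vanish; the second keeps its check because there is no undefined behaviour for the optimizer to exploit.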

