US-CERT Vulnerability Note VU#162289

Mark Mitchell mark@codesourcery.com
Mon Apr 7 18:08:00 GMT 2008


Robert C. Seacord wrote:

> You are also right that the popularity of gcc is one of the reasons we 
> decided to publish on this.  If you identify other compilers that a) are 
> relatively popular, b) have changed their behavior recently, and c) 
> silently optimize out overflow checks we will consider publishing 
> vulnerability notes for those compilers as well.

I have sent CERT information about two other popular optimizing 
compilers which do this optimization.  Those compilers may have done it 
for longer than GCC, or not; I'm not sure.  But, users of those 
compilers are just as vulnerable.

The advisory suggests that people not use GCC.  If you don't mention 
that other compilers also do this, you may just prompt people to switch 
from GCC to some other compiler that behaves in the same way.

The tone of the note also suggests that GCC is uniquely defective in 
some way.  The title of the note mentions GCC, and the overview suggests 
that GCC is doing something wrong:

"Some versions of gcc may silently discard certain checks for overflow. 
Applications compiled with these versions of gcc may be vulnerable to 
buffer overflows."

Why not change the overview to something like:

"Some compilers (including, at least, GCC, PathScale, and xlc) optimize 
away incorrectly coded checks for overflow.  Applications containing 
these incorrectly coded checks may be vulnerable if compiled with these 
compilers."

?

-- 
Mark Mitchell
CodeSourcery
mark@codesourcery.com
(650) 331-3385 x713
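
An added example, not part of the original message or of any compiler's code: it shows an incorrectly coded overflow check of the kind the proposed overview describes, next to a correctly coded one. It assumes the check at issue is the pointer-wraparound idiom `buf + len < buf`; the function names and sample values are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Incorrectly coded check: it relies on buf + len wrapping around.
 * Forming a pointer past the end of the object is undefined behaviour,
 * so an optimizing compiler may assume the sum never wraps and
 * delete the first comparison entirely. */
int fits_wrapping(const char *buf, const char *buf_end, size_t len)
{
    if (buf + len < buf)            /* may be optimized away */
        return 0;
    return buf + len <= buf_end;
}

/* Correctly coded check: compare len against the space remaining.
 * Only in-bounds pointers are subtracted, so there is nothing for
 * the optimizer to discard. */
int fits_safe(const char *buf, const char *buf_end, size_t len)
{
    return len <= (size_t)(buf_end - buf);
}

/* Bounded copy built on the safe check.
 * Returns 0 on success, -1 if the length is rejected. */
int copy_checked(char *dst, char *dst_end, const char *src, size_t len)
{
    if (!fits_safe(dst, dst_end, len))
        return -1;
    memcpy(dst, src, len);
    return 0;
}

int main(void)
{
    char buf[16];
    size_t huge = (size_t)-1 - 8;   /* constructed oversized length */

    printf("safe check, len=8:    %d\n", fits_safe(buf, buf + sizeof buf, 8));
    printf("safe check, len=huge: %d\n", fits_safe(buf, buf + sizeof buf, huge));
    printf("copy 4 bytes:         %d\n", copy_checked(buf, buf + sizeof buf, "abcd", 4));
    printf("copy huge:            %d\n", copy_checked(buf, buf + sizeof buf, "abcd", huge));
    return 0;
}
```

`fits_wrapping` is never called with the oversized length here, because its result in that case depends on the compiler and optimization level.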


