back to article GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps

A static analysis feature set to appear in GCC 10, which will catch common programming errors that can lead to security vulnerabilities, has scored an early win – it snared an exploitable flaw in OpenSSL. Bernd Edlinger discovered CVE-2020-1967, a denial-of-service flaw deemed to be a high severity risk by the OpenSSL team. It …

  1. bombastic bob Silver badge
    Devil

    llvm already had it - thought so

    I remember seeing something uncovered in a kernel module by a new feature in llvm nearly a year ago. I forget exactly what it was, [it was an nvidia driver module compiled for FreeBSD] but it spat out some warnings I hadn't seen before. The updated version didn't have those warnings, though. But the older compiler didn't show those warnings, so I guess it was added last year some time.

    Yeah, It's all good. I should add this flag to my own stuff, check for it in the configure script

  2. Steve Crook

    El Reg (or the readership) really has changed

    > GCC is the GNU Compiler Collection, a free software suite of tools that compile source code written in C, C++, and other languages, into applications and other executables.

    When did article authors start to think the readership wouldn't know this?

    1. Graham Cunningham

      Re: El Reg (or the readership) really has changed

      I have no problem with acronyms being explained, even if I already know them. Unexplained acronyms needlessly put up barriers to visiting readers who may be new to the subject matter.

      1. bombastic bob Silver badge
        Devil

        Re: El Reg (or the readership) really has changed

        "I have no problem with acronyms being explained, even if I already know them."

        ack, but there are always those who *FEEL* as if an explanation is "beneath them" or insulting. Sometimes, to preclude that with hyper-snowflake types, you can include a funny joke like "Captain Obvious knows ..."

        Or whatever. Yeah, I hate that TOO. Happens a lot. People who get bent out o' shape seeing an explanation are snobby snowflakes. 'Nuff on that, yeah.

        (making readership into an "exclusive club" where ONLY THE INSIDERS UNDERSTAND THINGS is NEVER a good thing, and I bet n00bs are CONSTANTLY being added to the readership)

    2. diodesign (Written by Reg staff) Silver badge

      Re: El Reg (or the readership) really has changed

      As our readership expands - and it has done lately - we have developers (and non-developers) following us with a wide range of ability. Some know C/C++. Some know JavaScript and Python. Some have never touched GCC and are pure Windows developers.

      I edited that sentence in to throw a bone to those thinking, 'wtf is GCC 10'. Sometimes people need their memory jogged. Articles that are focused on specific tools, like Docker or Powershell, don't need reminders like this. Articles that have a potential wide appeal may have a line or two explaining the toolchains involved.

      If I don't put these in, I get accused of alienating potential new readers. If I do put them in, I get accused of dumbing down the site.

      We don't think you're dumb. But I don't want to assume everyone knows what GCC is.

      C.

      1. Mike Shepherd
        Meh

        Re: El Reg (or the readership) really has changed

        Oh, let's have more, not fewer, explanations. No real expert will be insulted by seeing his familiar jargon explained to others. It will annoy only those who fear that their mystique will be punctured. I've used GCC, but am not an expert in it, because most of my work is elsewhere. Do I feel embarrassed by this? I do not. I worked in what's now called IT when most GCC users were still soiling their pants, so their attempts to impress me with an array of acronyms will likely fall flat.

        IT is now a vast field. Those who believe their recondite portion is the whole need to get out more.

        1. John H Woods Silver badge

          Re: their recondite portion

          Hold on, is this the bit that belongs to a German techno artist?

          Now that's recondite knowledge. Twice.

        2. eldakka Silver badge

          Re: El Reg (or the readership) really has changed

          No real expert will be insulted by seeing his familiar jargon explained to others.

          The other advantage it has is it explicitly puts everyone on the same page. Maybe some person thought GCC stood for something else, Global Cat Catastrophe or something.

          The problem with jargon is that the same phrase or acronym could mean different things to different professions. Not to mention "casual" usage v. technically correct usage, e.g. "sounds good in theory" vs "Theory of ... says ... ".

      2. Anonymous Coward
        Anonymous Coward

        Re: El Reg (or the readership) really has changed

        > But I don't want to assume everyone knows what GCC is.

        Although Mr Crook's comment came across as a bit snarky, I admit to thinking that this article did not flow as nicely as it could have; maybe that's what bothered the other reader?

        That said, I am a big fan of the Economist's style rule by which they describe the nature of every business / entity they mention ("Boeing, an aerospace company…") so it's a welcome approach, in particular as it stands the test of time ("Pan-Am, an airline…")

        1. nijam

          Re: El Reg (or the readership) really has changed

          > Boeing, an aerospace company…

          Are they still?

      3. Irongut Silver badge

        Re: El Reg (or the readership) really has changed

        > Some have never touched GCC and are pure Windows developers.

        Just because I develop for Windows doesn't mean I don't know what GCC is or that I've never used it. Even 20 years ago when I worked purely in Delphi I knew what GCC was.

        Not that I have any issue with you explaining acrponymns, I wish more sites would do so, but I do have an issue with you assuming Windows devs don't know about anything else.

      4. bombastic bob Silver badge
        Thumb Up

        Re: El Reg (or the readership) really has changed

        "We don't think you're dumb. But I don't want to assume everyone knows what GCC is."

        see icon

      5. Steve Crook

        Re: El Reg (or the readership) really has changed

        I've been reading this particular red-top since at least 2007 when I posted my first comment, and it just seemed to highlight the changes there have been both at El Reg and in the base of the readership. It intended to be an observation, *not* a criticism. But I could have phrased it better to minimise the whiff of snark.

        As you say, the IT business has shifted, technologies have moved and, naturally El Reg has moved with them because what floats the readerships boat has also changed. So there *was* a time when GCC would have been assumed knowledge, now it'll be other stuff.

        Nothing wrong with that. Evolve or die.

    3. Warm Braw Silver badge

      Re: El Reg (or the readership) really has changed

      For new visitors, El Reg is a familiar, shorthand name used to refer to the online publication "The Register" which covers issues relating to Information Technology, regional foodstuffs and bodily functions.

      1. N2 Silver badge

        Re: El Reg (or the readership) really has changed

        Otherwise known as El Regizeera

      2. Robert Grant Silver badge

        Re: El Reg (or the readership) really has changed

        Renowned author Dan Brown would be proud.

    4. The Man Who Fell To Earth Silver badge
      FAIL

      Re: El Reg (or the readership) really has changed

      Anyone who knows how to write a technical document correctly knows you either expand every acronym the first time it is used, or you have an acronym table in the document. Anything less is incompetent technical writing. The goal in any type of professional writing is to be as unambiguous as possible so the document can be read & understood years later without the reader needing to know what fad long past you were were talking about. This is true for papers (I bounce a lot for this first round when I referee journal articles), technical documents (we send back before signoff a lot of new hires writing because they never learned to write properly in college), and news articles (if they have competent copy editors).

      Your comment makes me wonder if you know how to write properly commented code...

      1. Blazde

        Re: El Reg (or the readership) really has changed

        It should be true everywhere. My pet hate is people who talk about their obscure health conditions in acronym.

        "So... yea, I have TDH. Diagnosed about a year ago, so.. ya know"

        No, no I don't know! Without a single medically descriptive word I can't even begin to calibrate my sympathy. Are you dying or have you just been scammed by a quack over a made-up disease?

        1. GrumpenKraut Silver badge
          Pint

          Re: El Reg (or the readership) really has changed

          Now I am scratching my head over whether TDH is something you just made up or... Too Damned Healthy.

          Whatever, icon for the cure.

          1. Anonymous Coward
            Anonymous Coward

            Re: El Reg (or the readership) really has changed

            It's stands for "The Dick Hammer" an incurable disorder that whenever you meet someone called Richard you want to hit them with a hammer.

            1. Richard 12 Silver badge
              Angel

              Re: El Reg (or the readership) really has changed

              It's very common around these parts.

      2. Anonymous Coward
        Anonymous Coward

        " The goal in any type of professional writing is "

        Page views?

        In the later part of the 20th century, there were some people and organisations who cared about readability and appropriateness of the documents they produced.

        That was largely before TechNet and MSDN and a million and one unconnected and sometimes incompatible or even conflicting answers to the same questions in different sites across the Interweb.

        It was called progress.

        And then came DevoPS.

        "Your comment makes me wonder if you know how to write properly commented code..."

        Another 20th century concept, now barely recognised.

    5. alain williams Silver badge

      Re: El Reg (or the readership) really has changed

      Just listen to the news, you hear things like "Rishi Sunak, Chancellor of the Exchequer, said ...".

      Most Brits will (should) know who he is but they still remind - just in case.

      It irritates me slightly but I accept since not everyone does - especially listeners from other countries: El Reg equivalent of non techy readers.

      1. Richard 12 Silver badge

        Re: El Reg (or the readership) really has changed

        They have to say as Cabinet ministers change weekly

      2. herman Silver badge

        Re: El Reg (or the readership) really has changed

        Nevermind the Chancellor of Checkers - the last British PMs that I can remember were Wilson and Heath...

      3. vogon00

        Re: El Reg (or the readership) really has changed

        "Most Brits will (should) know who he is but they still"........ won't care.

      4. katrinab Silver badge
        Meh

        Re: El Reg (or the readership) really has changed

        To be honest, the only household name in the can8net is Boris Johnson, and maybe Jacob Rees Mogg. When I saw that Rishi Sunak had been appointed Chancellor, I didn’t know who he was.

      5. ThatOne Silver badge
        Joke

        Re: El Reg (or the readership) really has changed

        > Rishi Sunak, Chancellor of the Exchequer

        Well, not everyone is into chess, so it is helpful to specify what's special about that person... :-p

    6. FrogsAndChips Silver badge

      Re: El Reg (or the readership) really has changed

      I've not done much programming since my academic years, so to me GCC was still GNU C Compiler, and we used g++ for C++ compiling. I'm happy to have my knowledge updated.

  3. karlkarl Silver badge

    Some more info about the static analyser here: https://developers.redhat.com/blog/2020/03/26/static-analysis-in-gcc-10

    Impressive how it is already being used in large (overly) complex software like OpenSSL.

  4. sawatts

    Address sanitizer

    The current GCC (since 5.x?) include clang sanitizers - including the address sanitizer (ASAN) - which should catch these issues at runtime, usually when unit tests are invoked.

    You have comprehensive unit tests don't you? Of course you do...

    1. Richard 12 Silver badge

      Re: Address sanitizer

      Unit tests generally only find regressions.

      This kind of issue needs a fuzzer too.

  5. alain williams Silver badge

    Look at valgrind

    valgrind is an excellent tool that lets you find similar bugs.

    However: for valgrind to work you need to run the program and execute a code path that triggers the bug, not always easy. So static analysis is a great addition.

    1. GrumpenKraut Silver badge
      Thumb Up

      Re: Look at valgrind

      % type -a val

      val is an alias for valgrind --tool=memcheck --leak-check=full --show-reachable=yes --error-exitcode=1

      Repeat after me: valgrind is awe ... wait for it ... some!

    2. Def Silver badge

      Re: Look at valgrind

      <ShamelessPlug>

      The Oso Memory Profiler (one of my evenings-and-weekends side projects) can also help track down some memory-related errors.

      Out of the box it will flag memory leaks and double frees as errors, but with the ability to add custom attribute data to every memory event and write your own (simple) predicate functions that can use those attributes you can define your own conditions for what constitutes an error as far as memory allocation patterns are concerned.

      It's an intrusive profiler, so you will need to build the SDK into your application's memory manager (or if you don't have a memory manager (and why not?!) use the bundled new & delete operators if you're working in C++). The choice to make the profiler intrusive was decided a long time ago when I realised I wanted detailed information more than the same bland top-level overview most profilers provide.

      By a happy coincidence, I just so happened to release a new version this afternoon. :)

      More information and a free trial version can be found on my company's website: https://osocorporation.com/memoryprofiler/index.php

      Happy profiling. (And if profiling isn't your thing, have a few beers and a good weekend.) :)

      1. alain williams Silver badge

        Re: Look at valgrind

        When will you port this to Linux ?

        1. Def Silver badge

          Re: Look at valgrind

          The SDK should support clang under Linux today. (I haven't tested it on Linux directly, but it has been used on MacOS, iOS, and Android as well as Windows. Might support gcc too. YMMV. If you do encounter any problems, just give me a shout through the contact page on the website and I'll see what I can do to help out.)

          So as long as you have a Windows PC you can profile directly from Linux over TCP, or profile to a file and load it on Windows later. I have a friend at Facebook who says they'd be interested in using it too, but they want a Mac port. If I can port it to one other platform, the third will be more straight forward.

          It's something I'm slowly working towards doing, but obviously life and real work gets in the way far too often these days, it seems. The main profiler engine and support libraries are fully separated out from the UI already, so it's really just a question of getting those building under clang - partially done already - and finding a UI solution I'm happy with.

  6. Doctor Syntax Silver badge

    It helps, of course, if you understand the code it's checking. Remember the Debian SSL whoopsie?

    1. Anonymous Coward
      Anonymous Coward

      > Remember the Debian SSL whoopsie?

      Vaguely. I remember feeling a bit smug that I had already moved away from Debian at the time, precisely because of their habit of "improving" stuff downstream leading to truly unpleasant surprises.

      But I don't recall the specifics, no.

      1. Ozan

        That was Windows ME level of fuck-up.

        https://en.wikipedia.org/wiki/Debian#2008_OpenSSL_vulnerability

        Basically they added initial values to couple of values without understanding why they leftwithout initial values to shut up varlang warnings.

        I was on Slackware by then. Well I am still on Slackware.

        1. Anonymous Coward
          Anonymous Coward

          Thanks for jogging my memory. Indeed, there were a few lessons that could be learned from that one:

          1. Code checking tools are an aid, not an oracle. The point is not to silence the warnings but to understand why they are there.

          2. When doing something that other devs otherwise familiar with the subject domain may see as unusual or deviating from the norm, that's a good time to add a comment or two in your code.

          3. If working downstream, your patches should be limited to whatever non-core modifications are necessary for the thing to build and integrate with your system. Stay the fuck away from anything else, especially core code!

          Mine's OpenSuse but I ran an incredibly successful project on Slackware¹ and hold it in high regard.

          ¹ There is an interesting story of how Slackware got "chosen" for that project. On my way to the very remote project site it transpired that the CDs with the software hadn't actually made it there, so I headed for the airport's news stand and grabbed a few copies (for redundancy) of some foreign language computer magazine which came with a Slackware CD. There are times when improvisation is called for and this was one of them.

  7. STrRedWolf

    Optional

    If you ever read the OpenSSL Valhalla Rampage site, you'll see that OpenSSL's devs need all the help they can get.

    Detecting use-after-free at compile time is a welcome addition to GCC.

  8. John Smith 19 Gold badge
    Unhappy

    Just amazed it's taken this long.

    Really.

  9. Robert Carnegie Silver badge

    I believe OpenSSL was audited...

    Google handed me this: https://ostif.org/the-ostif-and-quarkslab-audit-of-openssl-is-complete/

    If I'm reading this right, they're saying that as of January 2019, OpenSSL 1.1.1 passed their "audit". Roll on version 1.1.1a.

    The new bug appears in versions 1.1.1d, e, and f, I think you said.

    Presumably, 1.1.1a, b, and c had limitations, as well.

    It is what it is. (If it is.)

    1. richardcox13

      Re: I believe OpenSSL was audited...

      It was.

      But neither an audit or extra compiler checks solve the halting problem.

      Because it is insoluble.

  10. Michael H.F. Wilkinson Silver badge
    Thumb Up

    Sounds very useful

    Any tool that can spot bugs early at limited cost is great. I wonder how it deals with the particularly complex situations that can occur multi-threaded code. We develop quite a bit of parallel and distributed code for image analysis, and whilst that can certainly add much needed speed, programs also crash much quicker, and debugging is much harder. Any additional tool to hunt bugs is very welcome.

  11. Mike 137 Silver badge

    Great to have a tool but...

    it's a shame (and indeed somewhat shaming) that 42 years after K&G published 'The C Programming Language' folks are still making these very basic mistakes. In the 80s we were taught to wrap the "hazardous" C library functions and include run time checks of pointers and dynamic memory allocation in our code as a matter of course.

    1. A random security guy Bronze badge

      Re: Great to have a tool but...

      I audit C code and I hear these mystifying commentS all the the time:

      1. “Once the code is tested we don’t need to have the checks in place.”

      2. “These parameters have been checked before. Yeah right“. Probably at a certain point in time.

      3. “Prove to me that this is a security issue.”

      4. “This code is complex because...”. Trust me, if I can’t read a snippet of code after 40 years of programming no one else should waste their time either.

      5. “Only Jack/Jill/Godfather can explain what this code does”.

      6. Please add a few more.

      Right now I am fighting a Program Manager who doesn’t believe her project needs to fix a Critical website vulnerability.

  12. UncleDavid

    But... But... Eric Raymond himself assured me thirty years ago that OSS meant there could be no more security flaws, because "with many eyes, all bugs are shallow". I'll just leave that there without riffing on the general concept of shallowness. He also didn't know the difference between DOS and NT. This was all at the same presentation. At Microsoft.

    1. Mike Shepherd
      Meh

      Many eyes

      "Many eyes" depends on source code written clearly enough that others will read it when there's nothing in it for them. Sadly, very little software (open source or not) rises above the level of "abysmal" in that respect, so most is examined only by the original author or by a few enthusiasts. Where OpenSSL lies in this, I'll leave others to judge.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020