GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps

A static analysis feature set to appear in GCC 10, which will catch common programming errors that can lead to security vulnerabilities, has scored an early win – it snared an exploitable flaw in OpenSSL. Bernd Edlinger discovered CVE-2020-1967, a denial-of-service flaw deemed to be a high severity risk by the OpenSSL team. It …

  1. bombastic bob Silver badge
    Devil

    llvm already had it - thought so

    I remember seeing something uncovered in a kernel module by a new feature in llvm nearly a year ago. I forget exactly what it was, [it was an nvidia driver module compiled for FreeBSD] but it spat out some warnings I hadn't seen before. The updated version didn't have those warnings, though. But the older compiler didn't show those warnings, so I guess it was added last year some time.

    Yeah, it's all good. I should add this flag to my own stuff, check for it in the configure script.

  2. Steve Crook

    El Reg (or the readership) really has changed

    > GCC is the GNU Compiler Collection, a free software suite of tools that compile source code written in C, C++, and other languages, into applications and other executables.

    When did article authors start to think the readership wouldn't know this?

    1. Graham Cunningham

      Re: El Reg (or the readership) really has changed

      I have no problem with acronyms being explained, even if I already know them. Unexplained acronyms needlessly put up barriers to visiting readers who may be new to the subject matter.

      1. bombastic bob Silver badge
        Devil

        Re: El Reg (or the readership) really has changed

        "I have no problem with acronyms being explained, even if I already know them."

        ack, but there are always those who *FEEL* as if an explanation is "beneath them" or insulting. Sometimes, to preclude that with hyper-snowflake types, you can include a funny joke like "Captain Obvious knows ..."

        Or whatever. Yeah, I hate that TOO. Happens a lot. People who get bent out o' shape seeing an explanation are snobby snowflakes. 'Nuff on that, yeah.

        (making readership into an "exclusive club" where ONLY THE INSIDERS UNDERSTAND THINGS is NEVER a good thing, and I bet n00bs are CONSTANTLY being added to the readership)

    2. diodesign (Written by Reg staff) Silver badge

      Re: El Reg (or the readership) really has changed

      As our readership expands - and it has done lately - we have developers (and non-developers) following us with a wide range of ability. Some know C/C++. Some know JavaScript and Python. Some have never touched GCC and are pure Windows developers.

      I edited that sentence in to throw a bone to those thinking, 'wtf is GCC 10'. Sometimes people need their memory jogged. Articles that are focused on specific tools, like Docker or Powershell, don't need reminders like this. Articles that have a potential wide appeal may have a line or two explaining the toolchains involved.

      If I don't put these in, I get accused of alienating potential new readers. If I do put them in, I get accused of dumbing down the site.

      We don't think you're dumb. But I don't want to assume everyone knows what GCC is.

      C.

      1. Mike Shepherd
        Meh

        Re: El Reg (or the readership) really has changed

        Oh, let's have more, not fewer, explanations. No real expert will be insulted by seeing his familiar jargon explained to others. It will annoy only those who fear that their mystique will be punctured. I've used GCC, but am not an expert in it, because most of my work is elsewhere. Do I feel embarrassed by this? I do not. I worked in what's now called IT when most GCC users were still soiling their pants, so their attempts to impress me with an array of acronyms will likely fall flat.

        IT is now a vast field. Those who believe their recondite portion is the whole need to get out more.

        1. John H Woods Silver badge

          Re: their recondite portion

          Hold on, is this the bit that belongs to a German techno artist?

          Now that's recondite knowledge. Twice.

        2. eldakka

          Re: El Reg (or the readership) really has changed

          No real expert will be insulted by seeing his familiar jargon explained to others.

          The other advantage it has is it explicitly puts everyone on the same page. Maybe some person thought GCC stood for something else, Global Cat Catastrophe or something.

          The problem with jargon is that the same phrase or acronym could mean different things to different professions. Not to mention "casual" usage v. technically correct usage, e.g. "sounds good in theory" vs "Theory of ... says ... ".

      2. Anonymous Coward
        Anonymous Coward

        Re: El Reg (or the readership) really has changed

        > But I don't want to assume everyone knows what GCC is.

        Although Mr Crook's comment came across as a bit snarky, I admit to thinking that this article did not flow as nicely as it could have; maybe that's what bothered the other reader?

        That said, I am a big fan of the Economist's style rule by which they describe the nature of every business / entity they mention ("Boeing, an aerospace company…") so it's a welcome approach, in particular as it stands the test of time ("Pan-Am, an airline…")

        1. nijam Silver badge

          Re: El Reg (or the readership) really has changed

          > Boeing, an aerospace company…

          Are they still?

      3. Irongut

        Re: El Reg (or the readership) really has changed

        > Some have never touched GCC and are pure Windows developers.

        Just because I develop for Windows doesn't mean I don't know what GCC is or that I've never used it. Even 20 years ago when I worked purely in Delphi I knew what GCC was.

        Not that I have any issue with you explaining acronyms, I wish more sites would do so, but I do have an issue with you assuming Windows devs don't know about anything else.

      4. bombastic bob Silver badge
        Thumb Up

        Re: El Reg (or the readership) really has changed

        "We don't think you're dumb. But I don't want to assume everyone knows what GCC is."

        see icon

      5. Steve Crook

        Re: El Reg (or the readership) really has changed

        I've been reading this particular red-top since at least 2007 when I posted my first comment, and it just seemed to highlight the changes there have been both at El Reg and in the base of the readership. It was intended to be an observation, *not* a criticism. But I could have phrased it better to minimise the whiff of snark.

        As you say, the IT business has shifted, technologies have moved and, naturally, El Reg has moved with them because what floats the readership's boat has also changed. So there *was* a time when GCC would have been assumed knowledge, now it'll be other stuff.

        Nothing wrong with that. Evolve or die.

    3. Warm Braw

      Re: El Reg (or the readership) really has changed

      For new visitors, El Reg is a familiar, shorthand name used to refer to the online publication "The Register" which covers issues relating to Information Technology, regional foodstuffs and bodily functions.

      1. N2

        Re: El Reg (or the readership) really has changed

        Otherwise known as El Regizeera

      2. Robert Grant

        Re: El Reg (or the readership) really has changed

        Renowned author Dan Brown would be proud.

    4. The Man Who Fell To Earth Silver badge
      FAIL

      Re: El Reg (or the readership) really has changed

      Anyone who knows how to write a technical document correctly knows you either expand every acronym the first time it is used, or you have an acronym table in the document. Anything less is incompetent technical writing. The goal in any type of professional writing is to be as unambiguous as possible so the document can be read & understood years later without the reader needing to know what fad long past you were talking about. This is true for papers (I bounce a lot for this first round when I referee journal articles), technical documents (we send back before signoff a lot of new hires' writing because they never learned to write properly in college), and news articles (if they have competent copy editors).

      Your comment makes me wonder if you know how to write properly commented code...

      1. Blazde Silver badge

        Re: El Reg (or the readership) really has changed

        It should be true everywhere. My pet hate is people who talk about their obscure health conditions in acronym.

        "So... yea, I have TDH. Diagnosed about a year ago, so.. ya know"

        No, no I don't know! Without a single medically descriptive word I can't even begin to calibrate my sympathy. Are you dying or have you just been scammed by a quack over a made-up disease?

        1. GrumpenKraut
          Pint

          Re: El Reg (or the readership) really has changed

          Now I am scratching my head over whether TDH is something you just made up or... Too Damned Healthy.

          Whatever, icon for the cure.

          1. Anonymous Coward
            Anonymous Coward

            Re: El Reg (or the readership) really has changed

            It stands for "The Dick Hammer", an incurable disorder whereby whenever you meet someone called Richard you want to hit them with a hammer.

            1. Richard 12 Silver badge
              Angel

              Re: El Reg (or the readership) really has changed

              It's very common around these parts.

      2. Anonymous Coward
        Anonymous Coward

        " The goal in any type of professional writing is "

        Page views?

        In the later part of the 20th century, there were some people and organisations who cared about readability and appropriateness of the documents they produced.

        That was largely before TechNet and MSDN and a million and one unconnected and sometimes incompatible or even conflicting answers to the same questions in different sites across the Interweb.

        It was called progress.

        And then came DevoPS.

        "Your comment makes me wonder if you know how to write properly commented code..."

        Another 20th century concept, now barely recognised.

    5. alain williams Silver badge

      Re: El Reg (or the readership) really has changed

      Just listen to the news, you hear things like "Rishi Sunak, Chancellor of the Exchequer, said ...".

      Most Brits will (should) know who he is but they still remind - just in case.

      It irritates me slightly but I accept since not everyone does - especially listeners from other countries: El Reg equivalent of non techy readers.

      1. Richard 12 Silver badge

        Re: El Reg (or the readership) really has changed

        They have to say as Cabinet ministers change weekly

      2. herman

        Re: El Reg (or the readership) really has changed

        Never mind the Chancellor of Checkers - the last British PMs that I can remember were Wilson and Heath...

      3. vogon00

        Re: El Reg (or the readership) really has changed

        "Most Brits will (should) know who he is but they still"........ won't care.

      4. katrinab Silver badge
        Meh

        Re: El Reg (or the readership) really has changed

        To be honest, the only household name in the cabinet is Boris Johnson, and maybe Jacob Rees Mogg. When I saw that Rishi Sunak had been appointed Chancellor, I didn't know who he was.

      5. ThatOne Silver badge
        Joke

        Re: El Reg (or the readership) really has changed

        > Rishi Sunak, Chancellor of the Exchequer

        Well, not everyone is into chess, so it is helpful to specify what's special about that person... :-p

    6. FrogsAndChips Silver badge

      Re: El Reg (or the readership) really has changed

      I've not done much programming since my academic years, so to me GCC was still GNU C Compiler, and we used g++ for C++ compiling. I'm happy to have my knowledge updated.

  3. karlkarl Silver badge

    Some more info about the static analyser here: https://developers.redhat.com/blog/2020/03/26/static-analysis-in-gcc-10

    Impressive how it is already being used in large (overly) complex software like OpenSSL.

  4. sawatts

    Address sanitizer

    The current GCC (since 5.x?) includes clang sanitizers - including the address sanitizer (ASAN) - which should catch these issues at runtime, usually when unit tests are invoked.

    You have comprehensive unit tests don't you? Of course you do...

    1. Richard 12 Silver badge

      Re: Address sanitizer

      Unit tests generally only find regressions.

      This kind of issue needs a fuzzer too.

  5. alain williams Silver badge

    Look at valgrind

    valgrind is an excellent tool that lets you find similar bugs.

    However: for valgrind to work you need to run the program and execute a code path that triggers the bug, not always easy. So static analysis is a great addition.

    1. GrumpenKraut
      Thumb Up

      Re: Look at valgrind

      % type -a val

      val is an alias for valgrind --tool=memcheck --leak-check=full --show-reachable=yes --error-exitcode=1

      Repeat after me: valgrind is awe ... wait for it ... some!

    2. Anonymous Coward
      Anonymous Coward

      Re: Look at valgrind

      <ShamelessPlug>

      The Oso Memory Profiler (one of my evenings-and-weekends side projects) can also help track down some memory-related errors.

      Out of the box it will flag memory leaks and double frees as errors, but with the ability to add custom attribute data to every memory event and write your own (simple) predicate functions that can use those attributes you can define your own conditions for what constitutes an error as far as memory allocation patterns are concerned.

      It's an intrusive profiler, so you will need to build the SDK into your application's memory manager (or if you don't have a memory manager (and why not?!) use the bundled new & delete operators if you're working in C++). The choice to make the profiler intrusive was decided a long time ago when I realised I wanted detailed information more than the same bland top-level overview most profilers provide.

      By a happy coincidence, I just so happened to release a new version this afternoon. :)

      More information and a free trial version can be found on my company's website: https://osocorporation.com/memoryprofiler/index.php

      Happy profiling. (And if profiling isn't your thing, have a few beers and a good weekend.) :)

      1. alain williams Silver badge

        Re: Look at valgrind

        When will you port this to Linux ?

        1. Anonymous Coward
          Anonymous Coward

          Re: Look at valgrind

          The SDK should support clang under Linux today. (I haven't tested it on Linux directly, but it has been used on MacOS, iOS, and Android as well as Windows. Might support gcc too. YMMV. If you do encounter any problems, just give me a shout through the contact page on the website and I'll see what I can do to help out.)

          So as long as you have a Windows PC you can profile directly from Linux over TCP, or profile to a file and load it on Windows later. I have a friend at Facebook who says they'd be interested in using it too, but they want a Mac port. If I can port it to one other platform, the third will be more straightforward.

          It's something I'm slowly working towards doing, but obviously life and real work get in the way far too often these days, it seems. The main profiler engine and support libraries are fully separated out from the UI already, so it's really just a question of getting those building under clang - partially done already - and finding a UI solution I'm happy with.

  6. Doctor Syntax Silver badge

    It helps, of course, if you understand the code it's checking. Remember the Debian SSL whoopsie?

    1. Anonymous Coward
      Anonymous Coward

      > Remember the Debian SSL whoopsie?

      Vaguely. I remember feeling a bit smug that I had already moved away from Debian at the time, precisely because of their habit of "improving" stuff downstream leading to truly unpleasant surprises.

      But I don't recall the specifics, no.

      1. Ozan

        That was Windows ME level of fuck-up.

        https://en.wikipedia.org/wiki/Debian#2008_OpenSSL_vulnerability

        Basically they added initial values to a couple of values, without understanding why they were left without initial values, to shut up valgrind warnings.

        I was on Slackware by then. Well I am still on Slackware.

        1. Anonymous Coward
          Anonymous Coward

          Thanks for jogging my memory. Indeed, there were a few lessons that could be learned from that one:

          1. Code checking tools are an aid, not an oracle. The point is not to silence the warnings but to understand why they are there.

          2. When doing something that other devs otherwise familiar with the subject domain may see as unusual or deviating from the norm, that's a good time to add a comment or two in your code.

          3. If working downstream, your patches should be limited to whatever non-core modifications are necessary for the thing to build and integrate with your system. Stay the fuck away from anything else, especially core code!

          Mine's OpenSuse but I ran an incredibly successful project on Slackware¹ and hold it in high regard.

          ¹ There is an interesting story of how Slackware got "chosen" for that project. On my way to the very remote project site it transpired that the CDs with the software hadn't actually made it there, so I headed for the airport's news stand and grabbed a few copies (for redundancy) of some foreign language computer magazine which came with a Slackware CD. There are times when improvisation is called for and this was one of them.

  7. STrRedWolf

    Optional

    If you ever read the OpenSSL Valhalla Rampage site, you'll see that OpenSSL's devs need all the help they can get.

    Detecting use-after-free at compile time is a welcome addition to GCC.
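A use-after-free of the kind GCC 10's static analyser reports at compile time, shown beside the corrected version, as an added example that is not from the article or from any commenter above; the `message` type, its fields and the function names are constructed for illustration.

```c
/* Added example, not from the article or the thread. Build with
 *   gcc -fanalyzer -Wall uaf_demo.c
 * and GCC 10+ reports the buggy function via -Wanalyzer-use-after-free
 * without the code ever running. The "message" type and all names here
 * are constructed for illustration. */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

struct message {
    size_t len;
    char  *payload;
};

static struct message *message_new(const char *text)
{
    struct message *m = malloc(sizeof *m);
    if (m == NULL)
        return NULL;
    m->len = strlen(text);
    m->payload = malloc(m->len + 1);
    if (m->payload == NULL) {
        free(m);
        return NULL;
    }
    memcpy(m->payload, text, m->len + 1);
    return m;
}

/* BUGGY: releases the message, then reads m->len through the dangling
 * pointer. This is the pattern the analyser flags at compile time; it is
 * deliberately never called below, because executing it is undefined
 * behaviour and a runtime tool only sees it if a test reaches it. */
size_t consume_length_buggy(struct message *m)
{
    free(m->payload);
    free(m);
    return m->len;          /* use after free */
}

/* FIXED: copy the value out before releasing the storage. */
size_t consume_length_fixed(struct message *m)
{
    size_t len = m->len;
    free(m->payload);
    free(m);
    return len;
}

/* Convenience wrapper used by main and by the checks below. */
size_t length_of(const char *text)
{
    struct message *m = message_new(text);
    if (m == NULL)
        return (size_t)-1;
    return consume_length_fixed(m);
}

int main(void)
{
    return length_of("hello") == 5 ? 0 : 1;
}
```

ASAN (`-fsanitize=address`) or valgrind would only report the buggy function if some test actually called it, which is the gap the compile-time check closes.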

  8. John Smith 19 Gold badge
    Unhappy

    Just amazed it's taken this long.

    Really.

  9. Robert Carnegie Silver badge

    I believe OpenSSL was audited...

    Google handed me this: https://ostif.org/the-ostif-and-quarkslab-audit-of-openssl-is-complete/

    If I'm reading this right, they're saying that as of January 2019, OpenSSL 1.1.1 passed their "audit". Roll on version 1.1.1a.

    The new bug appears in versions 1.1.1d, e, and f, I think you said.

    Presumably, 1.1.1a, b, and c had limitations, as well.

    It is what it is. (If it is.)

    1. richardcox13

      Re: I believe OpenSSL was audited...

      It was.

      But neither an audit nor extra compiler checks solve the halting problem.

      Because it is insoluble.

  10. Michael H.F. Wilkinson Silver badge
    Thumb Up

    Sounds very useful

    Any tool that can spot bugs early at limited cost is great. I wonder how it deals with the particularly complex situations that can occur in multi-threaded code. We develop quite a bit of parallel and distributed code for image analysis, and whilst that can certainly add much needed speed, programs also crash much quicker, and debugging is much harder. Any additional tool to hunt bugs is very welcome.

  11. Mike 137 Silver badge

    Great to have a tool but...

    it's a shame (and indeed somewhat shaming) that 42 years after K&G published 'The C Programming Language' folks are still making these very basic mistakes. In the 80s we were taught to wrap the "hazardous" C library functions and include run time checks of pointers and dynamic memory allocation in our code as a matter of course.

    1. A random security guy

      Re: Great to have a tool but...

      I audit C code and I hear these mystifying comments all the time:

      1. “Once the code is tested we don’t need to have the checks in place.”

      2. “These parameters have been checked before. Yeah right“. Probably at a certain point in time.

      3. “Prove to me that this is a security issue.”

      4. “This code is complex because...”. Trust me, if I can’t read a snippet of code after 40 years of programming no one else should waste their time either.

      5. “Only Jack/Jill/Godfather can explain what this code does”.

      6. Please add a few more.

      Right now I am fighting a Program Manager who doesn’t believe her project needs to fix a Critical website vulnerability.

  12. UncleDavid

    But... But... Eric Raymond himself assured me thirty years ago that OSS meant there could be no more security flaws, because "with many eyes, all bugs are shallow". I'll just leave that there without riffing on the general concept of shallowness. He also didn't know the difference between DOS and NT. This was all at the same presentation. At Microsoft.

    1. Mike Shepherd
      Meh

      Many eyes

      "Many eyes" depends on source code written clearly enough that others will read it when there's nothing in it for them. Sadly, very little software (open source or not) rises above the level of "abysmal" in that respect, so most is examined only by the original author or by a few enthusiasts. Where OpenSSL lies in this, I'll leave others to judge.
