Two among the bugs uncovered by CHERI (the mcel bug [1] and the xgettext bug
[2]) could be found
- by CHERI, or
- by "gcc -fsanitize=address", or
- by "clang -fsanitize=address",
but not by valgrind.
This raises the question: Should we better use CHERI for general pre-release
testing, or the address sanitizers?
The answer is in [3], page 4, table III: CHERI does not detect use-after-free
and stack-use-after-return bugs ("temporal memory safety").
Because of this, I'll be using address sanitizers, not CHERI, for the next
foreseeable time.
Find a writeup at [4].
Although running a desktop where everything, from the kernel to the web browser,
has CHERI-enabled pointer validation would be cool from the security point of
view. But that's a different goal than searching for bugs in a particular
package...
Bruno
[1] https://lists.gnu.org/archive/html/bug-gnulib/2023-11/msg00034.html
[2] https://lists.gnu.org/archive/html/bug-gnulib/2023-11/msg00109.html
[3]
https://www.techrxiv.org/articles/preprint/Towards_a_Hybrid_Approach_to_Protect_Against_Memory_Safety_Vulnerabilities/14680185
[4] https://gitlab.com/ghwiki/gnow-how/-/wikis/Finding_memory_bugs
