On Wed, 2025-03-12 at 15:05 +0000, Yao Shuangjie wrote: > We are cybersecurity researchers from the Hong Kong University of > Science and Technology. We found several security violations of > undefined behaviors in GNU make 4.4.1 using our novel symbolic > execution technique several months ago. The details are shown below.
Thanks for your work. However, I don't think you're correct in your statement above. In C, unsigned integer overflow is NOT undefined behavior; in fact it's very well defined and specified by the standard and has been essentially forever. This is also not a security violation: this function is generating a hash value to use as a key (not an index) into an open hash table, and as such we don't really care if the value overflows. We only care that it is stable (that is, given the same inputs it should always yield the same hashed value). Cheers!
