Robert C. Seacord wrote:

> You are also right that the popularity of gcc is one of the reasons we
> decided to publish on this. If you identify other compilers that a) are
> relatively popular, b) have changed their behavior recently, and c)
> silently optimize out overflow checks we will consider publishing
> vulnerability notes for those compilers as well.

I have sent CERT information about two other popular optimizing
compilers which do this optimization. Those compilers may have done it
for longer than GCC, or not; I'm not sure. But, users of those
compilers are just as vulnerable.

The advisory suggests that people not use GCC. If you don't mention
that other compilers also do this, you may just prompt people to switch
from GCC to some other compiler that behaves in the same way.

The tone of the note also suggests that GCC is uniquely defective in
some way. The title of the note mentions GCC, and the overview suggests
that GCC is doing something wrong:

"Some versions of gcc may silently discard certain checks for overflow.
Applications compiled with these versions of gcc may be vulnerable to
buffer overflows."

Why not change the overview to something like:

"Some compilers (including, at least, GCC, PathScale, and xlc) optimize
away incorrectly coded checks for overflow. Applications containing
these incorrectly coded checks may be vulnerable if compiled with these
compilers."

?

--
Mark Mitchell
CodeSourcery
[EMAIL PROTECTED]
(650) 331-3385 x713