Message-ID: <559E8743.2040203@openwall.com>
Date: Thu, 09 Jul 2015 17:37:55 +0300
From: Alexander Cherepanov <ch3root@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: How serious is undefined behavior?

On 2015-07-06 19:17, Hanno Böck wrote:
> Would people think it's a wise idea to put a lot of effort into testing
> applications with ubsan enabled and reporting all the bugs that pop up?

I think the situation is the same as with other bugs -- it depends on
the project. I would report them if the application in question is in a
good shape. Otherwise I would start with crashes.

My experience in fuzzing binutils[1] and elfutils[2] with ubsan was
quite positive. It was easy to integrate it into my workflow and all
reported issues were promptly fixed by the maintainers.

[1] reports with ubsan start at
https://sourceware.org/bugzilla/show_bug.cgi?id=17512#c196
https://sourceware.org/bugzilla/show_bug.cgi?id=17531#c82

[2] reports with ubsan start at
https://bugzilla.redhat.com/show_bug.cgi?id=1170810#c29

--
Alexander Cherepanov