Mailinglist Archive: opensuse (1470 mails)

< Previous Next >
Re: [opensuse] Now what? Glibc bug, vulnerability
  • From: Greg Freemyer <greg.freemyer@xxxxxxxxx>
  • Date: Wed, 17 Feb 2016 15:52:50 -0500
  • Message-id: <CAGpXXZKF=m7stCTMsxOEUnYhn25QKtWA-zoy=GXG8pauAAA9Xw@mail.gmail.com>
On Wed, Feb 17, 2016 at 3:41 PM, Carlos E. R.
<robin.listas@xxxxxxxxxxxxxx> wrote:
On 02/17/2016 06:22 PM, Christopher Myers wrote:

Pardon my ignorance on this, but is there any way to harden the language
itself so that it's less prone to issues like this?


Not really.

C is close to assembler on steroids. It is fast and powerful because of
that. If you write to a variable beyond the end of the variable, that's your
sole fault as programmer. The language will not check, can not check, by
design. You, the programmer, are the master and you know what you do. If you
don't... disaster.

I have worked with languages that did range checks at compile and at run
time. Many programmers disabled the runtime checks because they made the
code slower.

I'm not the c expert I was 20 years ago, but I think you should add
static code checkers to your list of potential solutions. Coverty has
been scanning the linux kernel and other open source projects for
years and sending out warnings/patches when they find issues.

http://www.coverity.com/products/code-advisor/
http://www.coverity.com/press-releases/coverity-scan-2010-report-reveals-high-risk-software-flaws-in-android/

Others can speak to the effectiveness / coverage of their solution,
but I don't think it should be ignored.

Greg
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups