From owner-freebsd-security@FreeBSD.ORG Thu Apr 24 18:11:47 2014
Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
From: Charles Swiger
Date: Thu, 24 Apr 2014 11:11:45 -0700
To: Ben Laurie, Erik Cederstrand
Cc: "freebsd-security@freebsd.org security"
References: <10999.1398215531@server1.tristatelogic.com> <50CA7E78-BB5E-4872-A272-B7374627EC12@cederstrand.dk>
List-Id: "Security issues [members-only posting]"

Hi--

On Apr 24, 2014, at 3:58 AM, Ben Laurie wrote:
[ ... ]
>> It's worth noting that even if you believe that (e.g.) the clang static
>> analyzer isn't properly doing liveness analysis and misjudging whether
>> there's a dead assignment (writing to a variable which is never read),
>> the clang compiler will be using the same analysis when doing dead-code
>> elimination and common-subexpression elimination and such while
>> optimizing.
>
> I think this is not true.
> I could be wrong, but I've actually worked
> on clang static analysis and I think it is an entirely separate
> system. Certainly there's no guarantee that a static analysis result
> will be reflected in the output of the compiler.

You appear to be disagreeing with something which was almost-- but not
quite-- what I said. :-)

scan-build invokes a wrapper called ccc-analyzer (for C code; c++-analyzer
for C++), which they interpose around the compiler such as clang or even gcc.
The docs are informative:

    --use-cc=[compiler path]

      scan-build analyzes a project by interposing a "fake compiler", which
      executes a real compiler for compilation and the static analyzer for
      analysis. Because of the current implementation of interposition,
      scan-build does not know what compiler your project normally uses.
      Instead, it simply overrides the CC environment variable, and guesses
      your default compiler.

      In the future, this interposition mechanism is to be improved, but if
      you need scan-build to use a specific compiler for *compilation* then
      you can use this option to specify a path to that compiler.

    --use-analyzer [Xcode|path to clang]
    --use-analyzer=[Xcode|path to clang]

      scan-build uses the 'clang' executable relative to itself for static
      analysis. One can override this behavior with this option by using the
      'clang' packaged with Xcode (on OS X) or from the PATH.

...and to pick a specific example from the end of the openssl-1.0.1g
build+scan:

    ~/WorkAreas/llvm/tools/clang/tools/scan-build/ccc-analyzer -DMONOLITH -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -c -o engine.o engine.c
    engine.c:114:3: warning: Value stored to 'l' is never read
      l += 2; /* ", " */
      ^    ~
    1 warning generated.

That's from clang.
You can get the same output by invoking clang directly as:

    clang -DMONOLITH -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -Wall --analyze -c -o engine.o engine.c
    engine.c:114:3: warning: Value stored to 'l' is never read
      l += 2; /* ", " */
      ^    ~
    1 warning generated.

If you check the file, openssl-1.0.1g/apps/engine.c around line 114, you'll
see it was quite right:

    /* headers behind strlen(), OPENSSL_malloc()/OPENSSL_realloc() and BUF_strlcat() */
    #include <string.h>
    #include <openssl/crypto.h>
    #include <openssl/buffer.h>

    static int append_buf(char **buf, const char *s, int *size, int step)
    {
        int l = strlen(s);

        if (*buf == NULL) {
            *size = step;
            *buf = OPENSSL_malloc(*size);
            if (*buf == NULL)
                return 0;
            **buf = '\0';
        }

        if (**buf != '\0')
            l += 2;         /* ", " */  /* line 114: the value stored here is never read */

        /* the size check below ignores 'l', so the 2-byte separator is not counted */
        if (strlen(*buf) + strlen(s) >= (unsigned int)*size) {
            *size += step;
            *buf = OPENSSL_realloc(*buf, *size);
        }
        if (*buf == NULL)
            return 0;

        if (**buf != '\0')
            BUF_strlcat(*buf, ", ", *size);
        BUF_strlcat(*buf, s, *size);

        return 1;
    }

Ewww.

Regards,
-- 
-Chuck
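A stand-alone re-creation of the pattern discussed above, added here as an example (it is not code from the thread or from OpenSSL): the same append routine with the dead store, beside a variant that actually uses 'l' in the growth check. It assumes a local my_strlcat() standing in for BUF_strlcat, and shows that with the dead store the separator is not counted, so the bounded concatenation silently truncates rather than overflowing.

```c
/* Added example, not OpenSSL's code. my_strlcat mimics BUF_strlcat: bounded,
 * always NUL-terminates, returns the length it tried to build. */
#include <stdlib.h>
#include <string.h>

static size_t my_strlcat(char *dst, const char *src, size_t size)
{
    size_t dl = strlen(dst), sl = strlen(src);
    if (dl >= size)
        return dl + sl;
    size_t room = size - dl - 1;            /* bytes left for src, minus NUL */
    size_t n = sl < room ? sl : room;
    memcpy(dst + dl, src, n);
    dst[dl + n] = '\0';
    return dl + sl;
}

/* use_l == 0 reproduces the posted logic: 'l' is computed, then ignored, so the
 * growth check forgets the ", " separator. use_l == 1 counts it. */
static int append_buf(char **buf, const char *s, int *size, int step, int use_l)
{
    int l = (int)strlen(s);
    if (*buf == NULL) {
        *size = step;
        *buf = malloc((size_t)*size);
        if (*buf == NULL)
            return 0;
        **buf = '\0';
    }
    if (**buf != '\0')
        l += 2;                             /* ", " */
    size_t needed = strlen(*buf) + (use_l ? (size_t)l : strlen(s));
    if (needed >= (unsigned int)*size) {    /* need room for NUL too */
        *size += step;
        char *nb = realloc(*buf, (size_t)*size);
        if (nb == NULL)
            return 0;
        *buf = nb;
    }
    if (**buf != '\0')
        my_strlcat(*buf, ", ", (size_t)*size);
    my_strlcat(*buf, s, (size_t)*size);
    return 1;
}

/* Constructed input: join "ab" and "cdef" with step 8; caller frees result. */
char *join_example(int use_l)
{
    char *buf = NULL;
    int size = 0;
    append_buf(&buf, "ab", &size, 8, use_l);
    append_buf(&buf, "cdef", &size, 8, use_l);
    return buf;
}
```

With the dead store the 8-byte buffer holds "ab" + ", " + "cdef" only as "ab, cde"; counting 'l' triggers the realloc and the full "ab, cdef" survives.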