From: John-Mark Gurney
To: Lev Serebryakov
Cc: "freebsd-security@freebsd.org security", "Ronald F. Guilmette"
Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Date: Thu, 1 May 2014 09:11:42 -0700
Message-ID: <20140501161142.GL43976@funkthat.com>
In-Reply-To: <25986221.20140501115424@serebryakov.spb.ru>
References: <32377.1398460907@server1.tristatelogic.com> <25986221.20140501115424@serebryakov.spb.ru>

Lev Serebryakov wrote this message on Thu, May 01, 2014 at 11:54 +0400:
> Hello, Ronald.
> You wrote on 26 April 2014, 1:21:47:
>
> RFG> The (modified/quieted) code example under discussion is as follows:
> RFG>     variable = value0; /* initialization */
> RFG>     if (condition) variable = value1;
> RFG>     if (!condition) variable = value2;
> RFG>     use (variable);
>
> RFG> Please note that variable *is* *always* set to some value (either value1
> RFG> or value2) after initialization. The "error condition" that you seem
> RFG> concerned about having explicitly flagged does not in fact exist in the
> RFG> example code snippet under discussion.
>
> I have only one question: which memory model do you have in mind when you
> make this statement?

I assume he's talking about the abstract machine as defined in the C
standard, like C99... which implies single threaded execution...

> Please note that now you could hardly find a single-core/single-threaded CPU
> (even current ARMs are multi-core now), and the only two non-functional
> languages with a formally specified memory model I know of are C++11 and Java.
> I believe Ada should have a well-defined memory model, but I know next to
> nothing about Ada.
>
> I could easily write code like that shown above in Java which leaves "variable"
> with value0 up to the line with "use()", and it will not be a bug in the JVM but
> a bug in the code: everything depends on the variables which are used in
> "condition" and on "variable" itself. Yes, it is not possible (in Java!) when
> everything is arguments to the method or local (on the stack), but as long as I
> don't know YOUR memory model and that YOUR compiler and execution environment
> implement this model PROPERLY, I cannot be sure that even "localness" of data
> helps.
>
> And please note that different CPUs have very different memory models (even
> now, when Alpha is long dead), and as C is a very down-to-hardware language
> and the C standard doesn't have any real memory model described, it is very
> hard to reason about this C code, if it is C.

You can properly reason about this code.. Per the C standard (5.1.2.3 para 2&3):

    Accessing a volatile object, modifying an object, modifying a file, or
    calling a function that does any of those operations are all side
    effects,11) which are changes in the state of the execution environment.
    Evaluation of an expression may produce side effects. At certain
    specified points in the execution sequence called sequence points, all
    side effects of previous evaluations shall be complete and no side
    effects of subsequent evaluations shall have taken place. (A summary of
    the sequence points is given in annex C.)

    In the abstract machine, all expressions are evaluated as specified by
    the semantics. An actual implementation need not evaluate part of an
    expression if it can deduce that its value is not used and that no
    needed side effects are produced (including any caused by calling a
    function or accessing a volatile object).

It is up to the compiler to ensure that the abstract machine is properly
translated to the CPU and memory model of said CPU...

So, as long as condition is an object that is not volatile (or accessed
through volatile pointers), its state cannot change, and therefore it is
equivalent to if/else, though the definition of condition was left out,
making this hard to decide, but considering the original discussion, we
should make that assumption...

-- 
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
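Added example, not part of the list thread: the quoted pattern in two forms, showing why the reply's if/else equivalence holds only while `condition` is a stable, non-volatile object. The callback-driven condition is a constructed stand-in for a value that changes between the two tests (a volatile object or another thread would have the same effect); all function names are this example's own.

```c
#include <stdio.h>
/* Values from the quoted snippet; VALUE0 is the initializer that the
 * poster argues can never survive to use(). */
enum { VALUE0 = 0, VALUE1 = 1, VALUE2 = 2 };

/* Case 1: condition is an ordinary non-volatile object.  Nothing between
 * the two 'if's can modify it, so the pair behaves as if/else and the
 * result is never VALUE0 (the reply's argument). */
int select_stable(int condition)
{
    int variable = VALUE0;          /* initialization */
    if (condition)  variable = VALUE1;
    if (!condition) variable = VALUE2;
    return variable;                /* use(variable) */
}

/* Case 2: the condition is re-evaluated for each 'if' and can change in
 * between (modelled here with a callback).  Now both tests can fail and
 * VALUE0 reaches use(). */
int select_reevaluated(int (*condition)(void *ctx), void *ctx)
{
    int variable = VALUE0;
    if (condition(ctx))  variable = VALUE1;
    if (!condition(ctx)) variable = VALUE2;
    return variable;
}

/* Constructed condition that flips on every evaluation. */
static int toggling_condition(void *ctx)
{
    int *state = ctx;
    *state = !*state;
    return *state;
}

/* Starts true, so the first read yields 0 and the second yields 1:
 * neither assignment runs and the initializer leaks through. */
int demo_toggling_leak(void)
{
    int state = 1;
    return select_reevaluated(toggling_condition, &state);
}

int main(void)
{
    printf("stable: %d %d\n", select_stable(1), select_stable(0)); /* 1 2 */
    printf("toggling: %d\n", demo_toggling_leak());                /* 0 */
    return 0;
}
```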