[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #12418 [Applications/Tor Browser]: TBBs with UBSan create lots of errors when running



#12418: TBBs with UBSan create lots of errors when running
------------------------------------------------+--------------------------
 Reporter:  gk                                  |          Owner:  tbb-team
     Type:  defect                              |         Status:  assigned
 Priority:  Medium                              |      Milestone:
Component:  Applications/Tor Browser            |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201709  |  Actual Points:
Parent ID:                                      |         Points:
 Reviewer:                                      |        Sponsor:
------------------------------------------------+--------------------------

Comment (by cypherpunks):

 Replying to [comment:13 tom]:
 > What do you mean by "amount of UBSAN"?  There are some checks that
 should have basically no false-positives (like pointer overflow) - those
 should be feasible for whole-browser I think.

 Amount of UB (undefined behavior), not amount of UBSAN. And yes, some
 checks seem to very compatible with many programs (`-fsanitize=object-
 size` for example). Those should be the first tested, though instrumenting
 the image decoders as thoroughly as possible should be high priority.

 Just a side-note, but `-ftrapv` and friends interfere with `-fsanitize
 =signed-integer-overflow`, such that the former disables the latter, even
 though it is easier to bypass. They should never be combined.

 > Instrumenting components with more verbose tests (like int overflows) is
 definitely valuable though!
 >
 > Mind you, Mozilla's not going to ship Firefox with UBSAN enabled, we'll
 just run tests with it to catch issues. Maybe Tor would ship something
 with UBSAN (??) but maybe not since I don't think you can enable both ASAN
 and UBSAN.

 You can enable both ASAN and UBSAN, but ASAN is not intended for use in
 production systems for security as the complex runtime can introduce
 vulnerabilities, and it's quite easy to bypass anyway considering it's
 looking for unintentional bugs that aren't trying to be stealthy. UBSAN on
 the other hand is fine for production use.

 > Well, It's a big org, we're not all bad ;)  But I hear you loud and
 clear. My main point was not "Try and get Mozilla to take your patches"
 but rather "You can almost certainly make use of Mozilla's infrastructure
 to do experimental runs and examine the output."  For example, you could
 queue up 10 jobs that turn on UBSAN for 10 individual components, and run
 them all at once.

 I have a small cluster of computers which I can use to do the test myself,
 so long as I have the code for the unit tests. Getting trusted by Mozilla
 to the point where I can use their test infrastructure is not something
 I'm eager to commit to.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12418#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs