Stream: wg-secure-code

Topic: Old crossbeam::queue causing SIGILL
RalfJ (Aug 07 2019 at 08:38, on Zulip):

With some compiler changes (that are being backed out to give broken code some more time to get fixed), ancient crossbeam::queue SIGILLs because it causes UB by calling mem::zeroed or mem::uninitialized the wrong way. A fixed version has been out for 7 months, but some projects are updating only now that they have to. Is it appropriate to file an advisory to make people upgrade, or is that not how advisories are supposed to be used? We have no information on exploitability or severity; all we know is "there is UB" (and I am not really interested in spending lots of time to figure out how bad the UB is).
The crossbeam 0.4 versions are broken, and crossbeam-queue 0.1 seems fixed. Which version of crossbeam itself is the first to be fixed I don't know (@stjepang ?)

RalfJ (Aug 07 2019 at 08:40, on Zulip):

(There was another bug fixed by crossbeam 0.4.1, but that does not seem to be the same one -- crates using 0.4.1 still saw SIGILLs.)

Alex Gaynor (Aug 07 2019 at 11:17, on Zulip):

Personally, I don't think it's right to file an advisory unless we think it's actually a security issue

RalfJ (Aug 08 2019 at 08:25, on Zulip):

fair. but I will also note that once I found that some code is UB or is unsound (lets safe code trigger UB), I see my "job" done. whether that is exploitable in any way -- basically coming up with an exploit -- is not even a formally well-defined question, it is a very practical question concerned with what exactly the compiler happens to (not) do. it is not an interesting question to me. I have little expertise in that area and I think I have better ways to spend my time.
I am not saying you should change your policy, I am just informing you that there is a gap here and that this will mean I am unlikely to file many advisories even if I find lots of UB and some of it is actually security-relevant.

RalfJ (Aug 08 2019 at 08:27, on Zulip):

maybe there are people interested in closing that gap? I'd be happy to leave a note somewhere any time I find UB, and I'd be happy to explain the what and why and where, so should someone be interested they can see if this justifies an advisory or not.

Thom Chiovoloni (Aug 08 2019 at 16:55, on Zulip):

did these versions of crossbeam_queue pull in the memoffset that had a notice recently? I feel like they did but could be wrong. if they do then anybody who follows the notices already will have updated, I think

RalfJ (Aug 09 2019 at 08:12, on Zulip):

hm, good question

RalfJ (Aug 09 2019 at 08:13, on Zulip):

yes, seems like they did. crossbeam 0.4 -> crossbeam-epoch 0.5 -> memoffset 0.2

RalfJ (Aug 09 2019 at 08:14, on Zulip):

so people following advisories are already warned. good :)

Tony Arcieri (Aug 12 2019 at 15:22, on Zulip):

@RalfJ unless it's a security issue, I'd imagine yanking would be better, but if the memoffset stuff did it vicariously, great

Last update: Nov 11 2019 at 22:00 UTC