OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?

Erik Cederstrand erik+lists at cederstrand.dk
Wed Apr 23 10:14:01 UTC 2014


Den 23/04/2014 kl. 03.12 skrev Ronald F. Guilmette <rfg at tristatelogic.com>:
> 
> In message <20140423010054.2891E143D098 at rock.dv.isc.org>, 
> Mark Andrews <marka at isc.org> wrote:
> 
>> As for the number of CLANG analysis warnings.  Clang has false
>> positives
> 
> Please define your terms.
> 
> I do imagine that the truth or falsehood of your assertion may depend
> quite substantially on what one does or does not consider a "false
> positive" in this context.

Have a look at the ~10.000 reports at http://scan.freebsd.your.org/freebsd-head/ (unavailable ATM). Silly things are reported like missing return at the end of main() or not free()ing memory two lines before program exit. There are nonsensical reports because the analyzer doesn't detect exit() in a usage() function because usage() is defined in a separate compilation unit, or this:

int foo(int y, int z) {
    int x;
    if (y == z) {
        x = 0;
    } else {
        /* y != z always holds here, so this test is redundant, but the
         * analyzer does not carry that constraint into the branch and
         * treats the implicit "else" of this inner if as reachable. */
        if (y != z) {
            x = 1;
        }
    }
    return x;   /* reported as possibly uninitialized */
}

warning that x may be uninitialized. Fixing these requires considerable effort, e.g. improving IPA and adding alpha-renaming support to the analyzer's constraint manager, or would result in unnecessary code churn in FreeBSD just to work around the reports.

My best guess is that at least 90% of the reports are either false positives or really silly. Which doesn't mean that the reports are useless, but a lot of time is wasted finding real bugs.

Erik
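The two report classes described above (a usage() that exits in another compilation unit, and a branch structure the analyzer cannot prove exhaustive) and the small changes that make them go away, as an added example that is not part of the thread; the names usage_and_exit, classify and parse_arg are hypothetical:

```c
/* Added example, not from the mailing list thread. */
#include <stdio.h>
#include <stdlib.h>

/* In a real tree usage() lives in a separate compilation unit, so the
 * analyzer only ever sees this declaration. Without the attribute it
 * assumes the call can return and keeps analyzing the code after it. */
void usage_and_exit(const char *prog) __attribute__((noreturn));

void usage_and_exit(const char *prog)
{
    fprintf(stderr, "usage: %s <n>\n", prog);
    exit(1);
}

/* The pattern from the message with the redundant inner test removed:
 * x is now assigned on every path the analyzer can enumerate, so there
 * is nothing for it to report. */
int classify(int y, int z)
{
    int x;
    if (y == z) {
        x = 0;
    } else {
        x = 1;
    }
    return x;
}

/* n is only assigned on the argc >= 2 path. Because usage_and_exit is
 * declared noreturn, the analyzer knows the other path never reaches
 * the return statement and does not flag n as uninitialized. */
int parse_arg(int argc, char **argv)
{
    int n;
    if (argc >= 2)
        n = atoi(argv[1]);
    else
        usage_and_exit(argv[0]);
    return n;
}
```

The noreturn declaration belongs in the header that every caller includes; otherwise each compilation unit still sees a plain function.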

