| Field | Value | Date |
|---|---|---|
| author | Nick Mathewson <nickm@torproject.org> | 2016-04-12 18:59:40 -0400 |
| committer | Nick Mathewson <nickm@torproject.org> | 2016-05-12 11:21:28 -0400 |
| commit | ce854a8d22d5056cc1a47a0d4d4251f93a0c667c (patch) | |
| tree | 52579eb2bff509a54933805655a70f4091e7b4c0 /changes/bug17983 | |
| parent | bd34edc18d6e21f5ba7bddf5a7ebe6582e8dc639 (diff) | |
| download | tor-ce854a8d22d5056cc1a47a0d4d4251f93a0c667c.tar.gz tor-ce854a8d22d5056cc1a47a0d4d4251f93a0c667c.zip | |
Add -ftrapv to gcc-hardening ... mostly!

We know there are overflows in curve25519-donna-c32, so we'll have
to have that one be fwrapv.

Only apply the asan, ubsan, and trapv options to the code that does
not need to run in constant time. Those options introduce branches
to the code they instrument.

(These introduced branches should never actually be taken, so it
might _still_ be constant time after all, but branch predictors are
complicated enough that I'm not really confident here. Let's aim for
safety.)

Closes 17983.
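The commit message contrasts two ways of treating signed overflow: -ftrapv turns it into a hard failure, while -fwrapv makes it wrap in two's complement. The following added example (written for this page, not code from the Tor tree) shows both behaviours expressed in the code itself, so that neither depends on the compiler flag being set: a checked addition that reports overflow the way -ftrapv would detect it, and a wrapping addition done through unsigned arithmetic, which C defines regardless of flags. It assumes a GCC or Clang compiler, since `__builtin_add_overflow` is a builtin of those compilers; the function names are my own.

```c
// Added example, not part of the Tor commit. Neither function ever performs
// a signed overflow itself, so the code is well defined whether it is built
// with -ftrapv, -fwrapv, or neither.
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* trapv-style addition: detect overflow and refuse to produce a result.
 * __builtin_add_overflow (GCC/Clang) computes the exact sum and returns
 * true if it did not fit in *out. We invert it so true means "ok". */
bool checked_add_i32(int32_t a, int32_t b, int32_t *out) {
    return !__builtin_add_overflow(a, b, out);
}

/* wrapv-style addition: two's-complement wraparound implemented portably.
 * Unsigned overflow is defined in C, so we add as uint32_t and convert the
 * result back by hand instead of relying on -fwrapv. */
int32_t wrapping_add_i32(int32_t a, int32_t b) {
    uint32_t sum = (uint32_t)a + (uint32_t)b;   /* wraps by definition */
    if (sum <= (uint32_t)INT32_MAX)
        return (int32_t)sum;                    /* fits: no conversion issue */
    /* Values above INT32_MAX map to negatives without an out-of-range cast. */
    return -(int32_t)(UINT32_MAX - sum) - 1;
}

int main(void) {
    int32_t r;
    if (!checked_add_i32(INT32_MAX, 1, &r))
        printf("checked_add: INT32_MAX + 1 overflowed (trapv would abort)\n");
    printf("wrapping_add: INT32_MAX + 1 = %d\n", wrapping_add_i32(INT32_MAX, 1));
    printf("wrapping_add: -1 + -1 = %d\n", wrapping_add_i32(-1, -1));
    return 0;
}
```

The constant-time concern from the commit message applies to the checked variant: the overflow test is a branch on the operands, which is exactly the kind of data-dependent control flow the commit keeps out of the constant-time code by building it with -fwrapv instead.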
Diffstat (limited to 'changes/bug17983')
-rw-r--r-- | changes/bug17983 | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/changes/bug17983 b/changes/bug17983 new file mode 100644 index 0000000000..db52a37615 --- /dev/null +++ b/changes/bug17983 @@ -0,0 +1,11 @@ + o Minor features (bug-finding): + - Tor now builds with -ftrapv by default on compilers that support it. + This option detects signed integer overflow, and turns it into a + hard-failure. We do not apply this option to code that needs to run + in constant time to avoid side-channels; instead, we use -fwrapv. + Closes ticket 17983. + - When --enable-expensive-hardening is selected, stop applying the clang/gcc + sanitizers to code that needs to run in constant-time to avoid side + channels: although we are aware of no introduced side-channels, we + are not able to prove that this is safe. Related to ticket 17983. + |
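Review bot: the first bullet gives constant-time side-channel avoidance as the only reason some code is built with -fwrapv, but the commit message also says curve25519-donna-c32 has known signed overflows; adding that second reason to the entry (e.g. "... and to curve25519-donna-c32, which relies on wrapping arithmetic") would stop a reader from concluding that the donna code was found overflow-free. Minor style: "hard-failure" should be "hard failure", and "constant time" / "constant-time" are hyphenated inconsistently across the two bullets. Note also that this view is limited to changes/bug17983, so the build-system change that actually applies -ftrapv, -fwrapv and the sanitizers per file is not visible here and cannot be checked against the entry.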