[OffTopic] A vulnerability postmortem on Network Security Services

Johan j at j.nl
Thu Dec 2 12:15:38 UTC 2021


On Thursday, 2 December 2021 at 11:01:07 UTC, Imperatorn wrote:
> On Thursday, 2 December 2021 at 08:09:18 UTC, Paulo Pinto wrote:
>> Google's Project Zero goes through a memory corruption exploit 
>> on Network Security Services, where despite all static 
>> analysers, fuzzers and code reviews, it flew under the radar.
>>
>> https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html
>>
>> Hence why @safe matters.
>
> Bottom line:
> Use D instead of C 😎

Sorry to rain on the party here, but D is of course not at all 
immune to this problem.
It was not hard to find out-of-bounds memory access in the D 
compiler, using the fuzz techniques mentioned in the article.

https://johanengelen.github.io/ldc/2018/01/14/Fuzzing-with-LDC.html
https://github.com/dlang/dmd/pull/7050

Note the discussion of bounds checking in the PR...

-Johan


