On Mon, Jul 15, 2013 at 06:19:27PM -0400, Alvaro Herrera wrote:
> Robert Haas escribió:
> > On Mon, Jul 15, 2013 at 5:59 PM, Alvaro Herrera
> > <alvherre@2ndquadrant.com> wrote:
> > > Xi Wang escribió:
> > >> Intel's icc and PathScale's pathcc compilers optimize away several
> > >> overflow checks, since they consider signed integer overflow as
> > >> undefined behavior. This leads to a vulnerable binary.
> > >
> > > This thread died without reaching a conclusion. Noah Misch, Robert Haas
> > > and Greg Stark each gave a +1 to the patches, but Tom Lane gave them a
> > > -inf; so they weren't applied. However, I think everyone walked away
> > > with the feeling that Tom is wrong on this.
> > >
> > > Meanwhile Xi Wang and team published a paper:
> > > http://pdos.csail.mit.edu/~xi/papers/stack-sosp13.pdf
> > >
> > > Postgres is mentioned a number of times in this paper -- mainly to talk
> > > about the bugs we leave unfixed.
> > >
> > > It might prove useful to have usable these guys' STACK checker output
> > > available continuously, so that if we happen to introduce more bugs in
> > > the future, it alerts us about that.
> >
> > Yeah, I think we ought to apply those patches. I don't suppose you
> > have links handy?
>
> Sure, see this thread in the archives: first one is at
> http://www.postgresql.org/message-id/510100AA.4050105@gmail.com and you
> can see the others in the dropdown (though since the subjects are not
> shown, only date and author, it's a bit hard to follow. The "flat" URL
> is useful.)
Should these patches be applied?
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ It's impossible for everything to be true. +
