Stupid Compiler? Not sure!


A nice story reported by ISC today! A vulnerability has been discovered in the Linux kernel (and was present for a while IMHO!)

The origin of the vulnerability was not the “human behind the keyboard” but the compiler! GCC, the GNU C compiler, has a lot of optimization features (if you are interested, have a look at this article from LinuxJournal.com about GCC optimizations).

As explained on the ISC diary page, the vulnerability was very difficult to detect while reading the source code. It’s due to an optimization by the compiler: GCC decided to skip a condition block, enabling a security breach in the code.
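The affected kernel code is not reproduced here, so the following is an added example, not code from the kernel or from the ISC diary. It shows one well-known pattern in which GCC may legitimately delete a condition block: a NULL check placed after the pointer has already been dereferenced. All names (`struct conn`, `poll_flags_risky`, `poll_flags_checked`, `ERR_NODEV`) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical type and error code, constructed for illustration. */
struct conn {
    int flags;
};

#define ERR_NODEV (-1)

/*
 * Risky ordering: dev is dereferenced before it is tested.
 * Dereferencing NULL is undefined behaviour, so the compiler may assume
 * dev != NULL from the first statement onward. With optimization enabled
 * (GCC's -fdelete-null-pointer-checks), the "if" below can be dropped:
 * the check is visible in the source but may be absent from the binary.
 */
int poll_flags_risky(struct conn *dev)
{
    int flags = dev->flags;   /* dereference happens first */
    if (!dev)                 /* candidate for removal by the optimizer */
        return ERR_NODEV;
    return flags;
}

/*
 * Hardened ordering: test first, dereference only after the check.
 * The compiler has no earlier dereference to reason from, so the
 * check must stay. Building with -fno-delete-null-pointer-checks is an
 * additional line of defense for code that cannot be fully audited.
 */
int poll_flags_checked(struct conn *dev)
{
    if (!dev)
        return ERR_NODEV;
    return dev->flags;
}

int main(void)
{
    struct conn c = { .flags = 0x5 };   /* constructed sample input */
    printf("valid pointer: %d\n", poll_flags_checked(&c));
    printf("NULL pointer : %d\n", poll_flags_checked(NULL));
    /* poll_flags_risky(NULL) is not called: its behaviour is undefined. */
    return 0;
}
```

Comparing the assembly from `gcc -O2 -S` with and without `-fno-delete-null-pointer-checks` shows whether the check in `poll_flags_risky` survived compilation.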

A new vulnerability is never good, but what else can we “learn” from this story? The Linux code is constantly reviewed by hundreds of developers, and the problem described here was very difficult to detect. That’s why you need multiple lines of defense: you cannot rely only on a strong source code audit; you have to take other countermeasures. Also, can you trust the tools you use on a daily basis? Who knows exactly what kind of optimizations are performed by the GCC compiler when optimization is enabled? GCC is used by thousands of developers every day and, for sure, the same kind of vulnerability exists in other applications. Keep this in mind!

Source: http://isc.sans.org/diary.html?storyid=6820
