On Mon, Jul 25, 2022 at 7:20 AM Theo de Raadt <dera...@openbsd.org> wrote:
> I've been watching conversation on a mailing list, and it leads me to
> wonder if we should inform the userbase better.
>

Too true. Certification *is* the key thing that protects users, not careful, well engineered designs. We should be giving this warning in many other places too; for example:

Index: stdlib/malloc.3 =================================================================== RCS file: /data/src/openbsd/src/lib/libc/stdlib/malloc.3,v retrieving revision 1.129 diff -u -p -r1.129 malloc.3 --- stdlib/malloc.3 31 Mar 2022 17:27:16 -0000 1.129 +++ stdlib/malloc.3 25 Jul 2022 20:00:07 -0000 @@ -766,6 +766,11 @@ and functions appeared in .Ox 6.6 . .Sh CAVEATS +Layout randomization in +.Nm malloc +uses uncertified random number generators, +so the security properties cannot be guaranteed. +.Pp When using .Fn malloc , be wary of signed integer and
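
Review bot: In the paragraph added under .Sh CAVEATS, the function is marked up as ".Nm malloc" while the unchanged context directly below it uses ".Fn malloc ,"; use .Fn in the new text so the section refers to the function one way. The added sentence also names neither the random number generator nor the certification it has in mind, and "the security properties cannot be guaranteed" gives the reader nothing to act on, whereas the paragraph that follows tells callers what to be wary of. Either name the generator and the certification meant, or state what a caller should do differently.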