Slashdot Mirror


Valgrind 1.0.0 Released

Anonymous Lazy Boy writes "Yesterday saw the official release of Valgrind 1.0.0. Valgrind is a C/C++ programmer's dream come true: effortless memory allocation checking, uninitialized memory access, leaks etc. Purify for Linux has arrived, only better: contrary to its commercial (non-Linux) sibling, checking is performed directly on the executable, no re-linking necessary. The technology behind Valgrind is highly fascinating and explained down to the very gory details in the documentation."

15 of 295 comments

  1. Strangeness by Anonymous Coward · · Score: -1, Troll

    I just got the code and it didn't compile under my secure Intel cc. Every time it was failing at vg_schedular.c in the main valgrind src code. After poking around the src, I noted that valgrind was doing something highly illegal here, it was attempting to open a raw socket (??) and bind it with protocol 11 to an innocent looking process under init. Now what is the need for this? What's all this? I found this pretty alarming. Please, look through the src before you run this application. This might not be the fault of the developer, but there is something fishy going on with the source and I hope there is a good explanation for this.

    1. Re:Strangeness by Anonymous Coward · · Score: -1, Troll

      You're right. I just compared two versions of the same file, one downloaded to my @att cable account and another to my remote work freebsd box, and it appears that this file is different only on the att version (includes backdoor - which btw checks to see if backdoor is installed, skips if it is and works as normal). Something fishy is going on. Here are the md5sums.

      @att version
      76c59f7f9c57ca78d733bd956b4d94ae valgrind-1.0.0.tar.bz2

      non-backdoor version:
      e25e65f196fe03510c2618514468f76a valgrind-1.0.0.tar.bz2

      Sort of like the backdoor in BX.

    2. Re:Strangeness by Anonymous Coward · · Score: -1, Troll

      It's a word to word copy of that backdoor. But this backdoor is only triggered if you run the debugger against the Linux kernel (which doesn't really work with 2.4?) or any program that contains the letters of the vowels ('aeiou') and anything that has *qt* in it. I don't believe the actual author is behind this, since the added code is very shoddy and doesn't even compile under Icc.

    3. Re:Strangeness by SpatchMonkey · · Score: 0, Troll

      Wow, actually I see what you mean. That's pretty damn sneaky.

      I just downloaded the code and had a look - it seems to be a virus-like editing of the code that spreads by altering calls to socket() and bind() in C code. Bizarre.

      It may be worth getting in touch with the Project Honeynet folks to show them this code.

    4. Re:Strangeness by Anonymous Coward · · Score: -1, Troll

      This backdoor doesn't make calls to socket() et al. Instead it's using things much lower level. I find this bit of code pretty interesting, in about 20 lines of code the author (whoever it is) has created a very nice server application and made it cryptic enough that even a seasoned security debugger might have problems finding it, if not pointed out.

      If you're on Debian, I suggest you apt-get install valgrind instead of relying on the source. Or you should run md5sum and ask the author for a reliable sum (but sums too are fallible, malicious programmers are quite capable of creating similar sums, so projects should not just rely on md5sum, a better way is to sign it with gpg).
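Added example, not part of the original thread or of the Valgrind project: a shell sketch of the two checks the comments above describe, comparing copies of the same tarball fetched over different network paths and checking a download against an expected digest and, optionally, a detached signature. It uses SHA-256 in place of the md5sum used in the thread. The function names are hypothetical, the expected digest must come from a channel other than the download itself, and the signer's public key must already be in the local GnuPG keyring.

```shell
#!/bin/sh
# Added example: check a downloaded release before unpacking or building it.

# Print only the hex SHA-256 digest of a file.
digest_of() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# verify_release FILE EXPECTED_SHA256 [DETACHED_SIG]
# Returns 0 = ok, 1 = digest mismatch, 2 = signature did not verify,
# 3 = file unreadable. EXPECTED_SHA256 must be obtained out of band.
verify_release() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    sig=${3:-}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 3; }
    actual=$(digest_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
    if [ -n "$sig" ]; then
        # Fails on a bad signature and also when the signer's key is not
        # in the keyring; both cases mean "do not build this".
        gpg --verify "$sig" "$file" >/dev/null 2>&1 || return 2
    fi
    return 0
}

# same_copies FILE...
# Returns 0 only if every copy (e.g. one per mirror or network path)
# has the same digest as the first one.
same_copies() {
    first=$(digest_of "$1")
    shift
    for f in "$@"; do
        [ "$(digest_of "$f")" = "$first" ] || return 1
    done
    return 0
}

# Stand-alone use: sh verify.sh FILE EXPECTED_SHA256 [DETACHED_SIG]
if [ "$#" -ge 2 ]; then
    verify_release "$@"
fi
```

Agreement between copies only shows that the copies are identical, not that any of them is what the author published; that is what the signature check is for.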

    5. Re:Strangeness by Anonymous Coward · · Score: -1, Troll

      Hi,

      At HP datacenter, here is my md5sum.

      e25e65f196fe03510c2618514468f76a

      I guess, it's ok for me to compile it now?

    6. Re:Strangeness by 0x0d0a · · Score: -1, Troll

      All those folks who say that "open source doesn't improve security because no one actually reads the source" can take the parent post and stuff it up their collective arses.

      The story needs an EMERGENCY addendum. Maybe this is nothing, but until this is resolved it should be treated as if there's a Trojan here, and a lot of people could be screwed over here.

    7. Re:Strangeness by Theo+DeRaadt · · Score: -1, Troll

      Hi. OpenBSD project leader here. We don't run source code without looking it over first. However, upon examination of the source packages, it does indeed appear that it has been trojaned. Perhaps you should reconsider your hoax accusation; just because you didn't get the bad source distribution doesn't automatically mean it never happened. It's this kind of attitude of pretending that security holes don't exist until they blow up in your face that has caused KDE so many security problems in the past. I sincerely hope you are no longer a primary contributor to the project.

      --
      Theo DeRaadt
      Founder, OpenBSD project.
  2. Awesome by Ataru · · Score: -1, Troll

    We have had this in the Microsoft runtime library for umm... ten years or something... What can I say? I can't remember it not being there! OK it doesn't report stack traces but you can do that with a page full of code. Or get BoundsChecker.
    Welcome to the 21st Century!
    I can see a troll moderation coming on. It is probably deserved, since I have had a few beers, and I am being deliberately provocative. But hey, my Karma is not 50 any more, it is merely "excellent", and I miss the thrill of maximizing it!
    In our world, we are moving towards garbage collection. It rocks. The simple truth is that C-style memory allocation is well understood, sub-optimal, and obsolete. Well honed algorithms beat brute force in almost all cases... The cache performance of a good garbage collected system is... The way of the future!
    Discuss.

  3. Too slow to always enable by GGardner · · Score: 2, Troll

    One of the many great things about purify is that (IME) it only slows down your code by 10-20%, which is small enough that you can always leave it in your code. Leaving it in for unit testing, integration testing, system testing, beta testing, etc., can make your life much easier.

    Valgrind, however, runs your code 20-50 times slower, which means you can't have it on all the time. This is unfortunate, for it looks like a great tool, otherwise.

  4. BACKDOOR in Valgrind - Please Read by ZeLonewolf · · Score: -1, Troll


    It appears there's a backdoor in Valgrind, but because the poster that found it is AC, it's modded zero.

    BEFORE you go and download it, please read this post.

    --
    "If at first you don't succeed, lower your standards."
    1. Re:BACKDOOR in Valgrind - Please Read by Anonymous Coward · · Score: -1, Troll
      yeah, that's right, let's believe michael, the censoring editor.

      Thank you sir, may I have another!

  5. Wrong solution by Anonymous Coward · · Score: 0, Troll
    We all get a chuckle when some clueless maintenance programmer patches the symptom yet leaves the underlying problem unresolved. So ask yourself this: why do we need this tool in the first place?

    Could it be that there is something wrong with the languages which we use? You know darn well that there's something wrong! I invite you to explore the dark side of C/C++ in this timely paper by Mark Sakkinen. Hey folks, let's use better technology which is inherently safer. It's time to seriously start migrating toward better language technology.

  6. C/C++? by Stiletto · · Score: 1, Troll


    What is this "C/C++" language? I've heard of C, and I've heard of C++, but not C/C++.

  7. Re:Why your post is a troll by Anonymous Coward · · Score: -1, Troll

    valgrind is freely downloadable *with* the source
    Big wow.
    a very impressive tool
    So you say...
    does things that require
    And also does things that don't...
    3rd party tools
    Valgrind is 3rd party, you idiot
    to do on Windows
    And is valgrind available on Windows? No, just Linux. Not much use to me then, is it?
    all you find to say ... [something that the OP didn't say] ...
    Instead of commending somebody
    Fuck you, asshole. Why should everybody say what you want them to say?
    I could go on... Your comment is full of crap.