forked from coq/coq
-
Notifications
You must be signed in to change notification settings - Fork 2
/
critical-bugs
653 lines (584 loc) · 28.6 KB
/
critical-bugs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
Preliminary compilation of critical bugs in stable releases of Coq
==================================================================
WORK IN PROGRESS WITH SEVERAL OPEN QUESTIONS
##################################################################
##################### Non fixed bugs #############################
##################################################################
component: VM reduction machine
summary: buffer overflow on large records and closures (infinite loop with OCaml 5)
introduced: 8.1
impacted versions: 8.1-NOW
impacted coqchk versions: none (no VM in coqchk)
fixed in: NONE
found by: Dolan, Roux, Melquiond
GH issue number: ocaml/ocaml#6385, #13439
exploit: ??
risk: requires very large number of arguments, fix block size or nested letins
component: VM and native reduction machines
summary: memory corruption by evaluating on ill-typed terms (obtained from unsafe tactics)
introduced: 8.1
impacted versions: 8.1-NOW
impacted coqchk versions: none (no VM or native in coqchk)
fixed in: NONE
found by: Gaëtan Gilbert, Andres Erbsen
GH issue number: #16891
exploit: requires a memory corruption to craft something that doesn't just SIGSEV
risk: could be activated by chance but unlikely to produce anything
other than SIGSEV outside a deliberate attack
component: name handling / typechecker
summary: kernel and checker accept incorrect name aliasing information
introduced: a long time ago
impacted versions: -NOW
impacted coqchk versions: same
fixed in: NONE
found by: Pierre-Marie Pédrot
GH issue number: #7609
exploit: see issue (requires a plugin or hand crafted .vo file)
risk: low
component: primitive types and operators
summary: coqchk checks too little about primitive declarations
introduced: v8.10 (#6914 primitive integers)
impacted versions: coqchk only
impacted coqchk versions: V8.10-NOW
fixed in: NONE
found by: Gaëtan Gilbert
GH issue number: #12439
exploit: not fully worked out, requires crafted .vo file
risk: none (requires crafted .vo file)
component: module functors
summary: Print Assumptions + Parameter Inline fails to report some inconsistent flags
introduced: #79
impacted versions: V8.6-NOW
impacted coqchk versions: none
found by: Jason Gross
GH issue number: #12155
exploit: see issue
risk: moderate if not using coqchk, none if using coqchk (coqchk rejects the produced file)
component: module functors
summary: Print Assumptions does not report Unset Universe Checking used during functor application
introduced: v8.11 (#10291) or earlier
impacted versions: V8.11-NOW
impacted coqchk versions: none
found by: Gaëtan Gilbert
GH issue number: #16646
exploit: see issue
risk: moderate if not using coqchk, none if using coqchk (coqchk rejects the produced file)
##################################################################
######################### Fixed bugs #############################
##################################################################
Typing constructions
component: "match"
summary: substitution missing in the body of a let
introduced: ?
impacted released versions: V8.3-V8.3pl2, V8.4-V8.4pl4
impacted development branches: none
impacted coqchk versions: ?
fixed in: master/trunk/v8.5 (e583a79b5, 22 Nov 2015, Herbelin), v8.4 (525056f1, 22 Nov 2015, Herbelin), v8.3 (4bed0289, 22 Nov 2015, Herbelin)
found by: Herbelin
exploit: test-suite/success/Case22.v
GH issue number: ?
risk: ?
component: fixpoint, guard
summary: missing lift in checking guard
introduced: probably from V5.10
impacted released versions: probably V5-V7, V8.0-V8.0pl4, V8.1-V8.1pl4
impacted development branches: v8.0 ?
impacted coqchk versions: ?
fixed in: master/trunk/v8.2 (ff45afa8, r11646, 2 Dec 2008, Barras), v8.1 (f8e7f273, r11648, 2 Dec 2008, Barras)
found by: Barras
exploit: test-suite/failure/guard.v
GH issue number: none
risk: unprobable by chance
component: cofixpoint, guard
summary: de Bruijn indice bug in checking guard of nested cofixpoints
introduced: after V6.3.1, before V7.0
impacted released versions: V8.0-V8.0pl4, V8.1-V8.1pl4, V8.2-V8.2pl2, V8.3-V8.3pl2, V8.4-V8.4pl4
impacted development branches: none
impacted coqchk versions: ?
fixed in: master (9f81e2c36, 10 Apr 2014, Dénès), v8.4 (f50ec9e7d, 11 Apr 2014, Dénès), v8.3 (40c0fe7f4, 11 Apr 2014, Dénès), v8.2 (06d66df8c, 11 Apr 2014, Dénès), v8.1 (977afae90, 11 Apr 2014, Dénès), v8.0 (f1d632992, 29 Nov 2015, Herbelin, backport)
found by: Dénès
exploit: ?
GH issue number: none ?
risk: ?
component: inductive types, elimination principle
summary: de Bruijn indice bug in computing allowed elimination principle
introduced: 23 May 2006, 9c2d70b, r8845, Herbelin (part of universe polymorphism)
impacted released versions: V8.1-V8.1pl4, V8.2-V8.2pl2, V8.3-V8.3pl2, V8.4-V8.4pl4
impacted development branches: none
impacted coqchk versions: ?
fixed in: master (8a01c3685, 24 Jan 2014, Dénès), v8.4 (8a01c3685, 25 Feb 2014, Dénès), v8.3 (2b3cc4f85, 25 Feb 2014, Dénès), v8.2 (459888488, 25 Feb 2014, Dénès), v8.1 (79aa20872, 25 Feb 2014, Dénès)
found by: Dénès
exploit: see GH#3211
GH issue number: #3211
risk: ?
component: universe subtyping
summary: bug in Prop<=Set conversion which made Set identifiable with Prop, preventing a proof-irrelevant interpretation of Prop
introduced: V8.2 (bba897d5f, 12 May 2008, Herbelin)
impacted released versions: V8.2-V8.2pl2
impacted development branches: none
impacted coqchk versions: ?
fixed in: master/trunk (679801, r13450, 23 Sep 2010, Glondu), v8.3 (309a53f2, r13449, 22 Sep 2010, Glondu), v8.2 (41ea5f08, r14263, 6 Jul 2011, Herbelin, backport)
found by: Georgi Guninski
exploit: test-suite/failure/prop_set_proof_irrelevance.v
GH issue number: none?
risk: ?
Module system
component: modules, universes
summary: missing universe constraints in typing "with" clause of a module type
introduced: ?
impacted released versions: V8.3-V8.3pl2, V8.4-V8.4pl6; unclear for V8.2 and previous versions
impacted development branches: none
impacted coqchk versions: ?
fixed in: master/trunk (d4869e059, 2 Oct 2015, Sozeau), v8.4 (40350ef3b, 9 Sep 2015, Sozeau)
found by: Dénès
exploit: test-suite/bugs/bug_4294.v
GH issue number: #4294
risk: ?
component: modules, universes
summary: universe constraints for module subtyping not stored in vo files
introduced: presumably 8.2 (b3d3b56)
impacted released versions: 8.2, 8.3, 8.4
impacted development branches: v8.5
impacted coqchk versions: none
fixed in: v8.2 (c1d9889), v8.3 (8056d02), v8.4 (a07deb4), trunk (0cd0a3e) Mar 5, 2014, Tassi
found by: Tassi by running coqchk on the mathematical components library
exploit: requires multiple files, no test provided
GH issue number: #3243
risk: could be exploited by mistake
component: modules, universes, inductives
summary: module subtyping disrespected squashing status of inductives
introduced: probably 7.4 (12965209478bd99dfbe57f07d5b525e51b903f22)
impacted released versions: until 8.15.0
impacted coqchk versions: none
fixed in: 8.15.1, 8.16
found by: Pédrot
exploit: see GitHub issue
GH issue number: #15838
risk: unlikely (caught by coqchk, needs Unset Elimination Schemes in the module type)
component: Modules
summary: Functor inlining drops universe substitution
introduced: ?
impacted released versions: ??-V8.8.0
impacted coqchk versions: same? not sure if coqchk has a this bug
fixed in: V8.8.1, V8.9.0 (#7616)
found by: Pierre-Marie Pédrot
GH issue number: #7615
exploit: see issue
risk: medium
component: modules, primitive types
summary: Primitives are incorrectly considered convertible to anything by module subtyping
introduced: 8.11
impacted released versions: V8.11.0-V8.18.0
impacted coqchk versions: same
fixed in: V8.19.0
found by: Gaëtan Gilbert
GH issue number: #18503
exploit: see issue
risk: high if there is a Primitive in a Module Type, otherwise low
Universes
component: template polymorphism
summary: issue with two parameters in the same universe level
introduced: 23 May 2006, 9c2d70b, r8845, Herbelin
impacted released versions: V8.1-V8.1pl4, V8.2-V8.2pl2, V8.3-V8.3pl2
impacted development branches: none
impacted coqchk versions: ?
fixed in: trunk/master/v8.4 (8082d1faf, 5 Oct 2011, Herbelin), V8.3pl3 (bb582bca2, 5 Oct 2011, Herbelin), v8.2 branch (3333e8d3, 5 Oct 2011, Herbelin), v8.1 branch (a8fc2027, 5 Oct 2011, Herbelin),
found by: Barras
exploit: test-suite/failure/inductive.v
GH issue number: none
risk: unlikely to be activated by chance
component: universe polymorphism
summary: universe polymorphism can capture global universes
impacted released versions: V8.5 to V8.8
impacted coqchk versions: V8.5 to V8.9
fixed in: ec4aa4971f (58e1d0f200 for the checker)
found by: Gaëtan Gilbert
exploit: test-suite/misc/poly-capture-global-univs
GH issue number: #8341
risk: unlikely to be activated by chance (requires a plugin)
component: template polymorphism
summary: template polymorphism not collecting side constrains on the
universe level of a parameter; this is a general form of the
previous issue about template polymorphism exploiting other ways to
generate untracked constraints
introduced: morally at the introduction of template polymorphism, 23
May 2006, 9c2d70b, r8845, Herbelin
impacted released versions: at least V8.4-V8.4pl6, V8.5-V8.5pl3,
V8.6-V8.6pl2, V8.7.0-V8.7.1, V8.8.0-V8.8.1, V8.9.0-V8.9.1, in theory
also V8.1-V8.1pl4, V8.2-V8.2pl2, V8.3-V8.3pl2 but not exploit found
there yet (an exploit using a plugin to force sharing of universe
level is in principle possible though)
impacted development branches: all from 8.4 to 8.9 at the time of writing and suspectingly also all from 8.1 to 8.4 if a way to create untracked constraints can be found
impacted coqchk versions: a priori all (tested with V8.4 and V8.9 which accept the exploit)
fixed in: soon in master and V8.10.0 (PR #9918, Aug 2019, Dénès and Sozeau)
found by: Gilbert using explicit sharing of universes, exploit found for 8.5-8.9 by Pédrot, other variants generating sharing using sections, or using ltac tricks by Sozeau, exploit in 8.4 by Herbelin and Jason Gross by adding new tricks to Sozeau's variants
exploit: test-suite/failure/Template.v
GH issue number: #9294
risk: moderate risk to be activated by chance
component: template polymorphism
summary: using the same universe in the parameters and the
constructor arguments of a template polymorphic inductive (using
named universes in modern Coq, or unification tricks in older Coq)
produces implicit equality constraints not caught by the previous
template polymorphism fix.
introduced: same as the previous template polymorphism bug, morally
from V8.1, first verified impacted version V8.5 (the universe
unification is sufficiently different in V8.4 to prevent our trick
from working)
fixed in: expected in 8.10.2, 8.11+beta, master (#11128, Nov 2019, Gilbert)
found by: Gilbert
exploit: test-suite/bugs/bug_11039.v
GH issue number: #11039
risk: moderate risk (found by investigating #10504)
component: universe polymorphism, asynchronous proofs
summary: universe constraints erroneously discarded when forcing an asynchronous proof containing delayed monomorphic constraints inside a universe polymorphic section
introduced: between 8.4 and 8.5 by merging the asynchronous proofs feature branch and universe polymorphism one
impacted released versions: V8.5-V8.10
impacted development branches: none
impacted coqchk versions: immune
fixed in: PR#10664
found by: Pédrot
exploit: no test
GH issue number: none
risk: unlikely to be triggered in interactive mode, not present in batch mode (i.e. coqc)
component: algebraic universes
summary: Set+2 was incorrectly simplified to Set+1
introduced: V8.10 (with the SProp commit 75508769762372043387c67a9abe94e8f940e80a)
impacted released versions: V8.10.0 V8.10.1 V8.10.2
impacted coqchk versions: same
fixed in: PR#11422
found by: Gilbert
exploit: see PR (custom application of Hurkens to get around the refreshing at elaboration)
GH issue number: see PR
risk: unlikely to be triggered through the vernacular (the system "refreshes" algebraic
universes such that +2 increments do not appear), mild risk from plugins which manipulate
algebraic universes.
component: cumulative inductives and sections
summary: variance inference for section universes ignored use of section universes in inductives and axioms defined before the inductive being inferred
introduced: V8.12 (73c3b874633d6f6f8af831d4a37d0c1ae52575bc)
impacted released versions: V8.12 to V8.15 including patch releases
impacted coqchk versions: none
fixed in: V8.16 PR#15950 (118ffbc010ce53ebd45baa42edd28335301ca9a5)
found by: Gilbert and Pédrot
exploit: see #15916
risk: could be used inadvertently in developments with complex universe usage, only when using cumulative inductives declared in sections. coqchk still works.
Primitive projections
component: primitive projections, guard condition
summary: check of guardedness of extra arguments of primitive projections missing
introduced: 6 May 2014, a4043608f, Sozeau
impacted released versions: V8.5-V8.5pl2,
impacted development branches: none
impacted coqchk versions: ?
fixed in: trunk/master/v8.5 (ba00867d5, 25 Jul 2016, Sozeau)
found by: Sozeau, by analyzing bug report #4876
exploit: to be done (?)
GH issue number: #4876
risk: consequence of bug found by chance, unlikely to be exploited by chance (MS?)
component: primitive projections, guard condition
summary: records based on primitive projections became possibly recursive without the guard condition being updated
introduced: 10 Sep 2014, 6624459e4, Sozeau (?)
impacted released versions: V8.5
impacted development branches: none
impacted coqchk versions: ?
fixed in: trunk/master/v8.5 (120053a50, 4 Mar 2016, Dénès)
found by: Dénès exploiting bug #4588
exploit: test-suite/bugs/bug_4588.v
GH issue number: #4588
risk: ?
component: modules and universes
summary: incorrect checking of subtyping with algebraic universes
introduced: a long time ago
impacted released versions: ??-V8.8.0
impacted coqchk versions: same
fixed in: V8.8.1, V8.9.0 (#7798)
found by: Gaëtan Gilbert
GH issue number: #7695
exploit: see issue
risk: needs usage of explicit algebraic universe annotations, coqchk
may catch through defunctorialization
Conversion machines
component: "lazy machine" (lazy krivine abstract machine)
summary: the invariant justifying some optimization was wrong for some combination of sharing side effects
introduced: prior to V7.0
impacted released versions: V8.0-V8.0pl4, V8.1-V8.1pl3
impacted development branches: none
impacted coqchk versions: (eefe63d52, Barras, 20 May 2008), was in beta-development for 8.2 at this time
fixed in: master/trunk/8.2 (f13aaec57/a8b034513, 15 May 2008, Barras), v8.1 (e7611477a, 15 May 2008, Barras), v8.0 (6ed40a8bc, 29 Nov 2016, Herbelin, backport)
found by: Gonthier
exploit: by Gonthier
GH issue number: none
risk: unrealistic to be exploited by chance
component: "virtual machine" (compilation to bytecode ran by a C-interpreter)
summary: collision between constructors when more than 256 constructors in a type
introduced: V8.1
impacted released versions: V8.1-V8.5pl3, V8.2-V8.2pl2, V8.3-V8.3pl3, V8.4-V8.4pl5
impacted development branches: none
impacted coqchk versions: none (no virtual machine in coqchk)
fixed in: master/trunk/v8.5 (00894adf6/596a4a525, 26-39 Mar 2015, Grégoire), v8.4 (cd2101a39, 1 Apr 2015, Grégoire), v8.3 (a0c7fc05b, 1 Apr 2015, Grégoire), v8.2 (2c6189f61, 1 Apr 2015, Grégoire), v8.1 (bb877e5b5, 29 Nov 2015, Herbelin, backport)
found by: Dénès, Pédrot
exploit: test-suite/bugs/bug_4157.v
GH issue number: #4157
risk:
component: "virtual machine" (compilation to bytecode ran by a C-interpreter)
summary: wrong universe constraints
introduced: possibly exploitable from V8.1; exploitable at least from V8.5
impacted released versions: V8.1-V8.4pl5 unknown, V8.5-V8.5pl3, V8.6-V8.6.1, V8.7.0-V8.7.1
impacted development branches: unknown for v8.1-v8.4, none from v8.5
impacted coqchk versions: none (no virtual machine in coqchk)
fixed in: master (c9f3a6cbe, 12 Feb 2018, PR#6713, Dénès), v8.7 (c058a4182, 15 Feb 2018, Zimmermann, backport), v8.6 (a2cc54c64, 21 Feb 2018, Herbelin, backport), v8.5 (d4d550d0f, 21 Feb 2018, Herbelin, backport)
found by: Dénès
exploit: test-suite/bugs/bug_6677.v
GH issue number: #6677
risk:
component: "virtual machine" (compilation to bytecode ran by a C-interpreter)
summary: missing pops in executing 31bit arithmetic
introduced: V8.5
impacted released versions: V8.1-V8.4pl5
impacted development branches: v8.1 (probably)
impacted coqchk versions: none (no virtual machine in coqchk)
fixed in: master/trunk/v8.5 (a5e04d9dd, 6 Sep 2015, Dénès), v8.4 (d5aa3bf6, 9 Sep 2015, Dénès), v8.3 (5da5d751, 9 Sep 2015, Dénès), v8.2 (369e82d2, 9 Sep 2015, Dénès),
found by: Catalin Hritcu
exploit: lost?
GH issue number: ?
risk:
component: "virtual machine" (compilation to bytecode ran by a C-interpreter)
summary: primitive integer emulation layer on 32 bits not robust to garbage collection
introduced: master (before v8.10 in GH pull request #6914)
impacted released versions: none
impacted development branches: v8.10
impacted coqchk versions: none (no virtual machine in coqchk)
fixed in: 5914313 (v8.10)
found by: Roux, Melquiond
exploit:
GH issue number: #9925
risk:
component: "virtual machine" (compilation to bytecode ran by a C-interpreter)
summary: broken long multiplication primitive integer emulation layer on 32 bits
introduced: e43b176
impacted released versions: 8.10.0, 8.10.1, 8.10.2
impacted development branches: 8.11
impacted coqchk versions: none (no virtual machine in coqchk)
fixed in: 4e176a7
found by: Soegtrop, Melquiond
exploit: test-suite/bugs/bug_11321.v
GH issue number: #11321
risk: critical, as any BigN computation on 32-bit architectures is wrong
component: "native" conversion machine (translation to OCaml which compiles to native code)
summary: translation of identifier from Coq to OCaml was not bijective, leading to identify True and False
introduced: V8.5
impacted released versions: V8.5-V8.5pl1
impacted development branches: none
impacted coqchk versions: none (no native computation in coqchk)
fixed in: master/trunk/v8.6 (244d7a9aa, 19 May 2016, letouzey), v8.5 (088b3161c, 19 May 2016, letouzey),
found by: Letouzey, Dénès
exploit: see commit message for 244d7a9aa
GH issue number: ?
risk:
component: primitive projections, native_compute
summary: stuck primitive projections computed incorrectly by native_compute
introduced: 1 Jun 2018, e1e7888a, ppedrot
impacted released versions: 8.9.0
impacted coqchk versions: none
found by: maximedenes exploiting bug #9684
exploit: test-suite/bugs/bug_9684.v
GH issue number: #9684
component: lazy machine
summary: incorrect De Bruijn handling when inferring the relevance mark for a lambda
introduced: 2019-03-15, 23f84f37c674a07e925925b7e0d50d7ee8414093 and 71b9ad8526155020c8451dd326a52e391a9a8585, SkySkimmer
impacted released versions: 8.10.0
impacted coqchk versions: 8.10.0
found by: ppedrot investigating unexpected conversion failures with SProp
exploit: test-suite/bugs/bug_10904.v
GH issue number: #10904
risk: none without using -allow-sprop (off by default in 8.10.0),
otherwise could be exploited by mistake
component: "virtual machine" (compilation to bytecode ran by a C-interpreter)
summary: buffer overflow on large accumulators
introduced: 8.1
impacted released versions: 8.1-8.12.1
impacted coqchk versions: none (no virtual machine in coqchk)
fixed in: 8.13.0 (#13431)
found by: Dolan, Roux, Melquiond
GH issue number: ocaml/ocaml#6385, #11170
risk: medium, as it can happen for large irreducible applications
component: "virtual machine" (compilation to bytecode ran by a C-interpreter)
summary: buffer overflow, arbitrary code execution on floating-point operations
introduced: 8.13
impacted released versions: 8.13.0
impacted coqchk versions: none (no virtual machine in coqchk)
fixed in: 8.13.1
found by: Melquiond
GH issue number: #13867
risk: none, unless using floating-point operations; high otherwise;
noticeable if activated by chance, since it usually breaks
control-flow integrity
component: "virtual machine" (compilation to bytecode ran by a C-interpreter)
summary: arbitrary code execution on irreducible PArray.set
introduced: 8.13
impacted released versions: 8.13.0, 8.13.1
impacted coqchk versions: none (no virtual machine in coqchk)
fixed in: 8.13.2
found by: Melquiond
GH issue number: #13998
risk: none, unless using primitive array operations; systematic otherwise
component: "virtual machine" (compilation to bytecode ran by a C-interpreter)
summary: arbitrary code execution on arrays of floating point numbers
introduced: 8.13
impacted released versions: 8.13.0, 8.13.1, 8.14.0
impacted coqchk versions: none (no virtual machine in coqchk)
fixed in: 8.14.1
found by: Melquiond
GH issue number: #15070
risk: none, unless mixing open terms and primitive floats inside primitive
arrays; critical otherwise
component: "native" conversion machine (translation to OCaml which compiles to native code)
summary: conversion of Prod / Prod values was comparing the wrong components
introduced: V8.5
impacted released versions: V8.5-V8.16.0 (when built with native computation enabled)
impacted coqchk versions: none (no native computation in coqchk)
fixed in: 8.16.1
found by: Melquiond
GH issue number: #16645
risk: systematic
component: "virtual" and "native" conversion machines
summary: η-expansion of cofixpoints was performed in the wrong environment
introduced: V8.9
impacted released versions: V8.9-V8.16.0
impacted coqchk versions: none (no VM / native computation in coqchk)
fixed in: 8.16.1
found by: Gaëtan Gilbert and Pierre-Marie Pédrot
GH issue number: #16831
risk: low, as it requires carefully crafted cofixpoints
component: all 3 kernel conversion machines (lazy, VM, native), primitive arrays
summary: conversion would compare the mutated version of primitive arrays instead of undoing mutation where needed
introduced: V8.13
impacted released versions: V8.13 to V8.16.0
impacted coqchk versions: same
fixed in: V8.16.1, V8.17
found by: Maxime Buyse and Andres Erbsen
exploit: Andres Erbsen
GH issue number: #16829
risk: some if using primitive arrays
component: "virtual" reduction machine
summary: tactic code could mutate a global cache of values for section variables
introduced: V8.1
impacted released versions: V8.1-V8.16.1
impacted coqchk versions: none (no tactics in coqchk, VM only sees checked terms)
fixed in: V8.17.0
found by: Gaëtan Gilbert with hint from Pierre-Marie Pédrot
GH issue number: #16957
risk: the full exploitation seems to require "Definition := ltac:()"
with change_no_check on a section variable in the ltac
component: VM machine
summary: incorrect handling of universe polymorphism
introduced: V8.5
impacted released versions: V8.5-V8.8.0
impacted coqchk versions: none (no VM in coqchk)
fixed in: V8.8.1, V8.9.0
found by: Jason Gross
GH issue number: #7723
exploit: see issue
risk: ??
Side-effects
component: side-effects
summary: polymorphic side-effects inside monomorphic definitions incorrectly handled as not inlined
introduced: ?
impacted released versions: at least from 8.6 to 8.12.0
impacted coqchk versions: none (no side-effects in the checker)
found by: ppedrot
exploit: test-suite/bugs/bug_13330.v
GH issue number: #13330
risk: unlikely to be exploited by mistake, requires the use of unsafe tactics
Forgetting unsafe flags
component: sections
summary: unsafe typing flags used inside a section would not be reported by Print Assumptions
after closing the section
introduced: abab878b8d8b5ca85a4da688abed68518f0b17bd (#10291, 8.11)
technically available earlier through plugins
impacted coqchk versions: none (coqchk rejects affected files)
found by: Anton Trunov
GH issue number: #14317
risk: low as it needs the use of explicit unsafe flags
Conflicts with axioms in library
component: library of real numbers
summary: axiom of description and decidability of equality on real numbers in library Reals was inconsistent with impredicative Set
introduced: 67c75fa01, 20 Jun 2002
impacted released versions: 7.3.1, 7.4
impacted coqchk versions:
fixed by deciding to drop impredicativity of Set: bac707973, 28 Oct 2004
found by: Herbelin & Werner
exploit: need to find the example again
GH issue number: no
risk: unlikely to be exploited by chance
component: library of extensional sets, guard condition
summary: guard condition was unknown to be inconsistent with propositional extensionality in library Sets
introduced: not a bug per se but an incompatibility discovered late
impacted released versions: technically speaking from V6.1 with the introduction of the Sets library which was then inconsistent from the very beginning without we knew it
impacted coqchk versions: ?
fixed by constraining the guard condition: (9b272a8, ccd7546c 28 Oct 2014, Barras, Dénès)
found by: Schepler, Dénès, Azevedo de Amorim
exploit: ?
GH issue number: none
risk: unlikely to be exploited by chance (?)
component: library for axiom of choice and excluded-middle
summary: incompatibility axiom of choice and excluded-middle with elimination of large singletons to Set
introduced: not a bug but a change of intended "model"
impacted released versions: strictly before 8.1
impacted coqchk versions: ?
fixed by constraining singleton elimination: b19397ed8, r9633, 9 Feb 2007, Herbelin
found by: Benjamin Werner
exploit:
GH issue number: none
risk:
component: primitive floating-points
summary: Incorrect specification of PrimFloat.leb
introduced: 8.11
impacted released versions: 8.11.0, 8.11.1, 8.11.2
fixed by fixing the spec: #12484
found by: Pierre Roux
exploit: test-suite/bugs/bug_12483.v
GH issue number: #12483
risk: proof of false when using the incorrect axiom
component: floating-point library
summary: Incorrect implementation of SFclassify.
introduced: 8.11
impacted released versions: 8.11.0-8.15.1
fixed by fixing the implementation: #16101
found by: François Bobot
exploit: test-suite/bugs/bug_16096.v
GH_issue_number: #16096
risk: proof of false when using the axioms in Floats.Axioms.
component: primitive floating-points + "native" conversion machine (translation to OCaml which compiles to native code)
summary: nativenorm reading back closures as arbitrary floating-point values
introduced: 8.11
impacted released versions: 8.11.0-8.17.1
impacted coqchk versions: none (no native computation in coqchk)
fixed in: 8.18.0
found by: Jason Gross
GH issue number: #17871
risk: proof of false when using primitive floats and native_compute
Deserialization
component: coqchk (coqc trusts that .vo files are well formed)
summary: deserialization of .vo data not properly checked
introduced: 8.16 (univ levels), 8.10 (retroknowledge)
impacted released versions: 8.10-8.18.1
impacted coqchk versions: same
fixed in: 8.19
found by: Mario Carneiro
GH issue number: N/A (fix pull requests: #18403, #18406)
risk: can lead to segfaults or arbitrary code execution on crafted .vo files
(files produced by coqc are fine)
There were otherwise several bugs in beta-releases, from memory, bugs with beta versions of primitive projections or template polymorphism or native compilation or guard (e7fc96366, 2a4d714a1).
There were otherwise maybe unexploitable kernel bugs, e.g. 2df88d83 (Require overloading), 0adf0838 ("Univs: uncovered bug in strengthening of opaque polymorphic definitions."), 5122a398 (#3746 about functors), #4346 (casts in VM), a14bef4 (guard condition in 8.1), 6ed40a8 ("Georges' bug" with ill-typed lazy machine), and various other bugs in 8.0 or 8.1 w/o knowing if they are critical.
Another non exploitable bug?
component: "virtual machine" (compilation to bytecode ran by a C-interpreter)
summary: bug in 31bit arithmetic
introduced: V8.1
impacted released versions: none
impacted development branches:
impacted coqchk versions: none (no virtual machine in coqchk)
fixed in: master/trunk/v8.5 (0f8d1b92c, 6 Sep 2015, Dénès)
found by: Dénès, from a bug report by Tahina Ramananandro
exploit: ?
GH issue number: ?
risk: