Infosec consultant at REVƎЯSEC https://reversec.com/ - Coding, Research + various other interests
@Alexstarfire@lemmy.world I sure did. I also renamed the variable to a name that makes its existence obvious to anyone reading the code.
The code originally made a copy of a struct before modifying the copy. The original was then used afterwards. I entirely missed the later use and that it was critical that the original struct was used as is. So I passed a subtly modified struct to the later processing, which, in combination with a second bug I had introduced some time earlier, caused all kinds of havoc.
There was another bug I also introduced, which funnily had similar effects. This bug was added months ago, and it affected only older OS versions. I typically only run the bleeding version during development (but I had tested the change with older versions, too). Unfortunately, this issue was random as it depended on stack contents to get triggered, and thus went unnoticed until the additional scrutiny introduced this intense debugging session.
The combination of these factors made this a highly frustrating thing to debug, as any kind of A-B testing fails when you have multiple or random issues.
#bugstories
I still occasionally write some m68k code and apps. These are from 2024:
- Execute code in #amiga color registers: https://sintonen.fi/src/colexec/colexec.asm
- RXS-M-XS 32bit->32bit Permuted Congruential Generator: https://sintonen.fi/src/misc/pcg/_rand.asm
- Minimal modplayer (protracker music player): https://sintonen.fi/src/minimod/ (the replayer routine is mostly from Frank Wille however)
I also participated in very useless size/speedcoding competitions - some of them are still accessible from this old web page: https://amycoders.org/compo/
Note that some of the HTML is a bit broken, for example https://amycoders.org/compo/circlecompo.html - you can view source to see the full routine
#m68k #assembly #sizecoding #speedcoding
So what could you do if the microcode signature verification can be bypassed? While not directly applicable, this #defcon presentation “DEF CON 31 - Backdoor in the Core - Altering Intel x86 Instruction Set at Runtime - Krog, Skovsende” gives some ideas: https://www.youtube.com/watch?v=Zda7yMbbW7s
@gabrielesvelto Yeah, information for that vulnerability is non-existent as well. All in all, the vulnerability management doesn’t seem to be going great here.
Update: The “PeCoffLoader memory overflow issue for security” likely is CVE-2024-38796: https://nvd.nist.gov/vuln/detail/cve-2024-38796
I had actually forgotten I still had Docker installed on this system. I’ve now fixed this issue by uninstalling the malicious app. I’m using #podman elsewhere already, just had this install lingering still. Apple: Thanks for the warning!
@g@irrelephant.co Oof, that’s not good at all.
Here’s the more constructive part of the (I still think warranted - but likely a bit tone deaf) rant: https://github.com/tukaani-project/xz/pull/181