This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
On 08/09/2015 06:43 PM, Rich Felker wrote:
>> warning: debug option `%s' unknown; try LD_DEBUG=help\n", copy);
>> + /* Don't let an attacker inject arbitrary data into the stack area */
>> + __builtin_memset(copy, 0, len);
>> }
> This memset will be optimized out by any decent compiler. Some
> mechanism to prevent that is needed.

Funny you should mention that ... (see the other message I just posted)

> BTW are you sure you haven't uncovered a much more serious bug?
> Unbounded alloca allows the clobbering of arbitrary memory. While it's
> not entirely unbounded, the environment/argv size limit was removed on
> modern Linux, so it's quite possible to have multi-MB or even GB
> strings there. It's possible/likely that we got lucky and get an
> unconditional crash at a point where there's only one thread and no
> signal handlers, but I still think this should be checked and the
> bogus alloca removed.

Agree, but note that this might be happening so early that malloc isn't
available (I haven't checked); is it really necessary to copy the string
at all?

zw
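Review bot: the added `__builtin_memset(copy, 0, len);` is a dead store: `copy` is not read again before it goes out of scope, so the compiler is free to drop the call and the clearing never happens. If the wipe is kept, use a routine the optimiser must preserve (volatile byte stores, or an explicit_bzero-style function). The wipe also leaves the larger problem untouched: `copy` is sized by an alloca from the environment string, and that allocation, not the residue, is what needs bounding or removing.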
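As an added example (not glibc's code and not the patch under discussion), a C sketch of the two points raised in the thread: matching tokens of a comma-separated LD_DEBUG-style option string by pointer and length so that no per-token copy, and hence no alloca, is needed, and a clearing routine built on volatile stores that dead-store elimination cannot drop. The option table, the names `parse_debug_opts`, `wipe_nonelidable` and `example_checks`, and the input string are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
/* Constructed option table (hypothetical names; not glibc's rtld table). */
static const char *const known_opts[] = { "libs", "reloc", "files", "symbols" };
#define N_OPTS (sizeof known_opts / sizeof known_opts[0])

/* Parse a comma-separated option string in place: each token is matched by
   (pointer, length) against the table, so there is no per-token copy and no
   alloca, whatever the size of the environment string. Returns a bitmask of
   recognised options; *unknown receives the count of unrecognised tokens. */
unsigned parse_debug_opts(const char *s, size_t *unknown)
{
    unsigned mask = 0;
    *unknown = 0;
    while (*s != '\0') {
        size_t len = strcspn(s, ","), i;   /* current token is s[0..len) */
        for (i = 0; len > 0 && i < N_OPTS; i++)
            if (strlen(known_opts[i]) == len && memcmp(s, known_opts[i], len) == 0)
                break;
        if (len > 0 && i < N_OPTS)
            mask |= 1u << i;
        else if (len > 0)
            ++*unknown;                    /* empty tokens are skipped silently */
        s += len;
        if (*s == ',')
            s++;
    }
    return mask;
}

/* Clearing routine the optimiser may not drop: every store goes through a
   volatile pointer, so it is an observable side effect even when the buffer
   is never read again (a plain memset in that position is a dead store). */
void wipe_nonelidable(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n-- > 0)
        *vp++ = 0;
}

/* Self-check on constructed input; returns 1 when both behaviours hold. */
int example_checks(void)
{
    size_t unknown;
    unsigned mask = parse_debug_opts("libs,bogus,,reloc,", &unknown);
    unsigned char buf[16];
    memset(buf, 0xA5, sizeof buf);         /* simulate sensitive residue */
    wipe_nonelidable(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] != 0)
            return 0;
    return mask == 3u && unknown == 1;     /* libs|reloc set, "bogus" counted */
}
```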