This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [PATCH] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG


On 08/09/2015 06:43 PM, Rich Felker wrote:
>>  warning: debug option `%s' unknown; try LD_DEBUG=help\n", copy);
>> +	      /* Don't let an attacker inject arbitrary data into the stack area */
>> +	      __builtin_memset(copy, 0, len);
>>  	    }
> This memset will be optimized out by any decent compiler. Some
> mechanism to prevent that is needed.

Funny you should mention that ... (see the other message I just posted)

> BTW are you sure you haven't uncovered a much more serious bug?
> Unbounded alloca allows the clobbering of arbitrary memory. While it's
> not entirely unbounded, the environment/argv size limit was removed on
> modern Linux, so it's quite possible to have multi-MB or even GB
> strings there. It's possible/likely that we got lucky and get an
> unconditional crash at a point where there's only one thread and no
> signal handlers, but I still think this should be checked and the
> bogus alloca removed.

Agree, but note that this might be happening so early that malloc isn't
available (I haven't checked); is it really necessary to copy the string
at all?

zw

Attachment: signature.asc
Description: OpenPGP digital signature


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]