Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 20 Jul 2011 12:30:35 +0200
From: "Luka M." <paxcoder@...il.com>
To: musl@...ts.openwall.com
Subject: Re: cluts memcpy() test

On Wed, Jul 20, 2011 at 2:28 AM, Solar Designer <solar@...nwall.com> wrote:

> Luka, Rich -
>
> It'd be nice for cluts to detect issues like this:
>
> http://www.nodefense.org/eglibc.txt
>
> Maybe it already does?
>

Hey Alexander. Cluts doesn't test negative values for memcpy. Such a thing
hasn't occured to me: The prototype for the function specifies a size_t
argument, and size_t is supposed to be unsigned. This means, _afaik_, that a
negative value should be implicitly cast to a positive "equivalent". So, I
assume testing for this would be only useful as a way to show that (one of)
eglibc's implementation(s) doesn't obey sheer basics. However (not that this
isn't an eerie bug), I'm also a bit skeptical as to how a user-provided
value [+not stored in a size_t] would find itself in an argument to memcpy.
String.c is next after the alloc.c rewrite which is what I'm doing now (and
possibly after the task #7 which you suggested a while back), so if Rich
thinks this may be important to test for a reason unobvious to me, I guess I
can throw it in (though I'd have to use some non-size_t, sufficiently big
signed type to store test data :-/). In case of eglibc, I could have memcpy
jump to the same function used as the signal handler, and then it'd jump
back to a setjmp and we'd notice this behavior (that is, assuming the size
of the real argument type can be callculated for each platform). If I then
use the same setjmp/handler for a SIGSEGV, we could also catch other
hypothetical and only similarily buggy implementation behavior, and have
both report a same ambigous "negative argument" error message. But then I
guess the same applies to all other functions that should take a size_t or
any other positive type, doesn't it? :-/
Luka.

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.