Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 30 Apr 2013 17:11:14 +0200
From: Jonas Wagner <>
Subject: Word-sized reads access memory past the bound of objects


I'm currently experimenting with MUSL and automated bug finding tools. One
issue I'm facing is that the tool reports several errors in functions such
as strlen, that perform word-size accesses. What happens is that strlen
reads a word at a time, then checks whether there is a zero in there. If
the zero happens to be in the first byte, it thus reads three bytes past
the end of the string.

In principle, the tool is correct and MUSL does cause undefined behavior
here. In practice, I don't see a way how MUSL's behavior could cause any

My questions are:
- How prevalent is such code in MUSL?
- Would there be an easy way to find all these places and change them?
- Are there other types of "soft" undefined behavior that MUSL exploits?

I guess doing changing MUSL would lose a lot of performance... so maybe
I'll adapt the bug finding tool instead...


Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.