Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20260421075735.164237-1-florian.schmaus@codasip.com>
Date: Tue, 21 Apr 2026 09:57:35 +0200
From: Florian Schmaus <florian.schmaus@...asip.com>
To: musl@...ts.openwall.com
Cc: Florian Schmaus <florian.schmaus@...asip.com>
Subject: [PATCH] qsort: align 'tmp' buffer to preserve CHERI capabilities

The cycle() function in qsort.c uses a local stack buffer 'tmp'
to temporarily hold elements being permuted.

Under CHERI architectures, like CHERI RISC-V, pointers are represented
as capabilities, which include an out-of-band hardware tag bit used to
enforce memory safety. For this tag bit to be preserved when a
capability is written to memory, the target address must be strictly
aligned to the capability's size requirement (e.g., 16-byte aligned
for 128-bit capabilities).

Previously, 'tmp' was declared as an 'unsigned char' array, which only
guarantees a 1-byte alignment. If qsort is called to sort an array of
pointers, writing these capabilities into an unaligned 'tmp' buffer
causes the processor to strip their validity tags. When these untagged
capabilities are copied back out and later dereferenced, the hardware
will throw a capability fault, crashing the program.

By changing the buffer type to an array of 'void *' we force the
compiler to align the stack allocation to the architectural
pointer/capability alignment boundary. This ensures that capabilities
stored in the buffer retain their tags and remain valid.
---
 src/stdlib/qsort.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/stdlib/qsort.c b/src/stdlib/qsort.c
index 28607450b885..862a3099d98f 100644
--- a/src/stdlib/qsort.c
+++ b/src/stdlib/qsort.c
@@ -44,7 +44,7 @@ static inline int pntz(size_t p[2]) {
 
 static void cycle(size_t width, unsigned char* ar[], int n)
 {
-	unsigned char tmp[256];
+	void* tmp[16 * sizeof(void*)];
 	size_t l;
 	int i;
 
-- 
2.53.0

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.