Re: Responses to: Unix Security Kernel Changes

From: der Mouse (mouseat_private)
Date: Fri Jan 29 1999 - 05:32:08 PST

Next message: Paul Braman: "Re: Responses to: Unix Security Kernel Changes"

Previous message: FrontLine Assembly: "Re: Digital Unix 4.0 exploitable buffer overflows"
Maybe in reply to: Jonathan A. Zdziarski: "Responses to: Unix Security Kernel Changes"
Next in thread: Paul Braman: "Re: Responses to: Unix Security Kernel Changes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> OK NOW:  Let me introduce a new question to you.  How come we cannot
> write our std c libraries to do something similar to this before
> performing strcat's, etc...

> a[sizeof(b)] = NULL (or 0);

There are several reasons.

One, it wouldn't help all that much, because the offending strcat()s
and sprintf()s and similar functions are often in application code,
where they are beyond reach of the C library.  For calls within the
library itself, this usually can't be done because the input string is
read-only ("const char *", typically); such input arguments may even be
in read-only VM, if they're string literals and the compiler in
question puts them in the text segment (at least one common compiler -
gcc - likes to do this).

Two, if this can be done, it's just as easy (and less destructive) to
recode the copy properly anyway.  Sometimes something like the above
*is* a proper fix; sometimes the proper fix is to use strncpy or
snprintf or something similar.  (Yes, I know, many systems don't have
snprintf...but if you can meddle with libc source you might as well add
snprintf while you're about it.)

Three, NULL is for pointer types; you want 0 or '\0'.  You might
#define NUL, which is the correct name for the character with value
zero - but NULL is semantically wrong; even if it happens to work on
your system, it is liable to break when the next system over defines
NULL as ((void*)0), which is allowed.

Four, this usually hits the wrong byte.  Most of these "unsafe"
routines copy the NUL as well, so the length has to be sizeof(b)
*including* the NUL.

Five, this risks a segfault itself.  If a is short and near the top of
VM, a[sizeof(b)] could very well be off the end of valid memory.

Six, this risks corrupting a random piece of data structure.  If a is a
small string in a small buffer, followed by some other data structure,
the assignment will drop a 0 byte into the middle of that other data
structure, which is unlikely to have any good effects.

					der Mouse

			       mouseat_private
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Next message: Paul Braman: "Re: Responses to: Unix Security Kernel Changes"
Previous message: FrontLine Assembly: "Re: Digital Unix 4.0 exploitable buffer overflows"
Maybe in reply to: Jonathan A. Zdziarski: "Responses to: Unix Security Kernel Changes"
Next in thread: Paul Braman: "Re: Responses to: Unix Security Kernel Changes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:31:59 PDT