Sujet : Re: A Famous Security Bug
De : Keith.S.Thompson+u (at) *nospam* gmail.com (Keith Thompson)
Groupes : comp.lang.cDate : 20. Mar 2024, 22:23:52
Autres entêtes
Organisation : None to speak of
Message-ID : <87v85g1tsn.fsf@nosuchdomain.example.com>
References : 1 2 3 4
User-Agent : Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
Keith Thompson <Keith.S.Thompson+
u@gmail.com> writes:
scott@slp53.sl.home (Scott Lurndal) writes:
Kaz Kylheku <433-929-6894@kylheku.com> writes:
On 2024-03-20, Stefan Ram <ram@zedat.fu-berlin.de> wrote:
A "famous security bug":
>
void f( void )
{ char buffer[ MAX ];
/* . . . */
memset( buffer, 0, sizeof( buffer )); }
>
. Can you see what the bug is?
>
I don't know about "the bug", but conditions can be identified under
which that would have a problem executing, like MAX being in excess
of available automatic storage.
>
Perhaps Stephan is under the mistaken assumption that
'buffer' devolves to a type of 'char *' when used
with the sizeof operator.
>
That was my first thought, but I think the idea (not clearly stated) is
that the /* . . . */ code stores sensitive information in buffer, and
the memset call is intended to clobber that information, but may be
elided since buffer is not explicitly used later. A malicious process
with access to the program's memory might be able to read that
information after f() has returned.
And I should acknowledge that Kaz mentioned that before I did.
C23 adds memset_explicit() for this purpose.
-- Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.comWorking, but not speaking, for Medtronicvoid Void(void) { Void(); } /* The recursive call of the void */
A Famous Security Bug
Re: A Famous Security Bug