Newsportal USENET - Re: A Famous Security Bug

Re: A Famous Security Bug

Sujet : Re: A Famous Security Bug
De : jameskuyper (at) *nospam* alumni.caltech.edu (James Kuyper)
Groupes : comp.lang.c
Date : 28. Mar 2024, 12:14:24

Autres entêtes

Organisation : A noiseless patient Spider
Message-ID : <uu3fu0$3gmba$1@dont-email.me>
References : 1 2 3 4 5 6 7 8 9 10 11
User-Agent : Mozilla Thunderbird

On 24/03/2024 19:58, bart wrote:

On 24/03/2024 15:53, Michael S wrote:

#include <stdio.h>
#include <stddef.h>
>
int main(void)
{
   char* p0 = (char*)((size_t)main & -(size_t)0x10000);
   printf("%c%c\n", p0[0], p0[1]);
   return 0;
}
>
>
That would work for small programs. Not necessarily for bigger
programs.
>

I'm not sure how that works. Are EXE images always loaded at multiple of
64KB? I suppose on larger programs it could search backwards 64KB at a
time (although it could also hit on a rogue 'MZ' in program data).

My point however was whether C considered that p0[0] access UB because
it doesn't point into any C data object.

Here's what the standard says about (size_t)main:
"... the result is implementation-defined. If the result cannot be
represented in the integer type, the behavior is undefined. The result
need not be in the range of values of any integer type."

Here's what the standard says about the conversion to char*:
"the result is implementation-defined, might not be correctly aligned,
might not point to an entity of the referenced type, and might produce
an indeterminate representation when stored into an object."

Alignment cannot be an issue with char*, but the other two problems
remain. In particular, I think you're assuming that, when converted back
to a pointer, the resulting pointer will point 0x10000 bytes further on
in memory. There's no such guarantee.

p0[0] is defined as *(p0+0). As a result, the relevant wording occurs in
the description of the unary * operator.

"If the operand points to a function, the result is a function
designator; if it points to an object, the result is an lvalue
designating the object."

Here's the most fundamental problem: there's no guarantee that p0[0]
points at a C object. There's a very good chance, if the code does what
you're hoping it will do, that it points inside a function. As a result,
the following applies:

"If an invalid value has been assigned to the pointer, the behavior of
the unary * operator is undefined."

So, an implementation is free to define the behavior of such code so
that it does what you want - but the C standard doesn't even come close
to mandating that it do so.

Les messages affichés proviennent d'usenet.

Date	Sujet	#	Auteur
20 Mar 24	A Famous Security Bug	118	Stefan Ram
20 Mar 24	Re: A Famous Security Bug	108	Kaz Kylheku
20 Mar 24	Re: A Famous Security Bug	2	Keith Thompson
20 Mar 24	Re: A Famous Security Bug	1	Keith Thompson
21 Mar 24	Re: A Famous Security Bug	35	David Brown
21 Mar 24	Re: A Famous Security Bug	34	Kaz Kylheku
21 Mar 24	Re: A Famous Security Bug	4	Chris M. Thomasson
21 Mar 24	Re: A Famous Security Bug	3	Chris M. Thomasson
22 Mar 24	Re: A Famous Security Bug	2	Chris M. Thomasson
22 Mar 24	Re: A Famous Security Bug	1	Chris M. Thomasson
21 Mar 24	Re: A Famous Security Bug	28	Keith Thompson
22 Mar 24	Re: A Famous Security Bug	24	Kaz Kylheku
22 Mar 24	Re: A Famous Security Bug	19	Keith Thompson
22 Mar 24	Re: A Famous Security Bug	18	Kaz Kylheku
22 Mar 24	Re: A Famous Security Bug	2	James Kuyper
22 Mar 24	Re: A Famous Security Bug	1	Kaz Kylheku
22 Mar 24	Re: A Famous Security Bug	1	David Brown
22 Mar 24	Re: A Famous Security Bug	14	Keith Thompson
22 Mar 24	Re: A Famous Security Bug	13	Kaz Kylheku
23 Mar 24	Re: A Famous Security Bug	12	David Brown
23 Mar 24	Re: A Famous Security Bug	11	Kaz Kylheku
23 Mar 24	Re: A Famous Security Bug	2	David Brown
24 Mar 24	Re: A Famous Security Bug	1	Kaz Kylheku
23 Mar 24	Re: A Famous Security Bug	8	James Kuyper
24 Mar 24	Re: A Famous Security Bug	7	Kaz Kylheku
24 Mar 24	Re: A Famous Security Bug	6	David Brown
24 Mar 24	Re: A Famous Security Bug	5	Kaz Kylheku
24 Mar 24	Re: A Famous Security Bug	3	David Brown
27 Mar 24	Re: A Famous Security Bug	2	Kaz Kylheku
28 Mar 24	Re: A Famous Security Bug	1	David Brown
24 Mar 24	Re: A Famous Security Bug	1	Chris M. Thomasson
22 Mar 24	Re: A Famous Security Bug	1	James Kuyper
22 Mar 24	Re: A Famous Security Bug	3	David Brown
22 Mar 24	Re: A Famous Security Bug	2	Kaz Kylheku
22 Mar 24	Re: A Famous Security Bug	1	David Brown
22 Mar 24	Re: A Famous Security Bug	3	James Kuyper
22 Mar 24	Re: A Famous Security Bug	2	Kaz Kylheku
22 Mar 24	Re: A Famous Security Bug	1	James Kuyper
22 Mar 24	Re: A Famous Security Bug	1	David Brown
21 Mar 24	Re: A Famous Security Bug	70	Anton Shepelev
21 Mar 24	Re: A Famous Security Bug	1	Keith Thompson
21 Mar 24	Re: A Famous Security Bug	15	Kaz Kylheku
22 Mar 24	Re: A Famous Security Bug	13	David Brown
22 Mar 24	Re: A Famous Security Bug	12	Kaz Kylheku
22 Mar 24	Re: A Famous Security Bug	1	James Kuyper
22 Mar 24	Re: A Famous Security Bug	10	David Brown
23 Mar 24	Re: A Famous Security Bug	9	Richard Kettlewell
23 Mar 24	Re: A Famous Security Bug	1	Kaz Kylheku
23 Mar 24	Re: A Famous Security Bug	2	David Brown
23 Mar 24	Re: A Famous Security Bug	1	Kaz Kylheku
24 Mar 24	Re: A Famous Security Bug	5	Tim Rentsch
24 Mar 24	Re: A Famous Security Bug	4	Malcolm McLean
17 Apr 24	Re: A Famous Security Bug	3	Tim Rentsch
18 Apr 24	Re: A Famous Security Bug	1	David Brown
18 Apr 24	Re: A Famous Security Bug	1	Keith Thompson
28 Mar 24	Re: A Famous Security Bug	1	Anton Shepelev
22 Mar 24	Re: A Famous Security Bug	1	Tim Rentsch
22 Mar 24	Re: A Famous Security Bug	52	James Kuyper
22 Mar 24	Re: A Famous Security Bug	51	bart
23 Mar 24	Re: A Famous Security Bug	5	Keith Thompson
23 Mar 24	Re: A Famous Security Bug	4	Kaz Kylheku
23 Mar 24	Re: A Famous Security Bug	3	David Brown
23 Mar 24	Re: A Famous Security Bug	2	bart
24 Mar 24	Re: A Famous Security Bug	1	David Brown
23 Mar 24	Re: A Famous Security Bug	45	James Kuyper
23 Mar 24	Re: A Famous Security Bug	44	bart
23 Mar 24	Re: A Famous Security Bug	37	David Brown
23 Mar 24	Re: A Famous Security Bug	36	bart
24 Mar 24	Re: A Famous Security Bug	29	David Brown
24 Mar 24	Re: A Famous Security Bug	28	bart
24 Mar 24	Re: A Famous Security Bug	12	Keith Thompson
25 Mar 24	Re: A Famous Security Bug	1	David Brown
25 Mar 24	Re: A Famous Security Bug	3	Michael S
25 Mar 24	Re: A Famous Security Bug	1	David Brown
25 Mar 24	Re: A Famous Security Bug	1	Keith Thompson
25 Mar 24	Re: A Famous Security Bug	7	bart
25 Mar 24	Re: A Famous Security Bug	6	Michael S
25 Mar 24	Re: A Famous Security Bug	4	bart
25 Mar 24	Re: A Famous Security Bug	3	David Brown
25 Mar 24	Re: A Famous Security Bug	2	Malcolm McLean
25 Mar 24	Re: A Famous Security Bug	1	Michael S
25 Mar 24	Re: A Famous Security Bug	1	David Brown
25 Mar 24	Re: A Famous Security Bug	15	David Brown
25 Mar 24	Re: A Famous Security Bug	14	Michael S
25 Mar 24	Re: A Famous Security Bug	13	David Brown
25 Mar 24	Re: A Famous Security Bug	3	Michael S
25 Mar 24	Re: A Famous Security Bug	1	David Brown
25 Mar 24	Re: A Famous Security Bug	1	bart
25 Mar 24	Re: A Famous Security Bug	9	bart
25 Mar 24	Re: A Famous Security Bug	7	Michael S
25 Mar 24	Re: A Famous Security Bug	6	bart
25 Mar 24	Re: A Famous Security Bug	1	David Brown
25 Mar 24	Re: A Famous Security Bug	4	Michael S
25 Mar 24	Re: A Famous Security Bug	3	bart
26 Mar 24	Re: A Famous Security Bug	2	Michael S
26 Mar 24	Re: A Famous Security Bug	1	bart
25 Mar 24	Re: A Famous Security Bug	1	David Brown
24 Mar 24	Re: A Famous Security Bug	6	Michael S
24 Mar 24	Re: A Famous Security Bug	5	bart
25 Mar 24	Re: A Famous Security Bug	2	Michael S
25 Mar 24	Re: A Famous Security Bug	1	Michael S
25 Mar 24	Re: A Famous Security Bug	1	David Brown
28 Mar 24	Re: A Famous Security Bug	1	James Kuyper
23 Mar 24	Re: A Famous Security Bug	1	Tim Rentsch
24 Mar 24	Re: A Famous Security Bug	1	Michael S
24 Mar 24	Re: A Famous Security Bug	3	Michael S
28 Mar 24	Re: A Famous Security Bug	1	James Kuyper
20 Mar 24	Re: A Famous Security Bug	1	Joerg Mertens
20 Mar 24	Re: A Famous Security Bug	5	Chris M. Thomasson
27 Mar 24	Re: A Famous Security Bug	3	Stefan Ram