Message-ID: <CAMRJFfKn4kEGVq9c1CyZtMEbiAcC=dsePG1xTmT0ruR9KVwOOg@mail.gmail.com>
Date: Tue, 30 Apr 2013 17:11:14 +0200
From: Jonas Wagner <jonas.wagner@...l.ch>
To: musl@...ts.openwall.com
Subject: Word-sized reads access memory past the bound of objects
Hi,
I'm currently experimenting with MUSL and automated bug finding tools. One
issue I'm facing is that the tool reports several errors in functions such
as strlen, that perform word-size accesses. What happens is that strlen
reads a word at a time, then checks whether there is a zero in there. If
the zero happens to be in the first byte, it thus reads three bytes past
the end of the string.
In principle, the tool is correct and MUSL does cause undefined behavior
here. In practice, I don't see a way how MUSL's behavior could cause any
damage...
My questions are:
- How prevalent is such code in MUSL?
- Would there be an easy way to find all these places and change them?
- Are there other types of "soft" undefined behavior that MUSL exploits?
I guess changing MUSL would lose a lot of performance... so maybe
I'll adapt the bug finding tool instead...
Best,
Jonas
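The word-at-a-time strlen described in the mail, as an added C illustration (not musl's code): the word containing the terminator is read whole, so with a 32-bit word and the zero in its first byte three bytes past the end of the string are touched, yet the read stays inside one aligned word and so cannot cross a page boundary. The 32-bit word type and the helper names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed 32-bit word: "zero in the first byte" then means three bytes
 * are read past the terminator, matching the mail. */
typedef uint32_t word_t;
#define ALIGN (sizeof(word_t) - 1)
#define ONES  ((word_t)-1 / 0xff)                 /* 0x01010101 */
#define HIGHS (ONES * 0x80)                       /* 0x80808080 */
#define HASZERO(x) (((x) - ONES) & ~(x) & HIGHS)  /* nonzero iff a byte is 0 */

/* strlen done a word at a time. If overread is non-NULL it receives the
 * number of bytes the final word read touched beyond the terminator. */
size_t word_strlen(const char *s, size_t *overread)
{
    const char *a = s;
    const word_t *w;
    size_t past = 0;

    /* Byte-wise up to the alignment boundary: never passes the terminator. */
    for (; (uintptr_t)s & ALIGN; s++)
        if (!*s) goto done;
    /* Word-wise: the word holding the terminator is read whole, so up to
     * sizeof(word_t)-1 bytes past it are touched. The word is aligned, so the
     * read never crosses a page: harmless in practice, still undefined. */
    for (w = (const void *)s; !HASZERO(*w); w++) ;
    for (s = (const void *)w; *s; s++) ;
    past = (size_t)(((const char *)w + sizeof(word_t)) - (s + 1));
done:
    if (overread) *overread = past;
    return s - a;
}

/* Copies str into an aligned buffer at byte offset off (0..3), runs
 * word_strlen on it and reports how far past the terminator it read. */
size_t overread_for(const char *str, size_t off, size_t *len)
{
    _Alignas(word_t) char buf[32] = {0};   /* constructed sample buffer */
    size_t past, n;
    memcpy(buf + off, str, strlen(str) + 1);
    n = word_strlen(buf + off, &past);
    if (len) *len = n;
    return past;
}

int main(void)
{
    size_t len, past = overread_for("abcd", 0, &len); /* zero is byte 0 of word 2 */
    printf("len=%zu, bytes read past terminator=%zu\n", len, past); /* 4 and 3 */
    return 0;
}
```

A sanitizer that tracks object bounds flags the word read exactly because `past` is nonzero, even though the touched bytes lie in the same aligned word as the terminator.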