Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20150618004040.GK1173@brightrain.aerifal.cx>
Date: Wed, 17 Jun 2015 20:40:41 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: [PATCH] Implement glibc *_chk interfaces for ABI
 compatibility.

On Wed, Jun 17, 2015 at 02:07:08PM -0500, Josiah Worcester wrote:
> >> +size_t __wcrtomb_chk(char *restrict s, wchar_t wc, mbstate_t *restrict st, size_t slen)
> >> +{
> >> +     if (slen < MB_CUR_MAX) a_crash();
> >> +     return wcrtomb(s, wc, st);
> >> +}
> >
> > i think this can cause a false positive crash
> > but glibc seems to do the same..
> >
> > (eg some api passes wchar_t* and the exact mb encoded length of
> > a string so the output s can be safely shorter than max mb length)
> >
> I'm not sure if we should match glibc here or do a better check.
> 
> Thanks for the input. I'm going to wait a bit before posting a new
> patch, though, in hopes that more comments are forthcoming.

This code is definitely wrong as-is; for example:

	char c;
	wcrtomb(&c, L'0', st)

is perfectly valid (albeit useless) code. Other examples are possible
too. I think a decent check would be:

	size_t r = wcrtomb(s, wc, st);
	if (r+1 > slen+1) a_crash();
	return r;

This allows an overflow of up to 3 bytes to occur before the trap, but
there's no way a valid dest buffer could be within 3 bytes of this
function's or wcrtomb's stack, so you should safely reach the a_crash
even on overflow.

The alternative would be using a temp buffer of size MB_LEN_MAX and
then performing memcpy to the caller's buffer if the result fits or
a_crash if not.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.