Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <5040B343.7040809@redhat.com>
Date: Fri, 31 Aug 2012 14:51:15 +0200
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: operator new[] overflow checking in G++

Last week, I was finally able to fix the operator new[] overflow in gcc 
trunk:

   <http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351>

This version rejects any attempt to allocate an array of variable-length 
arrays, thus avoiding a variable-times-variable multiplication, for 
which the overflow check was deemed too costly in previous discussions 
with GCC developers.  Variable-length arrays are a GCC extension carried 
over from C++ mode.

The nature of this fix requires that affected software is recompiled—the 
multiplication which needs checking is inside code generated by the 
compiler.  Looking exclusively at referenced symbols, it is not possible 
to check if a C++ program uses operator new[].  (Most don't, std::vector 
is not affected.)

There is another patch which touches code which is not actually used by 
GCC, but could theoretically be called by code emitted by other compilers:

   <http://gcc.gnu.org/ml/gcc-patches/2012-08/msg01416.html>

We're working on a backport of the patch to GCC 4.7:

   <https://bugzilla.redhat.com/show_bug.cgi?id=850911>

This patch will not reject previously accepted programs.  The current 
version does not check for overflow in the array-of-VLAs case, but we 
might still change this.

Additional testing for both versions of the patch is welcome.

PS: If this receives a CVE, it will need one from 2002:
<http://cert.uni-stuttgart.de/ticker/advisories/calloc.html>
-- 
Florian Weimer / Red Hat Product Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.