Message-ID: <CAJOtW+5UMd0=ADz6cZdCo_zFaJrkQjzbNQ7N7CZr_UmL1f+sqw@mail.gmail.com>
Date: Sat, 21 Dec 2024 17:29:23 +0300
From: Yuri Gribov <tetra2005@...il.com>
To: oss-security@...ts.openwall.com
Cc: Qualys Security Advisory <qsa@...lys.com>, Douglas Bagnall <douglas.bagnall@...alyst.net.nz>
Subject: Re: Out-of-bounds read & write in the glibc's qsort()

Hi colleagues,

I've recently come across discussion of invalid qsort comparators (and
unpleasant consequences which they may have) at
https://www.openwall.com/lists/oss-security/2024/01/30/7 and
https://www.openwall.com/lists/oss-security/2024/06/24/3

I myself have run into similar issues in the past and ended up
developing a dynamic checker to detect them automatically:
https://github.com/yugr/sortcheck (and its C++ analog at
https://github.com/yugr/sortcheckxx for std::sort and other relevant
STL APIs).

Even with a very basic setup (semi-automatic testing of Debian packages,
no fuzzing) the tool was able to find numerous bugs in open-source
programs (see e.g.
https://github.com/yugr/sortcheck?tab=readme-ov-file#what-are-current-results).
I believe many (10x) more bugs are still out there, waiting for more
patient testers.

Please let me know if someone is interested in applying these tools to
their programs/distros.

Best regards,
Yury "yugr" Gribov

PS: In case anyone wants more background on comparators, here is a
presentation with some general theory, the most popular errors and
an overview of existing tooling:
https://github.com/yugr/CppRussia/blob/master/2023/EN.pdf
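
An added illustration, not part of the original message and not code from sortcheck: a brute-force check of the ordering axioms a qsort() comparator must satisfy, run over a constructed sample against one correct and two faulty comparators. All names (check_comparator, cmp_ok, cmp_less, cmp_sub, sample) are hypothetical, and a 32-bit int is assumed.

```c
#include <stddef.h>

typedef int (*cmp_fn)(const void *, const void *);
enum { BAD_REFLEXIVITY = 1, BAD_ANTISYMMETRY = 2, BAD_TRANSITIVITY = 4 };

static int sign(int v) { return (v > 0) - (v < 0); }

/* Bitmask of ordering axioms that cmp violates on the n elements at base.
   Brute force, O(n^3) comparator calls: meant for small samples. */
int check_comparator(const void *base, size_t n, size_t size, cmp_fn cmp)
{
    const char *p = base;
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        const void *a = p + i * size;
        if (cmp(a, a) != 0)
            bad |= BAD_REFLEXIVITY;
        for (size_t j = 0; j < n; j++) {
            const void *b = p + j * size;
            int ab = sign(cmp(a, b));
            if (ab != -sign(cmp(b, a)))
                bad |= BAD_ANTISYMMETRY;
            for (size_t k = 0; k < n; k++) {
                /* a<b<c, a>b>c or a==b==c must give the same answer for (a, c) */
                const void *c = p + k * size;
                if (ab == sign(cmp(b, c)) && sign(cmp(a, c)) != ab)
                    bad |= BAD_TRANSITIVITY;
            }
        }
    }
    return bad;
}

/* Correct three-way comparison. */
int cmp_ok(const void *x, const void *y)
{
    int a = *(const int *)x, b = *(const int *)y;
    return (a > b) - (a < b);
}
/* Bug: "less than" predicate where qsort() expects negative/zero/positive. */
int cmp_less(const void *x, const void *y) { return *(const int *)x < *(const int *)y; }
/* Bug: subtraction idiom wraps for distant values. Done in unsigned math to
   avoid undefined behaviour; assumes wrapping conversion as on gcc/clang. */
int cmp_sub(const void *x, const void *y)
{
    return (int)((unsigned)*(const int *)x - (unsigned)*(const int *)y);
}

/* Constructed sample input. */
const int sample[] = { -2000000000, 0, 7, 2000000000 };
int main(void) { return check_comparator(sample, 4, sizeof sample[0], cmp_ok); }
```

On this sample cmp_less fails only antisymmetry and cmp_sub fails only transitivity, so a check limited to pairwise symmetry would miss the subtraction bug.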
