Message-ID: <CAJOtW+5UMd0=ADz6cZdCo_zFaJrkQjzbNQ7N7CZr_UmL1f+sqw@mail.gmail.com>
Date: Sat, 21 Dec 2024 17:29:23 +0300
From: Yuri Gribov <tetra2005@...il.com>
To: oss-security@...ts.openwall.com
Cc: Qualys Security Advisory <qsa@...lys.com>, Douglas Bagnall <douglas.bagnall@...alyst.net.nz>
Subject: Re: Out-of-bounds read & write in the glibc's qsort()

Hi colleagues,

I've recently come across discussion of invalid qsort comparators (and unpleasant consequences which they may have) at
https://www.openwall.com/lists/oss-security/2024/01/30/7
and
https://www.openwall.com/lists/oss-security/2024/06/24/3

I myself have run into similar issues in the past and ended up developing a dynamic checker to detect them automatically: https://github.com/yugr/sortcheck (and its C++ analog at https://github.com/yugr/sortcheckxx for std::sort and other relevant STL APIs).

Even with a very basic setup (semi-automatic testing of Debian packages, no fuzzing) the tool was able to find numerous bugs in open-source programs (see e.g. https://github.com/yugr/sortcheck?tab=readme-ov-file#what-are-current-results). I believe many (10x) more bugs are still out there, waiting for more patient testers.

Please let me know if someone is interested in applying these tools to their programs/distros.

Best regards,
Yury "yugr" Gribov

PS: In case anyone wants more background on comparators, here is a presentation with some general theory, the most popular errors and an overview of existing tooling: https://github.com/yugr/CppRussia/blob/master/2023/EN.pdf