lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 29 Aug 2007 19:46:23 +0200
From:	Michael Buesch <mb@...sch.de>
To:	David Miller <davem@...emloft.net>
Cc:	joe@...ches.com, johannes@...solutions.net, netdev@...r.kernel.org
Subject: Re: [PATCH net-2.6.24] introduce MAC_FMT/MAC_ARG

On Wednesday 29 August 2007 00:54:19 David Miller wrote:
> From: Michael Buesch <mb@...sch.de>
> Date: Tue, 28 Aug 2007 16:48:44 +0200
> 
> > On Monday 27 August 2007 23:11:50 David Miller wrote:
> > > From: Joe Perches <joe@...ches.com>
> > > Date: Mon, 27 Aug 2007 13:57:42 -0700
> > > 
> > > > On Mon, 2007-08-27 at 13:41 -0700, David Miller wrote:
> > > > > From: Johannes Berg <johannes@...solutions.net>
> > > > > Date: Mon, 27 Aug 2007 12:54:09 +0200
> > > > > > #define MAC_FMT "%s"
> > > > > > #define MAC_ARG(a) ({char __buf[18]; print_mac(a, __buf); __buf;})
> > > > 
> > > > > I don't think this works.
> > > > 
> > > > $ cat test_fmt.c
> > > > #include <stdio.h>
> > > > #include <stdlib.h>
> > > 
> > > You're just getting lucky in this test case.
> > > 
> > > The language does not allow what you are doing, so you're
> > > playing with fire.
> > 
> > What exactly to you think it invalid in this code?
> > I think it's fine (except that I'd chose an u8* for the mac
> > address (first arg in print_mac()).
> 
> The __buf[] is used out of scope, therefore it's stack space is
> fair game for the compiler to reuse.
> 
> When the compiler sees:
> 
> 	printk(FMT, ({ char __buf[x]; print_mac(a, __buf); __buf;}));
> 
> It first all of the printk() argument expressions, first FMT and
> then it evaluates the ({ ... }) argument.
> 
> Now that the ({ ... }) expression is done, __buf[] is out of
> scope and illegal to reference.
> 
> printk() is now called, with a pointer to an out-of-scope buffer.
> This is illegal.
> 
> I don't know how else to explain this to you, I can learn how to
> describe the issue in German if this would help :-)

Oh, not needed. I see the bug and indeed, this is a ticking
timebomb.
I don't use the ({}) notation a lot, so I didn't see this here.

-- 
Greetings Michael.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ