lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5e01c29a0603281957i4428e0a7t4a0d8c1fc34c38a1@mail.gmail.com>
Date: Wed Mar 29 04:57:10 2006
From: michaelslists at gmail.com (michaelslists@...il.com)
Subject: Re: Java integer overflows (was: a really long
	topic)

Obviously there is other issues around not sanitising the data
yourself, but in the context of the reply - i.e. buffer overflows for
arbitrary code exec - java is fully protected.

any access to an array is checked by the vm.

-- Michael


On 3/29/06, Eliah Kagan <degeneracypressure@...il.com> wrote:
> > On 3/29/06, Andrew van der Stock wrote:
> > > This is not quite true.
> > >
> > > Java does not prevent integer overflows (it will not throw an
> > > exception). So you still have to be careful about array indexes.
>
> On 3/28/06, michaelslists@...il.com replied:
> > No you dont.
> >
> > Arrays are all bounds checked; ..., that is, the following code will
> > throw an exception:
> >
> > ================================
> > class Foo {
> >   static {
> >     int[] m = new int[2];
> >     System.out.println(m[34]);
> >   }
> > }
> > ================================
> >
> >
> > What do you mean by "overflow"? Do you mean this?
> >
> > ================================
> > class Foo {
> >   static {
> >     int m = Integer.MAX_VALUE;
> >     int k = Integer.MAX_VALUE + Integer.MAX_VALUE;
> >     System.out.println(m);
> >     System.out.println(k);
> >     System.exit(0);
> >   }
> > }
> > ================================
> >
> > if so, I don't see how that is an issue.
> >
> > -- Michael
>
> That is an issue in a limited way--if you are trying to access a
> record with a high enough number (say by adding a number to a previous
> array index), you might end up accessing a record with a low number,
> which could potentially compromise the security of an application if
> certain assumptions are made. But this would only be within the same
> array that is already being accessed. The risk is minimal compared to
> the risks of accessing past the end of an array in, say, C.
>
> Even with bounds checking, there is no general way for a programming
> language to stop the programmer from writing a program that accesses
> the wrong piece of data in within a data structure, causing a security
> problem. Java was never designed to solve this sort of problem. Java
> does abstract data access so that many common bugs like buffer
> overflows are prevented, which is very useful.
>
> -Eliah
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ