From: Brooks Davis
To: Rich Felker
Cc: Brooks Davis, musl@lists.openwall.com
Date: Tue, 8 Dec 2020 22:44:54 +0000
Subject: Re: [musl] out-of-bounds reads in strstr
Message-ID: <20201208224454.GB5522@spindle.one-eyed-alien.net>
In-Reply-To: <20201208195327.GJ534@brightrain.aerifal.cx>

On Tue, Dec 08, 2020 at 02:53:28PM -0500, Rich Felker wrote:
> On Tue, Dec 08, 2020 at 07:39:19PM +0000, Brooks Davis wrote:
> > The strstr implementation contains the following snippet which results
> > in out-of-bounds reads in memchr (we detect them on CHERI because we
> > have byte-granularity bounds of small buffers):
> >
> > /* Fast estimate for MIN(l,63) */
> > size_t grow = l | 63;
> > const unsigned char *z2 = memchr(z, 0, grow);
> >
> > The use of `|` means this is very much not an approximation of
> > `MIN(l,63)`. What is actually intended here? For CheriBSD (via FreeBSD)
> > I need a way to avoid out-of-bounds reads entirely (`MIN(l,63)` does seem
> > to work in simple system-level testing, but given the mismatch it's
> > unclear that's what was intended).
>
> There is no OOB read in strstr here. The overread is in the
> implementation of memchr, which (if you're using the musl version) is
> relying on the ability to overread as long as the address is aligned
> (assuming protection is at boundaries larger than word size). If this
> is a problem, you should use a version of memchr that does not
> overread. Note that, per 7.24.5.1 The memchr function, ¶2:
>
> "The implementation shall behave as if it reads the characters
> sequentially and stops as soon as a matching character is found."
>
> so strstr's use of memchr here is perfectly correct/valid without any
> assumption of implementation details, i.e. [at least this part of]
> strstr is portable C.

Ok, I see that. I'll adjust our (musl-derived) memchr to work correctly
in this case.

That being said, I'm still confused by the comment in strstr. `l | 63`
is closer to `MAX(l,63)` than `MIN(l,63)`.

Thanks,
Brooks
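As an added illustration that is not part of this thread: a byte-at-a-time memchr with the "as if sequential" property Rich cites, a constructed haystack showing that the strstr snippet's call with n = l | 63 stays inside the buffer only because memchr stops at the NUL terminator, and the grow estimate itself, which is never below MAX(l,63). The names memchr_seq, grow_estimate and nul_offset_like_strstr are my own, not musl's.

```c
#include <stddef.h>

/* Byte-at-a-time memchr. It reads characters sequentially and stops at
 * the first match, which is exactly the behaviour 7.24.5.1 p2 requires
 * "as if". Because no byte past the first match is ever touched, a
 * caller may pass an n larger than the buffer as long as a match is
 * guaranteed before the buffer ends (strstr's case: the NUL is always
 * there). A word-at-a-time memchr that reads the whole aligned word
 * containing the NUL would trip byte-granular bounds such as CHERI's. */
void *memchr_seq(const void *s, int c, size_t n)
{
    const unsigned char *p = s;
    unsigned char uc = (unsigned char)c;
    for (; n; n--, p++)
        if (*p == uc)
            return (void *)p;
    return NULL;
}

/* The "grow" estimate from the strstr snippet under discussion.
 * l | 63 sets the low six bits, so it is >= l and >= 63, i.e. at least
 * MAX(l, 63), and can exceed l by up to 63 (never an approximation of
 * MIN(l, 63)). */
size_t grow_estimate(size_t l)
{
    return l | 63;
}

/* Replicates the strstr snippet on a NUL-terminated haystack z: look for
 * the NUL with the grow estimate as n and return its offset, or -1 if
 * memchr_seq ran out of bytes first. With a conforming memchr the
 * result is simply the string length whenever it is below grow. */
ptrdiff_t nul_offset_like_strstr(const char *z, size_t l)
{
    size_t grow = grow_estimate(l);
    const unsigned char *z2 = memchr_seq(z, 0, grow);
    return z2 ? z2 - (const unsigned char *)z : -1;
}
```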