mailing list of musl libc
* [musl] out-of-bounds reads in strstr
@ 2020-12-08 19:39 Brooks Davis
  2020-12-08 19:53 ` Rich Felker
  0 siblings, 1 reply; 7+ messages in thread
From: Brooks Davis @ 2020-12-08 19:39 UTC (permalink / raw)
  To: musl

The strstr implementation contains the following snippet which results
in out-of-bounds reads in memchr (we detect them on CHERI because we
have byte-granularity bounds of small buffers):

	/* Fast estimate for MIN(l,63) */
	size_t grow = l | 63;
	const unsigned char *z2 = memchr(z, 0, grow);

The use of `|` means this is very much not an approximation of
`MIN(l,63)`.  What is actually intended here?  For CheriBSD (via FreeBSD)
I need a way to avoid out-of-bounds reads entirely (`MIN(l,63)` does seem
to work in simple system-level testing, but given the mismatch it's
unclear that's what was intended).

Thanks,
Brooks
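
Added example, not part of the original message and not musl or CheriBSD code: it compares the quoted `l | 63` expression against MIN(l,63) and MAX(l,63), then shows a memchr length clamped to the object's end. The helper find_nul_clamped and its obj_end parameter are hypothetical; they assume the caller knows where the object ends, which strstr itself does not.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* The length expression from the quoted snippet. */
static size_t grow_or(size_t l) { return l | 63; }

/* Number of l in [1, limit] for which l | 63 equals MIN(l, 63). */
static size_t count_equal_min(size_t limit)
{
	size_t n = 0;
	for (size_t l = 1; l <= limit; l++)
		if (grow_or(l) == MIN(l, (size_t)63)) n++;
	return n;
}

/* 1 if MAX(l, 63) <= l | 63 <= l + 63 holds for every l in [1, limit]. */
static int bounded_by_max(size_t limit)
{
	for (size_t l = 1; l <= limit; l++) {
		size_t g = grow_or(l);
		if (g < MAX(l, (size_t)63) || g > l + 63) return 0;
	}
	return 1;
}

/* Hypothetical helper: search for NUL with the length clamped to the bytes
 * known to belong to the object (obj_end points one past its last byte). */
static const unsigned char *find_nul_clamped(const unsigned char *z,
		size_t want, const unsigned char *obj_end)
{
	size_t avail = (size_t)(obj_end - z);
	return memchr(z, 0, MIN(want, avail));
}

/* Constructed case: 4-byte object "abc\0", needle length l = 3. */
static size_t demo_nul_offset(void)
{
	static const unsigned char buf[4] = "abc";
	const unsigned char *p = find_nul_clamped(buf, grow_or(3), buf + sizeof buf);
	return p ? (size_t)(p - buf) : (size_t)-1;
}

int main(void)
{
	printf("l=3 -> %zu, l=100 -> %zu, equal to MIN for %zu of 200 values\n",
	       grow_or(3), grow_or(100), count_equal_min(200));
	printf("within [MAX, l+63]: %d, NUL offset: %zu\n",
	       bounded_by_max(4096), demo_nul_offset());
	return 0;
}
```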


Thread overview: 7+ messages
2020-12-08 19:39 [musl] out-of-bounds reads in strstr Brooks Davis
2020-12-08 19:53 ` Rich Felker
2020-12-08 22:44   ` Brooks Davis
2020-12-08 22:57     ` Rich Felker
2020-12-09  6:54       ` Alexander Monakov
2020-12-09 16:37         ` Rich Felker
2020-12-24 22:26           ` Fangrui Song