Re: security-related gcc bug
Michael Ströder wrote:
Hi!
Did anyone already take note of this?
Are parts of OpenLDAP's code affected?
Looks like a really stupid way to do bounds checking. I've never seen it in
OpenLDAP code, but I also haven't looked for it explicitly either. The
examples would only ever work for a machine with 32 bit pointers, you'd get no
meaningful safety check with 64 bit pointers. (In fact, it's unlikely to
provide a meaningful check on most 32 bit platforms, since user memory tends
to be mapped into the lower 31 bits of the address space. You would have to be
overflowing by more than 2^31 for the check to catch anything. What idiot
would write a check that's so fragile?)
[Bug c/27180] New: pointer arithmetic overflow handling broken
http://gcc.gnu.org/ml/gcc-bugs/2006-04/msg01297.html
US-CERT - Vulnerability Note VU#162289:
gcc silently discards some wraparound checks
http://www.kb.cert.org/vuls/id/162289
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
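
The following is an added example, not part of the original message or of OpenLDAP's code. It models the wraparound test from the linked reports in well-defined integer arithmetic and sets it beside a length check that compares against the space remaining; `sample_buf`, `wraps_address_space`, `fits` and `buf_end` are hypothetical names chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The idiom from the reports, shown only as a comment because pointer
 * overflow is undefined behaviour in C and the compiler may delete it:
 *     if (buf + len < buf) reject();
 */

char sample_buf[16];                   /* constructed sample buffer */

/* Well-defined model of what that idiom tests: does buf + len wrap
 * around the top of the address space? Arithmetic on uintptr_t wraps
 * by definition, so the compiler cannot drop the comparison. */
int wraps_address_space(const char *buf, size_t len)
{
    uintptr_t start = (uintptr_t)buf;
    return start + (uintptr_t)len < start;
}

/* Bounds check that does not depend on wraparound: compare len with
 * the space remaining between buf and the end of the buffer.
 * buf_end points one past the last byte (hypothetical parameter). */
int fits(const char *buf, const char *buf_end, size_t len)
{
    return len <= (size_t)(buf_end - buf);
}

int main(void)
{
    size_t lens[] = { 8, 16, 32, SIZE_MAX };   /* constructed lengths */
    const char *end = sample_buf + sizeof sample_buf;

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%zu wrap-test rejects=%d fits=%d\n", lens[i],
               wraps_address_space(sample_buf, lens[i]),
               fits(sample_buf, end, lens[i]));
    return 0;
}
```

A length of 32 against the 16-byte buffer passes the wraparound test untouched, while `fits` rejects it; only a length large enough to wrap the whole address space trips the wraparound test.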