From: Keith Thompson
Newsgroups: comp.lang.c
Subject: Re: A Famous Security Bug
Date: Wed, 20 Mar 2024 14:23:52 -0700
Organization: None to speak of
Message-ID: <87v85g1tsn.fsf@nosuchdomain.example.com>
References: <20240320114218.151@kylheku.com> <87zfus1txp.fsf@nosuchdomain.example.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Keith Thompson writes:
> scott@slp53.sl.home (Scott Lurndal) writes:
>> Kaz Kylheku <433-929-6894@kylheku.com> writes:
>>> On 2024-03-20, Stefan Ram wrote:
>>>> A "famous security bug":
>>>>
>>>> void f( void )
>>>> { char buffer[ MAX ];
>>>> /* . . . */
>>>> memset( buffer, 0, sizeof( buffer )); }
>>>>
>>>> . Can you see what the bug is?
>>>
>>> I don't know about "the bug", but conditions can be identified under
>>> which that would have a problem executing, like MAX being in excess
>>> of available automatic storage.
>>
>> Perhaps Stephan is under the mistaken assumption that
>> 'buffer' devolves to a type of 'char *' when used
>> with the sizeof operator.
>
> That was my first thought, but I think the idea (not clearly stated) is
> that the /* . . . */ code stores sensitive information in buffer, and
> the memset call is intended to clobber that information, but may be
> elided since buffer is not explicitly used later. A malicious process
> with access to the program's memory might be able to read that
> information after f() has returned.

And I should acknowledge that Kaz mentioned that before I did.

> C23 adds memset_explicit() for this purpose.

-- 
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
Working, but not speaking, for Medtronic
void Void(void) { Void(); } /* The recursive call of the void */
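The dead-store problem discussed in this thread, shown side by side with the fix Keith points to. This is an added example, not code from the thread: `f_memset` is the quoted pattern (a local buffer holding secret material, cleared with a plain `memset` that the optimizer may drop under the as-if rule because the buffer is never read afterwards), and `f_explicit` clears the same buffer through `memset_explicit_compat`, a hypothetical stand-in for C23's `memset_explicit()` that writes through a `volatile` pointer so the stores cannot be treated as dead. `derive_secret` and its byte pattern are constructed placeholders for whatever the `/* . . . */` code would do. Whether the plain `memset` is actually elided depends on the compiler and optimization level; the way to check a real build is to inspect the generated assembly of `f_memset` at `-O2` and confirm the clearing stores are still present.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX 64

/* Counts bytes in [p, p+n) that are not zero; used to verify clearing. */
size_t count_nonzero(const unsigned char *p, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            k++;
    return k;
}

/* Hypothetical stand-in for code that deposits secret material in buf.
   The byte pattern is constructed; every byte is non-zero. */
static void derive_secret(unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (unsigned char)(0xA5 ^ (i & 0x3F));
}

/* The pattern quoted in the thread. buffer is never read after the
   memset, so the compiler may remove the call and the secret can remain
   in the reclaimed stack frame. */
void f_memset(void)
{
    char buffer[MAX];
    derive_secret((unsigned char *)buffer, sizeof buffer);
    /* . . . use the secret . . . */
    memset(buffer, 0, sizeof buffer);   /* dead store: may be elided */
}

/* Portable stand-in for C23 memset_explicit (assumption: the toolchain
   may not ship it yet). Each store goes through a volatile pointer,
   which the compiler must perform even though the bytes are never read. */
void *memset_explicit_compat(void *s, int c, size_t n)
{
    volatile unsigned char *p = (volatile unsigned char *)s;
    while (n--)
        *p++ = (unsigned char)c;
    return s;
}

/* Same routine with the clearing made non-elidable. */
void f_explicit(void)
{
    char buffer[MAX];
    derive_secret((unsigned char *)buffer, sizeof buffer);
    /* . . . use the secret . . . */
    memset_explicit_compat(buffer, 0, sizeof buffer);
}

/* Number of non-zero bytes the constructed secret occupies (all MAX). */
size_t demo_secret_present(void)
{
    unsigned char buf[MAX];
    derive_secret(buf, sizeof buf);
    return count_nonzero(buf, sizeof buf);
}

/* Number of non-zero bytes left after the explicit clear (expected 0). */
size_t demo_clear(void)
{
    unsigned char buf[MAX];
    derive_secret(buf, sizeof buf);
    memset_explicit_compat(buf, 0, sizeof buf);
    return count_nonzero(buf, sizeof buf);
}

int main(void)
{
    f_memset();
    f_explicit();
    printf("secret bytes before clear: %zu\n", demo_secret_present());
    printf("secret bytes after explicit clear: %zu\n", demo_clear());
    return 0;
}
```

The volatile-pointer loop is the classic portable approach; where a conforming C23 library is available, `memset_explicit(buffer, 0, sizeof buffer)` expresses the same intent directly and lets the implementation use a faster non-elidable routine.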