Path: csiph.com!news.swapon.de!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Keith Thompson
Newsgroups: comp.lang.c
Subject: Re: A Famous Security Bug
Date: Wed, 20 Mar 2024 14:20:50 -0700
Organization: None to speak of
Lines: 33
Message-ID: <87zfus1txp.fsf@nosuchdomain.example.com>
References: <20240320114218.151@kylheku.com>
MIME-Version: 1.0
Content-Type: text/plain
Injection-Info: dont-email.me; posting-host="5d6dd62c05ea9ae13c7053cd9c4c457b"; logging-data="1815152"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX196NRTxR7HVtsqt7DwnZF4D"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
Cancel-Lock: sha1:ri0jQKTo9IDw1PRDMb+YPVerzd8= sha1:PolEQWvgKU/bMSoffH4IY3iYIwA=
Xref: csiph.com comp.lang.c:383819

scott@slp53.sl.home (Scott Lurndal) writes:
> Kaz Kylheku <433-929-6894@kylheku.com> writes:
>> On 2024-03-20, Stefan Ram wrote:
>>> A "famous security bug":
>>>
>>>   void f( void )
>>>   { char buffer[ MAX ];
>>>     /* . . . */
>>>     memset( buffer, 0, sizeof( buffer )); }
>>>
>>> . Can you see what the bug is?
>>
>> I don't know about "the bug", but conditions can be identified under
>> which that would have a problem executing, like MAX being in excess
>> of available automatic storage.
>
> Perhaps Stefan is under the mistaken assumption that
> 'buffer' devolves to a type of 'char *' when used
> with the sizeof operator.

That was my first thought, but I think the idea (not clearly stated)
is that the /* . . . */ code stores sensitive information in buffer,
and the memset call is intended to clobber that information, but may
be elided since buffer is not explicitly used later. A malicious
process with access to the program's memory might be able to read that
information after f() has returned.

C23 adds memset_explicit() for this purpose.
--
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
Working, but not speaking, for Medtronic
void Void(void) { Void(); } /* The recursive call of the void */
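The following is an added illustration of the point Keith makes, written for this page and not taken from the thread. `f_original` reproduces the quoted pattern with the elided part filled in, and `secure_memzero` is a portable stand-in for the C23 `memset_explicit()` he mentions, zeroing through a volatile pointer so the stores cannot be treated as dead. The value of `MAX`, the `SECRET` string, and all function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size for the MAX used in the quoted snippet (the post gives none). */
#define MAX 64

/* Constructed stand-in for whatever the elided code writes into buffer. */
static const char SECRET[] = "constructed-secret-value";

/* The pattern from the quoted post with the elided part filled in.
 * To the compiler the final memset is a dead store: buffer is never read
 * afterwards and stops existing when f returns, so an optimizer may
 * legally drop the call and leave the secret on the stack. */
void f_original(void)
{
    char buffer[MAX];
    strncpy(buffer, SECRET, sizeof buffer - 1);
    buffer[sizeof buffer - 1] = '\0';
    memset(buffer, 0, sizeof buffer);   /* may be optimized away */
}

/* Portable stand-in for C23 memset_explicit(): zero n bytes through a
 * volatile pointer. Stores through a volatile lvalue are treated as
 * observable side effects, so mainstream compilers keep every one of them
 * even though the memory is never read again. */
void secure_memzero(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n-- > 0) {
        *vp++ = 0;
    }
}

/* Same as f_original, but the wipe cannot be elided. */
void f_hardened(void)
{
    char buffer[MAX];
    strncpy(buffer, SECRET, sizeof buffer - 1);
    buffer[sizeof buffer - 1] = '\0';
    secure_memzero(buffer, sizeof buffer);   /* not a dead store */
}

/* Returns how many bytes in p[0..n) are non-zero. */
size_t count_nonzero(const void *p, size_t n)
{
    const unsigned char *bp = p;
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (bp[i] != 0) {
            count++;
        }
    }
    return count;
}

/* Fills a buffer with the constructed secret, wipes it with secure_memzero
 * and reports how many bytes survived. The check happens while the buffer
 * is still alive, which is the only well-defined way to observe the wipe. */
size_t wipe_survivors(void)
{
    char buffer[MAX];
    strncpy(buffer, SECRET, sizeof buffer - 1);
    buffer[sizeof buffer - 1] = '\0';
    secure_memzero(buffer, sizeof buffer);
    return count_nonzero(buffer, sizeof buffer);
}

int main(void)
{
    f_original();
    f_hardened();
    printf("bytes surviving secure_memzero: %zu\n", wipe_survivors());
    return 0;
}
```

To see the elision itself, compile with optimization and inspect the output (for example `cc -O2 -S` on the file): with GCC or Clang the `memset` call in `f_original` is commonly removed by dead-store elimination, while the volatile stores in `f_hardened` remain. Once the toolchain provides C23's `memset_explicit()`, it is the standard replacement for the hand-rolled `secure_memzero` here.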