Python, Linux, and the setuid bit
Richard Kettlewell
rjk at greenend.org.uk
Tue Apr 15 04:00:55 EDT 2014
Ethan Furman <ethan at stoneleaf.us> writes:
> memset(envp_write, 0, ((unsigned int) envp_read -
> (unsigned int) envp_write));
That is a remarkable blunder for a security-critical program.
On a 64-bit platform, the best case outcome is that it will throw away
the top 32 bits of each pointer before doing the subtraction, yielding
the wrong answer if the discarded bits happen to differ.
(There is no limit to the worst case behavior; the effect of converting
a pointer value to an integer type which cannot represent the result is
undefined.)
I would write:
(envp_read - envp_write) * sizeof *envp_read
--
http://www.greenend.org.uk/rjk/
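An added example, not code from the thread or from the program under discussion: it models the quoted cast-then-subtract expression on constructed 64-bit addresses next to the exact distance, and implements the pointer-difference form suggested above with a range check. It assumes 64-bit pointers; all names and addresses are constructed.

```c
/* Added example, not from the thread. Assumes 64-bit pointers. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the quoted expression: each address is forced through a
 * 32-bit unsigned int before the subtraction, so only the low 32 bits
 * of either address survive and the subtraction wraps modulo 2^32.
 * Addresses are taken as uintptr_t so constructed values can be used
 * without dereferencing anything. */
static size_t truncated_gap_model(uintptr_t read_addr, uintptr_t write_addr)
{
    unsigned int r = (unsigned int) read_addr;   /* high bits discarded */
    unsigned int w = (unsigned int) write_addr;
    return (size_t) (r - w);                     /* wraps modulo 2^32 */
}

/* Exact byte distance between the same two addresses, for comparison. */
static size_t exact_gap(uintptr_t read_addr, uintptr_t write_addr)
{
    return (size_t) (read_addr - write_addr);
}

/* The form suggested in the reply: element difference scaled by the
 * element size, valid at any pointer width. An inverted range zeroes
 * nothing and returns 0 rather than handing memset a huge size_t. */
static size_t zero_envp_gap(char **envp_write, char **envp_read)
{
    if (envp_read < envp_write)
        return 0;
    size_t bytes = (size_t) (envp_read - envp_write) * sizeof *envp_read;
    memset(envp_write, 0, bytes);
    return bytes;
}

/* Constructed envp: clear slots 1..3 of six and report how many slots
 * ended up NULL (expected 3). */
static size_t demo_zero_gap(void)
{
    char *v[6] = { "A=1", "B=2", "C=3", "D=4", "E=5", "F=6" };
    size_t nulls = 0;
    if (zero_envp_gap(&v[1], &v[4]) != 3 * sizeof(char *))
        return 0;
    for (size_t i = 0; i < 6; i++)
        if (v[i] == NULL)
            nulls++;
    return nulls;
}
```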