Python, Linux, and the setuid bit
Richard Kettlewell
rjk at greenend.org.uk
Tue Apr 15 05:28:47 EDT 2014
Chris Angelico <rosuav at gmail.com> writes:
> Richard Kettlewell <rjk at greenend.org.uk> wrote:
>> Ethan Furman <ethan at stoneleaf.us> writes:
>>> memset(envp_write, 0, ((unsigned int) envp_read -
>>> (unsigned int) envp_write));
>>
>> That is a remarkable blunder for a security-critical program.
>>
>> On a 64-bit platform, the best case outcome is that it will throw away
>> the top 32 bits of each pointer before doing the subtraction, yielding
>> the wrong answer if the discarded bits happen to differ.
>
> If the pointers are more than 4GB apart, then yes, it'll give the
> wrong answer - just as if you'd subtracted and then cast down to an
> integer too small for the result. But if they're two pointers inside
> the same object (already a requirement for pointer arithmetic) and not
> 4GB apart, then two's complement arithmetic will give the right result
> even if the discarded bits differ. So while you're correct in theory,
> in practice it's unlikely to actually be a problem.
This program is on a security boundary; the pathological cases are
precisely the ones the attacker looks for.
(It’s hard to see how an attacker could turn this into a useful attack.
But perhaps the attacker has more imagination than me.)
--
http://www.greenend.org.uk/rjk/
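As an added example (not code from the thread), this C program models the quoted length computation with 64-bit addresses held in uint64_t, so the more-than-4GB case can be exercised without allocating that much memory, and sets it beside a ptrdiff_t-based version that checks pointer order before clearing; the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Models the quoted expression: each 64-bit address is cast to unsigned int
 * (32 bits on the usual 64-bit ABIs) before the subtraction, so the top 32
 * bits of each address are discarded first.  Addresses are uint64_t here so
 * the cases can be chosen freely; real pointers are not dereferenced. */
size_t truncated_length(uint64_t envp_read, uint64_t envp_write)
{
    return (unsigned int)envp_read - (unsigned int)envp_write;
}

/* The distance the code should have computed. */
size_t exact_length(uint64_t envp_read, uint64_t envp_write)
{
    return (size_t)(envp_read - envp_write);
}

/* Safe form for two pointers into one object: ptrdiff_t is wide enough for
 * the platform, and a read pointer behind the write pointer is refused
 * instead of becoming a huge unsigned memset length. */
int clear_range(char *envp_write, const char *envp_read)
{
    ptrdiff_t len = envp_read - envp_write;
    if (len < 0)
        return -1;
    memset(envp_write, 0, (size_t)len);
    return 0;
}

int main(void)
{
    /* Constructed addresses: 32 bytes apart but straddling a 4GB boundary,
     * so the discarded high bits differ.  Modular arithmetic still gives
     * the right answer, as the reply in the thread says. */
    printf("straddle:  truncated=%zu exact=%zu\n",
           truncated_length(0x100000010ULL, 0xFFFFFFF0ULL),
           exact_length(0x100000010ULL, 0xFFFFFFF0ULL));
    /* Constructed addresses 4GB + 16 bytes apart: the truncated result is
     * 16, so memset would clear only 16 bytes of the intended range. */
    printf("over 4GB:  truncated=%zu exact=%zu\n",
           truncated_length(0x200000010ULL, 0x100000000ULL),
           exact_length(0x200000010ULL, 0x100000000ULL));
    char buf[16];
    memset(buf, 'x', sizeof buf);
    printf("clear_range ok=%d reversed=%d\n",
           clear_range(buf + 4, buf + 12), clear_range(buf + 12, buf + 4));
    return 0;
}
```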