Re: [CHECKER] Security reports involving isspace()

From: viro
Date: Tue Apr 20 2004 - 18:35:05 EST

Next message: Erik Steffl: "Re: logitech mouseMan wheel doesn't work with 2.6.5"
Previous message: john stultz: "Re: Failing back to INSANE timesource :) Time stopped today."
In reply to: ken: "[CHECKER] Security reports involving isspace()"
Next in thread: ken: "Re: [CHECKER] Security reports involving isspace()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 20, 2004 at 03:14:21PM -0700, ken@xxxxxxxxxxxx wrote:
> Here are some more static analysis reports from Coverity. These are
> places where the kernel gets a scalar from the user and then uses it as an
> array index with out bounds checking it.
>
> All of the reports below deal with the isspace macro. It expands to an
> access to a static array with 256 entries. If we use an unsigned char to
> index into the array, there are no problems. However, when that char is
> signed, we can index off the left of the array.
>
> It seems like this isn't a big deal, but if the isspace array is located
> after some important data structure, we could leak information.

#define __ismask(x) (_ctype[(int)(unsigned char)(x)])
#define isspace(c) ((__ismask(c)&(_S)) != 0)

Figuring out why the reports mentioned in the quoted text are bullshit
is left as an exercise for readers.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Erik Steffl: "Re: logitech mouseMan wheel doesn't work with 2.6.5"
Previous message: john stultz: "Re: Failing back to INSANE timesource :) Time stopped today."
In reply to: ken: "[CHECKER] Security reports involving isspace()"
Next in thread: ken: "Re: [CHECKER] Security reports involving isspace()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]