On 13/01/2020 18:46, Evgeniy Berdnikov via Exim-users wrote:

> Surprised that tainting mechanism requires some knowledge about
> address space mapping or RTL internals. I'd expect "tainting" to be
> simply a flag in some structure attached to the string.

An exim string is just a C string; there's no sophistication at all. The taint is carried via the memory pools used for allocation of the memory for the strings, and the wish during development for taint-checking to be high-performance led to the observation that, for Linux, malloc'd (i.e. sbrk-derived, heap) address space was distinct from mmap'd address space. This meant that a couple of address compares were all that was needed to evaluate "is this string tainted?", the memory used for tainted values being allocated using mmap.

The various BSDs appear to intermix the address-space used for sbrk with mmap so that trick cannot be used; the build uses a #define to say so and the "is it tainted" predicate walks the list of tainted memory pool regions checking start and end addresses.

-- 
Cheers,
  Jeremy
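The region-walk variant of the predicate described above, written out as an added example. This is not Exim's code: it is a toy pool in which tainted strings are bump-allocated from mmap-backed regions tracked in a linked list, and `is_tainted()` decides by comparing the pointer against each region's start and end address (the portable path the message describes for the BSDs; the Linux fast path of two address compares against the heap range is not modelled because it depends on the platform's memory layout). All names (`taint_alloc`, `taint_strdup`, `is_tainted`, `use_trusted_only`) and the sample SMTP-style string are hypothetical and constructed for the example.

```c
#define _DEFAULT_SOURCE 1
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* older BSD spelling */
#endif

#define REGION_SIZE 4096

/* One mmap-backed pool region; tainted values live only here. (Hypothetical
 * structure for this example, not Exim's own pool layout.) */
typedef struct region {
    uint8_t *start;        /* first byte of the mmap'd block */
    uint8_t *end;          /* one past the last byte */
    size_t used;           /* bump-allocator offset */
    struct region *next;
} region;

static region *tainted_regions = NULL;

/* Allocate n bytes for a tainted value, opening a fresh mmap region when
 * the current one cannot hold the request. */
void *taint_alloc(size_t n) {
    region *r = tainted_regions;
    if (n == 0 || n > REGION_SIZE) return NULL;
    if (r == NULL || r->used + n > REGION_SIZE) {
        void *mem = mmap(NULL, REGION_SIZE, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (mem == MAP_FAILED) return NULL;
        r = malloc(sizeof *r);
        if (r == NULL) { munmap(mem, REGION_SIZE); return NULL; }
        r->start = mem;
        r->end = r->start + REGION_SIZE;
        r->used = 0;
        r->next = tainted_regions;
        tainted_regions = r;
    }
    void *p = r->start + r->used;
    r->used += n;
    return p;
}

/* Copy an untrusted (e.g. remote-supplied) string into tainted memory. */
char *taint_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = taint_alloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* The region-walk predicate: a pointer is tainted iff it lies inside one
 * of the tainted pool regions. Ordinary heap or static strings never do. */
int is_tainted(const void *p) {
    uintptr_t q = (uintptr_t)p;
    for (region *r = tainted_regions; r != NULL; r = r->next)
        if (q >= (uintptr_t)r->start && q < (uintptr_t)r->end) return 1;
    return 0;
}

/* A caller-side policy check: refuse to use a tainted string where only
 * trusted data may go. Returns 1 and copies on success, 0 if tainted. */
int use_trusted_only(const char *s, char *out, size_t outlen) {
    if (is_tainted(s)) return 0;
    snprintf(out, outlen, "%s", s);
    return 1;
}

int main(void) {
    /* Constructed sample input standing in for data read off the wire. */
    const char *untrusted = "MAIL FROM:<someone@example.invalid>";
    char *tainted = taint_strdup(untrusted);
    char *clean = strdup("postmaster");   /* ordinary malloc'd string */
    char buf[64];

    printf("tainted copy is tainted: %d\n", is_tainted(tainted));
    printf("heap string is tainted:  %d\n", is_tainted(clean));
    printf("tainted accepted:        %d\n", use_trusted_only(tainted, buf, sizeof buf));
    printf("heap string accepted:    %d\n", use_trusted_only(clean, buf, sizeof buf));
    free(clean);
    return 0;
}
```

The cost of `is_tainted()` here grows with the number of tainted regions, which is exactly the trade-off the message contrasts with the Linux two-compare shortcut; keeping regions large and few keeps the walk short.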
