Huh? What did you say?
2009/1/29 ayarei <[email protected]>
> I'm just a dabbler (half a bottle); I don't understand any of it....
> My master won't even teach me a little.
>
> On Jan 29, 5:41 pm, raystyle <[email protected]> wrote:
> > Oh, so AY has worked this out too?
> >
> > 2009/1/29 ayaREI <[email protected]>
> > > Periodically we get reports into the MSRC of stack exhaustion in
> > > client-side applications such as Internet Explorer, Word, etc. These are
> > > valid stability bugs that, fortunately, do not lead to an exploitable
> > > condition by themselves (no potential for elevation of privilege). We
> > > wanted to clarify the distinction between stack exhaustion and stack
> > > buffer overflow. Stack buffer overflows often lead to elevation of
> > > privilege. Unfortunately, the literature tends to use "stack overflow"
> > > to refer to both cases, hence the confusion. The error code
> > > STATUS_STACK_BUFFER_OVERRUN (0xc0000409) refers to a stack buffer
> > > overflow, while the error code STATUS_STACK_OVERFLOW (0xc00000fd) refers
> > > to stack exhaustion.
> > >
> > > On Bugtraq this morning, there was a public post of a stack exhaustion
> > > bug that, fortunately, does not lead to arbitrary code execution. Let's
> > > take a closer look at it and a few other examples. We'll start with
> > > today's Bugtraq posting:
> > >
> > > <INPUT type="text" name="A" value="CCCCCCCCCCCCCCCCCCCC(many thousands)">
> > >
> > > When IE attempts to parse this HTML, it runs out of stack space. Hooking
> > > up WinDbg, you will observe the following first-chance exception:
> > >
> > > (f9c.5b8): Stack overflow - code c00000fd (first chance)
> > > First chance exceptions are reported before any exception handling.
> > > This exception may be expected and handled.
> > > eax=00000000 ebx=0337304c ecx=09410040 edx=0007c3c0 esi=00000000 edi=0346b800
> > > eip=77f66627 esp=03373000 ebp=03373000 iopl=0         nv up ei pl nz na pe nc
> > > cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
> > > 77f66627 56              push    esi
> > >
> > > The stack is simply exhausted and there is no possibility of running
> > > arbitrary code in this case. Let's look at a few others.
> > >
> > > The next issue was also reported in IE recently:
> > >
> > > <SCRIPT>
> > > foo = new Array();
> > > while(true) {foo = new Array(foo).sort();}
> > > </SCRIPT>
> > >
> > > Again, the HTML has requested an extraordinary amount of stack space. IE
> > > attempts to allocate space and it eventually runs out. Unable to process
> > > the HTML, it returns a stack overflow / exhaustion error (0xc00000fd).
> > >
> > > One last example is from April 2008 and, again, it leads to a stack
> > > overflow/exhaustion error (0xc00000fd):
> > >
> > > var str = "aaaaaaaaaaaaaaa(many thousands)"
> > > document.myform.text.value = str
> > > document.myform.submit()
> > >
> > > <form name='myform'>
> > > <input name='text' type='text' />
> > > <input name='Submit' type='submit' />
> > > </form>
> > >
> > > As you can see, there are several ways of reaching a stack exhaustion
> > > condition. Fortunately, these are stability issues that by themselves
> > > cannot lead to remote code execution. This happens when a parsing
> > > client-side application cannot allocate enough stack space to complete
> > > an operation (as shown in the examples here, where a web page was
> > > attempting to allocate as much stack as possible and eventually runs out
> > > of space).
> > >
> > > We are always happy to triage bugs sent to [email protected]. Please
> > > send them in to us. We are definitely committed to engineering and
> > > security excellence. We evaluate every report and determine whether to
> > > service them as security issues or whether to hand them off to the
> > > product team to fix as reliability and stability issues. For each
> > > security issue, we will triage against the SDL bug bar (a sample bug bar
> > > is at http://msdn.microsoft.com/en-us/library/cc307404.aspx) and address
> > > it via the MSRC security bulletin process. All issues (such as these
> > > stack exhaustion bugs) that are stability or reliability issues are
> > > triaged according to customer impact and addressed in future releases of
> > > the product.
> > >
> > > - Jonathan Ness, SVRD blogger
> > >
> > > *Posting is provided "AS IS" with no warranties, and confers no rights.*
> > >
> > > References:
> > >
> > > STATUS_STACK_OVERFLOW (0xc00000fd):
> > >
> > > - Debugging a Stack Overflow
> > >   http://msdn.microsoft.com/en-us/library/cc267849.aspx
> > > - StackOverflowException Class
> > >   http://msdn.microsoft.com/en-us/library/system.stackoverflowexception...
> > >
> > > STATUS_STACK_BUFFER_OVERRUN (0xc0000409):
> > >
> > > - Analyze Crashes to Find Security Vulnerabilities in Your Apps
> > >   http://msdn.microsoft.com/en-us/magazine/cc163311.aspx
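
The distinction the quoted post draws, shown as an added C example (this is not code from the MSRC post or from Microsoft). It reproduces both failure modes in one Linux/glibc process: a thread whose stack is allocated with mmap and given an explicit PROT_NONE guard page, so that unbounded recursion faults inside that page with no input-controlled byte landing in mapped memory (the 0xc00000fd case), and a struct standing in for a /GS-protected frame, where an unchecked copy runs past the buffer into the cookie and the epilogue check catches it (the 0xc0000409 case). The two status constants are the NTSTATUS values from the post; the 256 KiB thread stack, the 512-byte recursion frame, the cookie value 0xBB40E64E and the 'C'-filled input are constructed for this demo.

```c
/* Added example, not code from the MSRC post or from Microsoft. Reproduces the
 * two failure modes the post contrasts, in one Linux/glibc process:
 *  (1) stack exhaustion: a thread on a stack we mmap ourselves with a PROT_NONE
 *      guard page below it (standing in for the OS-provided guard). Unbounded
 *      recursion faults in that page; no input byte reaches mapped memory.
 *  (2) stack buffer overrun: an unchecked copy runs past a fixed buffer into the
 *      cookie beside it and a /GS-style epilogue check catches it. The frame is
 *      modelled as a struct so the overwrite stays well-defined C.
 * Build: cc -pthread stack_modes.c -o stack_modes */
#define _GNU_SOURCE
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define STATUS_STACK_OVERFLOW       0xC00000FDu /* the c00000fd in the WinDbg output above */
#define STATUS_STACK_BUFFER_OVERRUN 0xC0000409u

/* ---- (1) stack exhaustion, observed through the guard page ---- */
struct exhaust_result { uint32_t status; void *fault_addr; int in_guard_page; };

static sigjmp_buf unwind_to;            /* set before recursing; the handler jumps back here */
static void  *fault_addr;               /* si_addr from the SIGSEGV */
static char   altstack[64 * 1024];      /* the handler cannot run on the stack that just ran out */
static char  *guard_page;               /* lowest page of our thread stack, mapped PROT_NONE */
static size_t page_size;

static void on_segv(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    fault_addr = si->si_addr;
    siglongjmp(unwind_to, 1);           /* leave the handler and the exhausted stack */
}

static __attribute__((noinline)) int recurse(int depth) {
    volatile char pad[512];             /* fat frame: exhaustion within a few hundred calls */
    pad[0] = (char)depth;
    int r = recurse(depth + 1);         /* never returns; each call pushes another frame */
    pad[1] = (char)r;                   /* volatile use after the call defeats tail-call rewriting */
    return pad[0] + pad[1];
}

static void *exhaust_thread(void *arg) {
    struct exhaust_result *r = arg;
    stack_t alt = { .ss_sp = altstack, .ss_size = sizeof altstack, .ss_flags = 0 };
    sigaltstack(&alt, NULL);
    struct sigaction sa = { .sa_sigaction = on_segv, .sa_flags = SA_SIGINFO | SA_ONSTACK };
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    if (sigsetjmp(unwind_to, 1) == 0) {
        recurse(0);
    } else {
        r->status = STATUS_STACK_OVERFLOW;
        r->fault_addr = fault_addr;
        /* The first access below the usable stack lands in the guard page:
         * every frame is far smaller than a page, so nothing is skipped over. */
        r->in_guard_page = (char *)fault_addr >= guard_page &&
                           (char *)fault_addr <  guard_page + page_size;
    }
    signal(SIGSEGV, SIG_DFL);           /* never leave a handler that jumps into a dead frame */
    return NULL;
}

static struct exhaust_result run_exhaustion(void) {
    struct exhaust_result r = {0};
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    size_t size = 64 * page_size;       /* 256 KiB with 4 KiB pages: exhausts quickly */
    guard_page = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (guard_page == MAP_FAILED) { perror("mmap"); exit(1); }
    mprotect(guard_page, page_size, PROT_NONE);          /* guard page at the low end */
    pthread_attr_t attr; pthread_t t;
    pthread_attr_init(&attr);
    pthread_attr_setstack(&attr, guard_page + page_size, size - page_size); /* usable stack above the guard */
    pthread_create(&t, &attr, exhaust_thread, &r);
    pthread_join(t, NULL);
    pthread_attr_destroy(&attr);
    munmap(guard_page, size);
    return r;
}

/* ---- (2) stack buffer overrun, caught by a /GS-style cookie ---- */
/* Layout the compiler creates with /GS or -fstack-protector: buffer, cookie, return address. */
struct frame { char buf[16]; uint32_t cookie; uintptr_t saved_ret; };

/* Copies len bytes into the buffer with no length check, as a vulnerable strcpy
 * would, then runs the epilogue cookie check. Returns 0 or the status code. */
static uint32_t copy_then_check(const unsigned char *input, size_t len) {
    const uint32_t cookie = 0xBB40E64Eu;  /* constructed value; real cookies are random per process */
    struct frame f = { .cookie = cookie, .saved_ret = 0x401000 };
    if (len > sizeof f) len = sizeof f;   /* keep the write inside the object: well-defined C */
    memcpy(&f, input, len);               /* buf is at offset 0, so bytes 16.. land on the cookie */
    return f.cookie == cookie ? 0 : STATUS_STACK_BUFFER_OVERRUN;
}

int main(void) {
    struct exhaust_result r = run_exhaustion();
    printf("recursion: status 0x%08X, fault at %p, in guard page: %d\n", r.status, r.fault_addr, r.in_guard_page);
    unsigned char in[24]; memset(in, 'C', sizeof in);   /* constructed input, like the C's in the Bugtraq post */
    printf("16-byte copy: 0x%08X, 24-byte copy: 0x%08X\n", copy_then_check(in, 16), copy_then_check(in, 24));
    return 0;
}
```

The recursion half ends with status 0xC00000FD and a fault address inside the guard page: the thread never wrote attacker data to a valid location, it merely touched an unmapped page, which is why exhaustion is a reliability bug and not a code-execution primitive. The 16-byte copy returns 0 and the 24-byte copy returns 0xC0000409, because bytes 16 to 19 overwrote the cookie that sits between the buffer and the saved return address; that is the overwrite the post says often leads to elevation of privilege, and the cookie check is what turns it into the STATUS_STACK_BUFFER_OVERRUN termination rather than a hijacked return.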

