On Sun, 12 Jan 2003, Moriyoshi Koizumi wrote:

> On Sun, Jan 12, 2003 at 12:12:39AM +0100, Sascha Schumann wrote:
> >     As many past security advisories have shown, signedness
> >     issues are the frequent cause for severe vulnerabilities in
> >     software (recent examples include MySQL, OpenBSD kernel).
>
> Actually code like the one below produces vulnerable runtimes because
> the length of a string is expected to be a positive integer value...

    Yes, unfortunately.  Basically the same problem as in the
    OpenBSD kernel and its select syscall:

    http://www.phrack.org/phrack/60/p60-0x06.txt

    Quote:

Whilst there is a check [1] on the 'nd' argument (nd represents the highest
numbered descriptor plus one, in any of the fd_sets), which is checked
against the p->p_fd->fd_nfiles (the number of open descriptors that the
process is holding), this check is inadequate -- 'nd' is declared as signed
[6], so it can be negative, and therefore will pass the greater-than check
[1].

Then 'nd' is put through a macro [2], in order to calculate an unsigned
integer, 'ni', which will eventually be used as the length argument for
the copyin operation.

    - Sascha

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
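As an added example (not code from this thread or from the OpenBSD source), a constructed C analogue of the check [1] and the length macro [2] described in the quote: it shows how a negative signed 'nd' slips past an upper-bound-only test and becomes a huge unsigned length, and the hardened check beside it. NFDBITS, the function names and the sample values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed constant: bits per fd_mask word (32-bit mask). */
#define NFDBITS 32u

/* Analogue of the inadequate check [1]: only the upper bound is tested,
 * so a negative 'nd' compares as less than fd_nfiles and is accepted.
 * Returns 1 when the request is accepted, 0 when rejected. */
int vulnerable_check(int nd, int fd_nfiles)
{
    if (nd > fd_nfiles)
        return 0;
    return 1;                   /* accepted even when nd < 0 */
}

/* Hardened form: reject negative counts before the upper-bound test. */
int hardened_check(int nd, int fd_nfiles)
{
    if (nd < 0 || nd > fd_nfiles)
        return 0;
    return 1;
}

/* Analogue of the macro step [2]: howmany(nd, NFDBITS) * sizeof(fd_mask),
 * evaluated in unsigned arithmetic, so a negative 'nd' wraps to a large
 * value before it is used as the copy length 'ni'. */
uint32_t fdset_len(int nd)
{
    uint32_t u = (uint32_t)nd;  /* implicit signed->unsigned conversion */
    return ((u + (NFDBITS - 1u)) / NFDBITS) * (uint32_t)sizeof(uint32_t);
}

int main(void)
{
    int fd_nfiles = 128;        /* constructed: open descriptors held */
    int samples[] = { 64, 256, -64 };

    for (int i = 0; i < 3; i++) {
        int nd = samples[i];
        printf("nd=%4d  vulnerable:%s  hardened:%s  ni=%u bytes\n", nd,
               vulnerable_check(nd, fd_nfiles) ? "accept" : "reject",
               hardened_check(nd, fd_nfiles)   ? "accept" : "reject",
               fdset_len(nd));
    }
    return 0;
}
```

With nd = -64 the vulnerable check accepts the call and ni becomes 0x1FFFFFF8 (over 512 MB), while the hardened check rejects it.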
