From: Peter Bex
Subject: [Chicken-hackers] [PATCH] Fix incorrect trampoline argvector construction
Date: Fri, 1 Dec 2017 22:24:23 +0100
User-agent: NeoMutt/20170113 (1.7.2)

Hi all,

I figured out the cause behind #1428; there's (sometimes) a mismatch
between the size of the temporary stack and the number of arguments that
we tell C_reclaim to restore from the temporary stack (which gets stored
in C_restart_c and read by the trampoline).

The fun bit is that CHICKEN_run would ignore C_restart_c and directly
calculate the effective temporary stack size, which means we'd usually
ignore this problem (but we'd call C_restart_trampoline with C_restart_c
instead of argcount, which _should_ cause issues too...).  However,
C_callback would do it as designed, by looking at C_restart_c.

This means that in most cases we wouldn't even notice when C_restart_c
was larger than the temporary stack, only in C_callback could this fail.

When is C_restart_c too large?  Well, just check the patch; there are
a few places in the code where we call C_save() a number of times but
then pass "c" (the size of the argvector for the called function) to
C_reclaim(), but we would save fewer values than the called function
accepted.

All of this means we'd read bytes beyond the bottom of the temporary
stack, which is memory that *might* be unallocated (but will typically
just be the mutation stack, unless either of them was resized).

I think this cannot be exploited except perhaps if you're extremely
[un]lucky as a denial of service via segfault (but would love a second
opinion on this).

Attached are patches for master and chicken-5.

An alternative would be to always copy everything from the temporary
stack (like we do with "argcount" in CHICKEN_run before the patch),
which would be somewhat simpler but maybe also more susceptible to
subtle bugs, so I prefer (for now at least) the current patch.

Cheers,
Peter

Attachment: 0001-Fix-calls-to-C_reclaim-to-use-the-number-of-saved-ob.chicken-5.patch
Description: Text Data

Attachment: 0001-Fix-calls-to-C_reclaim-to-use-the-number-of-saved-ob.master.patch
Description: Text Data

Attachment: signature.asc
Description: PGP signature
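The bookkeeping mismatch the message describes, as an added illustration that is not part of the original mail or of CHICKEN's runtime: a constructed temporary stack where values are pushed one at a time and a restore step copies a caller-supplied count back out. Names such as `temp_save`, `temp_restore`, `buggy_pattern` and `fixed_pattern` are hypothetical stand-ins, not CHICKEN identifiers; the buggy variant passes the callee's argvector size where only the number of saved values is valid, and a bounds check on the restore side makes the discrepancy visible instead of reading past the end of the stack.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not CHICKEN's runtime code) of the bookkeeping the
 * patch corrects: values are pushed onto a temporary stack one at a time,
 * and the restart path later copies a caller-supplied count back out.
 * All names here are hypothetical. */

#define TEMP_STACK_CAP 16

typedef struct {
    long slots[TEMP_STACK_CAP];
    size_t saved;  /* number of values actually pushed */
} temp_stack;

static void temp_stack_init(temp_stack *ts) { ts->saved = 0; }

/* Push one value (plays the role of C_save in the message). */
static int temp_save(temp_stack *ts, long v) {
    if (ts->saved >= TEMP_STACK_CAP) return -1;
    ts->slots[ts->saved++] = v;
    return 0;
}

/* Copy `count` values back out (the restore step the message describes).
 * `count` is the caller's claim; a checked implementation refuses to read
 * past what was actually saved, which is exactly the mismatch the patch
 * fixes. Returns the number copied, or -1 on a bad claim. */
static int temp_restore(const temp_stack *ts, size_t count,
                        long *out, size_t out_cap) {
    if (count > ts->saved || count > out_cap) return -1;
    for (size_t i = 0; i < count; i++) out[i] = ts->slots[i];
    return (int)count;
}

/* Buggy pattern: three values are saved, but the callee's argvector
 * size `c` (4) is passed as the restore count. */
int buggy_pattern(void) {
    temp_stack ts;
    long argv[8];
    size_t c = 4;
    temp_stack_init(&ts);
    temp_save(&ts, 10);
    temp_save(&ts, 20);
    temp_save(&ts, 30);
    return temp_restore(&ts, c, argv, sizeof argv / sizeof argv[0]);
}

/* Fixed pattern: the restore count is the number of values saved. */
int fixed_pattern(void) {
    temp_stack ts;
    long argv[8];
    temp_stack_init(&ts);
    temp_save(&ts, 10);
    temp_save(&ts, 20);
    temp_save(&ts, 30);
    return temp_restore(&ts, ts.saved, argv, sizeof argv / sizeof argv[0]);
}

int main(void) {
    printf("buggy: %d (expected -1), fixed: %d (expected 3)\n",
           buggy_pattern(), fixed_pattern());
    return 0;
}
```

In the real runtime there is no such check on the hot path, which is why the over-read goes unnoticed until the memory beyond the stack happens to be unmapped; keeping the saved count as the single source of truth for the restore count, as the attached patches do, removes the mismatch at its origin.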
