Re: [CHECKER] Security reports involving isspace()

From: viro_at_parcelfarce.linux.theplanet.co.uk
Date: Wed, 21 Apr 2004 00:25:45 +0100
To: ken@coverity.com


    On Tue, Apr 20, 2004 at 03:14:21PM -0700, ken@coverity.com wrote:
    > Here are some more static analysis reports from Coverity. These are
    > places where the kernel gets a scalar from the user and then uses it as an
    > array index without bounds checking it.
    >
    > All of the reports below deal with the isspace macro. It expands to an
    > access to a static array with 256 entries. If we use an unsigned char to
    > index into the array, there are no problems. However, when that char is
    > signed, we can index off the left of the array.
    >
    > It seems like this isn't a big deal, but if the isspace array is located
    > after some important data structure, we could leak information.

    #define __ismask(x) (_ctype[(int)(unsigned char)(x)])
    #define isspace(c) ((__ismask(c)&(_S)) != 0)

    Figuring out why the reports mentioned in the quoted text are bull***
    is left as an exercise for readers.
    -
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/
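The exercise the reply leaves to readers comes down to the `(unsigned char)` cast in `__ismask()`: whatever the signedness of `char` on the target, a byte is first converted to an unsigned char (0..255) and only then widened to int, so the index can never be negative. The program below is an added illustration, not code from the kernel or from this thread. It uses the two macros exactly as quoted, a constructed 256-entry `_ctype[]` stand-in (only the `_S` bit is filled in, with the kernel's usual ASCII whitespace), and compares the kernel's index against a hypothetical `naive_index()` that does what the Coverity reports assume, i.e. indexes with the possibly-signed char directly. Neither helper dereferences an out-of-range index, so the demonstration itself is memory-safe.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's 256-entry _ctype[] table.
 * Only the _S (whitespace) bit is populated; the real table carries
 * more class bits, which do not matter for this demonstration. */
#define _S 0x20
static const unsigned char _ctype[256] = {
    [' '] = _S, ['\t'] = _S, ['\n'] = _S,
    ['\r'] = _S, ['\f'] = _S, ['\v'] = _S,
};

/* The kernel macros, verbatim from the reply. */
#define __ismask(x) (_ctype[(int)(unsigned char)(x)])
#define isspace(c) ((__ismask(c)&(_S)) != 0)

/* Index computed the way __ismask() does it: unsigned first, then int. */
static int kernel_index(char c)
{
    return (int)(unsigned char)c;
}

/* Hypothetical naive index the reports assume: sign-extend the char.
 * Returns the index only; it is never used to touch the table. */
static int naive_index(char c)
{
    return (int)c;
}

/* 1 if every one of the 256 byte values maps to a valid table slot
 * through the kernel's cast, 0 otherwise. */
static int kernel_index_always_in_range(void)
{
    for (int v = 0; v < 256; v++) {
        int idx = kernel_index((char)v);
        if (idx < 0 || idx > 255)
            return 0;
    }
    return 1;
}

/* How many byte values the naive index would send below _ctype[0].
 * 128 where char is signed (x86), 0 where it is unsigned (e.g. ARM). */
static int naive_negative_count(void)
{
    int n = 0;
    for (int v = 0; v < 256; v++)
        if (naive_index((char)v) < 0)
            n++;
    return n;
}

/* isspace() applied to a raw byte, as a function so it can be tested. */
static int kernel_isspace(char c)
{
    return isspace(c);
}

int main(void)
{
    printf("char is %s on this target\n",
           CHAR_MIN < 0 ? "signed" : "unsigned");
    printf("kernel index for byte 0xFF: %d\n", kernel_index((char)0xFF));
    printf("naive  index for byte 0xFF: %d\n", naive_index((char)0xFF));
    printf("kernel index always in range: %d\n",
           kernel_index_always_in_range());
    printf("bytes the naive index sends negative: %d\n",
           naive_negative_count());
    printf("isspace(' ')=%d isspace('a')=%d isspace(0xFF)=%d\n",
           kernel_isspace(' '), kernel_isspace('a'),
           kernel_isspace((char)0xFF));
    return 0;
}
```

On a signed-char target the naive index is negative for all 128 high-bit bytes, which is exactly the "index off the left of the array" the reports describe; the kernel's cast maps those same bytes to 128..255 and the table lookup stays in bounds. A checker that models the index as the sign-extended char, rather than following the cast chain, reports a bounds problem that the code cannot have.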
