Re: [CHECKER] Security reports involving isspace()

From: viro
Date: Tue Apr 20 2004 - 18:35:05 EST


On Tue, Apr 20, 2004 at 03:14:21PM -0700, ken@xxxxxxxxxxxx wrote:
> Here are some more static analysis reports from Coverity. These are
> places where the kernel gets a scalar from the user and then uses it as an
> array index without bounds checking it.
>
> All of the reports below deal with the isspace macro. It expands to an
> access to a static array with 256 entries. If we use an unsigned char to
> index into the array, there are no problems. However, when that char is
> signed, we can index off the left of the array.
>
> It seems like this isn't a big deal, but if the isspace array is located
> after some important data structure, we could leak information.

#define __ismask(x) (_ctype[(int)(unsigned char)(x)])
#define isspace(c) ((__ismask(c)&(_S)) != 0)

Figuring out why the reports mentioned in the quoted text are bullshit
is left as an exercise for readers.
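The index arithmetic discussed in this message, as an added example that is not part of the original mail or of the kernel source. The table, the flag value and the `demo_`/`IDX_` names are constructed stand-ins; `IDX_CAST` copies the cast from the macro posted in the reply, and `IDX_NOCAST` is a hypothetical cast-free variant matching what the report describes.

```c
#include <limits.h>
#include <stdio.h>

#define DEMO_S 0x20                     /* whitespace flag (constructed value) */
static unsigned char demo_ctype[256];   /* constructed stand-in for the 256-entry table */

/* Index expressions: the cast from the posted macro, and a hypothetical
 * cast-free variant that behaves the way the report assumes. */
#define IDX_CAST(x)     ((int)(unsigned char)(x))
#define IDX_NOCAST(x)   ((int)(x))
#define demo_isspace(c) ((demo_ctype[IDX_CAST(c)] & DEMO_S) != 0)

/* Mark the six ASCII whitespace bytes in the constructed table. */
static void demo_init(void)
{
    const char *ws = " \t\n\v\f\r";
    for (; *ws; ws++)
        demo_ctype[(unsigned char)*ws] |= DEMO_S;
}

/* Count signed char values whose computed index falls outside [0, 255].
 * Only the index is computed; the table is never read out of bounds. */
static int out_of_range(int use_cast)
{
    int bad = 0;
    for (int v = SCHAR_MIN; v <= SCHAR_MAX; v++) {
        signed char c = (signed char)v;
        int idx = use_cast ? IDX_CAST(c) : IDX_NOCAST(c);
        if (idx < 0 || idx > 255)
            bad++;
    }
    return bad;
}

/* Run the cast form over every signed char value and count whitespace hits. */
static int count_spaces(void)
{
    int n = 0;
    demo_init();
    for (int v = SCHAR_MIN; v <= SCHAR_MAX; v++)
        n += demo_isspace((signed char)v);
    return n;
}

int main(void)
{
    printf("without cast: %d out-of-range indices\n", out_of_range(0));
    printf("with cast:    %d out-of-range indices\n", out_of_range(1));
    printf("whitespace bytes found: %d\n", count_spaces());
    return 0;
}
```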