[Chicken-hackers] [PATCH] Fix incorrect trampoline argvector construction
From: Peter Bex
Subject: [Chicken-hackers] [PATCH] Fix incorrect trampoline argvector construction
Date: Fri, 1 Dec 2017 22:24:23 +0100
User-agent: NeoMutt/20170113 (1.7.2)
Hi all,

I figured out the cause behind #1428; there's (sometimes) a mismatch
between the size of the temporary stack and the number of arguments that
we tell C_reclaim to restore from the temporary stack (which gets stored
in C_restart_c and read by the trampoline).

The fun bit is that CHICKEN_run would ignore C_restart_c and directly
calculate the effective temporary stack size, which means we'd usually
ignore this problem (but we'd call C_restart_trampoline with C_restart_c
instead of argcount, which _should_ cause issues too...). However,
C_callback would do it as designed, by looking at C_restart_c.

This means that in most cases we wouldn't even notice when C_restart_c
was larger than the temporary stack; only in C_callback could this fail.

When is C_restart_c too large? Well, just check the patch; there are
a few places in the code where we call C_save() a number of times but
then pass "c" (the size of the argvector for the called function) to
C_reclaim(), but we would save fewer values than the called function
accepted.

All of this means we'd read bytes beyond the bottom of the temporary
stack, which is memory that *might* be unallocated (but will typically
just be the mutation stack, unless either of them was resized).

I think this cannot be exploited except perhaps if you're extremely
[un]lucky as a denial of service via segfault (but would love a second
opinion on this).

Attached are patches for master and chicken-5.

An alternative would be to always copy everything from the temporary
stack (like we do with "argcount" in CHICKEN_run before the patch),
which would be somewhat simpler but maybe also more susceptible to
subtle bugs, so I prefer (for now at least) the current patch.

Cheers,
Peter
0001-Fix-calls-to-C_reclaim-to-use-the-number-of-saved-ob.chicken-5.patch
0001-Fix-calls-to-C_reclaim-to-use-the-number-of-saved-ob.master.patch
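A simplified model of the mismatch the mail describes, added here as an illustration; it is not CHICKEN's runtime code nor the attached patches. The downward-growing stack layout, the names model_save/model_restore/model_call and the count check are all assumptions of this model.

```c
#include <stddef.h>
#include <stdio.h>

/* Model (not CHICKEN's own code) of a temporary stack: values are pushed
   downward by a save, and restoring copies from the current top back up
   to the "bottom", which is the highest address. This layout is assumed. */
#define TEMP_STACK_SIZE 8
typedef long word;

static word temp_stack[TEMP_STACK_SIZE];
static word *const temp_bottom = temp_stack + TEMP_STACK_SIZE;
static word *temp_top = temp_stack + TEMP_STACK_SIZE;   /* empty stack */

static void model_save(word x) { *(--temp_top) = x; }
static void model_reset(void) { temp_top = temp_stack + TEMP_STACK_SIZE; }

/* Number of values actually saved: what CHICKEN_run effectively derived
   ("argcount" in the mail) instead of trusting the stored restart count. */
static size_t model_saved_count(void) { return (size_t)(temp_bottom - temp_top); }

/* Restore c values into av, as a trampoline would. An unchecked loop
   "for (i = 0; i < c; i++) av[i] = *temp_top++;" reads past temp_bottom
   whenever c exceeds the saved count (the bug in the mail). This version
   checks first and returns -1 on such a mismatch, 0 on success. */
static int model_restore(word *av, size_t c) {
    if (c > model_saved_count()) return -1;   /* would read past the bottom */
    for (size_t i = 0; i < c; i++) av[i] = *temp_top++;
    return 0;
}

/* Mimic a call site that saves n values but passes c as the restore count.
   Returns -1 when the mismatch is caught, otherwise the sum of the restored
   values so callers can check that the saved values came back. */
static long model_call(size_t n, size_t c) {
    word av[TEMP_STACK_SIZE];
    if (n > TEMP_STACK_SIZE) return -1;
    model_reset();
    for (size_t i = 0; i < n; i++) model_save((word)(i + 1) * 10);
    if (model_restore(av, c) != 0) return -1;
    long sum = 0;
    for (size_t i = 0; i < c; i++) sum += av[i];
    return sum;
}

int main(void) {
    printf("3 saved, 3 restored: %ld\n", model_call(3, 3));   /* 60 */
    printf("2 saved, 3 restored: %ld\n", model_call(2, 3));   /* -1: caught */
    return 0;
}
```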