Date: Tue, 21 Jul 1998 13:01:27 +1000 (EST)
From: Peter Jeremy
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
To: Don.Lewis@tsc.tdk.com
Cc: security@FreeBSD.ORG
Message-id: <199807210301.NAA10787@gsms01.alcatel.com.au>

On Mon, 20 Jul 1998 14:30:33 -0700, Don Lewis wrote:
>In the situations where I've used code compiled this way, it seems
>to average about a factor of 20 more expensive in terms of CPU usage.

I have used this code in the past, and that sounds about right.

>If this is acceptable to you, feel free to get the GCC patches and
>recompile userland (or at least those pieces that are compatible
>with the bounds checker).  See
>.

Note that this code is getting fairly old and doesn't appear to be
maintained.  I am aware of the following undocumented bugs with it:

- str[n]casecmp() doesn't work when either string contains characters
  with the MSB set (I have submitted patches to fix this).

- Side-effects in multi-dimensional array references are evaluated
  multiple times.  In particular `foo[y++][x]' increments y by 2.
  (I can see why this is occurring, but I haven't been able to work
  out how to cleanly fix it).

Given the (documented) restrictions relating to signal handlers and
setjmp/longjmp, together with the second bug above, I don't believe
it's usable as a general-purpose debugging tool.  I think this is
unfortunate, because it can be very useful.

Peter
--
Peter Jeremy (VK2PJ)            peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                  Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015           Fax:   +61 2 9690 5247
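The second bug above, `foo[y++][x]` incrementing y by 2, is the classic symptom of instrumentation that re-evaluates an index expression: once for the range check and once for the real access. The following is an added illustration, not code from the GCC bounds checker or from this thread; the `CHECKED_AT_BAD` macro, the `checked_at_good` helper and the `sample` matrix are all constructed for this example. The macro models a source-level rewrite that duplicates the index expression, the helper shows the fix (bind each index to a value exactly once before checking and indexing), and the two probe functions report what each form does to `y` and which element it actually reads.

```c
#include <stdio.h>
#include <stdlib.h>

#define ROWS 3
#define COLS 3

/* Hypothetical instrumented access (constructed for this example): the index
 * expressions i and j appear twice in the expansion, once in the range check
 * and once in the access, so any side effect inside them runs twice. */
#define CHECKED_AT_BAD(arr, i, j) \
    ((size_t)(i) < ROWS && (size_t)(j) < COLS ? (arr)[(i)][(j)] : (abort(), 0))

/* Corrected form: the indices are evaluated exactly once, as function
 * arguments, and the check and the access both use the bound values. */
static int checked_at_good(int arr[ROWS][COLS], size_t i, size_t j)
{
    if (i >= ROWS || j >= COLS)
        abort();                /* out-of-bounds: fail loudly */
    return arr[i][j];
}

/* Constructed sample matrix; each element encodes its position as 10*row+col
 * so the probes can tell which row was really read. */
static int sample[ROWS][COLS] = {
    {  0,  1,  2 },
    { 10, 11, 12 },
    { 20, 21, 22 },
};

struct probe {
    int value;      /* element that the access returned */
    int y_after;    /* value of y after the single foo[y++][x] */
};

/* foo[y++][x] through the double-evaluating macro: y ends at 2 and the
 * element comes from row 1 instead of row 0. */
struct probe probe_bad(void)
{
    int y = 0, x = 1;
    struct probe p;
    p.value = CHECKED_AT_BAD(sample, y++, x);
    p.y_after = y;
    return p;
}

/* Same access through the single-evaluation helper: y ends at 1 and the
 * element read is sample[0][1], as the programmer intended. */
struct probe probe_good(void)
{
    int y = 0, x = 1;
    struct probe p;
    p.value = checked_at_good(sample, y++, x);
    p.y_after = y;
    return p;
}

int main(void)
{
    struct probe b = probe_bad(), g = probe_good();
    printf("double-evaluating macro: value=%d y=%d\n", b.value, b.y_after);
    printf("single-evaluation helper: value=%d y=%d\n", g.value, g.y_after);
    return 0;
}
```

The point for anyone writing or reviewing bounds-checking instrumentation (or any macro that wraps an array access) is that a checked access must capture each index into a temporary before using it in the comparison and the access; a textual duplication of the index expression silently changes program semantics whenever that expression has side effects, which is exactly why a debugging tool with this defect cannot be trusted on arbitrary code.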