Date: Sat, 22 Jun 2002 00:29:49 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: arch@freebsd.org
Subject: Possibly change to bcopy.S to thwart (a very few) future exploits?
Message-ID: <20020622002329.G36900-200000@patrocles.silby.com>
[-- Attachment #1 --]

Important Note: I have not actually tested this code on my machine; I'm too much of a wuss to risk messing up libc until someone else has double-checked the code, or I can figure out how to statically link a binary with a non-default libc.

That being said, the above is a quick change so that memcpy doesn't reload the length field from the stack during the middle of a copy. In theory, this should stop the OpenBSD exploit (which I'm sure will appear in a FreeBSD version shortly) from working. Granted, there's probably some other vector which could be used to exploit the bug, but this might make it just a bit harder.

Can anyone see any downsides to this change? It appears that performance should be unchanged, as we're removing one mem->reg copy and replacing it with two reg->reg copies.

Any thoughts? If this were some complex workaround, I wouldn't mention it. However, it's so simple that it seems worth the effort.

Mike "Silby" Silbersack

[-- Attachment #2 --]

--- bcopy.S.old Sat Jun 22 00:15:41 2002 +++ bcopy.S Sat Jun 22 00:17:13 2002 @@ -69,10 +69,11 @@ cmpl %ecx,%eax /* overlapping? */ jb 1f cld /* nope, copy forwards. */ + movl %ecx, %eax shrl $2,%ecx /* copy by words */ rep movsl - movl 20(%esp),%ecx + movl %eax, %ecx andl $3,%ecx /* any bytes left? */ rep movsb @@ -86,12 +87,13 @@ addl %ecx,%edi /* copy backwards. */ addl %ecx,%esi std + movl %ecx, %eax andl $3,%ecx /* any fractional bytes? */ decl %edi decl %esi rep movsb - movl 20(%esp),%ecx /* copy remainder by words */ + movl %eax, %ecx shrl $2,%ecx subl $3,%esi subl $3,%edi
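Review bot: in the forward-copy hunk (@@ -69,10 +69,11 @@) the new `movl %ecx, %eax` reuses %eax right after `cmpl %ecx,%eax`, which is fine as far as the visible lines go, since the overlap distance in %eax is dead once `jb 1f` has been decided; please confirm, though, that in the memcpy/memmove build of this file %eax is not already holding the destination pointer for the return value at this point, because the mail says the change is meant to cover memcpy and the shown context cannot settle that. The inserted instruction also carries no comment while every neighbouring line has one; something like `movl %ecx,%eax /* keep full length in a register */` would record why 20(%esp) is no longer read back.

Review bot: in the backward-copy hunk (@@ -86,12 +87,13 @@) the replacement `movl %eax, %ecx` drops the original `/* copy remainder by words */` comment; keep it on the new line so the two phases stay readable. The placement itself is right: %ecx is saved before `andl $3,%ecx` clobbers it, and `rep movsb` leaves %ecx at zero, so the restore is needed before `shrl $2,%ecx`. It would be worth saying in the commit message that this only removes the mid-copy re-read of the length as a lever: both phases now take their counts from the single value captured before the copy starts, but an overflow that reaches the return address and saved registers implied by the 20(%esp) argument offset is unaffected, which matches the "some other vector" caveat in the mail.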
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020622002329.G36900-200000>
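As an added illustration of the copy strategy the patch touches (this is not code from the mail or from FreeBSD's libc, and the function and check names are my own), here is a C model of the i386 bcopy.S overlap test and its word-then-byte phases. It reads the length exactly once and derives both phase counts from that value, which is the property the patch restores by parking the length in %eax instead of re-reading the argument slot on the stack mid-copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* C model of the i386 bcopy.S algorithm (added example, not FreeBSD code).
 * The length is captured once in `n`; both copy phases derive their counts
 * from it, never from the caller's argument slot again. */
void model_bcopy(const void *src, void *dst, size_t len)
{
    const unsigned char *s = src;
    unsigned char *d = dst;
    size_t n = len;                 /* single read of the length */
    size_t words = n >> 2;          /* shrl $2,%ecx: whole 32-bit words */
    size_t tail = n & 3;            /* andl $3,%ecx: leftover bytes (<= 3) */
    uint32_t w;

    /* movl %edi,%eax; subl %esi,%eax; cmpl %ecx,%eax; jb 1f
     * unsigned (dst - src) < len means dst starts inside src: go backwards. */
    if ((uintptr_t)d - (uintptr_t)s < n) {
        s += n;                     /* addl %ecx,%esi */
        d += n;                     /* addl %ecx,%edi */
        while (tail--)              /* std; rep movsb: fractional bytes first */
            *--d = *--s;
        while (words--) {           /* rep movsl, walking downwards */
            s -= 4;
            d -= 4;
            memcpy(&w, s, 4);       /* load the whole word before storing it, */
            memcpy(d, &w, 4);       /* as a single movsl does                 */
        }
    } else {
        while (words--) {           /* cld; rep movsl */
            memcpy(&w, s, 4);
            memcpy(d, &w, 4);
            s += 4;
            d += 4;
        }
        while (tail--)              /* rep movsb for the n & 3 remainder */
            *d++ = *s++;
    }
}

/* The checks below use constructed buffers and return 1 when the result
 * matches what a correct memmove would produce. */
static int bytes_match(const unsigned char *a, const char *expect, size_t n)
{
    return memcmp(a, expect, n) == 0;
}

int check_disjoint(void)
{
    unsigned char buf[16] = "abcdefg";      /* 7 bytes: one word + 3 tail */
    unsigned char out[16] = {0};
    model_bcopy(buf, out, 7);
    return bytes_match(out, "abcdefg", 7) && out[7] == 0;
}

int check_overlap_dst_above_src(void)
{
    /* dst = buf+1 lies inside src = buf..buf+9, so the backward path runs */
    unsigned char buf[16] = "0123456789";
    model_bcopy(buf, buf + 1, 9);
    return bytes_match(buf, "0012345678", 10);
}

int check_overlap_dst_below_src(void)
{
    /* dst below src: (dst - src) wraps to a huge unsigned value, so the
     * forward path runs, which is the safe direction for this layout */
    unsigned char buf[16] = "0123456789";
    model_bcopy(buf + 1, buf, 9);
    return bytes_match(buf, "1234567899", 10);
}
```

The overlap test mirrors the unsigned compare in the assembly: a destination that starts below the source wraps to a large difference and is copied forwards, while a destination inside the source is copied from the top down so that no byte is overwritten before it has been read.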
