I recently came across a very interesting post on OpenSSL blog which detailed how a "bad" use of pointer arithmetic lead to a possible low-level security breach in the library. I will let the interested reader go through the original post to understand all the technical details and I will focus on a short explanation. In C90 pointer arithmetic is only defined/specified for malloc-ed pointers with operands less than the malloc-ed size, everything else is undefined behavior.
It means that in the following example, len must be less or equal to SIZE for the test to work as expected, which makes it pretty much completely useless since this code is supposed to test that specific condition.
/* implied */ char* p = malloc(SIZE); // buffer overflow detection if (p + len < limit) { // manage overflow case }
The reason is as follows: if len is superior to SIZE, then p + len may overflow from the memory bound and wrap, thus resulting in a lesser value which will then be wrongly compared as lesser than limit. In the case of OpenSSL it could leads to decryption or encryption outside the assumed area (at the least).
This is a good example showing that arithmetic overflow (and pointer arithmetic) must be considered carefully, especially when security is a concern,
References
- https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/
No comments:
Post a Comment