Dangerous use of alloca
From: Agustina Arzille
Subject: Dangerous use of alloca
Date: Tue, 15 Mar 2016 10:11:27 -0300

Hello, everyone.
I was browsing some gnumach source files, and noticed some dangerous use
of the gcc builtin 'alloca'. In the file kern/bootstrap.c, lines 212 and
228, we have the following statement:
memcpy (alloca (len), ...)
This is dangerous because alloca works by adjusting the stack pointer,
which is already being modified by the function call. As described in the
section BUGS in http://man7.org/linux/man-pages/man3/alloca.3.html , using
alloca in this way is dangerous. An obvious workaround is as follows:
diff --git a/kern/bootstrap.c b/kern/bootstrap.c
index 249c605..abff749 100644
--- a/kern/bootstrap.c
+++ b/kern/bootstrap.c
@@ -209,7 +209,8 @@ void bootstrap_create(void)
for (ep = environ; *ep != 0; ++ep)
{
size_t len = strlen (*ep) + 1;
- char *var = memcpy (alloca (len), *ep, len);
+ void *tmpbuf = alloca (len);
+ char *var = memcpy (tmpbuf, *ep, len);
char *val = strchr (var, '=');
*val++ = '\0';
losers = boot_script_set_variable (var, VAL_STR, (long)
val);
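Review bot: The context lines right after the change, char *val = strchr (var, '='); followed by *val++ = '\0';, dereference the strchr result without a check, so an environ entry that contains no '=' would write through a null pointer. Since this loop is being touched anyway, consider skipping or rejecting entries for which strchr returns NULL. The extra temporary could also be avoided by writing char *var = alloca (len); and then memcpy (var, *ep, len);, which keeps alloca out of the argument list just the same.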
@@ -225,7 +226,8 @@ void bootstrap_create(void)
oskit's environ in the oskit-mach case (above). */
int len = strlen (kernel_cmdline) + 1;
- char *s = memcpy (alloca (len), kernel_cmdline, len);
+ void *tmpbuf = alloca (len);
+ char *s = memcpy (tmpbuf, kernel_cmdline, len);
char *word;
while ((word = strsep (&s, " \t")) != 0)
{
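Review bot: In this hunk, int len = strlen (kernel_cmdline) + 1; stores a size_t result in an int, while the first hunk uses size_t for the same purpose, and the value is passed to alloca (len) with no upper bound. alloca gives no error indication when the stack frame cannot be extended, so it would be worth declaring len as size_t here and bounding it before the allocation, or copying into a fixed-size buffer instead.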