Python, Linux, and the setuid bit

Richard Kettlewell rjk at greenend.org.uk
Tue Apr 15 05:28:47 EDT 2014


Chris Angelico <rosuav at gmail.com> writes:
> Richard Kettlewell <rjk at greenend.org.uk> wrote:
>> Ethan Furman <ethan at stoneleaf.us> writes:
>>>         memset(envp_write, 0, ((unsigned int) envp_read -
>>>                                (unsigned int) envp_write));
>>
>> That is a remarkable blunder for a security-critical program.
>>
>> On a 64-bit platform, the best case outcome is that it will throw away
>> the top 32 bits of each pointer before doing the subtraction, yielding
>> the wrong answer if the discarded bits happen to differ.
>
> If the pointers are more than 4GB apart, then yes, it'll give the
> wrong answer - just as if you'd subtracted and then cast down to an
> integer too small for the result. But if they're two pointers inside
> the same object (already a requirement for pointer arithmetic) and not
> 4GB apart, then two's complement arithmetic will give the right result
> even if the discarded bits differ. So while you're correct in theory,
> in practice it's unlikely to actually be a problem.

This program is on a security boundary, the pathological cases are
precisely the ones the attacker looks for.

(It’s hard to see how an attacker could turn this into a useful attack.
But perhaps the attacker has more imagination than me.)

-- 
http://www.greenend.org.uk/rjk/
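The two positions in the exchange above can be checked directly. The following C program is an added illustration, not code from the thread or from the program the quoted memset() came from; it assumes an LP64 platform (32-bit unsigned int, 64-bit pointers) and uses constructed address values rather than real pointers so that the arithmetic can be exercised safely. It reproduces the quoted cast-then-subtract formula over integer addresses, compares it with full-width subtraction for a pair within 4 GB (where the wrap is harmless, as Chris says), a pair beyond 4 GB (where the length is silently wrong), and reversed operands (where the unsigned wrap turns a small negative into a request to clear nearly 4 GB), and shows the ordering check plus ptrdiff_t subtraction one would write instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: an LP64 platform where unsigned int is 32 bits and pointers
 * (uintptr_t, size_t) are 64 bits, which is the case the thread discusses. */

/* The quoted memset() arithmetic, reproduced over integer addresses so it can
 * be exercised on constructed values: each address is truncated to 32 bits
 * first, then the two truncated values are subtracted modulo 2^32. */
static size_t truncated_span(uintptr_t lo, uintptr_t hi)
{
    unsigned int lo32 = (unsigned int)lo;   /* top 32 bits discarded here */
    unsigned int hi32 = (unsigned int)hi;
    return (size_t)(hi32 - lo32);           /* wraps modulo 2^32 */
}

/* Reference answer: the subtraction done at full width. */
static size_t full_span(uintptr_t lo, uintptr_t hi)
{
    return (size_t)(hi - lo);
}

/* Does the truncated formula agree with the full-width answer for this pair? */
static int truncation_is_harmless(uintptr_t lo, uintptr_t hi)
{
    return truncated_span(lo, hi) == full_span(lo, hi);
}

/* What corrected code would do on real pointers: check the order first, then
 * subtract the pointers themselves (ptrdiff_t) and convert to size_t. */
static int clear_between(char *lo, char *hi)
{
    if (hi < lo)
        return -1;                          /* reversed range: refuse, never wrap */
    memset(lo, 0, (size_t)(hi - lo));
    return 0;
}

/* Exercise clear_between() on a real buffer; returns 1 if exactly the bytes
 * between the two pointers were zeroed and the reversed call was refused. */
static int clear_between_demo(void)
{
    char buf[16];
    memset(buf, 'x', sizeof buf);
    if (clear_between(buf + 4, buf + 12) != 0)
        return 0;
    for (size_t i = 0; i < sizeof buf; i++) {
        int should_be_zero = (i >= 4 && i < 12);
        if ((buf[i] == 0) != should_be_zero)
            return 0;
    }
    return clear_between(buf + 12, buf + 4) == -1;
}

int main(void)
{
    /* Constructed addresses: the high 32 bits differ, but the two values are
     * less than 4 GB apart, so the 32-bit wrap still yields the right answer. */
    uintptr_t near_lo = (uintptr_t)0x00007fff80000000ULL;
    uintptr_t near_hi = (uintptr_t)0x0000800000000010ULL;
    printf("within 4GB: truncated=%#zx full=%#zx agree=%d\n",
           truncated_span(near_lo, near_hi), full_span(near_lo, near_hi),
           truncation_is_harmless(near_lo, near_hi));

    /* Constructed addresses more than 4 GB apart: the length handed to memset
     * would be 0x10 instead of 0x100000010. */
    uintptr_t far_lo = (uintptr_t)0x00007fff00000000ULL;
    uintptr_t far_hi = (uintptr_t)0x0000800000000010ULL;
    printf("beyond 4GB: truncated=%#zx full=%#zx agree=%d\n",
           truncated_span(far_lo, far_hi), full_span(far_lo, far_hi),
           truncation_is_harmless(far_lo, far_hi));

    /* Reversed operands: unsigned wrap turns -16 into a ~4 GB clear request. */
    printf("reversed: truncated=%#zx\n", truncated_span(0x20, 0x10));

    printf("clear_between demo ok: %d\n", clear_between_demo());
    return 0;
}
```

The within-4GB pair is the case Chris describes (differing high bits, correct result); the beyond-4GB and reversed cases are the pathological ones Richard is worried about, and both produce a length that bears no relation to the real distance between the two addresses.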
