Linked by Thom Holwerda on Thu 23rd May 2013 23:22 UTC
X11, Window Managers "Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way various X client libraries handle the responses they receive from servers, and has worked with X.Org's security team to analyze, confirm, and fix these issues."
Overflowing
by kwan_e on Fri 24th May 2013 01:11 UTC
kwan_e
Member since:
2007-02-18

Surely there should be some automated process just to go through and check for this kind of fundamental error.

Reply Score: 2

RE: Overflowing
by chekr on Fri 24th May 2013 03:23 UTC in reply to "Overflowing"
chekr Member since:
2005-11-05

"Surely there should be some automated process just to go through and check for this kind of fundamental error."

And which automated process would that be? Coverity already have coverage over x.org and they are arguably one of the most effective automated tools.

Reply Score: 3

RE[2]: Overflowing
by kwan_e on Fri 24th May 2013 04:18 UTC in reply to "RE: Overflowing"
kwan_e Member since:
2007-02-18

"Coverity already have coverage over x.org and they are arguably one of the most effective automated tools."

Does it cover this kind of error?

"These calls do not check that the lengths and/or indexes returned by the
server are within the bounds specified by the caller or the bounds of the
memory allocated by the function, so could write past the bounds of
allocated memory when storing the returned data."

Reply Score: 2

RE: Overflowing
by Brendan on Fri 24th May 2013 04:25 UTC in reply to "Overflowing"
Brendan Member since:
2005-11-16

Hi,

"Surely there should be some automated process just to go through and check for this kind of fundamental error."

The problem is that for some languages (C, C++) it's impossible to (e.g.) tell the difference between a potential overflow that can't happen, an intentional potential overflow that is meant to happen, and an erroneous potential overflow.

For a simple example consider this:

int foo(int b, int c) {
    int a = b + c;
    return a;
}

This is a potential overflow, but can it happen (you'd have to analyse all the callers to determine the range/s of values that might be passed), and if it can happen is it intentional?

The other problem is that these languages don't support range limiting. For example, you can't do something like "typedef int range 1 to 12 monthType;". This means that if you solve the first problem you still can't determine when something is out of range.

The end result is that it's impossible for a tool to detect when a programmer has failed to validate data from an external source.

- Brendan

Reply Score: 3

RE[2]: Overflowing
by Alfman on Fri 24th May 2013 15:14 UTC in reply to "RE: Overflowing"
Alfman Member since:
2011-01-28

Brendan,

"The problem is that for some languages (C, C++) it's impossible to (e.g) tell the difference between a potential overflow that can't happen, an intentional potential overflow that is meant to happen, and an erroneous potential overflow."


It's true the C language doesn't do a good job of allowing the programmer to express intent with regards to overflow. I've always been disappointed that it doesn't even expose a carry flag given how indispensable it is for multi-word algorithms. In retrospect, it was a mistake not to expose overflow.

Many languages allow the compiler to handle numeric overflow; I don't really know why C doesn't.

http://www.codeproject.com/Articles/7776/Arithmetic-Overflow-Checki...


Still, an unchecked structural bounds overflow is far worse since the unbounded access to this structure (via indexes/pointers) can give an attacker a window to the entire process space. While C could help here by implementing range checked array access, there's no trivial way to guarantee the validity of code that uses pointers. Of course, managed languages don't bother offering them for this reason.

Reply Score: 2
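A constructed C illustration of the pattern the quoted advisory describes (server-supplied lengths and indexes stored without checking the caller's bounds) together with the overflow point Brendan and Alfman raise. This is an added example, not code from libX11 or from any poster; `reply_t`, `store_unchecked`, `fits_naive`, `fits` and `store_checked` are hypothetical names, and the reply layout is invented for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a server reply: the server chooses where in
 * the caller's array the data goes (index) and how many 32-bit items
 * follow (count).  Illustrative only; this is not libX11's wire format. */
typedef struct {
    uint32_t index;        /* value chosen by the remote server */
    uint32_t count;        /* value chosen by the remote server */
    const uint32_t *items; /* payload as received */
} reply_t;

/* The advisory's pattern: the caller's bound (cap) is ignored, so the
 * server's index and count alone decide how far past out[] the copy runs.
 * Only ever call this with a reply that already satisfies fits(). */
size_t store_unchecked(const reply_t *r, uint32_t *out, size_t cap)
{
    (void)cap;
    memcpy(out + r->index, r->items, (size_t)r->count * sizeof out[0]);
    return r->count;
}

/* A naive fix that still fails: in 32-bit arithmetic index + count can
 * wrap to a small value and pass the test (the "potential overflow" that
 * a tool cannot know is unintended). */
int fits_naive(const reply_t *r, size_t cap)
{
    return (uint32_t)(r->index + r->count) <= cap;
}

/* Correct check: each server-supplied value is compared against the
 * caller's bound without ever forming a sum that can overflow. */
int fits(const reply_t *r, size_t cap)
{
    return r->index <= cap && r->count <= cap - r->index;
}

/* Hardened store: copies nothing and returns 0 on a bad reply, which the
 * caller treats as a protocol error from the server. */
size_t store_checked(const reply_t *r, uint32_t *out, size_t cap)
{
    if (!fits(r, cap))
        return 0;
    memcpy(out + r->index, r->items, (size_t)r->count * sizeof out[0]);
    return r->count;
}
```

The `fits_naive` case shows why "check the sum" is not enough: a reply with index 0xFFFFFFF0 and count 0x18 wraps to 8 and passes, while `fits` rejects it on the index alone.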

RE: Overflowing
by moondevil on Fri 24th May 2013 05:45 UTC in reply to "Overflowing"
moondevil Member since:
2005-07-08

Use a proper systems programming language and make C and C++ join PL/I.

Failing that, only -Wall -Wpedantic -Werror, Lint and code review can help.

Reply Score: 3

RE[2]: Overflowing
by Neolander on Fri 24th May 2013 06:08 UTC in reply to "RE: Overflowing"
Neolander Member since:
2010-03-08

Can you think of such a language, whose implementations are fast enough for graphics-intensive work, and which interfaces well with other languages, though?

Without the former requirement, a number of core C/C++ libraries will always be required. Think of OpenGL itself, as an example, and often that alone is not enough.

Without the latter, you can make the most beautiful library in the world, but it will still largely fade into irrelevance, since only users of the programming language you have written it in can use it.

Edited 2013-05-24 06:09 UTC

Reply Score: 2

RE[3]: Overflowing
by moondevil on Fri 24th May 2013 06:33 UTC in reply to "RE[2]: Overflowing"
moondevil Member since:
2005-07-08

Ada, Modula-2, Extended Pascal, ....

When I started coding in 1986, C was the language used to code for the UNIX operating system, and that was about it.

As for the C ABI, this is only relevant in the cases where the operating system ABI happens to be C compatible.

In the old days, C ABI was only relevant in the UNIX world.

z/OS, Symbian and the COM changes in Windows are a few examples of non C ABI compatible systems.

Reply Score: 3

RE[4]: Overflowing
by zima on Fri 24th May 2013 20:13 UTC in reply to "RE[3]: Overflowing"
zima Member since:
2005-07-06

"Ada, Modula-2, Extended Pascal, ...."

Do I have the right impression that the world has generally moved away from them?

Reply Score: 2

RE[5]: Overflowing
by Neolander on Sat 25th May 2013 06:31 UTC in reply to "RE[4]: Overflowing"
Neolander Member since:
2010-03-08

"Ada, Modula-2, Extended Pascal, ...."

"Do I have the right impression that the world has generally moved away from them?"

I'm pretty sure that Ada and its various subsets are still used in the niche which the language was designed for, that is, mission-critical devices where software failure is an absolute disaster. Many teachers also seem to like it as a first programming language, arguing that it would enforce good programming practices better than other languages.

What makes me say that is, I regularly see it mentioned in online and real-world discussions which I happen to follow related to these two subjects (mission-critical environment and teaching). Of course, that's not a reliable quantitative measurement of popularity, but qualitatively it does show that the language isn't dead.

As for Modula-2 and Pascal dialects, however, I barely see these mentioned outside of history books and the OP's comments, so I would be more pessimistic about them...

Edited 2013-05-25 06:38 UTC

Reply Score: 1

RE[3]: Overflowing
by kug1977 on Fri 24th May 2013 06:37 UTC in reply to "RE[2]: Overflowing"
kug1977 Member since:
2013-05-24

You may have a look at Ada, which checks ranges by definition, is fast enough to work in real-time systems, has tasking, packaging and OOP as a native part of the language, and is designed to work well with other languages like C/C++. There is an interface for OpenGL libraries already available to use.

http://libre.adacore.com/

And if you want to check for programming errors that are more complicated to find, like the posted one, you may have a look at SPARK, which is a subset of the Ada language for programming with contracts and automatically proving your code error free.

https://en.wikipedia.org/wiki/SPARK_%28programming_language%...

Reply Score: 2

RE[4]: Overflowing
by kwan_e on Fri 24th May 2013 08:55 UTC in reply to "RE[3]: Overflowing"
kwan_e Member since:
2007-02-18

"You may have a look on Ada, which checking ranges by definition"

It must be warned that most Ada compilers actually don't inject range checking code in practice unless specifically requested.

Reply Score: 2

RE[5]: Overflowing
by moondevil on Fri 24th May 2013 11:31 UTC in reply to "RE[4]: Overflowing"
moondevil Member since:
2005-07-08

But it can still be controlled, while in C and C++, given the implicit decay of arrays into pointers and how many developers micro-optimize by using pointer arithmetic, that is very hard to validate.

Even in compilers that have extensions for bounds checking.

Reply Score: 2

RE[6]: Overflowing
by kwan_e on Fri 24th May 2013 11:31 UTC in reply to "RE[5]: Overflowing"
kwan_e Member since:
2007-02-18

std::array

But the point of my earlier comment was that it's a useful thing to know for those not familiar with Ada so people don't get caught out.

Edited 2013-05-24 11:34 UTC

Reply Score: 2

RE[7]: Overflowing
by moondevil on Fri 24th May 2013 11:53 UTC in reply to "RE[6]: Overflowing"
moondevil Member since:
2005-07-08

"std::array"

Sure. I only place C++ in the same league as C due to its C foundation and it being unsafe by default.

Truth is, the C++ standard library offers ways to do safe programming and modern C++ is quite good, but there are still many companies out there that forbid modern C++ practices. ;)

I only touched C one year long back in 1993/4, then jumped straight into C++, only using C when required to do so in university assignments and a project back in 2000.

I felt more at home in C++ as an Object Pascal refugee than with C.

Reply Score: 2

RE[5]: Overflowing
by Jondice on Fri 24th May 2013 14:30 UTC in reply to "RE[4]: Overflowing"
Jondice Member since:
2006-09-20

If anyone interested in safe systems programming hasn't heard of ATS, I'd suggest having a look: http://www.ats-lang.org/

Reply Score: 3

RE[6]: Overflowing
by moondevil on Fri 24th May 2013 14:58 UTC in reply to "RE[5]: Overflowing"
moondevil Member since:
2005-07-08

+1, since I cannot vote.

It warms my ML heart. ;)

Reply Score: 2

RE[4]: Overflowing
by Neolander on Fri 24th May 2013 17:48 UTC in reply to "RE[3]: Overflowing"
Neolander Member since:
2010-03-08

Thank you and moondevil for pointing me in the Ada direction. I overlooked its ability of interfacing well with other languages, which together with its other strengths would definitely make it worth trying out to me.

(Making my "to-learn" list now contain three groups of languages: Ada 2012 or Squeak, Haskell or Scheme, and Fortran)

@moondevil: I disagree regarding the importance of the system having a C ABI.

It is true that if every computer was running, say, Microsoft Singularity, C# would take the place of C today as a lingua franca among library developers, and that it could even be a good thing. But at this point in time, most computers seem to be running either a variant of Windows or Unix, which are both C/++ based.

Consequently, whenever a programming language has to interface with the rest of the programming world, it will tend to do so using a mechanism that greatly favors C libraries over others (think JNI, P/Invoke, Cgo). Moreover, as of today, most popular libraries are also implemented in C or C++, and are consequently designed for the C or the C++ ABI, with wrappers for other languages coping with that fact with variable success.

This, and not some alleged intrinsic superiority of C over other languages, would lead me to believe that being able to interface with C is indirectly important for a general-purpose programming language today.

Now, if some bright minds produced a superior language-agnostic library interface, and if that started to get very wide acceptance even across OS boundaries, I would certainly be interested in using that instead of helping keep the C monopoly alive.

Edited 2013-05-24 18:07 UTC

Reply Score: 2

RE[5]: Overflowing
by moondevil on Fri 24th May 2013 18:12 UTC in reply to "RE[4]: Overflowing"
moondevil Member since:
2005-07-08

Good luck using a C ABI with WinRT or Symbian.

Reply Score: 2

RE[6]: Overflowing
by Neolander on Fri 24th May 2013 18:18 UTC in reply to "RE[5]: Overflowing"
Neolander Member since:
2010-03-08

Symbian is as good as dead now, and whether WinRT will reach wide acceptance in the future remains to be seen considering the lukewarm reception of Windows 8.

Again, I was talking about the world we live in today, and which we are going to stay in for, say, 5 years from now at least.

Edited 2013-05-24 18:21 UTC

Reply Score: 1

RE[7]: Overflowing
by moondevil on Fri 24th May 2013 19:48 UTC in reply to "RE[6]: Overflowing"
moondevil Member since:
2005-07-08

Then good luck with a C ABI in z/OS, which uses a kernel-level JIT where all userspace applications are bytecode, which is JITted at installation time.

Reply Score: 2

RE[6]: Overflowing
by Alfman on Fri 24th May 2013 18:45 UTC in reply to "RE[5]: Overflowing"
Alfman Member since:
2011-01-28

moondevil,

"Good luck using a C ABI with WinRT or Symbian."


I might be wrong, but isn't WinRT still implemented on top of win32s? Even if it were conceivably moved to something else, it would be really a surprise if it weren't written in C. That's the thing, everyone wants to have better abstractions, but they're still building the system code in C because all the existing system code is already in C.

Reply Score: 2

RE[7]: Overflowing
by moondevil on Fri 24th May 2013 19:41 UTC in reply to "RE[6]: Overflowing"
moondevil Member since:
2005-07-08

WinRT uses an updated version of COM implemented with C++ templates also known as Windows Runtime C++ Template Library (WRL).

To simplify its usage, you have C++ extensions known as C++/CX. Basically Microsoft is finally doing what Borland did years ago with C++ Builder.

Since deep down it is still COM, you can try to use the old COM APIs from C like in the old days, but it will be an effort similar to using pure Assembly, due to the amount of code required.

Additionally you would need to implement yourself the code to read WinRT metadata, which is part of WinRT ABI.

Finally, C is deprecated in Microsoft tooling.

Officially the C compiler will not be updated, staying at C90 standard level, meanwhile the dev teams are making their C code compile as C++ code as mentioned in one of the talks at BUILD 2012.

Reply Score: 3

RE[5]: Overflowing
by Alfman on Fri 24th May 2013 18:35 UTC in reply to "RE[4]: Overflowing"
Alfman Member since:
2011-01-28

Neolander,

That's it exactly. C has first-comer advantages and is the de facto standard for all system programming. Overturning it today would require an enormous amount of energy. Even if all new C development were stopped, it still has enough momentum to continue for several more decades at least owing to its pervasiveness in existing code bases.

That's the main problem modern languages are facing: they aren't just competing against the older languages on merit, they're competing against the existing code and skills that have already been invested in the older languages.

Reply Score: 2

RE[6]: Overflowing
by moondevil on Fri 24th May 2013 19:46 UTC in reply to "RE[5]: Overflowing"
moondevil Member since:
2005-07-08

In Germany you will hardly find pure C related jobs outside the embedded industry (robotics, car equipment, general electronics stuff).

Reply Score: 2

Not as bad as it sounds?
by Gullible Jones on Fri 24th May 2013 01:30 UTC
Gullible Jones
Member since:
2006-05-23

Most of these don't look like they matter on typical desktop setups.

OTOH, I would think lots of bugs of this type bespeaks bad coding practice. I wonder if more serious vulnerabilities lurk in the bowels of Xorg. (Never mind the design flaws that allow keylogging, etc.)

Reply Score: 2

RE: Not as bad as it sounds?
by darknexus on Fri 24th May 2013 11:49 UTC in reply to "Not as bad as it sounds?"
darknexus Member since:
2008-07-15

"Most of these don't look like they matter on typical desktop setups."

That's because X.org's only strengths are irrelevant to most desktop setups.

Reply Score: 2

link
by TheGreatSudoku on Fri 24th May 2013 01:51 UTC
TheGreatSudoku
Member since:
2009-07-28

the link in the article is no longer working

Reply Score: 2

RE: link
by Morgan on Fri 24th May 2013 01:52 UTC in reply to "link"
Morgan Member since:
2005-06-29

It has a double quote mark at the end, just delete that from the URL and it loads fine.

Reply Score: 3

RE[2]: link
by Neolander on Fri 24th May 2013 05:58 UTC in reply to "RE: link"
Neolander Member since:
2010-03-08

Fixed!

Reply Score: 2