Chris Angelico <ros...@gmail.com> writes:
> Richard Kettlewell <r...@greenend.org.uk> wrote:
>> Ethan Furman <et...@stoneleaf.us> writes:
>>> memset(envp_write, 0, ((unsigned int) envp_read -
>>> (unsigned int) envp_write));
>>
>> That is a remarkable blunder for a security-critical program.
>>
>> On a 64-bit platform, the best case outcome is that it will throw away
>> the top 32 bits of each pointer before doing the subtraction, yielding
>> the wrong answer if the discarded bits happen to differ.
>
> If the pointers are more than 4GB apart, then yes, it'll give the
> wrong answer - just as if you'd subtracted and then cast down to an
> integer too small for the result. But if they're two pointers inside
> the same object (already a requirement for pointer arithmetic) and not
> 4GB apart, then two's complement arithmetic will give the right result
> even if the discarded bits differ. So while you're correct in theory,
> in practice it's unlikely to actually be a problem.
This program is on a security boundary; the pathological cases are
precisely the ones the attacker looks for. (It's hard to see how an
attacker could turn this into a useful attack. But perhaps the attacker
has more imagination than me.)

--
http://www.greenend.org.uk/rjk/
--
https://mail.python.org/mailman/listinfo/python-list
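The arithmetic both posters are describing, as an added example that is not part of the thread or of the program being quoted. It simulates 64-bit addresses as plain uint64_t values (constructed for the example, not real allocations) so the two length computations can be compared without relying on where the allocator actually places objects: the per-pointer truncation from the quoted memset call, and the full-width subtraction that the length should be. The third case, pointers more than 4 GB apart, is the one where the truncated form silently under-clears. The helper span_bytes shows the portable way to get a byte count between two pointers into the same object; its name is my own.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length computed the way the quoted code does it: each address is
 * cut down to 32 bits first, then the two halves are subtracted.
 * Because unsigned arithmetic wraps mod 2^32, the result is always
 * (hi - lo) mod 2^32, which is only right when hi - lo < 2^32. */
static uint32_t truncated_len(uint64_t hi, uint64_t lo)
{
    return (uint32_t)hi - (uint32_t)lo;
}

/* Full-width subtraction: the byte count memset should receive. */
static uint64_t full_len(uint64_t hi, uint64_t lo)
{
    return hi - lo;
}

/* 1 when truncating before subtracting still yields the correct length. */
static int truncation_is_safe(uint64_t hi, uint64_t lo)
{
    return (uint64_t)truncated_len(hi, lo) == full_len(hi, lo);
}

/* Portable byte span between two pointers into the same object:
 * subtract as char pointers and widen to size_t. No 32-bit cast. */
static size_t span_bytes(const void *hi, const void *lo)
{
    return (size_t)((const char *)hi - (const char *)lo);
}

int main(void)
{
    /* Constructed sample addresses. Case 1: same upper 32 bits.
     * Case 2: upper bits differ but the span is under 4 GB (the
     * two's-complement argument). Case 3: span exceeds 4 GB. */
    const uint64_t cases[][2] = {
        { UINT64_C(0x7f0000001000), UINT64_C(0x7f0000000800) },
        { UINT64_C(0x7f0100000010), UINT64_C(0x7f00fffffff0) },
        { UINT64_C(0x7f0200000010), UINT64_C(0x7f00fffffff0) },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t hi = cases[i][0], lo = cases[i][1];
        printf("case %zu: full=0x%llx truncated=0x%x %s\n", i + 1,
               (unsigned long long)full_len(hi, lo), truncated_len(hi, lo),
               truncation_is_safe(hi, lo) ? "ok" : "MISMATCH (under-clears)");
    }

    /* Real pointers into one object, using the portable form. */
    char envblock[64];
    printf("span_bytes=%zu\n", span_bytes(envblock + 40, envblock + 8));
    return 0;
}
```

Case 2 is the one Chris describes: the discarded upper halves differ (0x7f01 vs 0x7f00), yet the 32-bit subtraction wraps to the correct 0x20. Case 3 is the pathological one: the true span is 0x100000020 bytes but the truncated length is again 0x20, so the memset clears far less than intended and the rest of the region keeps whatever it held. The cast to unsigned int also makes the compiler emit a pointer-to-int-of-different-size warning on 64-bit targets, which is the cheapest detection available for this class of defect.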