[Info-vax] VAX Macro to C conversion
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Thu Jul 25 20:18:26 EDT 2019
On 2019-07-25, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
> On 2019-07-25 00:36:27 +0000, Craig A. Berry said:
>
>> On 7/24/19 8:28 AM, John Reagan wrote:
>>>
>>> DECC$ATOI = PROCEDURE,-
>>> DECC$ATOL = PROCEDURE,-
>>> DECC$MEMCHR = PROCEDURE,-
>>> DECC$MEMCMP = PROCEDURE,-
>>> DECC$STRCAT = PROCEDURE,-
>>> DECC$STRCHR = PROCEDURE,-
>>> DECC$STRCMP = PROCEDURE,-
>>> DECC$STRCPY = PROCEDURE,-
>>
>> Yum, ASCIZ string functions with no bounds checking in the kernel :-).
>> Probably not the most dangerous thing out there, but possibly worth a
>> rethink at some point.
>
> Not only in the OpenVMS kernel code, but also third-party inner-mode code.
>
Careful Craig and Stephen. :-)
Counted strings and/or descriptors are not some magical fix for
buffer overflows.
They are a lot harder than ASCIZ strings to compromise, but once
compromised, they can be way easier than ASCIZ strings to exploit
for some types of attack.
That's because with counted strings/descriptors, you don't have to
worry about embedded 0x00 characters terminating the copy so you
can just directly embed addresses as-is (including 0x00 characters)
without having to worry about the copy terminating when the first
0x00 in your payload is encountered.
Overall, counted strings and descriptors are way better than ASCIZ
strings but they are not a magical solution and come with risks of
their own.
However, as Stephen mentioned, it would also be nice to see safer
versions of the ASCIZ routines introduced and the non-safe versions
deprecated for kernel mode code.
Notice BTW that I said "safer". I did not say "safe".
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
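As an added illustration (my construction, not code from Simon's post or from OpenVMS), a small C model of the two copy behaviours discussed in the thread: a strcpy-style ASCIZ copy that silently stops at the first 0x00 byte, and a descriptor-style copy that carries embedded 0x00 bytes through unchanged but is given the explicit bounds check that makes it "safer". The `strdesc` struct is a simplified stand-in for a VMS string descriptor, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a VMS-style string descriptor (constructed for this
 * example; the real DSC$DESCRIPTOR layout has additional class/type fields). */
struct strdesc {
    uint16_t length;     /* byte count: no terminator, 0x00 bytes are data */
    const char *pointer; /* address of the first byte */
};

/* ASCIZ copy (strcpy semantics): the copy stops at the first 0x00 byte, so
 * anything after an embedded NUL never reaches dst. There is no bounds
 * check; the caller must guarantee dst is large enough.
 * Returns the number of bytes delivered (excluding the terminator). */
size_t asciz_copy(char *dst, const char *src)
{
    strcpy(dst, src);
    return strlen(src);
}

/* Descriptor copy with an explicit bounds check: copies exactly desc->length
 * bytes, embedded 0x00 included, but refuses when the data would not fit.
 * Returns the byte count copied, or -1 when rejected (dst left untouched). */
long desc_copy_checked(char *dst, size_t dstlen, const struct strdesc *desc)
{
    if (desc->length > dstlen)
        return -1;
    memcpy(dst, desc->pointer, desc->length);
    return (long)desc->length;
}

/* Constructed sample: five bytes with a 0x00 in the middle. */
static const char sample[] = { 'A', 'B', '\0', 'C', 'D' };

int main(void)
{
    char buf[8];
    struct strdesc d = { sizeof sample, sample };
    struct strdesc big = { 100, sample };

    printf("asciz copy delivered %zu bytes\n", asciz_copy(buf, sample));
    printf("descriptor copy delivered %ld bytes\n",
           desc_copy_checked(buf, sizeof buf, &d));
    printf("oversized descriptor result: %ld\n",
           desc_copy_checked(buf, sizeof buf, &big));
    return 0;
}
```

The ASCIZ copy reports 2 bytes, the checked descriptor copy 5 bytes with the 0x00 preserved at offset 2, and the 100-byte descriptor is rejected rather than overrunning the 8-byte buffer.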