Subject: Re: exploit with memcpy()
To: None <firstname.lastname@example.org, email@example.com>
From: TAMURA Kent <firstname.lastname@example.org>
Date: 07/02/2002 23:24:58
> > - The check is at the outside of the loop.
> > - It is done only if the destination address < the source address (+length)
for arch/i386/string/bcopy.S, dest < source+length
for string/bcopy.c, dest > source
> > - Many applications use gcc's builtin memcpy().
> Unluckily the 3rd bullet means that the patch won't take effect
> for most of the binaries, am I right? Do we want to modify gcc to
> generate the change you've proposed?
Right, and no. The exploit succeeds if and only if memcpy() is
compatible with memmove(). Gcc's builtin memcpy() is not.
TAMURA Kent <kent2002@hauN.org> <email@example.com>
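Added example, not code from this thread or from the NetBSD bcopy sources: it shows what "memcpy() compatible with memmove()" means in practice, and the shape of the out-of-loop overlap check the patch adds. A plain byte-by-byte forward copy corrupts its own source when the destination lies inside the source range; memmove() handles that case; the thread's exploit relies on memcpy() behaving like memmove(). The hypothetical checked_memcpy() below refuses any overlap (either direction), which is broader than the single-sided dest < source+length / dest > source conditions quoted above; ranges_overlap(), forward_copy(), checked_memcpy(), overlap_demo() and the global demo buffers are all names chosen here. The demo deliberately uses its own forward_copy() rather than memcpy(), because whether a given memcpy() (libc or gcc builtin) survives overlap is exactly the property under discussion and must not be assumed.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Nonzero when [dst, dst+n) and [src, src+n) share at least one byte.
 * Comparisons are done on uintptr_t so the test stays defined even for
 * pointers into unrelated objects.  (Hypothetical check, not the patch.) */
int ranges_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (n == 0)
        return 0;
    return d < s + n && s < d + n;
}

/* The naive copy: low address to high, one byte at a time.  This is the
 * behaviour that is NOT memmove()-compatible when dst sits inside src. */
void *forward_copy(void *dst, const void *src, size_t n)
{
    unsigned char *d = dst;
    const unsigned char *s = src;
    for (size_t i = 0; i < n; i++)
        d[i] = s[i];
    return dst;
}

/* memcpy() with the overlap check hoisted outside the copy loop, as the
 * thread describes.  Returns 0 on success; returns -1 and copies nothing
 * when the ranges overlap, so an exploit that needs memmove() semantics
 * from memcpy() fails instead of silently getting them. */
int checked_memcpy(void *dst, const void *src, size_t n)
{
    if (ranges_overlap(dst, src, n))
        return -1;
    forward_copy(dst, src, n);
    return 0;
}

/* Constructed demo buffers: same data, same overlapping copy, two copiers. */
char demo_forward[16];
char demo_memmove[16];
char scratch[16];

/* Copies 4 bytes two positions to the right within one buffer, i.e.
 * dst is inside [src, src+4).  Returns 1 if forward_copy() and memmove()
 * leave different results, 0 if they agree. */
int overlap_demo(void)
{
    snprintf(demo_forward, sizeof demo_forward, "%s", "abcdefgh");
    snprintf(demo_memmove, sizeof demo_memmove, "%s", "abcdefgh");
    forward_copy(demo_forward + 2, demo_forward, 4); /* reads bytes it already clobbered */
    memmove(demo_memmove + 2, demo_memmove, 4);      /* copies backwards, result intact */
    return strcmp(demo_forward, demo_memmove) != 0;
}

int main(void)
{
    overlap_demo();
    printf("forward_copy : %s\n", demo_forward);  /* abababgh */
    printf("memmove      : %s\n", demo_memmove);  /* ababcdgh */
    printf("checked_memcpy on overlap: %d\n",
           checked_memcpy(scratch + 2, scratch, 4)); /* -1 */
    return 0;
}
```

The forward copy turns "abcdefgh" into "abababgh" because byte 4 is read after byte 2 has already been overwritten; memmove() yields "ababcdgh". A check like ranges_overlap() costs a couple of comparisons per call and, placed before the loop rather than inside it, does not slow the copy itself; as the thread notes, it only helps binaries that actually call the library memcpy() rather than a compiler-inlined builtin.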