Subject: Re: exploit with memcpy()
To: TAMURA Kent <kent@netbsd.org>
From: Bill Sommerfeld <sommerfeld@netbsd.org>
List: tech-userlevel
Date: 07/02/2002 11:29:38
so, a few comments..

0) remember that, fundamentally, the code in error here is the caller
to memcpy().  the appropriate thing to do is find some way to trigger
a trap/signal or otherwise abort the process rather than patch it up
and keep on chugging in face of an obvious user error.

1) despite the x86's register-deprived existance, there is a free
caller-save register: %edx!

[warning, patch not particularly well tested; use at your own risk.]

Index: bcopy.S
===================================================================
RCS file: /cvsroot/basesrc/lib/libc/arch/i386/string/bcopy.S,v
retrieving revision 1.6
diff -u -r1.6 bcopy.S
--- bcopy.S	1996/11/12 00:50:06	1.6
+++ bcopy.S	2002/07/02 15:13:02
@@ -62,7 +62,8 @@
 	movl	12(%esp),%esi
 	movl	16(%esp),%edi
 #endif
-	movl	20(%esp),%ecx
+	movl	20(%esp),%edx
+	movl	%edx,%ecx
 	movl	%edi,%eax
 	subl	%esi,%eax
 	cmpl	%ecx,%eax	/* overlapping? */
@@ -90,7 +91,7 @@
 	decl	%esi
 	rep
 	movsb
-	movl	20(%esp),%ecx	/* copy remainder by words */
+	movl	%edx,%ecx	/* copy remainder by words */
 	shrl	$2,%ecx
 	subl	$3,%esi
 	subl	$3,%edi