funsec mailing list archives
Re: Confusion Flaw?
From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 24 Jan 2012 18:26:57 -0500
On Tue, Jan 24, 2012 at 6:19 PM, <Valdis.Kletnieks () vt edu> wrote:
> On Tue, 24 Jan 2012 18:04:13 EST, Jeffrey Walton said:
>> From USN-1263-2 (http://www.ubuntu.com/usn/usn-1263-2/):
>>
>> It was discovered that a type confusion flaw existed in the Internet Inter-Orb Protocol (IIOP) deserialization code. A remote attacker could use this to cause an untrusted application or applet to execute arbitrary code by deserializing malicious input. (CVE-2011-3521)
>>
>> I give - what is a confusion flaw?
>
> 'type confusion' - where a programmer forgot what type a variable had. Was that a signed int or an unsigned int? 32-bit or 64-bit? A pointer to a string, or a pointer to a struct?
Gotcha. Perhaps he was following Linus' lead: when static analysis warned the kernel's sys_prctl was comparing an unsigned value against less than zero, Jesper Juhl offered a patch to clean up the code. Linus Torvalds decried “No, we don't do this... GCC is crap”. See Re: [PATCH] Don't compare unsigned variable for <0 in sys_prctl() [http://linux.derkeiler.com/Mailing-Lists/Kernel/2006-11/msg08325.html].

Jeff

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
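An added C example, not from the thread or the kernel, of the signed/unsigned confusion the reply and the sys_prctl warning describe: a length check that only tests the upper bound lets a negative value through, a `< 0` test on an unsigned parameter is dead code that the compiler flags, and the corrected check rejects both bounds before the value is converted to size_t. BUF_MAX and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

#define BUF_MAX 64   /* constructed buffer size for the example */

/* Confused check: only the upper bound is tested on a signed length.
 * A negative 'len' is accepted, and once it reaches a size_t parameter
 * (memcpy, kmalloc, ...) it becomes a huge unsigned value. */
bool accept_len_confused(int len)
{
    if (len > BUF_MAX)
        return false;
    return true;
}

/* The dead comparison the sys_prctl warning was about: 'len' is unsigned,
 * so 'len < 0' can never be true. gcc reports this under -Wtype-limits.
 * A caller that already converted -1 to unsigned still passes. */
bool accept_len_dead_check(unsigned int len)
{
    if (len < 0)          /* always false: tautological comparison */
        return false;
    if (len > BUF_MAX)
        return false;
    return true;
}

/* Corrected: validate the full signed range while the value is still
 * signed, before any conversion to an unsigned size type happens. */
bool accept_len_checked(int len)
{
    if (len < 0 || len > BUF_MAX)
        return false;
    return true;
}

/* What the unsigned side actually receives for a given signed length. */
size_t as_size(int len)
{
    return (size_t)len;
}
```

Build with `-Wall -Wextra` to see the compiler flag the tautological comparison in accept_len_dead_check.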