The code looks pretty rough

Posted Nov 10, 2010 15:27 UTC (Wed) by Ross (subscriber, #4065)
Parent article: Jones: system call abuse

I took a quick look at the way it was generating plausible file descriptors, PIDs, etc. and noticed lots of mishandling of rand output:

sanitise.c -> get_interesting_value:
i = rand() & 20;
...
switch (i) {
case 0: return 0x00000001;
...
case 20: return 0xffffffffffffffff;

So I think that should have been rand() % 21...

sanitise.c -> get_address:
i = rand() % 2;
...
switch (i) {
case 0: return KERNEL_ADDR;
...
case 2: return get_interesting_value();

So that probably should be rand() % 3

That's not to mention how horrible rand() is at actually being random, especially in the lower two bits of output. Between those bugs it really reduces the number of addresses that are tried. I notice that random() is used other places but srandom() isn't ever called (though srand() is called twice).

I also wonder if address space randomization makes this less useful -- how often does it fail to reproduce the same crash or misbehavior because memory has shifted around?

I suppose I should send a patch instead of complaining.

-Ross
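As an added illustration (not code from Trinity or from the post above), the following program drives the two selector expressions Ross quotes, and the replacements he proposes, with every raw value 0..4095 instead of rand(), and counts how many switch labels each can actually reach. The selector and helper names (sel_and_20, count_reachable, case_reachable, report) are hypothetical; the modelled labels are the integers 0..ncases-1.

```c
/* Added example, not Trinity code: measure how many switch labels each
 * selector expression from the post can actually reach. The labels are
 * modelled as the integers 0..ncases-1; the selector is driven with every
 * value 0..limit-1 instead of rand(), so the result does not depend on the
 * libc PRNG. All function names here are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

typedef int (*selector_fn)(int raw);

/* The expressions quoted in the post (as written) and the proposed fixes. */
static int sel_and_20(int raw) { return raw & 20; }  /* get_interesting_value as written */
static int sel_mod_21(int raw) { return raw % 21; }  /* proposed fix */
static int sel_mod_2(int raw)  { return raw % 2; }   /* get_address as written */
static int sel_mod_3(int raw)  { return raw % 3; }   /* proposed fix */

/* True if label `which` is among the values the selector can produce. */
static bool case_reachable(selector_fn sel, int which, int limit)
{
    for (int raw = 0; raw < limit; raw++)
        if (sel(raw) == which)
            return true;
    return false;
}

/* Number of labels in 0..ncases-1 the selector can produce. */
static int count_reachable(selector_fn sel, int ncases, int limit)
{
    int hits = 0;
    for (int which = 0; which < ncases; which++)
        hits += case_reachable(sel, which, limit);
    return hits;
}

static void report(const char *name, selector_fn sel, int ncases)
{
    /* 4096 raw values cover every pattern of the low 12 bits, which is
     * more than enough for a 5-bit mask (20 == 0b10100) or a modulus of 21. */
    printf("%-12s reaches %2d of %2d cases; missing:", name,
           count_reachable(sel, ncases, 4096), ncases);
    for (int which = 0; which < ncases; which++)
        if (!case_reachable(sel, which, 4096))
            printf(" %d", which);
    printf("\n");
}

int main(void)
{
    report("rand() & 20", sel_and_20, 21);
    report("rand() % 21", sel_mod_21, 21);
    report("rand() % 2",  sel_mod_2,  3);
    report("rand() % 3",  sel_mod_3,  3);
    return 0;
}
```

Because 20 is 0b10100, `raw & 20` can only ever be 0, 4, 16 or 20, so 17 of the 21 "interesting values" are never returned; likewise `raw % 2` never selects case 2, so get_interesting_value() is never consulted from get_address(). The `% 21` and `% 3` forms reach every label.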



The code looks pretty rough

Posted Nov 10, 2010 16:32 UTC (Wed) by MisterIO (guest, #36192)

Ah, so he's consistent with the error I reported above! I thought it was just a typo or a distraction.

The code looks pretty rough

Posted Nov 10, 2010 19:49 UTC (Wed) by chad.netzer (✭ supporter ✭, #4257)

Ugh, mistyping AND(&) for MOD(%) is brutal.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds