zoukankan      html  css  js  c++  java
  • chapter 2: Representing and manipulating information

        

        C allows conversion between unsigned and signed. The rule is that the underlying bit representation is not changed. Generally, most numbers are signed by default.For example, when declaring a
    constant such as 12345 or 0x1A2B, the value is considered signed. Adding character ‘U’ or ‘u’ as a suffix creates an unsigned constant, e.g., 12345U or 0x1A2Bu.
        When printing numeric values with printf, the directives %d, %u, and %x are used to print a number as a signed decimal, an unsigned decimal, and in hexadecimal format, respectively. Note that printf does not make use of any type information, and so it is possible to print a value of type int with directive %u and
    a value of type unsigned with directive %d. For example, consider the following code:

          int x = -1;
          unsigned u = 2147483648; /* 2 to the 31st */


          printf("x = %u = %d ", x, x);
          printf("u = %u = %d ", u, u);
    When run on a 32-bit machine, it prints the following:
         x = 4294967295 = -1
         u = 2147483648 = -2147483648


    buger from:


          Suppose, however, that some malicious programmer writes code that calls copy_from_kernel with
    a negative value of maxlen. Then the minimum computation on line 16 will compute this value for len,
    which will then be passed as the parameter n to memcpy. Note, however, that parameter n is declared as
    having data type size_t. This data type is declared (via typedef) in the library file stdio.h. Typically it is defined to be unsigned int on 32-bit machines. Since argument n is unsigned, memcpy will treat it as a very large, positive number and attempt to copy that many bytes from the kernel region to the user’s buffer. Copying that many bytes (at least 231) will not actually work, because the program will encounter invalid addresses in the process, but the program could read regions of the kernel memory for which it is not authorized.

         We can see that this problem arises due to the mismatch between data types: in one place the
    length parameter is signed; in another place it is unsigned. Such mismatches can be a source of bugs
    and, as this example shows, can even lead to security vulnerabilities. Fortunately, there were no reported cases where a programmer had exploited the vulnerability in FreeBSD. They issued a security advisory, “FreeBSD-SA-02:38.signed-error,” advising system administrators on how to apply a patch that would remove the vulnerability. The bug can be fixed by declaring parameter maxlen to copy_from_kernel
    to be of type size_t, to be consistent with parameter n of memcpy. We should also declare local variable len and the return value to be of type size_t.


  • 相关阅读:
    王道考研复习-操作系统-进程管理(二)
    王道考研复习-操作系统-计算机系统概述(一)
    Understanding Undefined Behavior
    iOS开发需要掌握的命令
    LLDB命令速查
    Flutter简介
    poj 2115 C Looooops 扩展欧几里得算法
    poj 2635 The Embarrassed Cryptographer ??/Java??(???)
    poj 3292 Semi-prime H-numbers 筛素数(简单题)
    poj 1019 Number Sequence 数学
  • 原文地址:https://www.cnblogs.com/keanuyaoo/p/3343494.html
Copyright © 2011-2022 走看看