Boost C++ Libraries: Ticket #6528: Potential vulnerability in programs recompiled for 64-bit platforms
https://svn.boost.org/trac10/ticket/6528

Description:

The default block size for the dynamic_bitset<> class on a 32-bit platform is 4 bytes, while on a 64-bit one it is actually 8 bytes. Therefore, objects of dynamic_bitset<> will have different m_bits array lengths on 32- and 64-bit platforms. It is very likely to cause an overflow on the 64-bit platform.

Conclusion: any program using dynamic_bitset<>::m_bits and recompiled from 32- to 64-bit is vulnerable.

Comment 1 by Steven Watanabe, Tue, 07 Feb 2012 02:06:47 GMT (https://svn.boost.org/trac10/ticket/6528#comment:1):

I don't understand. The maximum size of a dynamic_bitset is larger on a 64-bit platform. How can it overflow if it works in 32-bit? In any event, the size it has to get to before it can overflow is ridiculously large. Unless you have an example that demonstrates the problem, I'm going to close this.

Comment 2 by anonymous, Tue, 07 Feb 2012 08:45:48 GMT (https://svn.boost.org/trac10/ticket/6528#comment:2):

I mean, if you have written code on 32-bit and are working directly with m_bits, with the default dynamic_bitset<> you may suppose that m_bits is an array of 4-byte unsigned ints. But on 64-bit, m_bits.size() is already half as large! m_bits[index] is very likely to generate a segfault in this case. That is, the same code produces different results on 32-bit and 64-bit, and the 64-bit one is vulnerable.

This has nothing to do with the "maximum size of a dynamic_bitset".

Comment 3 by Ulrich Eckhardt <ulrich.eckhardt@…>, Wed, 08 Feb 2012 12:36:22 GMT (https://svn.boost.org/trac10/ticket/6528#comment:3):

buffer_type m_bits is private. If BOOST_DYNAMIC_BITSET_PRIVATE is defined as public to work around compiler bugs, it should still be treated as private. Further, the block_type isn't exposed in the interface either. In summary, valid code will not touch m_bits or its elements, so any size differences there are not a problem. Even if by some fiendish hackery you are accessing m_bits, any assumption about the size of its elements is invalid, unless it is based on the use of the sizeof operator.

What exactly are you doing? What code is vulnerable to buffer overflows?

Comment 4 by anonymous, Wed, 08 Feb 2012 13:23:21 GMT (https://svn.boost.org/trac10/ticket/6528#comment:4):

Replying to Ulrich Eckhardt <ulrich.eckhardt@…> (comment 3):

> What exactly are you doing? What code is vulnerable to buffer overflows?

I have solved the problem by explicitly using dynamic_bitset<unsigned int> instead of the default dynamic_bitset<>. In this case, the code behaves equivalently on all platforms.

Anyway, if you are so confident that it cannot generate errors in programs where BOOST_DYNAMIC_BITSET_PRIVATE is not "treated as private", you can remove the ticket.

Comment 5 by anonymous, Wed, 08 Feb 2012 13:29:16 GMT (https://svn.boost.org/trac10/ticket/6528#comment:5):

Replying to Ulrich Eckhardt <ulrich.eckhardt@…> (comment 3):

> buffer_type m_bits is private. If BOOST_DYNAMIC_BITSET_PRIVATE is defined as public to work around compiler bugs, it should still be treated as private. Further, the block_type isn't exposed in the interface either. In summary, valid code will not touch m_bits or its elements

P.S.: I find the possibility of accessing m_bits nice. Why must it be private?

Comment 6 by Ulrich Eckhardt <ulrich.eckhardt@…>, Thu, 09 Feb 2012 08:13:54 GMT (https://svn.boost.org/trac10/ticket/6528#comment:6):

It is private exactly so that people don't mess with it and so that dynamic_bitset's class invariants are guaranteed. This is the 101 of encapsulation.

BTW: What you probably want is a look at boost/stdint.hpp, in particular uint32_t there, which is guaranteed to be 32 bits on any platform. Using unsigned int and relying on its size being 32 bits is simply not guaranteed anywhere. You also make your code more self-commenting.

Comment 7 by acharles, Fri, 21 Feb 2014 11:19:52 GMT (https://svn.boost.org/trac10/ticket/6528#comment:7):

owner changed from jsiek to acharles
status: new → assigned

Comment 8 by acharles, Fri, 21 Feb 2014 11:20:11 GMT (https://svn.boost.org/trac10/ticket/6528#comment:8):

status: assigned → closed
resolution: → invalid

This isn't an issue.
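The layout disagreement in comments 2, 3 and 6, as an added example that is neither the ticket's code nor Boost's own dynamic_bitset implementation: a minimal MiniBitset that stores bits the way dynamic_bitset does (bit i lives in block i / bits_per_block, at bit position i % bits_per_block), a hypothetical caller that hard-codes 32-bit blocks the way the reporter's code did, and a portable counterpart that takes the block width from sizeof as Ulrich Eckhardt advises. The block type is made explicit (std::uint32_t for the 32-bit default, std::uint64_t for the LP64 default) so both layouts can be compared on one machine; the MiniBitset class, the sample_bitset() helper and both counting functions are assumptions of the example, not Boost API.

```cpp
// Added example, not from the Boost ticket or from Boost's dynamic_bitset.
// MiniBitset mirrors dynamic_bitset's block layout only; everything here is
// hypothetical illustration code.
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

template <typename Block>
class MiniBitset {
public:
    // Derive the block width from the type, never from an assumed 32.
    static constexpr std::size_t bits_per_block = sizeof(Block) * CHAR_BIT;

    explicit MiniBitset(std::size_t nbits)
        : nbits_(nbits),
          blocks_((nbits + bits_per_block - 1) / bits_per_block, Block(0)) {}

    void set(std::size_t i) {
        blocks_[i / bits_per_block] |= Block(1) << (i % bits_per_block);
    }
    bool test(std::size_t i) const {
        return (blocks_[i / bits_per_block] >> (i % bits_per_block)) & 1;
    }
    std::size_t size() const { return nbits_; }
    std::size_t num_blocks() const { return blocks_.size(); }

    // Stand-in for reaching into m_bits directly (the thing the ticket argues about).
    const std::vector<Block>& raw_blocks() const { return blocks_; }

private:
    std::size_t nbits_;
    std::vector<Block> blocks_;
};

// The reporter's pattern: written against 4-byte blocks, it indexes the raw
// array with i / 32. Returns the number of set bits when every index it
// touches is in range, or -1 as soon as an index would run past the end of
// the block array (where real code indexing m_bits reads out of bounds).
template <typename Block>
long count_assuming_32bit_blocks(const MiniBitset<Block>& bs) {
    const std::vector<Block>& raw = bs.raw_blocks();
    long count = 0;
    for (std::size_t i = 0; i < bs.size(); ++i) {
        std::size_t idx = i / 32;
        if (idx >= raw.size()) return -1;   // would be an out-of-bounds read
        if ((raw[idx] >> (i % 32)) & 1) ++count;
    }
    return count;
}

// Portable version: block width comes from sizeof, and the index is still
// bounds-checked so a layout mismatch fails loudly instead of silently.
template <typename Block>
long count_portable(const MiniBitset<Block>& bs) {
    const std::vector<Block>& raw = bs.raw_blocks();
    constexpr std::size_t bpb = MiniBitset<Block>::bits_per_block;
    long count = 0;
    for (std::size_t i = 0; i < bs.size(); ++i) {
        std::size_t idx = i / bpb;
        if (idx >= raw.size()) return -1;
        if ((raw[idx] >> (i % bpb)) & 1) ++count;
    }
    return count;
}

// Constructed sample: a 100-bit set with bits 3, 70 and 99 set.
template <typename Block>
MiniBitset<Block> sample_bitset() {
    MiniBitset<Block> bs(100);
    bs.set(3);
    bs.set(70);
    bs.set(99);
    return bs;
}

int main() {
    std::printf("32-bit blocks: %zu blocks, hard-coded=%ld, portable=%ld\n",
                sample_bitset<std::uint32_t>().num_blocks(),
                count_assuming_32bit_blocks(sample_bitset<std::uint32_t>()),
                count_portable(sample_bitset<std::uint32_t>()));
    std::printf("64-bit blocks: %zu blocks, hard-coded=%ld, portable=%ld\n",
                sample_bitset<std::uint64_t>().num_blocks(),
                count_assuming_32bit_blocks(sample_bitset<std::uint64_t>()),
                count_portable(sample_bitset<std::uint64_t>()));
    return 0;
}
```

With 100 bits, the 32-bit layout has four blocks and the hard-coded loop reaches index 3 at most, so both counts agree; with the 64-bit layout there are only two blocks, and the hard-coded loop asks for index 2 at bit 64, which is exactly the out-of-range m_bits[index] the reporter describes (and, before that, it has already been reading bits 32 to 63 from the wrong block). Using a fixed-width block type such as std::uint32_t (or boost's uint32_t, as comment 6 suggests) pins the layout; deriving the width from sizeof makes the caller correct for any block type.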